offline-snap-install : lp:charm-openstack-service-checks : Git : Code : charm-openstack-service-checks

Get this branch:: git clone -b offline-snap-install https://git.launchpad.net/charm-openstack-service-checks

Members of Canonical BootStack Charmers can upload to this branch. Log in for directions.

Branch merges

Merged into charm-openstack-service-checks:master at revision 8f5b59bb22834f64aea957be7411afb4679a3c7c

🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration) on 2021-07-19

Xav Paice (community): Approve on 2021-07-19

Branch information

Name:: offline-snap-install

Repository:: lp:charm-openstack-service-checks

Recent commits

8f5b59b... by Celia Wang on 2021-07-19

Fix README syntax and add N818 ignore for lint

6d81e45... by Celia Wang on 2021-07-19

Merge remote-tracking branch 'fandanbango/offline-snap-install'

0be89e2... by Joe Guo on 2021-05-05

ensure requests to use system ca bundle for ssl verify

`keystoneclient` will use `requests` to access api endpoints.
When https/ssl is enabled, `requests` will rely on package `certifi` to find ca certs for ssl verify.

However, `certifi` has different behavior:

- in python package, it will return builtin `cacert.pem` which is Mozilla Root Certificates.
- in deb package, it's modified to return `/etc/ssl/certs/ca-certificates.crt` as expected.

When we use vault, keystone endpoints will be https and ssl verify is needed.
The ca cert configured via `trusted_ssl_ca` will be merged into `/etc/ssl/certs/ca-certificates.crt`.

This is ok if charm is running globally without venv (certifi deb package is used).
But when charm is running in venv(certifi python package is used),
above cert will be ignored by requests and cause [SSL: CERTIFICATE_VERIFY_FAILED] error.

This patch set envvar REQUESTS_CA_BUNDLE to system ca bundle, so
requests will use it as ca cert, instead of `.venv/.../certifi/cacert.pem`.

Related bugs:
LP: #1924816
LP: #1926670