Merge ~guoqiao/charm-openstack-service-checks:lp1924816-requests-ca-bundle into charm-openstack-service-checks:master
Status: | Merged
---|---
Approved by: | Xav Paice
Approved revision: | 0be89e2704ce636fa9f9d1df54d264971a3ba26e
Merged at revision: | 0be89e2704ce636fa9f9d1df54d264971a3ba26e
Proposed branch: | ~guoqiao/charm-openstack-service-checks:lp1924816-requests-ca-bundle
Merge into: | charm-openstack-service-checks:master
Diff against target: | 24 lines (+13/-0), 1 file modified: src/lib/lib_openstack_service_checks.py (+13/-0)
Related bugs: |
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Xav Paice (community) | | | Approve
🤖 prod-jenkaas-bootstack (community) | continuous-integration | | Approve
Linda Guo (community) | | | Approve

Review via email: mp+402381@code.launchpad.net
Commit message
ensure requests uses the system ca bundle for ssl verify

`keystoneclient` will use `requests` to access api endpoints.
When https/ssl is enabled, `requests` will rely on the package `certifi` to find ca certs for ssl verify.
However, `certifi` has different behavior:
- in the python package, it will return the builtin `cacert.pem`, which is the Mozilla Root Certificates.
- in the deb package, it's modified to return `/etc/ssl/

When we use vault, keystone endpoints will be https and ssl verify is needed.
The ca cert configured via `trusted_ssl_ca` will be merged into `/etc/ssl/
This is ok if the charm is running globally without a venv (the certifi deb package is used).
But when the charm is running in a venv (the certifi python package is used),
the above cert will be ignored by requests and cause [SSL: CERTIFICATE_

This patch sets the envvar REQUESTS_CA_BUNDLE to the system ca bundle, so
requests will use it as the ca cert, instead of `.venv/
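As an added illustration (not the charm's code or the diff in this proposal), the snippet below mirrors the bundle-selection order `requests` applies when `verify=True` and the environment-variable fix the commit describes. The Debian/Ubuntu bundle path `/etc/ssl/certs/ca-certificates.crt` is an assumption, since the commit text cuts the path off.

```python
"""How `requests` picks its CA bundle, and how pointing REQUESTS_CA_BUNDLE at
the system bundle changes that. Added example, not the charm's code."""
import os
import tempfile

# Assumed system CA bundle path (Debian/Ubuntu default); the commit text truncates it.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def resolve_ca_bundle(env, certifi_where):
    """Mirror the order requests uses for verify=True: REQUESTS_CA_BUNDLE, then
    CURL_CA_BUNDLE, then certifi.where() (a venv's private cacert.pem, so any
    CA merged into the system bundle is never consulted)."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or certifi_where()


def ensure_system_ca_bundle(env, system_bundle=SYSTEM_CA_BUNDLE):
    """The fix the commit describes: steer requests to the system bundle (where
    `trusted_ssl_ca` is merged), but only if that file exists and an operator has
    not already set an override. Returns the value in effect afterwards."""
    if not env.get("REQUESTS_CA_BUNDLE") and os.path.isfile(system_bundle):
        env["REQUESTS_CA_BUNDLE"] = system_bundle
    return env.get("REQUESTS_CA_BUNDLE")


def demo():
    """Simulate the venv case offline: certifi returns its own cacert.pem and a
    constructed stand-in file plays the role of the system bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        venv_pem = os.path.join(tmp, ".venv", "cacert.pem")   # constructed
        sys_pem = os.path.join(tmp, "ca-certificates.crt")     # constructed
        for path in (venv_pem, sys_pem):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()  # empty placeholder files, no real certs
        env = {}
        before = resolve_ca_bundle(env, lambda: venv_pem)  # venv certifi wins
        ensure_system_ca_bundle(env, system_bundle=sys_pem)
        after = resolve_ca_bundle(env, lambda: venv_pem)   # system bundle wins
        return before == venv_pem, after == sys_pem


if __name__ == "__main__":
    print(demo())
```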
A CI job is currently in progress. A follow up comment will be added when it completes.