Merge ~guoqiao/charm-openstack-service-checks:lp1924816-requests-ca-bundle into charm-openstack-service-checks:master

Proposed by Joe Guo
Status: Merged
Approved by: Xav Paice
Approved revision: 0be89e2704ce636fa9f9d1df54d264971a3ba26e
Merged at revision: 0be89e2704ce636fa9f9d1df54d264971a3ba26e
Proposed branch: ~guoqiao/charm-openstack-service-checks:lp1924816-requests-ca-bundle
Merge into: charm-openstack-service-checks:master
Diff against target: 24 lines (+13/-0)
1 file modified
src/lib/lib_openstack_service_checks.py (+13/-0)
Reviewer Review Type Date Requested Status
Xav Paice (community) Approve
🤖 prod-jenkaas-bootstack (community) continuous-integration Approve
Linda Guo (community) Approve
Review via email: mp+402381@code.launchpad.net

Commit message

ensure requests uses the system ca bundle for ssl verify

`keystoneclient` will use `requests` to access api endpoints.
When https/ssl is enabled, `requests` will rely on package `certifi` to find ca certs for ssl verify.

However, `certifi` behaves differently depending on the package:

- in the python package, it returns the builtin `cacert.pem`, which is the Mozilla root certificates.
- in the deb package, it is modified to return `/etc/ssl/certs/ca-certificates.crt` as expected.

When we use vault, keystone endpoints will be https and ssl verify is needed.
The ca cert configured via `trusted_ssl_ca` will be merged into `/etc/ssl/certs/ca-certificates.crt`.

This is ok if the charm is running globally without a venv (the certifi deb package is used).
But when the charm is running in a venv (the certifi python package is used),
the above cert will be ignored by requests and cause a [SSL: CERTIFICATE_VERIFY_FAILED] error.

This patch sets the envvar REQUESTS_CA_BUNDLE to the system ca bundle, so
requests will use it as the ca cert instead of `.venv/.../certifi/cacert.pem`.

Related bugs:

LP: #1924816
LP: #1926670
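The precedence described in the commit message (an explicit `verify=` path beats the environment, `REQUESTS_CA_BUNDLE` beats `CURL_CA_BUNDLE`, and both beat `certifi.where()`) is what `requests` applies in `Session.merge_environment_settings` and `HTTPAdapter.cert_verify`. The following added example, which is not part of the charm or of `requests`, mirrors that resolution in pure stdlib Python so the outcome can be checked offline, shows the `setdefault` variant that keeps an operator-supplied override, and counts the certificates in a bundle while reproducing the `IOError` requests raises for a missing path. The venv `cacert.pem` path and the PEM blocks used for testing are constructed stand-ins, not real files or certificates.

```python
"""Resolve which CA bundle a `requests` call verifies against and sanity-check it.

Added example, not code from charm-openstack-service-checks or from requests.
Assumptions: requests' precedence is explicit verify= path > REQUESTS_CA_BUNDLE
> CURL_CA_BUNDLE > certifi.where(); keystoneauth1 passes verify=True by default,
so the environment variable is what decides the bundle for the charm's checks.
"""
import os
import re

SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed stand-in for certifi.where() inside a charm venv; on the Ubuntu
# deb package certifi.where() would already return SYSTEM_CA_BUNDLE.
VENV_CERTIFI_PEM = "/var/lib/juju/agents/unit-x/.venv/lib/python3/site-packages/certifi/cacert.pem"


def resolve_ca_bundle(verify=True, env=None, certifi_where=VENV_CERTIFI_PEM, trust_env=True):
    """Return the bundle path requests would use, None if verification is off."""
    if verify is False:
        return None  # TLS verification disabled: only acceptable in a throwaway lab
    if verify is not True:
        return verify  # an explicit path on the call/session wins over the environment
    env = os.environ if env is None else env
    if trust_env:
        # requests treats an empty value as unset, hence the truthiness check
        for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
            if env.get(var):
                return env[var]
    return certifi_where


def pin_system_bundle(env=None, path=SYSTEM_CA_BUNDLE, override=False):
    """Point requests at the system bundle.

    With override=False an operator-supplied REQUESTS_CA_BUNDLE is kept
    (os.environ.setdefault); with override=True it is replaced, which is
    what an unconditional assignment at import time does.
    """
    env = os.environ if env is None else env
    if override:
        env["REQUESTS_CA_BUNDLE"] = path
    else:
        env.setdefault("REQUESTS_CA_BUNDLE", path)
    return env["REQUESTS_CA_BUNDLE"]


_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(path):
    """Count certificates in a PEM bundle; raise like requests does for a bad path."""
    if not os.path.isfile(path):
        # requests.adapters.HTTPAdapter.cert_verify raises IOError with this wording
        raise IOError("Could not find a suitable TLS CA certificate bundle, invalid path: %s" % path)
    with open(path, "r") as fh:
        return len(_PEM_CERT.findall(fh.read()))


if __name__ == "__main__":
    chosen = resolve_ca_bundle()
    print("requests would verify against:", chosen)
    try:
        print("certificates in bundle:", count_pem_certs(chosen))
    except IOError as exc:
        print("bundle unusable:", exc)
```

Run it inside the charm's venv with and without `REQUESTS_CA_BUNDLE` exported to see which file wins; a `[SSL: CERTIFICATE_VERIFY_FAILED]` from keystone while the count for the system bundle includes the Vault CA points at the venv `cacert.pem` being selected rather than at the certificate itself.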

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :
review: Approve (continuous-integration)
Revision history for this message
Linda Guo (lihuiguo) wrote :

approved

review: Approve
Revision history for this message
Xav Paice (xavpaice) wrote :

one comment inline. Might be good to rethink a little, or get another opinion.

Revision history for this message
Xav Paice (xavpaice) wrote :

it's been pointed out to me that /etc/ssl/certs/ca-certificates.crt includes all the certs available to the machine, and therefore is a more useful store than the default one that comes with requests.

In which case, let's remove the verify=REQUESTS_CA_BUNDLE and make use of the env var for this, and all the other, requests sessions.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :
review: Needs Fixing (continuous-integration)
Revision history for this message
Joe Guo (guoqiao) wrote :

Hi Xav,

Thanks for your review.

I have verified that with only the envvar, SSL verify is also fixed.

A bugfix rev is released to `cs:~llama-charmers-next/openstack-service-checks-11` which can be used as test or work around.

Modified code re-pushed, new review appreciated.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :

A CI job is currently in progress. A follow up comment will be added when it completes.

Revision history for this message
🤖 prod-jenkaas-bootstack (prod-jenkaas-bootstack) wrote :
review: Approve (continuous-integration)
Revision history for this message
Xav Paice (xavpaice) wrote :

LGTM

review: Approve

Preview Diff

1diff --git a/src/lib/lib_openstack_service_checks.py b/src/lib/lib_openstack_service_checks.py
2index aecb859..e30dd19 100644
3--- a/src/lib/lib_openstack_service_checks.py
4+++ b/src/lib/lib_openstack_service_checks.py
5@@ -22,6 +22,19 @@ import keystoneauth1
6
7 from keystoneclient import session
8
9+# `requests` relies on package `certifi` to find ca certs.
10+# certifi deb package will return `/etc/ssl/certs/ca-certificates.crt` as expected,
11+# while its python package will return its builtin `cacert.pem`, which is
12+# Mozilla Root Certificates.
13+# when charm runs in venv, cetifi python package will be installed.
14+# So when we use self-signed certs (e.g: form vault) to verify, even if
15+# we included it in `/etc/ssl/certs/ca-certificates.crt`, it will be ignored
16+# by requests and cause [SSL: CERTIFICATE_VERIFY_FAILED] error.
17+# ref: LP#1924816
18+# this envvar will ensure requests to use system bundle for ssl verify
19+# instead of `certifi/cacert.pem`
20+os.environ["REQUESTS_CA_BUNDLE"] = "/etc/ssl/certs/ca-certificates.crt"
21+
22
23 class OSCCredentialsError(Exception):
24 """Define OSCCredentialError exception."""
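Review bot: line +20 writes `os.environ["REQUESTS_CA_BUNDLE"]`, but the visible context only shows `import keystoneauth1` and `from keystoneclient import session`; confirm `os` is imported above this hunk. The unconditional assignment at import time also overwrites any REQUESTS_CA_BUNDLE an operator has already set for the unit, so `os.environ.setdefault("REQUESTS_CA_BUNDLE", "/etc/ssl/certs/ca-certificates.crt")` would deliver the same fix while honouring an explicit override; since requests raises IOError for a bundle path that does not exist, the hard-coded path is only safe where ca-certificates is installed. Minor: the comment has "cetifi" for "certifi" and "form vault" for "from vault".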
