lp1924816-requests-ca-bundle : lp:~guoqiao/charm-openstack-service-checks : Git : Code : charm-openstack-service-checks

Get this branch:: git clone -b lp1924816-requests-ca-bundle https://git.launchpad.net/~guoqiao/charm-openstack-service-checks

Only Joe Guo can upload to this branch. If you are Joe Guo please log in for upload directions.

Branch merges

Merged into charm-openstack-service-checks:master at revision 0be89e2704ce636fa9f9d1df54d264971a3ba26e

Xav Paice (community): Approve on 2021-05-26

🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration) on 2021-05-14

Linda Guo (community): Approve on 2021-05-13

Branch information

Name:: lp1924816-requests-ca-bundle

Repository:: lp:~guoqiao/charm-openstack-service-checks

Recent commits

0be89e2... by Joe Guo on 2021-05-05

ensure requests to use system ca bundle for ssl verify

`keystoneclient` will use `requests` to access api endpoints.
When https/ssl is enabled, `requests` will rely on package `certifi` to find ca certs for ssl verify.

However, `certifi` has different behavior:

- in python package, it will return builtin `cacert.pem` which is Mozilla Root Certificates.
- in deb package, it's modified to return `/etc/ssl/certs/ca-certificates.crt` as expected.

When we use vault, keystone endpoints will be https and ssl verify is needed.
The ca cert configured via `trusted_ssl_ca` will be merged into `/etc/ssl/certs/ca-certificates.crt`.

This is ok if charm is running globally without venv (certifi deb package is used).
But when charm is running in venv(certifi python package is used),
above cert will be ignored by requests and cause [SSL: CERTIFICATE_VERIFY_FAILED] error.

This patch set envvar REQUESTS_CA_BUNDLE to system ca bundle, so
requests will use it as ca cert, instead of `.venv/.../certifi/cacert.pem`.

Related bugs:
LP: #1924816
LP: #1926670