Use system CA Certificate bundle when configuring resources
The charm bundles its dependencies to avoid the boundary violation of the charm being dependent on the software it manages. As a side effect the charm will not use the distro packaged version of ``python3-certifi`` which contains a patch [0] to make consumers load the system wide CA Certificate bundle. As a workaround we explicitly point our OpenStack client operations to the system wide bundle. 0: https://git.launchpad.net/ubuntu/+source/python-certifi/tree/debian/patches/0001-Use-Debian-provided-etc-ssl-certs-ca-certificates.cr.patch Change-Id: Iad466c7ff6cf680f74168852afea4a67815d0249 Closes-Bug: #1819205
This commit is contained in:
parent
a6fdb6ebf5
commit
69dfed11ac
|
@ -41,6 +41,7 @@ NEUTRON_TEMP_EXCS = (keystone_exceptions.catalog.EndpointNotFound,
|
|||
keystone_exceptions.discovery.DiscoveryFailure,
|
||||
keystone_exceptions.http.ServiceUnavailable,
|
||||
neutronclient.common.exceptions.ServiceUnavailable)
|
||||
SYSTEM_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'
|
||||
|
||||
|
||||
class APIUnavailable(Exception):
|
||||
|
@ -100,7 +101,10 @@ def session_from_identity_service(identity_service):
|
|||
project_domain_name=identity_service.service_domain(),
|
||||
project_name=identity_service.service_tenant(),
|
||||
)
|
||||
return keystone_session.Session(auth=auth)
|
||||
# NOTE(fnordahl): LP: #1819205 since the charm bundles its dependencies we
|
||||
# do not get the patched python ``certifi`` package that ponits at the
|
||||
# system wide certificate store. We need to point clients there ourself.
|
||||
return keystone_session.Session(auth=auth, verify=SYSTEM_CA_BUNDLE)
|
||||
|
||||
|
||||
def get_nova_flavor(identity_service):
|
||||
|
|
|
@ -87,7 +87,8 @@ class TestAPICrud(test_utils.PatchHelper):
|
|||
project_name=identity_service.service_tenant(),
|
||||
)
|
||||
self.keystone_session.Session.assert_called_once_with(
|
||||
auth=self.keystone_identity.Password())
|
||||
auth=self.keystone_identity.Password(),
|
||||
verify='/etc/ssl/certs/ca-certificates.crt')
|
||||
self.assertEqual(result, self.keystone_session.Session())
|
||||
|
||||
def test_get_nova_flavor(self):
|
||||
|
|
Loading…
Reference in New Issue