Use system CA Certificate bundle when configuring resources

The charm bundles its dependencies to avoid the boundary
violation of the charm being dependent on the software it
manages.

As a side effect the charm will not use the distro packaged
version of ``python3-certifi`` which contains a patch [0] to
make consumers load the system wide CA Certificate bundle.

As a workaround we explicitly point our OpenStack client
operations to the system wide bundle.

0: https://git.launchpad.net/ubuntu/+source/python-certifi/tree/debian/patches/0001-Use-Debian-provided-etc-ssl-certs-ca-certificates.cr.patch

Change-Id: Iad466c7ff6cf680f74168852afea4a67815d0249
Closes-Bug: #1819205
Frode Nordahl 2019-03-12 10:27:36 +01:00
parent a6fdb6ebf5
commit 69dfed11ac
No known key found for this signature in database
GPG Key ID: 6A5D59A3BA48373F
2 changed files with 7 additions and 2 deletions


@ -41,6 +41,7 @@ NEUTRON_TEMP_EXCS = (keystone_exceptions.catalog.EndpointNotFound,
keystone_exceptions.discovery.DiscoveryFailure,
keystone_exceptions.http.ServiceUnavailable,
neutronclient.common.exceptions.ServiceUnavailable)
SYSTEM_CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'
class APIUnavailable(Exception):
@ -100,7 +101,10 @@ def session_from_identity_service(identity_service):
project_domain_name=identity_service.service_domain(),
project_name=identity_service.service_tenant(),
)
return keystone_session.Session(auth=auth)
# NOTE(fnordahl): LP: #1819205 since the charm bundles its dependencies we
# do not get the patched python ``certifi`` package that ponits at the
# system wide certificate store. We need to point clients there ourself.
return keystone_session.Session(auth=auth, verify=SYSTEM_CA_BUNDLE)
def get_nova_flavor(identity_service):
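Review bot: `SYSTEM_CA_BUNDLE` hard-codes the Debian/Ubuntu bundle path and the new `return` in `session_from_identity_service` passes it unconditionally, so nothing here documents what happens when that file is absent or lacks the CA that signed the Keystone endpoint. Certificate verification stays enabled, which is the right choice, but a missing or incomplete bundle would presumably surface as a TLS or file error at request time rather than as one of the exceptions in `NEUTRON_TEMP_EXCS`; that is worth confirming. I would add a comment at the constant such as `# Debian/Ubuntu system bundle; must exist and contain the deployment's CA (refreshed by update-ca-certificates)`, and correct the NOTE wording to `points at the system wide certificate store` and `ourselves`. The body of `session_from_identity_service` starts outside the hunk.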


@ -87,7 +87,8 @@ class TestAPICrud(test_utils.PatchHelper):
project_name=identity_service.service_tenant(),
)
self.keystone_session.Session.assert_called_once_with(
auth=self.keystone_identity.Password())
auth=self.keystone_identity.Password(),
verify='/etc/ssl/certs/ca-certificates.crt')
self.assertEqual(result, self.keystone_session.Session())
def test_get_nova_flavor(self):