Currently there is no way to provide SSL configuration for Trove, so it
fails e.g. when uploading backups to a secured Swift endpoint. This
patch sets an environment variable (REQUESTS_CA_BUNDLE [1]) understood
by the Requests library for Python, so all HTTPS calls done by the
trove-guest service will trust the provided CAs.

For Ubuntu Xenial and Fedora a systemd drop-in sets this environment
variable for the trove-guest service, so it uses Ubuntu's/Fedora's system
certificate store to validate server certificates.

For Ubuntu Trusty the upstart script is modified to build and use a
bundle file from certificates in /usr/local/share/ca-certificates,
because the Requests library doesn't support CA directories in such old
Python versions.

On Ubuntu systems the custom certificates are taken from
/usr/local/share/ca-certificates; please use PEM format, .crt extension
and call update-ca-certificates.

On Fedora systems custom certificates can be put in
/usr/share/pki/ca-trust-source/anchors; please use PEM format, .pem
extension and call update-ca-trust.

[1] http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

Change-Id: I0025e7c72fa2d863ae9540941956b1ab63bcc636
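
The Trusty case in the commit message above (one bundle file built from the .crt files in a CA directory, then named in REQUESTS_CA_BUNDLE) can be illustrated as follows. This is an added example, not the code from the Trove patch; the function name `build_ca_bundle` and the bundle path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the Trove upstart script): build one PEM bundle from the
# *.crt files in a CA directory, for use as REQUESTS_CA_BUNDLE.

# build_ca_bundle SRC_DIR OUT_FILE
# Returns 0 if at least one certificate file was bundled, 1 otherwise.
build_ca_bundle() {
    src_dir=$1
    out_file=$2
    count=0
    # Write to a temp file first so a failed run never leaves a partial bundle
    tmp=$(mktemp "${out_file}.XXXXXX") || return 1
    for crt in "$src_dir"/*.crt; do
        [ -f "$crt" ] || continue            # glob matched nothing
        # Skip anything that is not PEM (e.g. DER files with a .crt extension)
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" ||
           ! grep -q -- '-----END CERTIFICATE-----' "$crt"; then
            echo "skipping non-PEM file: $crt" >&2
            continue
        fi
        cat "$crt" >> "$tmp"
        # Guarantee a newline between certificates; a missing one fuses the
        # END/BEGIN markers and corrupts the bundle
        [ -z "$(tail -c 1 "$crt")" ] || echo >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$out_file"
}

# Usage (the bundle path is an assumption, not taken from the patch):
#   build_ca_bundle /usr/local/share/ca-certificates /var/lib/trove-ca/bundle.pem \
#       && export REQUESTS_CA_BUNDLE=/var/lib/trove-ca/bundle.pem
```

Requests uses the file named by REQUESTS_CA_BUNDLE in place of its default bundle, so a CA that is not in the file is not trusted by the service.
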
This commit will merge into trove the trove-integration tree as of
commit 9f92ca853f8aa2f72921e54682c918941a8f0919. This is in
preparation for making trove-integration go away.

In addition, it suppresses any consideration of the integration
directory in the trove tox tests as it is understandably a small pile
of pooh and in need of much cleanup.

Change-Id: Ib7f2655c4c5ed86b5454708c04371ee55e37ec2d
Partially-Implements-Blueprint: eliminate-trove-integration-and-redstack