Skip to content

Use container's system CA trust store #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 15, 2024
Merged

Use container's system CA trust store #16

merged 1 commit into from
Apr 15, 2024

Conversation

markgoddard
Copy link

Previously it was not possible to use this image in an environment with
a CA that is not trusted by the Python trust store. This is because the
rally-verify-wrapper.sh script unset any OS_CACERT environment variable
(presumably assuming any CA cert would not necessarily be available in
the container).

This change makes it possible to bind mount CA certificates in the
container under /usr/local/share/ca-certificates/ and have them added
to the system trust store and used by Rally/Tempest. In this case,
OS_CACERT is set automatically.

If there are no certificates in /usr/local/share/ca-certificates/, we
revert to the previous behaviour of unsetting OS_CACERT.

@markgoddard markgoddard self-assigned this Apr 11, 2024
markgoddard added a commit to stackhpc/kayobe-automation that referenced this pull request Apr 11, 2024
@markgoddard
Add support for specifying a CA certificate for Rally/Tempest
6fb1aa1 
The tempest_cacert variable may specify the CA certificate path.

Depends on stackhpc/docker-rally#16
@markgoddard markgoddard mentioned this pull request Apr 11, 2024
Merged
@markgoddard markgoddard marked this pull request as ready for review April 11, 2024 15:36
@markgoddard markgoddard marked this pull request as draft April 12, 2024 08:26
@markgoddard markgoddard changed the base branch from master to jammy April 13, 2024 08:45
@markgoddard markgoddard marked this pull request as ready for review April 13, 2024 08:45
@markgoddard
Use container's system CA trust store
cd5aec9 
Previously it was not possible to use this image in an environment with
a CA that is not trusted by the Python trust store. This is because the
rally-verify-wrapper.sh script unset any OS_CACERT environment variable
(presumably assuming any CA cert would not necessarily be available in
the container).

This change makes it possible to bind mount CA certificates in the
container under /usr/local/share/ca-certificates/ and have them added
to the system trust store and used by Rally/Tempest. In this case,
OS_CACERT is set automatically.

If there are no certificates in /usr/local/share/ca-certificates/, we
revert to the previous behaviour of unsetting OS_CACERT.
@markgoddard markgoddard changed the base branch from jammy to upper-constraints April 13, 2024 09:02
Base automatically changed from upper-constraints to master April 15, 2024 14:55
@markgoddard markgoddard merged commit defe6b0 into master Apr 15, 2024
markgoddard added a commit to stackhpc/kayobe-automation that referenced this pull request Apr 15, 2024
@markgoddard
Add support for specifying a CA certificate for Rally/Tempest
5c6ba2e 
The tempest_cacert variable may specify the CA certificate path.

Depends on stackhpc/docker-rally#16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnasiadka mnasiadka mnasiadka approved these changes

@jovial jovial Awaiting requested review from jovial

@scrungus scrungus Awaiting requested review from scrungus

@MoteHue MoteHue Awaiting requested review from MoteHue

Assignees

@markgoddard markgoddard

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@markgoddard @mnasiadka