
Support custom certificates for any exporter that uses requests


The simplest approach is to allow mounting the CA trust file in the container, and then have the environment variable REQUESTS_CA_BUNDLE point to that path.

However, we must take care because prepared requests do not take the environment into account. This is true even if you set the verify path on the session object.

It’s also not clear if specifying this overrides or augments the CA bundles provided by certifi. That’s risky to mix in a project that might reach out to public instances as well as private ones.

One solution that can handle both use cases: detect if a custom CA bundle is specified, and if so, append it to the CA bundle from certifi at container startup.

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 10

Top GitHub Comments

2 reactions
mpryc commented, May 25, 2022

So the issue is that a self-signed SSL certificate for the REST APIs needs to be used by the Python exporter, which is running inside the pod, to access an external service such as a self-hosted JIRA instance or other self-hosted service. This is exactly #463, except it’s a bit wider: not only for the JIRA exporter, but more generically for any type of exporter to consume.

I will play with it, but my initial thought is that we should allow creating a per-exporter ConfigMap with a self-signed/custom CA certificate. This will be mounted in the exporter pod and used by the Python code to connect to the external service.

I am not convinced (yet) that adding a custom/self-signed certificate to the global cluster ca-bundle.crt is the right approach, as this will be available to all pods in all namespaces rather than only to the exporter which requires this certificate. We may have multiple REST API endpoints with different self-signed certificates.

1 reaction
KevinMGranger commented, May 25, 2022

It’s also not clear if specifying this overrides or augments the CA bundles provided by certifi

I just verified this. It will override them, which means, for example:

  • You have two projects tracked by committime.
  • One is hosted on github.com,
  • The other on some internal provider with a custom cert.

If you give a custom bundle, getting the first project will break, while the second one works.

Luckily, the library that requests uses, certifi, exposes its bundle! We could have a pre-processing step that appends both together, and then sets that file as the CA bundle.
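The pre-processing step proposed in the issue body and confirmed in the comment above, written out as an added example (this is not code from the issue or from the exporter project). It assumes a hypothetical environment variable `EXPORTER_CUSTOM_CA_FILE` pointing at the mounted ConfigMap file, merges that file with certifi's public roots into a new bundle, and sets `REQUESTS_CA_BUNDLE` to the result. It also refuses an empty or truncated custom file, so a mis-mounted ConfigMap fails at startup rather than silently stripping trust for public endpoints, and it shows the explicit `merge_environment_settings` call that prepared requests need, since they do not read the environment on their own:

```python
"""Startup step: build one CA bundle from certifi's public roots plus an
optional custom CA file, then point requests at it."""
import os
import tempfile

# PEM markers used to sanity-check bundle contents (bytes, since bundles
# may carry non-ASCII issuer comments).
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Hypothetical variable naming the mounted ConfigMap file (assumption).
CUSTOM_CA_ENV = "EXPORTER_CUSTOM_CA_FILE"
# The variable requests honours for non-prepared requests.
MERGED_BUNDLE_ENV = "REQUESTS_CA_BUNDLE"


def count_pem_certificates(pem: bytes) -> int:
    """Count complete BEGIN/END CERTIFICATE blocks; reject truncated files."""
    begins = pem.count(PEM_BEGIN)
    ends = pem.count(PEM_END)
    if begins != ends:
        raise ValueError("malformed PEM: unbalanced BEGIN/END CERTIFICATE markers")
    return begins


def merge_ca_bundles(base_bundle: str, custom_ca: str, out_path: str) -> int:
    """Append custom_ca to base_bundle, writing out_path atomically.

    Returns the number of certificates in the merged bundle. Raises if the
    custom file contains no certificate, so a bad mount is caught at startup.
    """
    with open(base_bundle, "rb") as f:
        base = f.read()
    with open(custom_ca, "rb") as f:
        custom = f.read()
    if count_pem_certificates(custom) == 0:
        raise ValueError(f"{custom_ca} contains no PEM certificate")
    merged = base.rstrip(b"\n") + b"\n" + custom.strip() + b"\n"
    # Write to a temp file in the target directory and rename over out_path,
    # so no reader ever sees a half-written bundle.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(out_path) or ".", prefix=".ca-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(merged)
        os.replace(tmp, out_path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return count_pem_certificates(merged)


def configure_trust(base_bundle: str, out_path: str, environ=os.environ) -> str:
    """Pick the bundle to use: merged if a custom CA is configured, else base.

    Sets REQUESTS_CA_BUNDLE in `environ` and returns the chosen path.
    """
    custom = environ.get(CUSTOM_CA_ENV)
    if custom:
        merge_ca_bundles(base_bundle, custom, out_path)
        chosen = out_path
    else:
        chosen = base_bundle
    environ[MERGED_BUNDLE_ENV] = chosen
    return chosen


def certifi_bundle_path() -> str:
    """certifi.where() is the public root bundle requests trusts by default."""
    import certifi  # imported lazily so the file helpers work without it
    return certifi.where()


def send_prepared(session, prepared):
    """Prepared requests ignore REQUESTS_CA_BUNDLE; merge the environment
    settings (verify path, proxies) explicitly before session.send()."""
    settings = session.merge_environment_settings(prepared.url, {}, None, None, None)
    return session.send(prepared, **settings)


if __name__ == "__main__":
    # Constructed output location for the merged bundle (assumption).
    chosen = configure_trust(certifi_bundle_path(), "/tmp/merged-ca-bundle.pem")
    print("using CA bundle:", chosen)
```

Running `configure_trust` once at container start, before any exporter code builds a session, keeps the public roots intact while adding the private CA for that exporter only, which matches the per-exporter ConfigMap idea rather than editing the cluster-wide bundle.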
