Merge pull request #22 from HumairAK/add_certs

add more cert file paths to executor.
opendatahub-io · Mar 11, 2024 · 8517013 · 8517013
2 parents 2ef1607 + 5cf4655
commit 8517013
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/backend/src/v2/compiler/argocompiler/container.go b/backend/src/v2/compiler/argocompiler/container.go
@@ -347,11 +347,36 @@ func (c *workflowCompiler) addContainerExecutorTemplate() string {
 	caBundleCfgMapKey := os.Getenv("ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_KEY")
 	caBundleMountPath := os.Getenv("ARTIFACT_COPY_STEP_CABUNDLE_MOUNTPATH")
 	if caBundleCfgMapName != "" && caBundleCfgMapKey != "" {
+		caFile := fmt.Sprintf("%s/%s", caBundleMountPath, caBundleCfgMapKey)
 		var certDirectories = []string{
 			caBundleMountPath,
 			"/etc/ssl/certs",
 			"/etc/pki/tls/certs",
 		}
+		// Add to REQUESTS_CA_BUNDLE for python request library.
+		// As many python web based libraries utilize this, we add it here so the user
+		// does not have to manually include this in the user pipeline.
+		// Note: for packages like Boto3, even though it is documented to use AWS_CA_BUNDLE,
+		// we found the python boto3 client only works if we include REQUESTS_CA_BUNDLE.
+		// https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification
+		// https://github.com/aws/aws-cli/issues/3425
+		executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
+			Name:  "REQUESTS_CA_BUNDLE",
+			Value: caFile,
+		})
+		// For AWS utilities like cli, and packages.
+		executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
+			Name:  "AWS_CA_BUNDLE",
+			Value: caFile,
+		})
+		// OpenSSL default cert file env variable.
+		// Similar to AWS_CA_BUNDLE, the SSL_CERT_DIR equivalent for paths had unyielding
+		// results, even after rehashing.
+		// https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html
+		executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
+			Name:  "SSL_CERT_FILE",
+			Value: caFile,
+		})
 		sslCertDir := strings.Join(certDirectories, ":")
 		executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
 			Name:  "SSL_CERT_DIR",
@@ -372,7 +397,7 @@ func (c *workflowCompiler) addContainerExecutorTemplate() string {
 
 		volumeMount := k8score.VolumeMount{
 			Name:      volumeNameCABUndle,
-			MountPath: fmt.Sprintf("%s/%s", caBundleMountPath, caBundleCfgMapKey),
+			MountPath: caFile,
 			SubPath:   caBundleCfgMapKey,
 		}