From f30afbb1bc47634487e1b35900f4a42422198a43 Mon Sep 17 00:00:00 2001
From: Chi Wai Chan
Date: Mon, 8 Jul 2024 09:27:54 +0800
Subject: [PATCH] Use custom TLS certificate if provided
Since `urllib3` uses `certifi` as the certificate provider [1], if the users enable TLS with a custom certificate, the `Service.do_get` method will not be able to verify the custom certificate. According to the documentation [1], we need to add `cert_reqs` and `ca_certs` to the `urllib3.PoolManager` when a custom certificate is used.
[1] https://urllib3.readthedocs.io/en/latest/advanced-usage.html#custom-tls-certificates
Story: #2011168
Task: #50514
Change-Id: I75857cf0d0d37254180aa3ae2305e16610c9fab4
---
 config_tempest/services/base.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/config_tempest/services/base.py b/config_tempest/services/base.py
index 662f96cb..9b8ca62a 100644
--- a/config_tempest/services/base.py
+++ b/config_tempest/services/base.py
@@ -59,6 +59,10 @@ class Service(object):
 if self.disable_ssl_validation:
 urllib3.disable_warnings()
 http = urllib3.PoolManager(cert_reqs='CERT_NONE')
+ elif self.ca_certs is not None:
+ http = urllib3.PoolManager(
+ cert_reqs='REQUIRED', ca_certs=self.ca_certs
+ )
 else:
 http = urllib3.PoolManager()
 r = http.request('GET', url, headers=self.headers)
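Review bot: The added `elif` is only reached when `disable_ssl_validation` is false, so a configuration that sets both that flag and a CA bundle still builds the pool with `cert_reqs='CERT_NONE'` and the supplied `ca_certs` is ignored without any signal. A comment above the `if` such as `# disable_ssl_validation takes precedence over ca_certs: no certificate verification is done when it is set` would make that ordering explicit, and a logged warning when both are set would help operators. In the new call, `cert_reqs='REQUIRED'` relies on urllib3 resolving the abbreviated name; `cert_reqs='CERT_REQUIRED'` matches the `'CERT_NONE'` spelling used in the branch above and the urllib3 documentation the commit message cites. Where `self.ca_certs` is assigned is not visible here, so it is worth confirming that an empty string cannot reach this branch, since `is not None` would let it through. The enclosing method starts and ends outside the hunk.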