Use the system trust store for python requests rather than certifi

Custom CAs are added to the system trust store, never to certifi.
It is necessary to use the system trust store to cover the scenario
where private or self-signed certificate authorities are used to
secure APIs that the uwsgi service should communicate with.

The default is changed to the system trust store, and can be overridden
per service through uwsgi_services, or globally through uwsgi_ini_overrides.

Change-Id: Idb532c206c3338b9934dfa47e76170aebbb5a5ef
Jonathan Rosser 2021-06-23 09:06:01 +01:00
parent 95f74142a3
commit 5f2a073243
7 changed files with 15 additions and 0 deletions


@ -28,6 +28,9 @@ uwsgi_python_executable: "python3"
uwsgi_package_state: "latest"
# Default environment variables to set for uwsgi process
uwsgi_env: "{{ _uwsgi_env }}"
# Define uwsgi_services for deployment of uwsgi. You should provide
# at least wsgi_path and uwsgi_port. wsgi_venv should be defined for
# services installed inside virtualenv.
@ -45,6 +48,7 @@ uwsgi_package_state: "latest"
# uwsgi_threads: 1
# uwsgi_bind_address: 0.0.0.0
# uwsgi_port: 8080
# uwsgi_env: "FOO=bar"
uwsgi_services: {}
# Override can be used to apply config change to all uwsgi services
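Review bot: The commented example `# uwsgi_env: "FOO=bar"` does not say that a per-service value replaces the role default rather than adding to it, so a service that sets it drops REQUESTS_CA_BUNDLE and python requests goes back to the certifi bundle. With a private CA that surfaces as certificate verification failures, which operators tend to work around by switching verification off. I would add a line next to the example such as `# NOTE: replaces the default uwsgi_env; repeat the REQUESTS_CA_BUNDLE setting if the service still needs the system trust store`. The uwsgi_services comment block is only partly visible across the two hunks.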


@ -30,6 +30,7 @@ http-auto-chunked = true
http-raw-body = true
socket-timeout = 10
need-app = true
env = {{ item.value.uwsgi_env | default(uwsgi_env) }}
log-x-forwarded-for = true
# Avoid filling up the logs with health check requests from haproxy.
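Review bot: The new `env = {{ item.value.uwsgi_env | default(uwsgi_env) }}` line can emit only one KEY=VALUE pair, so a service cannot add a variable of its own and keep the CA bundle setting at the same time. uwsgi accepts the `env` option more than once, so the template could take a list and loop over it, e.g. `{% for e in [item.value.uwsgi_env | default(uwsgi_env)] | flatten %}` / `env = {{ e }}` / `{% endfor %}`, which keeps a plain string working. It is also worth checking what is rendered when the variable is set to an empty string, since `env = ` with no value may not be what uwsgi expects. The rest of the ini template is outside the hunk.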


@ -22,3 +22,5 @@ uwsgi_distro_packages:
- libpython3.7
- uwsgi
- uwsgi-plugin-python3
_uwsgi_env: "REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"
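Review bot: `_uwsgi_env` hard-codes `/etc/ssl/certs/ca-certificates.crt`, but nothing visible here makes sure that file exists; the visible entries of `uwsgi_distro_packages` do not include the ca-certificates package, although the list starts outside the hunk. When REQUESTS_CA_BUNDLE points at a missing path, requests rejects the path on every HTTPS call instead of falling back to certifi, so the failure would be service-wide. Either add the package to the list or record the dependency with a comment such as `# requires the distro CA bundle (ca-certificates package) to be installed`. The same applies to the other four vars files, including the `/etc/pki/tls/certs/ca-bundle.crt` variant. The variable is also specific to requests, so a comment noting that other HTTP clients in the service need their own trust-store setting would help.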


@ -22,3 +22,5 @@ uwsgi_distro_packages:
- libpython3.9
- uwsgi
- uwsgi-plugin-python3
_uwsgi_env: "REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"


@ -18,3 +18,5 @@ uwsgi_bin: '/usr/sbin'
uwsgi_distro_packages:
- uwsgi
- uwsgi-plugin-python3
_uwsgi_env: "REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt"


@ -22,3 +22,5 @@ uwsgi_distro_packages:
- libpython3.6
- uwsgi
- uwsgi-plugin-python3
_uwsgi_env: "REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"


@ -22,3 +22,5 @@ uwsgi_distro_packages:
- libpython3.8
- uwsgi
- uwsgi-plugin-python3
_uwsgi_env: "REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"