Use system trust store as REQUESTS_CA_BUNDLE

m-bull · m-bull · commit 9dfc157082d5 · 2025-04-17T10:10:03.000+01:00
By default Python requests uses its own CA bundle rather
than the system trust store. As we optionally update
the system trust store with our own CA, force Python
requests to use the system trust store as its CA bundle.
diff --git a/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml
@@ -115,6 +115,7 @@
               ACCESS_KEY: "{{ ec2.Access }}"
               SECRET_KEY: "{{ ec2.Secret }}"
               VIRTUAL_PORT: "{{ stackhpc_radosgw_usage_exporter_port | string }}"
+              REQUESTS_CA_BUNDLE: "/etc/ssl/certs/ca-certificates.crt"
             entrypoint: "{{ ['python', '-u', './radosgw_usage_exporter.py', '--insecure'] if not stackhpc_radosgw_usage_exporter_verify else omit }}"
           vars:
             ec2: "{{ credential.stdout | from_json | first }}"
diff --git a/releasenotes/notes/rgw-usage-exporter-deployment-fixes-0196167326dbe456.yaml b/releasenotes/notes/rgw-usage-exporter-deployment-fixes-0196167326dbe456.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fixed RADOS gateway usage exporter deployment failing
+    to generate ec2 credentials for the ceph_rgw user.
+  - |
+    Fixed RADOS gateway usage exporter not using the system
+    trust root as its CA bundle.
