Does Pants not support self-signed certificates fo...
# general
a
Does Pants not support self-signed certificates for self-hosted PyPI remote repositories? If I run with `--keep-sandboxes=always` and edit the `__run.sh` manually to include `REQUESTS_CA_BUNDLE=/path/to/tmp/sandbox/ca-certificates.crt` everything works. Without this I run into issues with certificate verification. I've tried to set the `REQUESTS_CA_BUNDLE` in `pants.toml` to the full path, but this is obviously not going to work in isolated environments. Is there a special variable I can use inside the config, e.g. `env_vars.add = ["REQUESTS_CA_BUNDLE=${chroot}/ca-certificates.crt"]`?
I was able to get this working using:
```toml
[subprocess-environment]
env_vars.add = [
  "REQUESTS_CA_BUNDLE={chroot}/ca-certificates.crt"
]
```
In the `pants.toml`
h
Yep, that is the way to go
a
I thought so too. This works for creating lockfiles. However, if we create a simple test and run it with `pants test --timeouts -ldebug --output=all projects/project-1/tests/integration/test_google.py -- -s`:
```python
import requests

def test_requests():
    res = requests.get("https://google.com")
    print(res.status_code)
```
This fails with the following error:
```
if not cert_loc or not os.path.exists(cert_loc):
>               raise OSError(
                    f"Could not find a suitable TLS CA certificate bundle, "
                    f"invalid path: {cert_loc}"
                )
E               OSError: Could not find a suitable TLS CA certificate bundle, invalid path: {chroot}/ca-certificates.crt
```
Inside the code for `requests`. It appears as if it is not expanded here?
h
a
I'm not sure I understand or can use this. We must set `REQUESTS_CA_BUNDLE` in `pants.toml` in order to generate lockfiles that include packages from our self-hosted package repository for PyPI. This also must start with `{chroot}` to work in the isolated environments and use the `ca-certificates.crt` that is copied in here. When running `pants test` this environment variable is not expanded and is interpreted as the raw string `{chroot}/ca-certificates.crt`. If I set:
```python
python_tests(
    name="tests",
    extra_env_vars=[
        "REQUESTS_CA_BUNDLE={chroot}/ca-certificates.crt",
        "TEST_VARIABLE={chroot}/ca-certificates.crt",
    ]
)
```
And run a test in which we print `TEST_VARIABLE` and `REQUESTS_CA_BUNDLE` the result is:
```
REQUESTS_CA_BUNDLE = {chroot}/ca-certificates.crt
TEST_VARIABLE = /tmp/pants-sandbox-cPNeTM/ca-certificates.crt
```
This seems like a bug to me regarding inheritance of environment variables from pants.toml.
h
Hmm, yeah that does seem like a bug
For one thing, the per-target value should win over the general pants.toml value
Can you file a bug?
And would you be able to tackle it? It should be very straightforward (I hope)
a
I'll file a bug and see if I can get to it myself!