X Tutup
Skip to content
This repository was archived by the owner on Mar 23, 2026. It is now read-only.

fix/external client CA bundle#13451

Merged
cloutierMat merged 4 commits intomainfrom
fix/external-client-ca-bundle
Dec 2, 2025
Merged

fix/external client CA bundle#13451
cloutierMat merged 4 commits intomainfrom
fix/external-client-ca-bundle

Conversation

@cloutierMat
Copy link
Member

@cloutierMat cloutierMat commented Dec 2, 2025
edited
Loading

Motivation

This PR enforces custom CA Certificates to the ExternalBypassDnsClientFactory. This change will enable our users using proxy with ssl termination to register their own CA bundles.

Changes

The CA bundle provided with REQUESTS_CA_BUNDLE will now be used to configure the connections of the ExternalBypassDnsClientFactory

Tests

Related

fixes UNC-137
upstream test full-run: 19842076873

@github-actions
Copy link

github-actions bot commented Dec 2, 2025
edited
Loading

S3 Image Test Results (AMD64 / ARM64)

    2 files  ±0    2 suites  ±0   7m 48s ⏱️ +2s
  544 tests ±0  492 ✅ ±0   52 💤 ±0  0 ❌ ±0 
1 088 runs  ±0  984 ✅ ±0  104 💤 ±0  0 ❌ ±0 

Results for commit 7675df2. ± Comparison against base commit c603057.

♻️ This comment has been updated with latest results.

@cloutierMat cloutierMat added semver: patch Non-breaking changes which can be included in patch releases area: replicator docs: skip Pull request does not require documentation changes notes: skip Pull request does not have to be mentioned in the release notes labels Dec 2, 2025
@github-actions
Copy link

github-actions bot commented Dec 2, 2025
edited
Loading

Test Results - Preflight, Unit

22 889 tests  ±0   21 075 ✅ ±0   6m 53s ⏱️ +26s
     1 suites ±0    1 814 💤 ±0 
     1 files   ±0        0 ❌ ±0 

Results for commit 7675df2. ± Comparison against base commit c603057.

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Dec 2, 2025
edited
Loading

Test Results (amd64) - Acceptance

7 tests  ±0   5 ✅ ±0   3m 26s ⏱️ +7s
1 suites ±0   2 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit 7675df2. ± Comparison against base commit c603057.

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Dec 2, 2025
edited
Loading

Test Results (amd64) - Integration, Bootstrap

    5 files  ±0      5 suites  ±0   2h 39m 36s ⏱️ - 1m 9s
5 477 tests ±0  4 925 ✅ ±0  552 💤 ±0  0 ❌ ±0 
5 483 runs  ±0  4 925 ✅ ±0  558 💤 ±0  0 ❌ ±0 

Results for commit 7675df2. ± Comparison against base commit c603057.

♻️ This comment has been updated with latest results.

@github-actions
Copy link

github-actions bot commented Dec 2, 2025
edited
Loading

LocalStack Community integration with Pro

    2 files  ±0      2 suites  ±0   2h 3m 48s ⏱️ -26s
5 103 tests ±0  4 711 ✅ ±0  392 💤 ±0  0 ❌ ±0 
5 105 runs  ±0  4 711 ✅ ±0  394 💤 ±0  0 ❌ ±0 

Results for commit 7675df2. ± Comparison against base commit c603057.

♻️ This comment has been updated with latest results.

@cloutierMat cloutierMat marked this pull request as ready for review December 2, 2025 02:33
@cloutierMat cloutierMat requested a review from thrau as a code owner December 2, 2025 02:33
@cloutierMat cloutierMat requested a review from simonrw December 2, 2025 02:34
@cloutierMat cloutierMat added the review: merge when ready Signals to the reviewer that a PR can be merged if accepted label Dec 2, 2025
simonrw
simonrw approved these changes Dec 2, 2025
View reviewed changes
Copy link
Contributor

@simonrw simonrw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am ok with this change given the current api but this envar is not one of ours - it's from requests itself. It's a shame we are hard coding these variables rather than reading from the standard environment. Ho hum...

Let's just address my suggestion otherwise

localstack-core/localstack/aws/connect.py Outdated
if ca_cert := os.getenv("REQUESTS_CA_BUNDLE"):
LOG.debug("Creating External AWS Client with REQUESTS_CA_BUNDLE=%s", ca_cert)

super().__init__(use_ssl=True, verify=ca_cert or True, session=session, config=config)
Copy link
Contributor

@simonrw simonrw Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use USE_SSL here for the ssl flag?

Copy link
Member Author

@cloutierMat cloutierMat Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a shame we are hard coding these variables rather than reading from the standard environment. Ho hum...

I agree this isn't the cleanest, but this is what is currently used and documented in LocalStack. I thought of using AWS_CA_BUNDLE instead, but it seemed quite repetitive with what is already implemented for ca bundles.

Should we use USE_SSL here for the ssl flag?

Good point. Is there any security concern for the user to do so? I guess they are in control of setting the env, so probably not.

@cloutierMat cloutierMat merged commit 049201f into main Dec 2, 2025
49 checks passed
@cloutierMat cloutierMat deleted the fix/external-client-ca-bundle branch December 2, 2025 20:25
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@thrau thrau Awaiting requested review from thrau thrau is a code owner

1 more reviewer

@simonrw simonrw simonrw approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area: replicator docs: skip Pull request does not require documentation changes notes: skip Pull request does not have to be mentioned in the release notes review: merge when ready Signals to the reviewer that a PR can be merged if accepted semver: patch Non-breaking changes which can be included in patch releases

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cloutierMat @simonrw
X Tutup