If you are dealing with AI these days like myself you are probably deploying a lot of python applications in containers. If your applications are referencing AI models API endpoint you are most likely also dealing with SSL communication configuration.
In this post I'll quickly explain how to validate certificates signed by custom CA in SSL communication in Python applications (using requests package) needed to access the CA certificates chain used to sign the certificate used by secured service. Here is guideline how this can be achieved in OpenShift or other Kubernetes flavour.
1. First we need to download certificate chain used by the secured service:
$ openssl s_client -showcerts -connect my-service.my-domain.local:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate_chain.pem
If CA certs are missing you must manually copy them to certificate_chain.pem
We can quickly check what is the content of the file:
$ cat certificate_chain.pem | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs | grep subject | head
2. Next let's create secret containing these certificates:
$ oc create secret generic ca-certs --from-file=cacerts.crt=certificate_chain.pem
3. Mount secret to the python application Kubernetes deployment:
$ oc set volume deployment my-python-app --add --type secret --mount-path /var/secrets --secret-name ca-certs --read-only
4. Add environment variable REQUESTS_CA_BUNDLE to the python application Kubernetes deployment pointing to the path where secret containing certificates has been mounted:
$ oc set env deployment my-python-app REQUESTS_CA_BUNDLE=/var/secrets/cacerts.crt --overwrite=true
From now on the requests package will use these certificates to validate certificates presented by secured service referenced by the python application.