Fix handling of self-signed certs in s3_conn

chess-knight · chess-knight · commit af40f19801c7 · 2026-04-01T10:23:37.000+02:00
Take insecure/verify/cacert parameter from clouds.yaml
and pass it to boto3.resource.
If insecure is True or verify is False use verify=False
also for boto3.
Else, if you provide cacert(via cacert or verify parameter)
it is also used for boto3.
If nothing from above is met, use verify=None to keep default boto3 behaviour.

Signed-off-by: Roman Hros &lt;roman.hros@dnation.cloud&gt;
diff --git a/Tests/iaas/scs_0123_mandatory_services/mandatory_services.py b/Tests/iaas/scs_0123_mandatory_services/mandatory_services.py
@@ -28,12 +28,13 @@ def compute_scs_0123_service_presence(services_lookup, *names):
 
 def s3_conn(creds, conn):
     """Return an s3 client conn"""
+    insecure = conn.config.config.get("insecure")
+    verify = conn.config.config.get("verify")
     cacert = conn.config.config.get("cacert")
-    # TODO: Handle self-signed certs (from ca_cert in openstack config)
-    if cacert:
-        logger.warning(f"Trust all Certificates in S3, OpenStack uses {cacert}")
+    vrfy = False if (insecure is True or verify is False) else \
+      (cacert or (verify if isinstance(verify, str) else None))
     return boto3.resource(
-        's3', endpoint_url=creds["HOST"], verify=not cacert,
+        's3', endpoint_url=creds["HOST"], verify=vrfy,
         aws_access_key_id=creds["AK"], aws_secret_access_key=creds["SK"],
     )
 
