Opensearch: Ignore SSL validation for ES plugin test #13234
Conversation
LocalStack Community integration with Pro 2 files ± 0 2 suites ±0 9m 33s ⏱️ - 1h 49m 30s Results for commit 4f7f972. ± Comparison against base commit 928f470. This pull request removes 4747 tests. |
Test Results (amd64) - Integration, Bootstrap 5 files ± 0 5 suites ±0 19m 7s ⏱️ - 2h 19m 26s Results for commit 4f7f972. ± Comparison against base commit 928f470. This pull request removes 5097 tests. |
| else: | ||
| # TODO fix ssl validation error when using the signed request for the elastic search domain | ||
| plugins_response = requests.get(plugins_url, headers={"Accept": "application/json"}) | ||
| plugins_response = requests.get( |
There was a problem hiding this comment.
I am a bit confused by this change, why does it work in the current test pipeline just here in LocalStack Community? Isn't this what the if/else here is for? Is this change really necessary?
There was a problem hiding this comment.
I'm also a bit confused and cannot understand why it passes in the current pipeline.
In my local env the test fails when running it against localstack-pro container. When I add the verify=False it works.
The long term solution is to fix the certificate domains with https://github.com/localstack/localstack-certificate-infrastructure/pull/4 but this is a bit out of scope of the current project (collecting coverage of operations when running LocalStack on k8s)
There was a problem hiding this comment.
In the current pipeline, we don't face the same problem because of this
that sets the ssl verification offSo this change enforces the same behavior regardless if the tests run with in memory localstack or against an "external" localstack container / pod
There was a problem hiding this comment.
thought (non-blocking): Super interesting and great find!
Do you think it would make sense / would be possible to remove this line though? I am asking because I think it is problematic to change a test here because it is run in a pipeline which is not used as a quality gate here, i.e. there's nothing preventing us from breaking this again, or for a different test in the future.
I would love to make sure that we a guarded against a regression like this in the future.
I think this might be a remnant from a time where we did not serve both HTTP and HTTPS on 4566, so maybe you are actually solving the "same problem" here, i.e. I think if your external pipeline runs against the tests here, the verify_ssl could be set to True without any implications.
In fact, changing the variable here and making sure the test pipeline is still green here in this repo could maybe even speed up the development of your external pipeline. What do you think?
Happy to discuss this specifically, but I also don't want to block this PR in case you want to look at this in a future iteration.
There was a problem hiding this comment.
I will merge this now to unblock the remaining parts.
I think we will be able to remove this line once/when we update our certificate.
I will get back to this next week.
|
Adding @cloutierMat (as author of the test) as a reviewer in case you have some more context |
alexrashed
left a comment
There was a problem hiding this comment.
Thanks a lot for digging into why this is currently working in the test pipeline! 🕵🏽
As I mentioned in the comment, I think it might be worth changing the config of the tests and combining this change with some potential other fixes among the codebase, but I will directly approve this PR as it is right now because it's totally up to you if you want to tackle this in other PRs / in another iteration. Let me know if I can help anywhere! :)
| else: | ||
| # TODO fix ssl validation error when using the signed request for the elastic search domain | ||
| plugins_response = requests.get(plugins_url, headers={"Accept": "application/json"}) | ||
| plugins_response = requests.get( |
There was a problem hiding this comment.
thought (non-blocking): Super interesting and great find!
Do you think it would make sense / would be possible to remove this line though? I am asking because I think it is problematic to change a test here because it is run in a pipeline which is not used as a quality gate here, i.e. there's nothing preventing us from breaking this again, or for a different test in the future.
I would love to make sure that we a guarded against a regression like this in the future.
I think this might be a remnant from a time where we did not serve both HTTP and HTTPS on 4566, so maybe you are actually solving the "same problem" here, i.e. I think if your external pipeline runs against the tests here, the verify_ssl could be set to True without any implications.
In fact, changing the variable here and making sure the test pipeline is still green here in this repo could maybe even speed up the development of your external pipeline. What do you think?
Happy to discuss this specifically, but I also don't want to block this PR in case you want to look at this in a future iteration.
I think there is a misunderstanding. I think we might not update our certificate for this (because we can only have a limited amount of entries in there, and elasticsearch might not be worth it), and I think we can remove the line you identified as fixing this in the pipeline, but replacing the individual requests with their "unverified" calls. So what I am saying here is: Remove this line now, see which tests are breaking here, fix these calls with
Really happy to discuss this directly if you want :) |
Motivation
Fix failing tests from https://github.com/localstack/localstack-pro/pull/5371
The test currently fails when it runs against LocalStack running in k8s.
Changes
Skip SSL validation when reaching the Elasticsearch plugins endpoint in test.
Context
It seems that something like
*.{region}.es.localhost.localstack.cloudshould be added in our certificate creation logic but there is already a comment in the test that SSL validation is skipped.