Closed pnadolny13 closed 2 years ago
In GitLab by @DouweM on Mar 16, 2021, 13:41
I am not really a python guy, but from what I read setting the envars REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt or CURL_CA_BUNDLE=/usr/local/share/ca-certificates/ca.crt should also work, but they do not.
@toxsick That's odd, it seems like that should work from the docs and code.
We can consider adding a new config.json setting like ssl_verify, which could take a path or a boolean, but I'd like to start by debugging the env var solution.
Can you show me how you're setting REQUESTS_CA_BUNDLE? And can you run meltano elt in debug mode (https://meltano.com/docs/command-line-interface.html#debugging) with meltano --log-level elt ... so that we get to see the full environment tap-gitlab is invoked with? We should be able to see there if REQUESTS_CA_BUNDLE makes it through correctly or not.
In GitLab by @DouweM on Mar 16, 2021, 13:41
assigned to @DouweM
In GitLab by @toxsick on Mar 16, 2021, 17:05
Hey @DouweM ,
I am running this thing in a docker container. Here is what happens when I run meltano --log-level=debug elt tap-gitlab target-postgres --job_id=gitlab-to-postgres in the container (Sorry it's a lot):
The debug shows that 'REQUESTS_CA_BUNDLE': '/etc/ssl/certs/ca-certificates.crt' is present.
If I comment in SESSION.verify = "/etc/ssl/certs/ca-certificates.crt" as described above it works fine.
Thanks for looking into this!
In GitLab by @DouweM on Mar 16, 2021, 18:45
@toxsick Can you please share your complete Dockerfile?
Are you confident that /etc/ssl/certs/ca-certificates.crt is present inside the Docker container when you're taking the env var approach? Otherwise I have no idea why requests would be ignoring it :/
In GitLab by @toxsick on Mar 17, 2021, 05:07
@DouweM sure, here you go:
ARG MELTANO_IMAGE=meltano/meltano:latest
FROM $MELTANO_IMAGE
WORKDIR /project
# Install any additional requirements
COPY ./requirements.txt .
RUN pip install -r requirements.txt
# Install all plugins into the `.meltano` directory
COPY ./meltano.yml .
RUN meltano install
# Pin `discovery.yml` manifest by copying cached version to project root
RUN cp -n .meltano/cache/discovery.yml . 2>/dev/null || :
# Don't allow changes to containerized project files
ENV MELTANO_PROJECT_READONLY 1
# Copy over remaining project files
COPY . .
# Expose default port used by `meltano ui`
EXPOSE 5000
# Install self-signed cert
COPY misc/our_ca.crt /usr/local/share/ca-certificates/ca.crt
RUN apt-get update && apt-get install -y ca-certificates \
&& update-ca-certificates --fresh
ENV TAP_GITLAB_API_URL https://git.internal.lan
ENV REQUESTS_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
ENTRYPOINT ["meltano"]
This is also what I don't understand. I also think that requests should pick it up. But since it works when I do SESSION.verify = "/etc/ssl/certs/ca-certificates.crt" here I am pretty confident that ca-certificates.crt includes my self-signed cert.
Could it be that a requests.Session() does not use the REQUESTS_CA_BUNDLE envar? I think the docs are a little fuzzy on that...
In GitLab by @DouweM on Mar 17, 2021, 16:53
But since it works when I do SESSION.verify = "/etc/ssl/certs/ca-certificates.crt" here I am pretty confident that ca-certificates.crt includes my self-signed cert.
@toxsick Makes sense. When you are editing that file, how are you making sure that change makes it into the Docker image? I'd expect that meltano install would just reinstall the plugin from the pip_url specified in your meltano.yml, so .meltano would not contain any changes you made.
Could it be that a requests.Session() does not use the REQUESTS_CA_BUNDLE envar? I think the docs are a little fuzzy on that...
The env var logic (https://github.com/psf/requests/blob/8c211a96cdbe9fe320d63d9e1ae15c5c07e179f8/requests/sessions.py#L718) is implemented on the Session class, so we should be good. Your ENV directive looks good as well, and as we verified with meltano --log-level=debug, that value is actually making it into the tap's execution environment :/
In GitLab by @DouweM on Mar 17, 2021, 17:02
@toxsick I think I've figured it out: The merge_environment_settings method that reads the environment is called from Session.request, but not Session.send which is used by the tap.
So I'm thinking the solution is to rewrite https://gitlab.com/meltano/tap-gitlab/-/blob/master/tap_gitlab/__init__.py#L226-228 to use Session.request instead of Session.send, so that the env var is respected:
resp = SESSION.request('GET', url, params=params, headers=headers)
LOGGER.info("GET {}".format(url))
The calls below to req.url would also need to be changed to just url.
Can you try making that change locally and see if it has the desired effect? If so, I'd appreciate a merge request to fix this issue!
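The behaviour diagnosed in the comment above, as an added example (not code from tap-gitlab or from requests): a recording adapter stands in for the network and captures the `verify` value that each call style hands to the transport. `RecordingAdapter`, `verify_seen_by_transport` and the URL path are constructed for illustration; the CA bundle path and host are the ones quoted in the thread, and the file does not need to exist because nothing is sent.

```python
import os
import requests
from requests.adapters import BaseAdapter

CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # path quoted in the thread
URL = "https://git.internal.lan/api/v4/projects"  # constructed; never contacted


class RecordingAdapter(BaseAdapter):
    """Stand-in transport: records `verify` instead of opening a socket."""

    def __init__(self):
        super().__init__()
        self.seen_verify = []

    def send(self, request, stream=False, timeout=None, verify=True,
             cert=None, proxies=None):
        self.seen_verify.append(verify)
        resp = requests.Response()
        resp.status_code = 200
        resp.url = request.url
        resp.request = request
        return resp

    def close(self):
        pass


def verify_seen_by_transport(mode):
    """Return the `verify` setting that reaches the adapter for a call style."""
    os.environ["REQUESTS_CA_BUNDLE"] = CA_BUNDLE  # set for this process only
    session = requests.Session()
    adapter = RecordingAdapter()
    session.mount("https://", adapter)

    if mode == "request":
        # Session.request merges environment settings before sending.
        session.request("GET", URL)
    else:
        prepared = session.prepare_request(requests.Request("GET", URL))
        if mode == "send":
            # Session.send falls back to session.verify (True); env var unused.
            session.send(prepared)
        else:  # "send+merge": keep prepared requests, merge the env explicitly
            settings = session.merge_environment_settings(
                prepared.url, {}, None, None, None)
            session.send(prepared, **settings)
    return adapter.seen_verify[-1]
```

With `verify=True` the transport validates against the default bundle only, which is why the internal CA was rejected until the call went through `Session.request` or `SESSION.verify` was set to the bundle path.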
In GitLab by @toxsick on Mar 18, 2021, 04:42
@DouweM sounds promising. Thanks for digging into this! I will give it a try and create a PR tomorrow.
Have a good day
In GitLab by @toxsick on Mar 19, 2021, 09:15
mentioned in commit toxsick/tap-gitlab@5d721553c75a65b662464c3ac7462f34163dbd7a
In GitLab by @toxsick on Mar 19, 2021, 09:19
mentioned in merge request !38
In GitLab by @toxsick on Mar 19, 2021, 09:21
@DouweM That worked perfectly, my MR !38 is really just that. Thanks for investigating this so fast.
In GitLab by @DouweM on Mar 22, 2021, 11:20
assigned to @toxsick
In GitLab by @DouweM on Mar 22, 2021, 11:30
mentioned in commit bf5be2bd22b849bdc56a41f258111314a6bfee73
In GitLab by @toxsick on Mar 14, 2021, 17:40
Hey guys,
I'm just playing around with Meltano and our self-hosted internal Gitlab instance and I am getting errors like this:
I think this is a pretty standard one, but I don't find a clean way to fix this. What works is to install our cert in the docker container with:
And then add a line in .meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py (here):... I guess SESSION.verify = False would also work.
I am not really a python guy, but from what I read setting the envars REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt or CURL_CA_BUNDLE=/usr/local/share/ca-certificates/ca.crt should also work, but they do not.
Is there a clean way to do this without modifying code inside the .meltano folder?
regards and thanks!