indigo-iam / wlcg-jwt-compliance-tests

Prototype WLCG TPC testsuite using JWT authN/Z

Configure Requests to trust IGTF trust bundle by default #3

Closed paulmillar closed 2 years ago

paulmillar commented 3 years ago

Motivation:

Grid services typically authenticate themselves using an X.509 credential where the certificate has been issued by an IGTF-approved CA.

Such CAs are typically not trusted by non-grid clients and so such grid services are not trusted by default.

Therefore, out-of-the-box the Requests HTTP client Python library will fail when connecting to the grid sites.

Modification:

Move the trust bundle configuration from curl.robot into the generic variables.yaml configuration. This allows configuration to be shared between tests and suite initialisation.

Update suite initialisation to set the REQUESTS_CA_BUNDLE environment variable to specify the trust anchors that the requests library should use.

Result:

The Requests HTTP client library now trusts IGTF CAs.

andreaceccanti commented 3 years ago

Hi Paul, thanks for the PR!

the container already does the trust configuration to support IGTF certs...

paulmillar commented 3 years ago

Ah, OK. That makes sense.

In my case, I'm running the tests directly, and not from within a container.

I can manually create the environment variable, but that's a hassle.

paulmillar commented 3 years ago

FWIW, the work-around is to set the REQUESTS_CA_BUNDLE environment variable; e.g.,

REQUESTS_CA_BUNDLE=/etc/grid-security/certificates ./run-testsuite.sh prometheus

andreaceccanti commented 2 years ago

In the end I decided to fix this in the run-testsuite.sh script, see https://github.com/indigo-iam/wlcg-jwt-compliance-tests/commit/8ad67c6ba24e3894eef598b7cdfb8716bc3b9196.

Thanks!
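
A pre-flight check for the REQUESTS_CA_BUNDLE workaround discussed in this thread, as an added example that is not part of the PR or the project's code: it mirrors how Requests takes its trust store from the environment and flags a path that is missing, or a directory that has not been processed by OpenSSL's c_rehash (which Requests requires for directory trust stores). The function names and the sample file names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# c_rehash names trust anchors <8 hex digits>.<n>; CRLs use .r<n> and are not anchors.
HASHED_CERT = re.compile(r"^[0-9a-f]{8}\.\d+$")

def effective_ca_bundle(env):
    """Return the path Requests would take from the environment, or None.

    Requests reads REQUESTS_CA_BUNDLE first and falls back to CURL_CA_BUNDLE;
    with neither set it uses its bundled certifi store (None here).
    """
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or None

def check_ca_bundle(env):
    """Classify the configured trust store before any test makes a request."""
    path = effective_ca_bundle(env)
    if path is None:
        return "default"        # certifi only; the case the PR describes as failing
    if not os.path.exists(path):
        return "missing"        # Requests raises OSError for an invalid path
    if os.path.isfile(path):
        return "file"           # treated as a single PEM bundle
    hashed = [n for n in os.listdir(path) if HASHED_CERT.match(n)]
    # A directory is only usable if it holds c_rehash-style hashed names.
    return "hashed-dir" if hashed else "unhashed-dir"

def demo():
    """Run the check against constructed directories (no real CA files)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "certificates")
        bad = os.path.join(root, "pem-only")
        os.makedirs(good)
        os.makedirs(bad)
        # Constructed file names only; contents are irrelevant to this check.
        for name in ("1a2b3c4d.0", "1a2b3c4d.r0", "ExampleCA.pem"):
            open(os.path.join(good, name), "w").close()
        open(os.path.join(bad, "ExampleCA.pem"), "w").close()
        results["hashed"] = check_ca_bundle({"REQUESTS_CA_BUNDLE": good})
        results["unhashed"] = check_ca_bundle({"REQUESTS_CA_BUNDLE": bad})
        results["missing"] = check_ca_bundle({"REQUESTS_CA_BUNDLE": os.path.join(root, "nope")})
        results["curl"] = check_ca_bundle({"CURL_CA_BUNDLE": good})
        results["default"] = check_ca_bundle({})
    return results

if __name__ == "__main__":
    print(demo())
```

Calling `check_ca_bundle(os.environ)` at suite start-up turns a later TLS verification failure into an immediate, specific message about the trust store.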