Skip to content

OpenSearch: Disable SSL validation for unsupported regions #13346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dfangl merged 1 commit into from
Nov 6, 2025
Merged

OpenSearch: Disable SSL validation for unsupported regions #13346

dfangl merged 1 commit into from
Nov 6, 2025
+15 −0

Conversation

@dfangl
Copy link
Member

@dfangl dfangl commented Nov 6, 2025
edited by silv-io
Loading

Motivation

With #13275, we generally enabled SSL certificate validation for our requests clients.
However, this leads to an issue with non-default-region tests (example), with regional endpoints for regions not present in our localhost.localstack.cloud certificates SAN list.

This leads to flakes in our pipeline, every time an ap-southeast-* region is used.

With this fix, we disable certificate validation only for opensearch and the regions not supported by the certificate.

Changes

  • Disable certificate validation for opensearch tests in regions not present in our certificate

Tests

  • Run test_opensearch.py using TEST_AWS_REGION_NAME=ap-northeast-1

Related

Fixes ENG-112
Fixes FLC-152

@dfangl dfangl added semver: patch Non-breaking changes which can be included in patch releases docs: skip Pull request does not require documentation changes notes: skip Pull request does not have to be mentioned in the release notes labels Nov 6, 2025
@dfangl dfangl added semver: patch Non-breaking changes which can be included in patch releases docs: skip Pull request does not require documentation changes notes: skip Pull request does not have to be mentioned in the release notes labels Nov 6, 2025
@silv-io
Copy link
Member

silv-io commented Nov 6, 2025

Nice, this should also fix FLC-152

@github-actions
Copy link

github-actions bot commented Nov 6, 2025

LocalStack Community integration with Pro

 2 files  ±    0   2 suites  ±0   9m 32s ⏱️ - 1h 51m 36s
48 tests  - 4 846  33 ✅  - 4 486  15 💤  - 354  0 ❌  - 6 
50 runs   - 4 846  33 ✅  - 4 486  17 💤  - 354  0 ❌  - 6 

Results for commit d085d56. ± Comparison against base commit 5f5a8fb.

This pull request removes 4846 tests. 
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_lambda_dynamodb
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_opensearch_crud
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_search_books
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_setup
tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_destination_sns
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_infra
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_prefill_dynamodb_table
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input0-SUCCEEDED]
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input1-SUCCEEDED]
…

@github-actions
Copy link

github-actions bot commented Nov 6, 2025

Test Results - Preflight, Unit

22 278 tests  ±0   20 526 ✅ ±0   15m 23s ⏱️ -20s
     1 suites ±0    1 752 💤 ±0 
     1 files   ±0        0 ❌ ±0 

Results for commit d085d56. ± Comparison against base commit 5f5a8fb.

@github-actions
Copy link

github-actions bot commented Nov 6, 2025

Test Results (amd64) - Acceptance

7 tests  ±0   5 ✅ ±0   3m 21s ⏱️ -1s
1 suites ±0   2 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit d085d56. ± Comparison against base commit 5f5a8fb.

@github-actions
Copy link

github-actions bot commented Nov 6, 2025

Test Results (amd64) - Integration, Bootstrap

 5 files   5 suites   18m 53s ⏱️
72 tests 57 ✅ 15 💤 0 ❌
78 runs  57 ✅ 21 💤 0 ❌

Results for commit d085d56.

alexrashed
alexrashed approved these changes Nov 6, 2025
View reviewed changes
Copy link
Member

@alexrashed alexrashed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, great catch! I wonder if we can just disable the verification just generally for the opensearch tests?

@dfangl
Copy link
Member Author

dfangl commented Nov 6, 2025
edited
Loading

I wonder if we can just disable the verification just generally for the opensearch tests?

We could, but then we don't test that the opensearch names are in the certificate at all. It should not spontaneously change, but I do not see a value in not testing it? Am I overlooking something here?

@dfangl dfangl merged commit a2d83bf into main Nov 6, 2025
68 checks passed
@dfangl dfangl deleted the eng-112-opensearch-mamr-tests-fail-with-certificate-error branch November 6, 2025 12:30
mfurqaan31 pushed a commit to mfurqaan31/localstack that referenced this pull request Nov 6, 2025
@dfangl @mfurqaan31
OpenSearch: Disable SSL validation for unsupported regions (localstac…
2fe8041 
…k#13346)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexrashed alexrashed alexrashed approved these changes

@silv-io silv-io Awaiting requested review from silv-io silv-io is a code owner

Assignees

No one assigned

Labels

docs: skip Pull request does not require documentation changes notes: skip Pull request does not have to be mentioned in the release notes semver: patch Non-breaking changes which can be included in patch releases

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dfangl @silv-io @alexrashed