Merge pull request 'Fix S3 SSL certificate validation and boto3 checksum compatibility' (#2 ) from benvin/boto3_fixes into master

Reviewed-on: #2
Fix S3 SSL certificate validation and boto3 checksum compatibility
2026-01-08 23:55:42 +11:00 · 2026-01-08 23:54:39 +11:00
1 changed files with 19 additions and 10 deletions
--- a/src/artifactapi/storage.py
+++ b/src/artifactapi/storage.py
@ -22,16 +22,25 @@ class S3Storage:
        self.bucket = bucket
        self.secure = secure

-        self.client = boto3.client(
-            "s3",
-            endpoint_url=f"http{'s' if self.secure else ''}://{self.endpoint}",
-            aws_access_key_id=self.access_key,
-            aws_secret_access_key=self.secret_key,
-            config=Config(
-                request_checksum_calculation="when_required",
-                response_checksum_validation="when_required"
-            )
-        )
+        ca_bundle = os.environ.get('REQUESTS_CA_BUNDLE') or os.environ.get('SSL_CERT_FILE')
+        config_kwargs = {
+            "request_checksum_calculation": "when_required",
+            "response_checksum_validation": "when_required"
+        }
+        client_kwargs = {
+            "endpoint_url": f"http{'s' if self.secure else ''}://{self.endpoint}",
+            "aws_access_key_id": self.access_key,
+            "aws_secret_access_key": self.secret_key,
+            "config": Config(**config_kwargs)
+        }
+
+        if ca_bundle and os.path.exists(ca_bundle):
+            client_kwargs["verify"] = ca_bundle
+            print(f"Debug: Using CA bundle: {ca_bundle}")
+        else:
+            print(f"Debug: No CA bundle found. REQUESTS_CA_BUNDLE={os.environ.get('REQUESTS_CA_BUNDLE')}, SSL_CERT_FILE={os.environ.get('SSL_CERT_FILE')}")
+
+        self.client = boto3.client("s3", **client_kwargs)

        # Try to ensure bucket exists, but don't fail if MinIO isn't ready yet
        try: