Revert PR #1754: Environment-based cert discovery (#1758)

This reverts commit 7092618.

Reverting due to WCA SSL failure observed after the introduction of
environment-based certificate discovery functionality.

Changes reverted:
- Removed SERVICE_CA_PATH setting from base.py
- Removed _setup_ssl_context() and get_ssl_verification() methods from pipelines.py
- Restored original SSL verification logic using ca_cert_file precedence
- Reverted SSL/TLS documentation changes in README.md
- Reverted test files to their pre-PR state

This restores the previous SSL verification behavior:
verify=(self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl)

Author: justjais

README.md

@@ -27,8 +27,6 @@ ENABLE_ARI_POSTPROCESS="False"
 WCA_SECRET_BACKEND_TYPE="dummy"
 # configure model server
 ANSIBLE_AI_MODEL_MESH_CONFIG="..."
-# configure SSL certificate path (optional)
-# ANSIBLE_AI_SERVICE_CA_PATH="/etc/ssl/certs/ca-certificates.crt"
 ```
 See the example [ANSIBLE_AI_MODEL_MESH_CONFIG](./docs/config/examples/README-ANSIBLE_AI_MODEL_MESH_CONFIG.md).
 
@@ -63,29 +61,6 @@ podman compose -f tools/docker-compose/compose.yaml down
 
 ### Service configuration
 
-### SSL/TLS Certificate Configuration
-
-For SSL communication with model servers and external services, you can configure the certificate authority (CA) certificate path:
-
-```bash
-# Default: Uses OpenShift/Kubernetes service account certificate
-# Path: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
-
-# Custom certificate path (for containerized installations outside OpenShift)
-export ANSIBLE_AI_SERVICE_CA_PATH="/etc/ssl/certs/ca-certificates.crt"
-
-# Disable service CA certificate discovery (rely on system certificates only)
-export ANSIBLE_AI_SERVICE_CA_PATH=""
-```
-
-**ANSIBLE_AI_SERVICE_CA_PATH**
-- **Default**: `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt` (OpenShift/Kubernetes)
-- **Purpose**: Specifies the path to the CA certificate file for SSL verification
-- **Use Cases**:
-  - **OpenShift/Kubernetes**: Default path works automatically
-  - **Containerized deployments**: Set to `/etc/ssl/certs/ca-certificates.crt` or your custom path
-  - **Development/Testing**: Set to empty string to disable custom CA and use system certificates
-
 ### Secret storage
 For most development usages, you can skip the call to AWS Secrets Manager
 and always use the dummy `WCA_SECRET_BACKEND_TYPE` by setting the following in your

ansible_ai_connect/ai/api/model_pipelines/http/pipelines.py

@@ -15,7 +15,6 @@
 import copy
 import json
 import logging
-import os
 import ssl
 from json import JSONDecodeError
 from typing import Any, AsyncGenerator
@@ -71,34 +70,10 @@ def __init__(self, config: HttpConfiguration):
         self.headers = {"Content-Type": "application/json"}
         i = self.config.timeout
         self._timeout = int(i) if i is not None else None
-        # Help ssl.create_default_context() find mounted certificates
-        self._setup_ssl_context()
 
     def task_gen_timeout(self, task_count=1):
         return self._timeout * task_count if self._timeout else None
 
-    def _setup_ssl_context(self):
-        """Let ssl.create_default_context() discover certs.
-        Following container best practices - use environment variables to help
-        Python's default SSL context find mounted certificates automatically.
-        This avoids explicit certificate path management in application code.
-        """
-        if self.config.verify_ssl:
-            # Check for mounted service-ca certificate (container/K8s pattern)
-            service_ca = settings.SERVICE_CA_PATH
-            if os.path.exists(service_ca):
-                os.environ.setdefault("REQUESTS_CA_BUNDLE", service_ca)
-                os.environ.setdefault("SSL_CERT_FILE", service_ca)
-                logger.info("Configured SSL context to use mounted service-ca certificate")
-
-    def get_ssl_verification(self):
-        """Just return verify_ssl boolean.
-        ssl.create_default_context() will automatically discover certificates
-        via environment variables set in _setup_ssl_context().
-        No explicit certificate path management needed.
-        """
-        return self.config.verify_ssl
-
 
 @Register(api_type="http")
 class HttpCompletionsPipeline(HttpMetaData, ModelPipelineCompletions[HttpConfiguration]):
@@ -122,7 +97,9 @@ def invoke(self, params: CompletionsParameters) -> CompletionsResponse:
                 headers=self.headers,
                 json=model_input,
                 timeout=self.task_gen_timeout(task_count),
-                verify=self.get_ssl_verification(),
+                verify=(
+                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
+                ),
             )
             result.raise_for_status()
             response = json.loads(result.text)
@@ -142,7 +119,9 @@ def self_test(self) -> HealthCheckSummary:
         try:
             res = requests.get(
                 url,
-                verify=self.get_ssl_verification(),
+                verify=(
+                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
+                ),
                 timeout=1,
             )
             res.raise_for_status()
@@ -176,7 +155,9 @@ def self_test(self) -> HealthCheckSummary:
                 self.config.inference_url + "/readiness",
                 headers=headers,
                 timeout=1,
-                verify=self.get_ssl_verification(),
+                verify=(
+                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
+                ),
             )
             r.raise_for_status()
 
@@ -233,7 +214,7 @@ def invoke(self, params: ChatBotParameters) -> ChatBotResponse:
             headers=self.headers,
             json=data,
             timeout=self.task_gen_timeout(1),
-            verify=self.get_ssl_verification(),
+            verify=self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl,
         )
 
         if response.status_code == 200:
@@ -296,8 +277,9 @@ def send_schema1_event(self, ev):
 
     async def async_invoke(self, params: StreamingChatBotParameters) -> AsyncGenerator:
 
-        if self.config.verify_ssl:
-            ssl_context = ssl.create_default_context()
+        # Configure SSL context based on verify_ssl setting
+        if self.config.ca_cert_file:
+            ssl_context = ssl.create_default_context(cafile=self.config.ca_cert_file)
             connector = aiohttp.TCPConnector(ssl=ssl_context)
         else:
             connector = aiohttp.TCPConnector(ssl=self.config.verify_ssl)

ansible_ai_connect/ai/api/model_pipelines/http/tests/test_pipelines.py

@@ -14,7 +14,6 @@
 #  limitations under the License.
 import json
 import logging
-import ssl
 from typing import cast
 from unittest import IsolatedAsyncioTestCase
 from unittest.mock import MagicMock, patch
@@ -247,11 +246,8 @@ async def test_ssl_context_verify_ssl_true(self, mock_tcp_connector, mock_post):
         params = self.get_params()
         async for _ in pipeline.async_invoke(params):
             pass
-        # Verify TCPConnector was created with SSL context when verify_ssl=True
-        mock_tcp_connector.assert_called_once()
-        call_args = mock_tcp_connector.call_args[1]["ssl"]
-        # Should be an SSLContext object when verify_ssl=True
-        self.assertIsInstance(call_args, ssl.SSLContext)
+        # Verify TCPConnector was created with ssl=True
+        mock_tcp_connector.assert_called_once_with(ssl=True)
 
     @patch("aiohttp.ClientSession.post")
     @patch("aiohttp.TCPConnector")
@@ -298,13 +294,7 @@ async def test_ssl_context_integration_with_existing_flow(self, mock_tcp_connect
                 # Verify that streaming still works
                 self.assertGreater(result_count, 0, "Streaming should return data")
                 # Verify SSL configuration is correct
-                call_args = mock_tcp_connector.call_args[1]["ssl"]
-                if verify_ssl_value:
-                    # When verify_ssl=True, should get an SSLContext object
-                    self.assertIsInstance(call_args, ssl.SSLContext)
-                else:
-                    # When verify_ssl=False, should get False
-                    self.assertEqual(call_args, False)
+                mock_tcp_connector.assert_called_with(ssl=verify_ssl_value)
                 # Reset mocks for next iteration
                 mock_tcp_connector.reset_mock()
                 mock_post.reset_mock()