To introduce env based cert discovery (#1754)

* fix to introduce env based cert discovery and also eliminates conditional ssl logic complexity

* fix review

* fix UT failure

* fix pre-commit

Author: justjais

README.md

@@ -27,6 +27,8 @@ ENABLE_ARI_POSTPROCESS="False"
 WCA_SECRET_BACKEND_TYPE="dummy"
 # configure model server
 ANSIBLE_AI_MODEL_MESH_CONFIG="..."
+# configure SSL certificate path (optional)
+# ANSIBLE_AI_SERVICE_CA_PATH="/etc/ssl/certs/ca-certificates.crt"
 ```
 See the example [ANSIBLE_AI_MODEL_MESH_CONFIG](./docs/config/examples/README-ANSIBLE_AI_MODEL_MESH_CONFIG.md).
 
@@ -61,6 +63,29 @@ podman compose -f tools/docker-compose/compose.yaml down
 
 ### Service configuration
 
+### SSL/TLS Certificate Configuration
+
+For SSL communication with model servers and external services, you can configure the certificate authority (CA) certificate path:
+
+```bash
+# Default: Uses OpenShift/Kubernetes service account certificate
+# Path: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+
+# Custom certificate path (for containerized installations outside OpenShift)
+export ANSIBLE_AI_SERVICE_CA_PATH="/etc/ssl/certs/ca-certificates.crt"
+
+# Disable service CA certificate discovery (rely on system certificates only)
+export ANSIBLE_AI_SERVICE_CA_PATH=""
+```
+
+**ANSIBLE_AI_SERVICE_CA_PATH**
+- **Default**: `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt` (OpenShift/Kubernetes)
+- **Purpose**: Specifies the path to the CA certificate file for SSL verification
+- **Use Cases**:
+  - **OpenShift/Kubernetes**: Default path works automatically
+  - **Containerized deployments**: Set to `/etc/ssl/certs/ca-certificates.crt` or your custom path
+  - **Development/Testing**: Set to empty string to disable custom CA and use system certificates
+
 ### Secret storage
 For most development usages, you can skip the call to AWS Secrets Manager
 and always use the dummy `WCA_SECRET_BACKEND_TYPE` by setting the following in your

ansible_ai_connect/ai/api/model_pipelines/http/pipelines.py

@@ -15,6 +15,7 @@
 import copy
 import json
 import logging
+import os
 import ssl
 from json import JSONDecodeError
 from typing import Any, AsyncGenerator
@@ -70,10 +71,34 @@ def __init__(self, config: HttpConfiguration):
         self.headers = {"Content-Type": "application/json"}
         i = self.config.timeout
         self._timeout = int(i) if i is not None else None
+        # Help ssl.create_default_context() find mounted certificates
+        self._setup_ssl_context()
 
     def task_gen_timeout(self, task_count=1):
         return self._timeout * task_count if self._timeout else None
 
+    def _setup_ssl_context(self):
+        """Let ssl.create_default_context() discover certs.
+        Following container best practices - use environment variables to help
+        Python's default SSL context find mounted certificates automatically.
+        This avoids explicit certificate path management in application code.
+        """
+        if self.config.verify_ssl:
+            # Check for mounted service-ca certificate (container/K8s pattern)
+            service_ca = settings.SERVICE_CA_PATH
+            if os.path.exists(service_ca):
+                os.environ.setdefault("REQUESTS_CA_BUNDLE", service_ca)
+                os.environ.setdefault("SSL_CERT_FILE", service_ca)
+                logger.info("Configured SSL context to use mounted service-ca certificate")
+
+    def get_ssl_verification(self):
+        """Just return verify_ssl boolean.
+        ssl.create_default_context() will automatically discover certificates
+        via environment variables set in _setup_ssl_context().
+        No explicit certificate path management needed.
+        """
+        return self.config.verify_ssl
+
 
 @Register(api_type="http")
 class HttpCompletionsPipeline(HttpMetaData, ModelPipelineCompletions[HttpConfiguration]):
@@ -97,9 +122,7 @@ def invoke(self, params: CompletionsParameters) -> CompletionsResponse:
                 headers=self.headers,
                 json=model_input,
                 timeout=self.task_gen_timeout(task_count),
-                verify=(
-                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
-                ),
+                verify=self.get_ssl_verification(),
             )
             result.raise_for_status()
             response = json.loads(result.text)
@@ -119,9 +142,7 @@ def self_test(self) -> HealthCheckSummary:
         try:
             res = requests.get(
                 url,
-                verify=(
-                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
-                ),
+                verify=self.get_ssl_verification(),
                 timeout=1,
             )
             res.raise_for_status()
@@ -155,9 +176,7 @@ def self_test(self) -> HealthCheckSummary:
                 self.config.inference_url + "/readiness",
                 headers=headers,
                 timeout=1,
-                verify=(
-                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
-                ),
+                verify=self.get_ssl_verification(),
             )
             r.raise_for_status()
 
@@ -214,7 +233,7 @@ def invoke(self, params: ChatBotParameters) -> ChatBotResponse:
             headers=self.headers,
             json=data,
             timeout=self.task_gen_timeout(1),
-            verify=self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl,
+            verify=self.get_ssl_verification(),
         )
 
         if response.status_code == 200:
@@ -277,9 +296,8 @@ def send_schema1_event(self, ev):
 
     async def async_invoke(self, params: StreamingChatBotParameters) -> AsyncGenerator:
 
-        # Configure SSL context based on verify_ssl setting
-        if self.config.ca_cert_file:
-            ssl_context = ssl.create_default_context(cafile=self.config.ca_cert_file)
+        if self.config.verify_ssl:
+            ssl_context = ssl.create_default_context()
             connector = aiohttp.TCPConnector(ssl=ssl_context)
         else:
             connector = aiohttp.TCPConnector(ssl=self.config.verify_ssl)

ansible_ai_connect/ai/api/model_pipelines/http/tests/test_pipelines.py

@@ -14,6 +14,7 @@
 #  limitations under the License.
 import json
 import logging
+import ssl
 from typing import cast
 from unittest import IsolatedAsyncioTestCase
 from unittest.mock import MagicMock, patch
@@ -246,8 +247,11 @@ async def test_ssl_context_verify_ssl_true(self, mock_tcp_connector, mock_post):
         params = self.get_params()
         async for _ in pipeline.async_invoke(params):
             pass
-        # Verify TCPConnector was created with ssl=True
-        mock_tcp_connector.assert_called_once_with(ssl=True)
+        # Verify TCPConnector was created with SSL context when verify_ssl=True
+        mock_tcp_connector.assert_called_once()
+        call_args = mock_tcp_connector.call_args[1]["ssl"]
+        # Should be an SSLContext object when verify_ssl=True
+        self.assertIsInstance(call_args, ssl.SSLContext)
 
     @patch("aiohttp.ClientSession.post")
     @patch("aiohttp.TCPConnector")
@@ -294,7 +298,13 @@ async def test_ssl_context_integration_with_existing_flow(self, mock_tcp_connect
                 # Verify that streaming still works
                 self.assertGreater(result_count, 0, "Streaming should return data")
                 # Verify SSL configuration is correct
-                mock_tcp_connector.assert_called_with(ssl=verify_ssl_value)
+                call_args = mock_tcp_connector.call_args[1]["ssl"]
+                if verify_ssl_value:
+                    # When verify_ssl=True, should get an SSLContext object
+                    self.assertIsInstance(call_args, ssl.SSLContext)
+                else:
+                    # When verify_ssl=False, should get False
+                    self.assertEqual(call_args, False)
                 # Reset mocks for next iteration
                 mock_tcp_connector.reset_mock()
                 mock_post.reset_mock()