To use openshift SA cert when required for SSL verfication for TLS enablement (#1751)

* to use openshift SA cert when provided for SSL verfication

* add utc for the change

* fix pre-commit

* address review

* fix review

* fix ci

Author: justjais

ansible_ai_connect/ai/api/model_pipelines/http/configuration.py

@@ -48,15 +48,18 @@ def __init__(
         verify_ssl: bool,
         stream: bool = False,
         mcp_servers: Optional[list[dict[str, str]]] = None,
+        ca_cert_file: Optional[str] = None,
     ):
         super().__init__(inference_url, model_id, timeout, enable_health_check)
         self.verify_ssl = verify_ssl
         self.stream = stream
         self.mcp_servers = mcp_servers or []
+        self.ca_cert_file = ca_cert_file
 
     verify_ssl: bool
     stream: bool
     mcp_servers: Optional[list[dict[str, str]]] = None
+    ca_cert_file: Optional[str] = None
 
 
 @Register(api_type="http")
@@ -73,6 +76,7 @@ def __init__(self, **kwargs):
                 verify_ssl=kwargs["verify_ssl"],
                 stream=kwargs["stream"],
                 mcp_servers=kwargs["mcp_servers"],
+                ca_cert_file=kwargs.get("ca_cert_file"),
             ),
         )
 
@@ -81,6 +85,9 @@ def __init__(self, **kwargs):
 class HttpConfigurationSerializer(BaseConfigSerializer):
     verify_ssl = serializers.BooleanField(required=False, default=True)
     stream = serializers.BooleanField(required=False, default=False)
+    ca_cert_file = serializers.CharField(
+        required=False, default=None, allow_blank=True, allow_null=True
+    )
     mcp_servers = serializers.ListSerializer(
         child=MCPServersSerializer(), allow_empty=True, required=False, default=None
     )

ansible_ai_connect/ai/api/model_pipelines/http/pipelines.py

@@ -15,6 +15,7 @@
 import copy
 import json
 import logging
+import ssl
 from json import JSONDecodeError
 from typing import Any, AsyncGenerator
 
@@ -96,7 +97,9 @@ def invoke(self, params: CompletionsParameters) -> CompletionsResponse:
                 headers=self.headers,
                 json=model_input,
                 timeout=self.task_gen_timeout(task_count),
-                verify=self.config.verify_ssl,
+                verify=(
+                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
+                ),
             )
             result.raise_for_status()
             response = json.loads(result.text)
@@ -114,7 +117,13 @@ def self_test(self) -> HealthCheckSummary:
             }
         )
         try:
-            res = requests.get(url, verify=self.config.verify_ssl, timeout=1)
+            res = requests.get(
+                url,
+                verify=(
+                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
+                ),
+                timeout=1,
+            )
             res.raise_for_status()
         except Exception as e:
             logger.exception(str(e))
@@ -146,7 +155,9 @@ def self_test(self) -> HealthCheckSummary:
                 self.config.inference_url + "/readiness",
                 headers=headers,
                 timeout=1,
-                verify=self.config.verify_ssl,
+                verify=(
+                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
+                ),
             )
             r.raise_for_status()
 
@@ -203,7 +214,7 @@ def invoke(self, params: ChatBotParameters) -> ChatBotResponse:
             headers=self.headers,
             json=data,
             timeout=self.task_gen_timeout(1),
-            verify=self.config.verify_ssl,
+            verify=self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl,
         )
 
         if response.status_code == 200:
@@ -267,8 +278,11 @@ def send_schema1_event(self, ev):
     async def async_invoke(self, params: StreamingChatBotParameters) -> AsyncGenerator:
 
         # Configure SSL context based on verify_ssl setting
-        ssl_context = self.config.verify_ssl
-        connector = aiohttp.TCPConnector(ssl=ssl_context)
+        if self.config.ca_cert_file:
+            ssl_context = ssl.create_default_context(cafile=self.config.ca_cert_file)
+            connector = aiohttp.TCPConnector(ssl=ssl_context)
+        else:
+            connector = aiohttp.TCPConnector(ssl=self.config.verify_ssl)
 
         async with aiohttp.ClientSession(raise_for_status=True, connector=connector) as session:
             headers = {