dosubot[bot] commented on issue #34666:
URL: https://github.com/apache/superset/issues/34666#issuecomment-3182648772
Placing your certificate in
`/usr/local/lib/python3.11/site-packages/certifi` does not make it trusted by
Python’s requests library unless you rebuild the certifi bundle, which is not
recommended or reliable in containerized deployments. The supported way to add
a custom CA for outbound HTTPS (including OIDC/OAuth) in Superset is to mount
your CA bundle into the container and set the `REQUESTS_CA_BUNDLE` environment
variable to its path. This tells Python requests to use your CA for SSL
verification.

In a Helm/Kubernetes deployment, you should:

1. Mount your custom CA bundle (e.g., as a Kubernetes Secret or ConfigMap)
   into the Superset container, for example at `/etc/ssl/certs/my-ca-bundle.crt`.
2. Set the `REQUESTS_CA_BUNDLE` environment variable in your Helm values to
   point to that file.

Example Helm values override:

```yaml
extraEnv:
  - name: REQUESTS_CA_BUNDLE
    value: /etc/ssl/certs/my-ca-bundle.crt
extraVolumes:
  - name: custom-ca
    secret:
      secretName: my-custom-ca-secret
extraVolumeMounts:
  - name: custom-ca
    mountPath: /etc/ssl/certs/my-ca-bundle.crt
    subPath: my-ca-bundle.crt
    readOnly: true
```
This approach is necessary because Superset delegates SSL verification to
Python requests, which only honors the `REQUESTS_CA_BUNDLE` variable for custom
trust stores—there is no Superset-specific config for this use case.
If you still see SSL errors after this, check for DNS issues inside the pod
(sometimes `/etc/resolv.conf` is misconfigured in Kubernetes and can cause
misleading SSL errors)
[source](https://github.com/apache/superset/issues/25004#issuecomment-2761120257).
Let me know if you need a more detailed example for your Helm chart or have
questions about mounting the CA bundle.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
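
The troubleshooting order the comment describes (bundle mounted, variable set, DNS working, then TLS verification) can be checked from inside the pod with a short script. This is an added example, not code from the comment or from Superset; the function names and status strings are hypothetical, and the host to test is whatever OIDC/OAuth endpoint your deployment uses.

```python
import os
import socket
import ssl
import sys


def check_bundle(path):
    """Return (status, ssl_context_or_None) for the CA bundle at `path`."""
    if not path:
        return "bundle_env_unset", None
    if not os.path.isfile(path):
        return "bundle_missing", None
    try:
        # With cafile given, only this file is trusted (no system defaults).
        ctx = ssl.create_default_context(cafile=path)
    except (ssl.SSLError, OSError):
        return "bundle_unusable", None
    if ctx.cert_store_stats()["x509"] == 0:
        return "bundle_unusable", None
    return "bundle_ok", ctx


def diagnose(host, port=443, bundle=None, timeout=5.0):
    """Tell apart bundle, DNS and certificate-verification failures."""
    if bundle is None:
        bundle = os.environ.get("REQUESTS_CA_BUNDLE", "")
    status, ctx = check_bundle(bundle)
    if ctx is None:
        return status
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"tls_verify_failure: {exc.verify_message}"
    except OSError as exc:
        return f"connect_failure: {exc}"


if __name__ == "__main__":
    # Usage: python check_ca.py <host>   (host is supplied by the operator)
    print(diagnose(sys.argv[1]))
```

Because `requests` uses the file named by `REQUESTS_CA_BUNDLE` in place of the certifi bundle, the handshake here trusts only that file, so a `tls_verify_failure` against a publicly signed endpoint means the bundle also needs the public roots.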