Add use_os_truststore config option and ca_truststore grain#69148
Merged
Conversation
dwoz previously approved these changes (May 14, 2026)
…ltstack#65439)

Introduces opt-in support for verifying outbound TLS connections against the native OS certificate store (Windows CryptoAPI, macOS Keychain, Linux system CA bundle) instead of the bundled certifi CA bundle.

- New config option use_os_truststore (default False) on both master and minion; when True, calls truststore.inject_into_ssl() once at daemon startup via salt.utils.ostruststore.apply_if_enabled()
- Injection is gated behind the config option and is one-shot per process, preserving existing certifi behavior for all deployments that do not opt in
- Explicit ca_bundle: in config always takes precedence over the OS store
- New ca_truststore grain reports which store is active (certifi or os)
- get_ca_bundle() in salt.utils.http short-circuits to None when use_os_truststore is True and no explicit ca_bundle is configured
- Requires the truststore package (Python 3.10+); Salt logs a warning and falls back to certifi if the package is absent
- Documents that pip-system-certs must not be installed in the Salt environment as its .pth file bypasses the config option entirely
- Does not affect the master/minion PKI authentication layer
Python's compiler treats any name that appears in an import statement anywhere in a function as a local variable for the entire function scope. Each daemon prepare() method contains a late "import salt.master" or "import salt.minion", which caused the compiler to mark "salt" as local throughout the function. The "salt.utils.ostruststore.apply_if_enabled()" call at the top of each prepare() then raised UnboundLocalError because the local "salt" had not yet been assigned. Fix by importing ostruststore as "_ostruststore" at module level so the call sites reference "_ostruststore" directly, which is never shadowed by the late salt imports inside the function bodies.
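A stand-alone reproduction of the scoping bug described in the commit message above, added here as an example (not Salt's code). The stdlib `os` package stands in for `salt`, `import os.path` for the late `import salt.master`, and the `_ospath` alias for the module-level `_ostruststore` import the fix introduces, so it runs without Salt installed.

```python
"""Reproduce the UnboundLocalError caused by a late sub-module import.

Python decides at compile time that any name bound by an import statement
anywhere in a function body is a local of that function, even for code that
runs before the import.  `os` plays the role of `salt` below.
"""
import os
import os.path as _ospath  # module-level alias, mirrors `_ostruststore` in the fix


def prepare_broken():
    """Same shape as the original prepare(): the package is used at the top,
    and a sub-module of it is imported further down in the same function."""
    cwd = os.getcwd()        # compiled as LOAD_FAST 'os' -> UnboundLocalError
    import os.path           # binds a local 'os' for the WHOLE function
    return os.path.basename(cwd)


def prepare_fixed(parts=("etc", "salt", "master")):
    """The fix from the commit: call through a module-level alias, so the late
    import inside the function cannot shadow the name the early call uses."""
    path = _ospath.join(*parts)   # alias is a global, untouched by locals below
    import os.path                # still makes 'os' local, but nothing above uses it
    return os.path.basename(path)


def compiled_locals(fn):
    """Names the compiler treats as locals of fn (what the bug hinges on)."""
    return set(fn.__code__.co_varnames)


def run_broken():
    """Return the exception type raised by prepare_broken(), or None."""
    try:
        prepare_broken()
    except UnboundLocalError as exc:
        return type(exc)
    return None


if __name__ == "__main__":
    print("locals of prepare_broken:", compiled_locals(prepare_broken))
    print("prepare_broken raises:", run_broken())
    print("prepare_fixed returns:", prepare_fixed())
```

Inspecting `fn.__code__.co_varnames` is a quick way to confirm the compiler's decision when a daemon fails at startup with this error.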
What does this PR do?
Introduces opt-in support for verifying outbound TLS connections against the native OS certificate store (Windows CryptoAPI, macOS Keychain, Linux system CA bundle) instead of the bundled certifi CA bundle.
What issues does this PR fix or reference?
Fixes #65439
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
Commits signed with GPG?
Yes