From 2c0379005972a95d1d12605bea580e3f708bad9e Mon Sep 17 00:00:00 2001
From: Gustavo Ornaghi Antunes <gustavo.ornaghiantunes@windriver.com>
Date: Thu, 18 Sep 2025 12:13:34 -0300
Subject: [PATCH] Improve cephclient's SSL error handling

When making requests to the Ceph client API, the SSL error
'CERTIFICATE_VERIFY_FAILED' causes the client to invoke an unnecessary
_get_service_url method.

This change adds specific handling for requests.exceptions.SSLError. If
the error is related to certificate verification failure
(CERTIFICATE_VERIFY_FAILED), the client will only refresh the session.
For other SSL errors, the client will keep the previous behavior.

Test Plan:
1. Scenarios with a Valid Certificate:
  - PASS: Valid restful URL. Expect 'Ceph Storage Healthy: [OK]' in
          'system health-query-kube-upgrade' cmd. No errors should be
          logged.
  - PASS: Invalid restful URL. Expect 'Ceph Storage Healthy: [Fail]' in
          'system health-query-kube-upgrade' cmd. A "Response Error"
          must be logged.
  - PASS: Empty restful URL. Expect 'Ceph Storage Healthy: [Fail]' in
          'system health-query-kube-upgrade' cmd. A "Response Error"
          must be logged.

2. Scenarios with an Invalid Certificate:
  - PASS: Valid restful URL. Expect 'Ceph Storage Healthy: [OK]' in
          'system health-query-kube-upgrade' cmd. A "Response SSL Error"
          must be logged.
  - PASS: Invalid restful URL. Expect 'Ceph Storage Healthy: [Fail]' in
          'system health-query-kube-upgrade' cmd. A "Response Error"
          must be logged.
  - PASS: Empty restful URL. Expect 'Ceph Storage Healthy: [Fail]' in
          'system health-query-kube-upgrade' cmd. A "Response Error"
          must be logged.

NOTE: All tests were performend on SX, DX and Standard environments

Partial-bug: 2125192

Depends-On: https://review.opendev.org/c/starlingx/config/+/961693

Change-Id: Id3cdb934228791194b594e059cb0014ae2bb0c9e
Signed-off-by: Gustavo Ornaghi Antunes <gustavo.ornaghiantunes@windriver.com>
---
 .../python-cephclient/cephclient/client.py             | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ceph/python-cephclient/python-cephclient/cephclient/client.py b/ceph/python-cephclient/python-cephclient/cephclient/client.py
index 2ac022b3..612ec3aa 100644
--- a/ceph/python-cephclient/python-cephclient/cephclient/client.py
+++ b/ceph/python-cephclient/python-cephclient/cephclient/client.py
@@ -250,6 +250,16 @@ class CephClient(object):
                             'and retry.'.format(self.username))
                 self._get_password()
                 self._refresh_session()
+            except requests.exceptions.SSLError as e:
+                if "CERTIFICATE_VERIFY_FAILED" in str(e):
+                    LOG.warning("Request SSL error: %s. Refresh session and retring...", e, exc_info=0)
+                    self._refresh_session()
+                else:
+                    LOG.warning(
+                        'Request SSL error: %s. '
+                        'Refresh restful service URL and retry', e, exc_info=0)
+                    self._get_service_url()
+                    self._refresh_session()
             except (requests.ConnectionError,
                     requests.Timeout,
                     requests.HTTPError) as e: