lxc / terraform-provider-incus

Incus provider for Terraform/OpenTofu
https://linuxcontainers.org/incus
Mozilla Public License 2.0

Terraform provider does not work with my PKI and certs, however accessing incus API directly with curl works #67

Closed invizus closed 4 months ago

invizus commented 4 months ago

summary

I have several incus servers, and want to create containers from one central place (i.e. my laptop). Therefore it needs to work via https and the incus API. I also need to use my PKI so that I can issue certificates to other users.

On the Incus server, I placed the CA cert in /var/lib/incus/server.ca and used the incus config trust add-certificate command. See relevant links below.

I stored client cert/key and CA (client.crt, client.key, client.ca) on my laptop in ~/.config/incus/.

curl tests pass, see below.

issue

I think certificates and PKI are set up correctly, and deployed onto the incus server correctly. The curl test works with these certs; however, it does not work when I use terraform.

I tried concatenating (cat) client.ca into client.crt; it still works for curl but still does not work for terraform.

incus_instance.instance: Creating...
╷
│ Error: Failed to retrieve Incus InstanceServer
│ 
│   with incus_instance.instance,
│   on main.tf line 1, in resource "incus_instance" "instance":
│    1: resource "incus_instance" "instance" {
│ 
│ Unable to create server client for remote "test-11": Unable to authenticate with remote server: not authorized

terraform code:

# provider.tf
terraform {
  required_providers {
    incus = {
      source = "lxc/incus"
      version = "0.1.1"
    }
  }
}

provider "incus" {
  generate_client_certificates = false
  accept_remote_certificate    = true
  remote {
    name = "test-11"
    scheme = "https"
    address = "192.168.1.11"
    default = true
  }
}

# main.tf
resource "incus_instance" "instance" {
  name = "testytest"
  image = "images:debian/bookworm/cloud"
  profiles = ["default"]
}

other relevant logs

terraform can access certs

$ inotifywait -m -e open ~/.config/incus/*
Setting up watches.
Watches established.
/home/invizus/.config/incus/servercerts/ OPEN test-11.crt
/home/invizus/.config/incus/client.crt OPEN 
/home/invizus/.config/incus/client.ca OPEN 
/home/invizus/.config/incus/client.key OPEN

curl works:

$ curl -s -k --cert ~/.config/incus/client.crt --cacert ~/.config/incus/client.ca \
--key ~/.config/incus/client.key https://192.168.1.11:8443/1.0 -X GET | jq .metadata.auth
"trusted"

Update: Just FYI curl works only when concatenating CA into client cert.

relevant links

https://discuss.linuxcontainers.org/t/how-to-add-a-certificate-to-incus-remotely/19549

https://linuxcontainers.org/incus/docs/main/authentication/#using-a-pki-system
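The curl check from the report, reproduced as an added Python example (not code from the issue or from the provider) so the two things it depends on can be inspected separately: how many certificates client.crt actually carries (the concatenated-CA variant the report mentions), and what metadata.auth the server returns over mTLS. It assumes the same ~/.config/incus layout seen in the inotifywait output, and pins the server against servercerts/test-11.crt instead of disabling verification the way curl -k does.

```python
"""mTLS check against the Incus API (GET /1.0), mirroring the curl test in the report."""
import http.client
import json
import ssl
from pathlib import Path

INCUS_DIR = Path.home() / ".config" / "incus"  # assumption: layout from the inotifywait output


def count_pem_certs(pem_text: str) -> int:
    """Number of CERTIFICATE blocks in a PEM file.

    1 means client.crt is the bare leaf; 2 or more means the CA chain has been
    concatenated into it, which is the variant the reporter says curl needs."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def auth_status(body: bytes) -> str:
    """Extract metadata.auth ("trusted" / "untrusted") from a GET /1.0 response body."""
    doc = json.loads(body)
    return doc.get("metadata", {}).get("auth", "unknown")


def build_context(cert: Path, key: Path, server_cert: Path) -> ssl.SSLContext:
    """Client context: present the client cert/key and verify the server against the
    pinned certificate stored under servercerts/, rather than skipping verification."""
    ctx = ssl.create_default_context(cafile=str(server_cert))
    ctx.check_hostname = False  # remote is addressed by IP; trust rests on the pinned cert
    ctx.load_cert_chain(certfile=str(cert), keyfile=str(key))  # sends the whole PEM chain
    return ctx


def check_remote(address: str, remote: str, port: int = 8443) -> str:
    """Return the auth status the Incus server reports for our client certificate."""
    ctx = build_context(INCUS_DIR / "client.crt", INCUS_DIR / "client.key",
                        INCUS_DIR / "servercerts" / f"{remote}.crt")
    conn = http.client.HTTPSConnection(address, port, context=ctx, timeout=10)
    try:
        conn.request("GET", "/1.0")
        return auth_status(conn.getresponse().read())
    finally:
        conn.close()


if __name__ == "__main__":
    # Values from the report: remote "test-11" at 192.168.1.11
    print("certificates in client.crt:", count_pem_certs((INCUS_DIR / "client.crt").read_text()))
    print("auth:", check_remote("192.168.1.11", "test-11"))
```

"untrusted" with a successful TLS handshake means the server accepted the connection but did not match the presented certificate against its trust store, which is the condition the provider surfaces as "not authorized".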

invizus commented 4 months ago

Just FYI curl works only when concatenating CA into client cert.

invizus commented 4 months ago

invalid