plumber-cd / terraform-backend-git

Terraform HTTP Backend implementation that uses Git repository as storage
Apache License 2.0

x509: certificate signed by unknown authority #31

Closed joaquinrovira closed 1 year ago

joaquinrovira commented 1 year ago

Firstly, I'd like to thank you for this awesome project. It's crazy how HashiCorp hasn't included it yet into Terraform. Now onto the issue at hand.

Issue

I am testing terraform-backend-git standalone server using the Docker image ghcr.io/plumber-cd/terraform-backend-git:latest (v0.1.2 at this time). The Terraform backend is set up like so:

docker run --name terraform-git-backend --rm \
    -e GIT_USERNAME=<MY-GIT-USERNAME> -e GITHUB_TOKEN=<MY-GIT-TOKEN> \
    -e TF_BACKEND_GIT_ADDRESS=0.0.0.0:6061 -p 6061:6061 \
    ghcr.io/plumber-cd/terraform-backend-git:latest terraform-backend-git

terraform {
  backend "http" {
    address        = "http://localhost:6061/?type=git&repository=https://<MY-GIT-SERVER>&ref=main&state=terraform.tfstate"
    lock_address   = "http://localhost:6061/?type=git&repository=https://<MY-GIT-SERVER>&ref=main&state=terraform.tfstate"
    unlock_address = "http://localhost:6061/?type=git&repository=https://<MY-GIT-SERVER>&ref=main&state=terraform.tfstate"
  }
}

When running terraform init I get the following output:

Initializing the backend...

Successfully configured the backend "http"! Terraform will automatically
use this backend unless the backend configuration changes.
Error refreshing state: Failed to get state: GET http://localhost:6061/?type=git&repository=https://<MY-GIT-SERVER>&ref=main&state=terraform.tfstate giving up after 3 attempt(s)

While the server produces the following output:

WARNING: Published ports are discarded when using host network mode
[terraform-backend-git]: WARNING: HTTP basic auth is disabled, please specify TF_BACKEND_GIT_HTTP_USERNAME and TF_BACKEND_GIT_HTTP_PASSWORD
[terraform-backend-git]: listen on 0.0.0.0:6061
[terraform-backend-git]: Get "https://<MY-GIT-SERVER>/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority
[terraform-backend-git]: Get "https://<MY-GIT-SERVER>/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority
[terraform-backend-git]: Get "https://<MY-GIT-SERVER>/info/refs?service=git-upload-pack": x509: certificate signed by unknown authority

Using http://<MY-GIT-SERVER> instead of https://<MY-GIT-SERVER> yields the same output, as the request is redirected by the git server back to https. Going via ssh is not possible as the access method must be via an access token (i.e. using GIT_USERNAME/GITHUB_TOKEN env vars). As such, the StrictHostKeyChecking option is useless.

Solution

As I see it, there are two ways this can be solved:

  1. Including CA certificates with the docker image.
  2. Adding an option to ignore TLS for HTTPS requests.

Include CA Certs in the image

This would be as simple as adding the following instruction after FROM debian:buster to the Dockerfile

RUN DEBIAN_FRONTEND="noninteractive" apt-get update && apt-get install -y ca-certificates

I have built the image locally and can confirm it works once the certificates are included with the image.

Ignoring TLS for HTTPS requests

As the project is using the go-git library, ignoring TLS would mean including the attribute InsecureSkipTLS: true to all git requests. This would involve more coding as the option has to be added to all constructors of CloneOptions, PullOptions, FetchOptions, PushOptions and ListOptions. Not very complex, but certainly more involved than the first option.
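The two options above differ in what the Go TLS client is allowed to check. The following is an added example, not code from the terraform-backend-git project or from this issue: it builds a throwaway private CA and a server certificate in memory (the host name git.example.internal is hypothetical), then runs the same crypto/x509 verification that Go's TLS client performs before go-git's HTTP transport can fetch info/refs. An empty root pool reproduces the "certificate signed by unknown authority" error from the log; loading the CA into the pool, which is what the ca-certificates package (or a mounted CA bundle) does for the container, makes the same certificate verify. A host name mismatch is shown failing separately, because InsecureSkipTLS would silence that check as well as the chain check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTestChain builds, in memory, a private CA and a server certificate it
// issued for host, mimicking a self-hosted Git server whose CA no stock image
// trusts. host is a hypothetical name; nothing here is a real certificate.
func newTestChain(host string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// caPEM renders the CA as it would appear in a PEM bundle such as the one the
// ca-certificates package assembles, or a file mounted into the container.
func caPEM(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// trustedPool loads a PEM bundle into a root pool. An empty bundle yields an
// empty pool, the state of an image with no ca-certificates installed.
func trustedPool(bundle []byte) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // false for an empty bundle; the pool simply stays empty
	return pool
}

// verifyServer runs the chain and host name check Go's TLS client performs
// before go-git's HTTP transport can fetch info/refs from the server.
func verifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is the failure quoted in the issue log.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	const host = "git.example.internal" // hypothetical self-hosted Git server
	ca, leaf, err := newTestChain(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("no CA bundle:", verifyServer(leaf, trustedPool(nil), host))      // the unknown-authority error
	fmt.Println("CA in bundle:", verifyServer(leaf, trustedPool(caPEM(ca)), host)) // <nil>
}
```

The point for a deployment: option 1 (shipping or mounting the right CA bundle) keeps both checks intact and only changes which issuers are trusted, whereas an InsecureSkipTLS-style option accepts any certificate for any host, so state pushed to the Git server could be read or modified by whoever terminates the connection.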

dee-kryvenko commented 1 year ago

Thanks @joaquinrovira for your interest in the project and your contribution! I just released https://github.com/plumber-cd/terraform-backend-git/releases/tag/v0.1.3 that includes your fix.