rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0

Rancher2 Terraform Provider double base64 encodes `spec.caBundle` field of `ClusterRepo/rancher_catalog_v2` #1297

Closed adamkpickering closed 5 months ago

adamkpickering commented 5 months ago

Issue description:

The Rancher2 Terraform Provider double base64 encodes the `spec.caBundle` field of ClusterRepo/rancher_catalog_v2. As such, it is not possible for users to configure ClusterRepo/rancher_catalog_v2 resources via the Rancher2 Terraform Provider.

Business impact:

User manages a large number of clusters via the Rancher2 Terraform Provider; there is high overhead in configuring ClusterRepos manually via Rancher as a workaround to this bug.

Troubleshooting steps:

N/A

Repro steps:

```hcl
terraform {
  required_providers {
    rancher2 = {
      source = "rancher/rancher2"
      version = "3.2.0"
    }
  }
}

provider "rancher2" {
  api_url = "https://206.189.110.4/"
  token_key = "token-r2w6h:d2wf9q25pq7t5m9qf2znj28zpthklscp9bws4txmgkwsq8bscmr4mx"
  insecure = true
}

resource "rancher2_catalog_v2" "rancher" {
  cluster_id = "c-ccswc"
  name       = "rancher-partners-charts"
  git_repo   = "https://git.rancher.io/partner-charts"
  git_branch = "main"
  # CA certificate in DER format, base64 encoded once
  ca_bundle  = "MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkYtJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmTYo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97lc6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4eeUB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeEHg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPFUp/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KOVWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcRiQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYzeSf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZXHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRBVXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aBL6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfGjjxDah2nGN59PRbxYvnKkKj9"
}
```

Observe error of the format:

```
Git -C management-state/git-repo/rancher-partners-charts/8f17acdce9bffd6e05a58a3798840e408c4ea71783381ecd2e9af30baad65974 fetch origin -- main error: exit status 128, detail: fatal: unable to access 'https://git.rancher.io/partner-charts/': error setting certificate verify locations: CAfile: /tmp/ca-pem-325981070 CApath: none
```

Check ClusterRepo YAML via Rancher UI and observe the caBundle field has been base64 encoded (again):

Per Rancher docs "add a base64 encoded copy of the CA certificate in DER format to the spec.caBundle field of the chart repo, such as `openssl x509 -outform der -in ca.pem | base64 -w0`" (https://ranchermanager.docs.rancher.com/v2.6/pages-for-subheaders/helm-charts-in-rancher#repositories)

Create the ClusterRepo via Rancher UI, with the same configuration set via Terraform, observe success without double base64 encoding of the CA.

N.B. for testing purposes I just used the USERTrust_RSA_Certification_Authority CA from my laptop's CA trust store

Workaround:

Is a workaround available and implemented? Yes

What is the workaround: Configure ClusterRepo manually via Rancher UI

Actual behavior:

Rancher2 Terraform Provider double base64 encodes spec.caBundle field of ClusterRepo/rancher_catalog_v2

Expected behavior:

Rancher2 Terraform Provider does not double base64 encode spec.caBundle field of ClusterRepo/rancher_catalog_v2

Files, logs, traces:

N/A

Additional notes:

N/A
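The check below is an added example, not part of the original issue or of the provider's code: it classifies a `spec.caBundle` string as single or double base64 encoded by testing whether the decoded bytes form a DER SEQUENCE. The function names and `SAMPLE_DER` are constructed for illustration, and only the outer DER header and length are checked, not the certificate contents.

```python
import base64
import binascii

# Constructed sample: a DER SEQUENCE wrapping a 256-byte OCTET STRING.
# It is NOT a certificate; it only exercises the long-form DER length path.
SAMPLE_DER = b"\x30\x82\x01\x04" + b"\x04\x82\x01\x00" + bytes(256)


def _b64(data):
    """Strictly decode base64; return None when data is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def _is_der_sequence(raw):
    """True if raw is exactly one DER SEQUENCE (outer header and length only)."""
    if raw is None or len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:  # short form: the length fits in this byte
        header, length = 2, first
    else:  # long form: the low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(raw) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    return len(raw) == header + length


def classify_ca_bundle(value):
    """Report how many base64 layers wrap the DER data in a caBundle string."""
    once = _b64(value.strip())
    if once is None:
        return "not-base64"
    if _is_der_sequence(once):
        return "single"  # the form the Rancher docs quoted above call for
    if _is_der_sequence(_b64(once.strip())):
        return "double"  # the state this issue reports
    return "unknown"


if __name__ == "__main__":
    single = base64.b64encode(SAMPLE_DER).decode()
    double = base64.b64encode(single.encode()).decode()
    for label, value in (("single", single), ("double", double)):
        print(label, "->", classify_ca_bundle(value))
```

A stored value that begins with `TUlJ` instead of `MII` is a quick visual sign of the second layer, because `TUlJ` is the base64 encoding of the ASCII text `MII`.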

adamkpickering commented 5 months ago

Fixed by #1296.