Issue description:
The Rancher2 Terraform Provider double base64 encodes the spec.caBundle field of ClusterRepo/rancher_catalog_v2; as such, it is not possible for users to configure ClusterRepo/rancher_catalog_v2 resources via Rancher2 Terraform Provider.
Business impact:
User manages a large number of clusters via Rancher2 Terraform Provider; configuring ClusterRepos manually via Rancher as a workaround to this bug carries high overhead.
Troubleshooting steps:
N/A
Repro steps:
Provision a Rancher v2.7.6 and a single all-role node downstream custom RKE cluster (I used github.com/superseb/tf-do-rancher2)
Attempt to configure a rancher_catalog_v2 resource via Rancher2 Terraform Provider:
Observe error of the format:
git -C management-state/git-repo/rancher-partners-charts/8f17acdce9bffd6e05a58a3798840e408c4ea71783381ecd2e9af30baad65974 fetch origin -- main error: exit status 128, detail: fatal: unable to access 'https://git.rancher.io/partner-charts/': error setting certificate verify locations: CAfile: /tmp/ca-pem-325981070 CApath: none
Check ClusterRepo YAML via Rancher UI and observe the caBundle field has been base64 encoded (again):
Per Rancher docs: "add a base64 encoded copy of the CA certificate in DER format to the spec.caBundle field of the chart repo, such as openssl x509 -outform der -in ca.pem | base64 -w0" (https://ranchermanager.docs.rancher.com/v2.6/pages-for-subheaders/helm-charts-in-rancher#repositories)
Create the ClusterRepo via Rancher UI, with the same configuration set via Terraform, observe success without double base64 encoding of the CA.
N.B. for testing purposes I just used the USERTrust_RSA_Certification_Authority CA from my laptop's CA trust store
Workaround:
Is a workaround available and implemented? Yes
What is the workaround: Configure ClusterRepo manually via Rancher UI
Actual behavior:
Rancher2 Terraform Provider double base64 encodes spec.caBundle field of ClusterRepo/rancher_catalog_v2
Expected behavior:
Rancher2 Terraform Provider does not double base64 encode spec.caBundle field of ClusterRepo/rancher_catalog_v2
Files, logs, traces:
N/A
Additional notes:
N/A
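One way to confirm the double encoding on a spec.caBundle value copied from the ClusterRepo YAML, as an added example that is not part of the original report or the provider's code. The function names are hypothetical, the CA is a throwaway certificate constructed in the program, and the check assumes the DER form described in the quoted Rancher docs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// encodingDepth returns how many base64 layers wrap a DER certificate in a
// caBundle value: 1 is the form the Rancher docs describe, 2 is the double
// encoding reported here, 0 means no certificate was found within two layers.
func encodingDepth(caBundle string) int {
	s := caBundle
	for depth := 1; depth <= 2; depth++ {
		decoded, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return 0
		}
		if _, err := x509.ParseCertificate(decoded); err == nil {
			return depth
		}
		s = string(decoded) // not a certificate yet: try one more layer
	}
	return 0
}

// constructedCA builds a throwaway self-signed CA in DER form (sample input,
// constructed for this example; not the CA used in the report).
func constructedCA() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "constructed-test-ca"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return der
}

func main() {
	once := base64.StdEncoding.EncodeToString(constructedCA()) // like: openssl ... | base64 -w0
	twice := base64.StdEncoding.EncodeToString([]byte(once))   // the value after a second encoding
	fmt.Println("as documented:", encodingDepth(once), "double encoded:", encodingDepth(twice))
}
```

A result of 2 for the value stored by the provider and 1 for the value stored via the Rancher UI matches the behavior described in this report.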