upbound / provider-terraform

A Crossplane provider for Terraform
https://marketplace.upbound.io/providers/upbound/provider-terraform/
Apache License 2.0

Allow pulling modules from insecure/self-signed registries and repos #139

Open michaelvdnet opened 1 year ago

michaelvdnet commented 1 year ago

What problem are you facing?

We're looking into managing our terraform modules from Crossplane, but are blocked by SSL certificate errors when pulling from our on-premise gitlab registry/repository.

connect failed: cannot get remote Terraform module: error downloading 'https://<module repo>?ref=main': /usr/bin/git exited with 128: Cloning into '/tf/d0703514-f1ed-4a74-a7d9-17ff4d6632ca'...
fatal: unable to access 'https://<module repo>': SSL certificate problem: unable to get local issuer certificate

How could Official Terraform Provider help solve your problem?

Allowing us to either skip TLS verification (this can be done by setting Insecure to true in the go-getter Client constructor) or set the CA certificate would allow us to pull from self-signed registries.

MrVinkel commented 1 year ago

Hi,

I looked into this since we also need to pull from a self-signed repository. I found it is not enough to just add Insecure: true to the go-getter client, since it is only used when the go-getter client makes HTTP requests.

However, I found you can disable the SSL check in git by setting the environment variable GIT_SSL_NO_VERIFY=true. This can be done in the controller config:

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-terraform
spec:
  package: xpkg.upbound.io/upbound/provider-terraform:v0.10.0
  controllerConfigRef:
    name: provider-terraform
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: provider-terraform
spec:
  env:
    - name: GIT_SSL_NO_VERIFY
      value: "true"

It ain't pretty, but it is a workaround.

I think the correct solution is to inject a ConfigMap with root and intermediate certificates which need to be trusted by the go-getter HTTP/git client, but I have not looked into this yet, or whether it is even possible.
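The GIT_SSL_NO_VERIFY workaround above turns off certificate verification for every clone the provider pod performs, not only for the on-premise GitLab, so any network position between the pod and the module source can serve a substituted module. The trusted-CA approach the comment sketches can be done with the same ControllerConfig resource. The manifest below is an added example, not code from the issue or from the provider-terraform project: the ConfigMap name gitlab-ca, the namespace crossplane-system, the mount path /etc/ssl/custom and the key ca-bundle.crt are assumptions, and the PEM body is a placeholder to be replaced with the real root and intermediate certificates.

```yaml
# Added example (not from the issue or the provider project): trust the
# on-premise CA instead of disabling verification. Assumed names: the
# ConfigMap "gitlab-ca" in crossplane-system (the namespace the provider
# pod runs in), the mount path /etc/ssl/custom and the key ca-bundle.crt.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitlab-ca
  namespace: crossplane-system
data:
  # Placeholder: paste the PEM of the root CA and any intermediates that
  # issued the GitLab server certificate, one after another.
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    <root CA PEM>
    -----END CERTIFICATE-----
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: provider-terraform
spec:
  # Mount the bundle into the provider pod read-only.
  volumes:
    - name: gitlab-ca
      configMap:
        name: gitlab-ca
  volumeMounts:
    - name: gitlab-ca
      mountPath: /etc/ssl/custom
      readOnly: true
  env:
    # git, which go-getter shells out to for git sources (the error in this
    # issue comes from that git clone), verifies the server against this
    # bundle instead of the image's default CA file.
    - name: GIT_SSL_CAINFO
      value: /etc/ssl/custom/ca-bundle.crt
    # Go's crypto/x509 on Linux honours SSL_CERT_FILE, so go-getter's own
    # HTTP client trusts the same bundle when a module is fetched over
    # plain HTTPS rather than via git.
    - name: SSL_CERT_FILE
      value: /etc/ssl/custom/ca-bundle.crt
```

Both variables replace the default CA file rather than extending it: if the same provider also pulls modules from public hosts, the bundle in the ConfigMap has to contain those public roots as well (for example by concatenating the private CA onto a copy of the distribution's ca-certificates bundle). Verification stays enabled, so a certificate issued by any CA not in the bundle still fails with the same "unable to get local issuer certificate" error, which is the behaviour you want.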