upbound / provider-terraform

A @crossplane provider for Terraform
Apache License 2.0

TLS error using External Secret Store #228

Closed phisco closed 3 months ago

phisco commented 5 months ago

What happened?

Following https://docs.crossplane.io/knowledge-base/integrations/vault-as-secret-store/#configure-vault-kubernetes-authentication and deploying the manifest below results in the following error:

```text
DEBUG    events    cannot write to secret store: cannot apply secret: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"    {"type": "Warning", "object": {"kind":"Workspace","name":"example-random-generator","uid":"ea54747c-8c63-449d-bbcb-a97f29ca943c","apiVersion":"tf.upbound.io/v1beta1","resourceVersion":"2164800533"}, "reason": "CannotPublishConnectionDetails"}
```
```yaml
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
  name: example-random-generator
  annotations:
    meta.upbound.io/example-id: tf/v1beta1/workspace
    # The terraform workspace will be named 'crossplane'. If you omit this
    # annotation it would be derived from metadata.name - e.g. 'example-random-generator'.
    crossplane.io/external-name: crossplane
spec:
  forProvider:
    source: Inline
    module: |
      resource "random_id" "example_id" {
        byte_length = 4
      }
      resource "random_password" "password" {
        length = 16
        special = true
      }
      // Non-sensitive Outputs are written to status.atProvider.outputs and to the connection secret.
      output "random_id_hex" {
        value       = random_id.example_id.hex
      }
      // Sensitive Outputs are only written to the connection secret
      output "random_password" {
        value = random_password.password
        sensitive = true
      }
      // Terraform has several other random resources, see the random provider for details
  providerConfigRef:
    name: ess-terraform
  publishConnectionDetailsTo:
    name: random-to-vault
    configRef:
      name: vault
```

This is due to the missing injection of the ESS TLS secrets here, as done by other providers, e.g. see https://github.com/upbound/provider-aws/pull/677 or https://github.com/upbound/provider-gcp/pull/294.

Unfortunately, we need to also bump the crossplane-runtime dependency to a more recent version, which breaks the build for some not so trivial issue on the generated code.

How can we reproduce it?

See above.

What environment did it happen in?

DrummyFloyd commented 5 months ago

Hi, any update regarding this? :)