Support for private Gitlab

[jeremydescamps]

Hello,

We would like to use our private Gitlab as endpoint for terraform modules.

Here is my trial :

          spec:
            forProvider:
              source: Remote
              module: "git::https://gitlab.private.example.com/gitlab/terraform/registry/terraform-aws-s3-bucket.git?ref=v5.8.2"
              vars:
                - key: bucket
                  value: "xxx-patched-xxx"
                - key: force_destroy
                  value: "true"

What problem are you facing?

The provider-opentofu is not able to reach the private Gitlab endpoint because of the following SSL error :

  Warning  CannotConnectToProvider  10s (x23 over 39h)  managed/workspace.opentofu.m.upbound.io  cannot get remote tofu module: error downloading 'https://gitlab.private.example.com/gitlab/terraform/registry/terraform-aws-s3-bucket.git?ref=v5.8.2': /usr/bin/git exited with 128: fatal: unable to access 'https://gitlab.private.example.com/gitlab/terraform/registry/terraform-aws-s3-bucket.git/': SSL certificate problem: self-signed certificate in certificate chain

By the way, there is no official documentation about the usage of a private Gitlab endpoint.

How could Upbound help solve your problem?

It could be nice to have an official documentation explaining :

• how to configure credentials when using private Gitlab endpoint
• how to add CA certificate in the provider-opentofu docker image
• how to set environment variables in the opentofu pod for example to set GIT_SSL_NO_VERIFY or any other useful config
• how to create my own docker image based on xpkg.upbound.io/upbound/provider-opentofu:v1

Thanks a lot !

[jsingleton785]

You can mount the CA cert that signed the private endpoint certs to a path that allows it to read and use them to verify.

If you're using self signed or unsigned certs, you'll need that ENV, and can use a DeploymentRuntimeConfiguration object to set that ENV for the provider pod as a whole:

apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: test
spec:
  deploymentTemplate:
    metadata:
      labels:
        app.kubernetes.io/name: test
      name: test
    spec:
      selector:
        matchLabels:
          app.kubernetes.io/name: test
      replicas: 1
      template:
        metadata:
          labels:
            app.kubernetes.io/name: test
        spec:
          containers:
          - args:
            - -d
            - --poll=30
            - --max-reconcile-rate=20
            - --leader-election
            name: package-runtime
            imagePullPolicy: Always
            volumeMounts:
            - mountPath: /etc/ssl
              name: pem-certs
            env:
              - name: SSL_CERT_FILE
                value: /etc/ssl/cert.pem
              - name: GIT_SSL_CAINFO
                value: /etc/ssl/cert.pem
              - name: GIT_SSL_NO_VERIFY
                value: "true"
          volumes:
          - configMap:
              items:
              - key: ca-bundle.crt
                path: cert.pem
              name: tls-certs
            name: pem-certs
  serviceAccountTemplate:
    metadata:
      name: test

Then point the provider at the deploymentruntimeconfiguration

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: opentofu
spec:
  package: xpkg.upbound.io/upbound/provider-opentofu:v1.0.0
  packagePullPolicy: Always
  runtimeConfigRef:
    name: test
  skipDependencyResolution: true