provider-terraform
git-credentials secret is not properly loading
What happened?
Following these steps https://github.com/crossplane-contrib/provider-terraform#private-git-repository-support I was unable to get crossplane-terraform to pull from a private repo.
I was able to get it working by creating a .git-credentials file inside the container with kubectl ssh -u root, so it seems to stem from the file not getting mounted into the pod properly.
The error message I get is
could not read Username for 'https://github.com': No such device or address\n"}
How can we reproduce it?
My configurations are as follows
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: terraform-config
  labels:
    app: crossplane-provider-terraform
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::OMITTED:role/crossplane
spec:
  image: crossplane/provider-terraform-controller:v0.4.0-rc.0.2.gf3bd7e0
  args:
    - "--debug"
    - "--poll=5m"
  podSecurityContext:
    fsGroup: 2000
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: crossplane-provider-terraform
spec:
  package: crossplane/provider-terraform:v0.4.0
  controllerConfigRef:
    name: terraform-config
---
apiVersion: tf.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  annotations: {}
  name: aws-irsa
spec:
  credentials:
    # Terraform natively supports IRSA auth so we can use None here
    - filename: aws.json
      source: None
---
apiVersion: tf.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    - filename: .git-credentials
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: git-credentials
        key: .git-credentials
Secret
k get secret git-credentials -o yaml
apiVersion: v1
data:
  .git-credentials: OMITTED
kind: Secret
metadata:
  name: git-credentials
  namespace: crossplane-system
type: Opaque
What environment did it happen in?
Crossplane version:
package: crossplane/provider-terraform:v0.4.0
image: crossplane/provider-terraform-controller:v0.4.0-rc.0.2.gf3bd7e0
Same issues with version 0.3.0
Hi @brett-au, thanks a lot for the report.
I've double-checked on my side, the .git-credentials are getting propagated properly from a Secret
/tmp/tf/cd081adf-d90f-4dac-b4c4-2ed54643ba26/.git-credentials
/ $ cat /tmp/tf/cd081adf-d90f-4dac-b4c4-2ed54643ba26/.git-credentials
https://<user>:<pass>@github.com
Please note that we are mounting them under /tmp/tf/$uuid per each Workspace MR and not globally within the container.
I've noticed you are using two ProviderConfigs in your configuration, are you sure you are using default one for the propagation test?
apiVersion: tf.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  annotations: {}
  name: aws-irsa
spec:
  credentials:
    # Terraform natively supports IRSA auth so we can use None here
    - filename: aws.json
      source: None
---
apiVersion: tf.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    - filename: .git-credentials
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: git-credentials
        key: .git-credentials
Hi @ytsarev, is there a way to integrate the git credentials via an SSH key?
@balu-ce not currently, but there is a PR https://github.com/crossplane-contrib/provider-terraform/pull/77 which addresses this functionality. Unfortunately, the PR requires some substantial rework/update.
Hi,
I have the same problem. It seems that the terraform provider doesn't pick the credential file.
apiVersion: tf.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: tf-provider-config
spec:
  credentials:
    - filename: credentials
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: aws-secret
        key: creds
    - filename: .git-credentials
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: git-credentials
        key: .git-credentials
  configuration: |
    provider "aws" {
      shared_credentials_files = ["credentials"]
      profile = "default"
    }
    terraform {
      backend "kubernetes" {
        secret_suffix = "state"
        namespace = "crossplane-system"
        in_cluster_config = true
      }
    }
$ kubectl exec -ti -n crossplane-system provider-terraform-c07358410444-6854b8df6f-nq4b6 -- cat /tmp/tf/cb7865e9-a58e-4036-a8e5-ccad1df5f228/.git-credentials
https://<redacted>:<redacted>@gitlab.com
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
  name: tf-remote-test
spec:
  forProvider:
    source: Remote
    module: https://gitlab.com/<redacted>/tf-basic-module.git
  # All Terraform outputs are written to the connection secret.
  writeConnectionSecretToRef:
    namespace: default
    name: terraform-workspace-remote-test
  providerConfigRef:
    name: tf-provider-config
But I got
$ kubectl describe workspaces
Warning CannotConnectToProvider 9s (x5 over 24s) managed/workspace.tf.upbound.io cannot get remote Terraform module: error downloading 'https://gitlab.com/<redacted>/tf-basic-module.git': bad response code: 403
The credential is good. Both the username and the token are valid and could be used to pull the repo manually. But the provider couldn't use the credential file it seems.
Ok I solved the issue by changing the source to: git::< url here >?ref=master In the second example in the doc there is this prefix. :D In the first one there is no "git::" prefix, I should have read through all the docs :D
@milkfinch could you point to the problematic place in the doc? The PR with the fix would be the most amazing :)
On the page https://github.com/upbound/provider-terraform in the example after 'module:' the URI doesn't have the 'git::' prefix. But without that my setting didn't work. In the git examples folder the workspace-remote.yaml has the right URI.
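The resolution above (a Remote module given as a plain https:// URL returned 403 until it was written as git::<url>?ref=master) can be checked for before applying manifests. The script below is an added example, not code from the thread or from the provider-terraform project; the function names, the gitlab.com/example-group path and the 2-space indentation it relies on are assumptions.

```shell
#!/bin/sh
# Added example (not from the provider-terraform project).
# Reads Kubernetes manifests on stdin and prints every Workspace whose
# Remote module is a plain http(s):// URL, i.e. lacks the git:: prefix
# that resolved the 403 in this thread.
# Assumption: manifests use 2-space indentation, as in the thread's YAML.
lint_workspace_modules() {
  awk '
    function emit() {
      if (kind == "Workspace" && src == "Remote" && mod ~ /^https?:\/\//)
        print name ": " mod
      kind = src = mod = name = ""; in_meta = 0
    }
    /^---[ \t]*$/          { emit(); next }     # document separator
    /^kind:/               { kind = $2 }
    /^metadata:/           { in_meta = 1; next }
    /^[A-Za-z]/            { in_meta = 0 }      # any other top-level key
    in_meta && /^  name:/  { name = $2 }        # metadata.name only
    /^    source:/         { src = $2 }         # spec.forProvider.source
    /^    module:/         { mod = $2; gsub(/["\047]/, "", mod) }
    END                    { emit() }
  '
}

# Constructed sample input: the first Workspace mirrors the failing one in
# the thread, the second uses the git:: form that fixed it.
sample_manifests() {
  cat <<'EOF'
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
  name: tf-remote-test
spec:
  forProvider:
    source: Remote
    module: https://gitlab.com/example-group/tf-basic-module.git
---
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
  name: tf-remote-fixed
spec:
  forProvider:
    source: Remote
    module: git::https://gitlab.com/example-group/tf-basic-module.git?ref=master
EOF
}

sample_manifests | lint_workspace_modules
```

Pipe real manifests into `lint_workspace_modules` the same way; an empty result means no Remote Workspace uses a bare http(s) module URL.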