terraform-provider-flux
SSH key scan for host github.com:22 failed
Could you please add a new provider parameter `ssh-hostname` to the flux Terraform provider so that it works in an environment with a firewall?
My Terraform version is [1.4-latest].
And here is my TF code:
```hcl
terraform {
  required_providers {
    flux = {
      source  = "fluxcd/flux"
      version = "1.1.0"
      # version = "1.0.1"
    }
  }
}

provider "flux" {
  kubernetes = {
    host                   = xxx  # redacted
    client_certificate     = xxxx # redacted
    client_key             = xxxx # redacted
    cluster_ca_certificate = xxxx # redacted
  }
  git = {
    url    = "ssh://git@github.com/orgName/${local.flux_fleet_repo_name}.git"
    branch = var.flux_v2_deploy.flux_fleet_branch
    ssh = {
      username = "git"
      # Errors when auto_generate_key is false, because the resource then has count = 0.
      private_key = tls_private_key.main[0].private_key_pem
    }
  }
}

# Generated only when auto_generate_key is set; the public half is registered as a deploy key below.
resource "tls_private_key" "main" {
  count       = var.flux_v2_deploy.auto_generate_key ? 1 : 0
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

data "github_repository" "main" {
  name = local.flux_fleet_repo_name
}

resource "github_repository_deploy_key" "main" {
  count      = var.flux_v2_deploy.auto_generate_key ? 1 : 0
  title      = xxxx # redacted
  repository = data.github_repository.main.name
  key        = tls_private_key.main[0].public_key_openssh
  # Write access is only needed if Flux pushes back to the repo (e.g. image automation); otherwise read-only suffices.
  read_only  = false
}
```
In our environment, the public network can only be accessed through a proxy.
@stefanprodan We are blocked by this problem because Terraform runs inside the intranet; we can only access the internet through an http_proxy, so accessing GitHub is impossible when using the new flux provider to install the new version of Flux. Do you know how we can solve this problem in the current situation, or do you have a plan to add this parameter?
Any update on this?
You can disable the secret creation with `disable_secret_creation`,
so that the provider will not run the SSH scan, and create the private key from Terraform directly:
```hcl
resource "kubernetes_namespace" "flux_system" {
  metadata {
    name = "flux-system"
  }
  lifecycle {
    # Flux adds its own labels to the namespace; don't fight it on every plan.
    ignore_changes = [metadata]
  }
}

# The secret Flux expects to find when bootstrap runs with secret creation disabled.
# tls_private_key.flux is a tls_private_key resource declared elsewhere
# (the same role as tls_private_key.main in the original report).
resource "kubernetes_secret" "ssh_keypair" {
  metadata {
    name      = "flux-system"
    namespace = "flux-system"
  }
  type = "Opaque"
  data = {
    "identity.pub" = tls_private_key.flux.public_key_openssh
    "identity"     = tls_private_key.flux.private_key_pem
    # Pinned github.com host key, replacing the ssh-keyscan the provider would otherwise run.
    "known_hosts"  = "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg="
  }
  depends_on = [kubernetes_namespace.flux_system]
}
```
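Pinning a host key copied out of an issue comment is trust-on-first-use with a third party in the loop, so the check a practitioner wants before putting that `known_hosts` line into the secret is to confirm it against the fingerprints GitHub publishes. The script below is an added example, not code from the thread or from terraform-provider-flux: it parses the known_hosts line from the snippet above, checks that the key blob really encodes the key type it claims, computes the OpenSSH-style SHA256 fingerprint with only the standard library (no network, so it runs behind the firewall), and compares it with the expected fingerprint. The `GITHUB_ECDSA_FINGERPRINT` constant is the value published on GitHub's SSH key fingerprints page at the time of writing and should be re-checked there; the tampered line in the usage block is constructed to show what a mismatch looks like.

```python
"""Offline verification of a pinned known_hosts line against a published fingerprint.

Added example; not part of the terraform-provider-flux project or this thread.
"""
import base64
import hashlib
import struct

# The known_hosts line from the Terraform snippet above, copied verbatim.
KNOWN_HOSTS_LINE = (
    "github.com ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg="
)

# GitHub's published ECDSA host key fingerprint at the time of writing. Assumption to
# re-verify against https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
GITHUB_ECDSA_FINGERPRINT = "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"


def parse_known_hosts_line(line):
    """Split 'host keytype base64' into (host, keytype, decoded key blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("known_hosts line needs host, key type and key fields")
    host, keytype, b64 = fields[0], fields[1], fields[2]
    return host, keytype, base64.b64decode(b64, validate=True)


def ssh_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def embedded_key_type(blob):
    """The key type encoded inside the blob itself (its first SSH string)."""
    name, _ = ssh_string(blob, 0)
    return name.decode("ascii")


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_known_hosts_line(line, expected_host, expected_fingerprint):
    """Return (ok, fingerprint, problems) for one known_hosts line.

    ok is True only when the host matches, the declared key type matches the type
    encoded in the blob, and the SHA256 fingerprint equals expected_fingerprint.
    """
    host, keytype, blob = parse_known_hosts_line(line)
    problems = []
    if host != expected_host:
        problems.append(f"host {host!r} != {expected_host!r}")
    inner = embedded_key_type(blob)
    if inner != keytype:
        problems.append(f"declared type {keytype} but blob encodes {inner}")
    fp = fingerprint_sha256(blob)
    if fp != expected_fingerprint:
        problems.append(f"fingerprint {fp} != {expected_fingerprint}")
    return (not problems, fp, problems)


# Constructed tampered copy: one base64 character changed early in the blob,
# standing in for a line someone altered in transit or in a comment.
TAMPERED_LINE = KNOWN_HOSTS_LINE.replace("BBEmKSENjQ", "BBEnKSENjQ")

if __name__ == "__main__":
    for label, line in (("pinned", KNOWN_HOSTS_LINE), ("tampered", TAMPERED_LINE)):
        ok, fp, problems = verify_known_hosts_line(line, "github.com", GITHUB_ECDSA_FINGERPRINT)
        print(f"{label}: {'OK' if ok else 'REJECT'} {fp}")
        for p in problems:
            print(f"  - {p}")
```

The same function works for the `ssh-ed25519` and `ssh-rsa` lines GitHub also publishes, with the corresponding expected fingerprint; if a pinned key stops matching, treat it as a rotation to confirm on GitHub's page, not as something to silently update in the secret.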
@jwang07 @thecloudstudent, does the proposed fix above resolve the issue, or do you still need the proposed enhancement?
@jwang07 @thecloudstudent
A full example of how to resolve this can be seen here.
I will close this issue now. However, if you feel the above still does not resolve your issue, please comment.