
SSH key scan for host github.com:22 failed

Open jwang07 opened this issue 10 months ago • 3 comments


Could you please add a new provider parameter ssh-hostname to the flux terraform provider so that it works in the environment with a firewall?

jwang07 avatar Aug 30 '23 02:08 jwang07

My terraform version is [1.4-latest]

And here is my TF code

terraform {
  required_providers {
    flux = {
      source  = "fluxcd/flux"
      version = "1.1.0"
      # version = "1.0.1"
    }
  }
}

provider "flux" {
  kubernetes = {
    host                   = xxx
    client_certificate     = xxxx
    client_key             = xxxx
    cluster_ca_certificate = xxxx
  }
  git = {
    url = "ssh://git@github.com/orgName/${local.flux_fleet_repo_name}.git"
    branch = var.flux_v2_deploy.flux_fleet_branch
    ssh = {
      username    = "git"
      private_key = tls_private_key.main.0.private_key_pem
    }
  }
}

resource "tls_private_key" "main" {
  count       = var.flux_v2_deploy.auto_generate_key ? 1 : 0
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

data "github_repository" "main" {
  name = local.flux_fleet_repo_name
}

resource "github_repository_deploy_key" "main" {
  count      = var.flux_v2_deploy.auto_generate_key ? 1 : 0
  title      = xxxx
  repository = data.github_repository.main.name
  key        = tls_private_key.main.0.public_key_openssh
  read_only  = false
}

jwang07 avatar Aug 30 '23 02:08 jwang07

Could you please add a new provider parameter ssh-hostname to the flux terraform provider so that it works in an environment with a firewall?

Because in our environment, the public network can only be accessed through a proxy.

jwang07 avatar Sep 05 '23 06:09 jwang07

@stefanprodan We are blocked by this problem because Terraform runs inside the intranet; we can access the internet only through an http_proxy, so reaching GitHub is impossible when using the new flux provider to install the new version of Fluxcd. Do you know how we can solve this problem in the current situation, or do you have a plan to add this parameter?

TOHUHM avatar Oct 10 '23 01:10 TOHUHM

Any update on this?

thecloudstudent avatar Mar 28 '24 17:03 thecloudstudent

You can disable the secret creation with disable_secret_creation so that the provider will not run the SSH scan and create the private key from Terraform directly:

resource "kubernetes_namespace" "flux_system" {
  metadata {
    name = "flux-system"
  }

  lifecycle {
    ignore_changes = [metadata]
  }
}

resource "kubernetes_secret" "ssh_keypair" {
  metadata {
    name      = "flux-system"
    namespace = "flux-system"
  }

  type = "Opaque"

  data = {
    "identity.pub" = tls_private_key.flux.public_key_openssh
    "identity"     = tls_private_key.flux.private_key_pem
    "known_hosts"  = "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg="
  }

  depends_on = [kubernetes_namespace.flux_system]
}

stefanprodan avatar Apr 08 '24 21:04 stefanprodan
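When the secret is created by hand as above, the `known_hosts` value is a host-key pin that you are asserting yourself, since the provider's own SSH scan never runs. The script below is an added example (not code from the issue or from terraform-provider-flux): it parses the `known_hosts` line pasted above, checks that the key type embedded in the base64 blob agrees with the declared type (a mismatch means the entry was corrupted or altered), and computes the OpenSSH `SHA256:` fingerprint so it can be compared with the fingerprint GitHub publishes in its documentation. The `GITHUB_ECDSA_FINGERPRINT` constant is an assumption copied from memory of that documentation page and should be checked against it before being relied on; the `known_hosts` line itself is the one from the comment above.

```python
"""Verify a hand-pinned GitHub host key before putting it in the Flux secret.

Added example, not from the issue or the terraform-provider-flux project.
Assumes the known_hosts line from the thread and GitHub's published ECDSA
fingerprint (verify the constant against GitHub's SSH key fingerprints page).
"""
import base64
import hashlib
import struct

# known_hosts entry copied from the thread above (GitHub's ECDSA host key).
KNOWN_HOSTS_LINE = (
    "github.com ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9"
    "nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg="
)

# Assumption: the fingerprint GitHub publishes for this key. Confirm it yourself
# against GitHub's documentation before treating it as the pin.
GITHUB_ECDSA_FINGERPRINT = "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[start:end], end


def parse_known_hosts_line(line: str) -> dict:
    """Split '<host> <type> <base64>' and sanity-check the decoded key blob.

    The blob starts with its own key-type string; if that disagrees with the
    declared type, the entry is not what it claims to be and is rejected.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <type> <base64-key>'")
    host, declared_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, pos = _read_string(blob, 0)
    embedded_type = embedded_type.decode("ascii")
    if embedded_type != declared_type:
        raise ValueError(f"declared {declared_type} but blob says {embedded_type}")
    entry = {"host": host, "type": declared_type, "blob": blob}
    if declared_type.startswith("ecdsa-sha2-"):
        # ECDSA blobs continue with the curve name and the uncompressed point.
        curve, pos = _read_string(blob, pos)
        point, pos = _read_string(blob, pos)
        if curve.decode("ascii") != declared_type[len("ecdsa-sha2-"):]:
            raise ValueError("curve name does not match key type")
        if point[:1] != b"\x04":
            raise ValueError("expected an uncompressed EC point (0x04 prefix)")
        if pos != len(blob):
            raise ValueError("trailing bytes after the key")
        entry["curve"] = curve.decode("ascii")
        entry["point_len"] = len(point)
    return entry


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_pinned(line: str, expected_fingerprint: str) -> bool:
    """True only if the line parses cleanly and its fingerprint equals the pin."""
    entry = parse_known_hosts_line(line)
    return sha256_fingerprint(entry["blob"]) == expected_fingerprint


if __name__ == "__main__":
    entry = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    fp = sha256_fingerprint(entry["blob"])
    print(f"{entry['host']} {entry['type']} curve={entry.get('curve')} {fp}")
    print("matches assumed published pin:", fp == GITHUB_ECDSA_FINGERPRINT)
```

Run it once on the value you intend to put in the secret; only commit the `known_hosts` line when the computed fingerprint matches the one on GitHub's documentation page, so that a proxy or any other box between Terraform and github.com cannot substitute a different host key.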

@jwang07 @thecloudstudent, does the proposed fix above resolve the issue, or do you still need the proposed enhancement?

swade1987 avatar Apr 09 '24 17:04 swade1987

@jwang07 @thecloudstudent

A full example of how to resolve this can be seen here.

I will close this issue now. However, if you feel the above still does not resolve your issue, please comment.

swade1987 avatar Apr 23 '24 10:04 swade1987