Containerized Terragrunt: Error while installing cloudflare/cloudflare x509: certificate signed by unknown authority
Question
I run terragrunt in a Docker container with the following providers configuration:
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.41"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 3.32"
    }
  }
}
```
I run the following command to create the local Docker container:
```powershell
$path = 'C:\git\'
docker run --rm -it `
    -e ARM_CLIENT_ID=$appid `
    -e ARM_CLIENT_SECRET=$password `
    -e ARM_TENANT_ID=$tenant `
    -e ARM_SUBSCRIPTION_ID=$subscription `
    -v ${path}:/terragrunt-folder terragrunt:1.0 sh
```
During the `/terragrunt-folder/qa/eastus/002/a_service # terragrunt init` invocation I am getting the following error message:
```text
Initializing modules...
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/azurerm from the dependency lock file
- Reusing previous version of cloudflare/cloudflare from the dependency lock file
- Finding latest version of hashicorp/azuread...
- Reusing previous version of hashicorp/time from the dependency lock file
- Installing hashicorp/azurerm v3.43.0...
- Installed hashicorp/azurerm v3.43.0 (signed by HashiCorp)
- Installing hashicorp/azuread v2.34.1...
- Installed hashicorp/azuread v2.34.1 (signed by HashiCorp)
- Installing hashicorp/time v0.9.1...
- Installed hashicorp/time v0.9.1 (signed by HashiCorp)
╷
│ Error: Failed to install provider
│
│ Error while installing cloudflare/cloudflare v3.34.0: could not query
│ provider registry for registry.terraform.io/cloudflare/cloudflare: failed
│ to retrieve authentication checksums for provider: the request failed,
│ please try again later: Get
│ "https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230218T155203Z&X-Amz-Expires=300&X-Amz-Signature=783ec3bf93b7375d94f2917936b74116dc1e082707356c47e94068407102d603&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=93446113&response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS&response-content-type=application%2Foctet-stream":
│ x509: certificate signed by unknown authority
╵
ERRO[0051] Terraform invocation failed in /terragrunt-folder/qa/eastus/002/a_service/.terragrunt-cache/fkoLZJwS3kZvCk8fldyKdEtQN24/YVeC5shlCd8w03Dinw3RCnNsmSs/app_service_sql_server_batch prefix=[/terragrunt-folder/qa/eastus/002/analysis_service]
ERRO[0051] 1 error occurred:
* exit status 1
```
I was able to copy the provider binary manually into the terragrunt cache folder at

```text
c:/git/qa/eastus/002/a_service/.terragrunt-cache/fkoLZJwS3kZvCk8fldyKdEtQN24/YVeC5shlCd8w03Dinw3RCnNsmSs/app_service_sql_server_batch/.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.32.0/linux_amd64/
```

and it resolves the issue, since in this case terraform skips the provider download stage.
The problem is that it's extremely inconvenient, since I have multiple services, each of which is encapsulated as a module, and those modules are referenced through terragrunt.hcl files.
```text
├───a_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───b_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───c_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───d_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───e_service
│       terraform.tfvars
│       terragrunt.hcl
│
```

and more ...
EDIT 1
Here is my Dockerfile:
```dockerfile
FROM alpine:3.16 as builder

# Install build dependencies
RUN set -eux \
    && apk --no-cache add \
        coreutils \
        curl \
        dpkg \
        git \
        unzip

# Get Terraform
ARG VERSION=1.3.7
RUN set -eux \
    && if [ "$(dpkg --print-architecture | awk -F'-' '{print $NF}' )" = "i386" ]; then \
        ARCH=386; \
    elif [ "$(uname -m)" = "x86_64" ]; then \
        ARCH=amd64; \
    elif [ "$(uname -m)" = "aarch64" ]; then \
        ARCH=arm64; \
    elif [ "$(uname -m)" = "armv7l" ]; then \
        ARCH=arm; \
    fi \
    \
    && curl --fail -sS -L -O \
        https://releases.hashicorp.com/terraform/${VERSION}/terraform_${VERSION}_linux_${ARCH}.zip \
    && unzip terraform_${VERSION}_linux_${ARCH}.zip \
    && mv terraform /usr/bin/terraform \
    && chmod +x /usr/bin/terraform

# Get Terragrunt
ARG TG_VERSION=latest
RUN set -eux \
    && git clone https://github.com/gruntwork-io/terragrunt /terragrunt \
    && cd /terragrunt \
    && if [ "${TG_VERSION}" = "latest" ]; then \
        VERSION="$( git describe --abbrev=0 --tags )"; \
    else \
        VERSION="$( git tag | grep -E "v${TG_VERSION}\.[.0-9]+" | sort -Vu | tail -1 )" ; \
    fi \
# Get correct architecture
    && if [ "$(dpkg --print-architecture | awk -F'-' '{print $NF}' )" = "i386" ]; then \
        ARCH=386; \
    elif [ "$(uname -m)" = "x86_64" ]; then \
        ARCH=amd64; \
    elif [ "$(uname -m)" = "aarch64" ]; then \
        ARCH=arm64; \
    elif [ "$(uname -m)" = "armv7l" ]; then \
        ARCH=arm; \
    fi \
    \
# NOTE: --insecure disables TLS certificate verification for this download
    && curl --insecure --fail -sS -L \
        https://github.com/gruntwork-io/terragrunt/releases/download/${VERSION}/terragrunt_linux_${ARCH} \
        -o /usr/bin/terragrunt \
    && chmod +x /usr/bin/terragrunt \
    \
    && terraform --version \
    && terragrunt --version

FROM mcr.microsoft.com/azure-cli
RUN set -eux \
    && apk --no-cache add \
        coreutils \
        curl \
        dpkg \
        git \
        unzip
COPY --from=builder /usr/bin/terraform /usr/bin/terraform
COPY --from=builder /usr/bin/terragrunt /usr/bin/terragrunt
```
EDIT 2
When I run in the container:

```sh
curl "https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230218T222220Z&X-Amz-Expires=300&X-Amz-Signature=14b5edce7c1a2f47d82389268701b2ede33da0992a473318dc98b359fbf38fc9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=93446113&response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS&response-content-type=application%2Foctet-stream"
```

I get:

```text
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
If I run the same with the --insecure flag:

```sh
curl --insecure "https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230218T222220Z&X-Amz-Expires=300&X-Amz-Signature=14b5edce7c1a2f47d82389268701b2ede33da0992a473318dc98b359fbf38fc9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=93446113&response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS&response-content-type=application%2Foctet-stream"
```

I get:

```text
03729b0fcf189e732aca54452a105d82fec839580cb5d0137317af9163e0e4dd terraform-provider-cloudflare_3.34.0_windows_arm64.zip
121b16a779e9f2fe8c96e98f32514ee9228346fc240ce12c3fb440958b93d127 terraform-provider-cloudflare_3.34.0_freebsd_arm64.zip
14509f521845eedd57a8791d76958e50bea4928760a152cd853e43f2c81a329b terraform-provider-cloudflare_3.34.0_linux_arm64.zip
273336ec2bc59ab90916706c074be27f3fe6ab42addc61a354a0ef5e10c2efa5 terraform-provider-cloudflare_3.34.0_linux_386.zip
54931c30f71666856c5d749698264c15196103667c87d961f3d293ff8a5c3237 terraform-provider-cloudflare_3.34.0_freebsd_amd64.zip
58a35eea3b9e1d2f39d7b5b1c6cf107b70eacdf5891017d6667902903db3bd94 terraform-provider-cloudflare_3.34.0_freebsd_arm.zip
5ec958afe392a76a1fea262d9070df839c4d811fc6ffd613a37f8b939ab159ef terraform-provider-cloudflare_3.34.0_linux_amd64.zip
7c24c0572aa9beee20a33cb18ac54d5088a09653e94664a9f74a9af2ae0e3554 terraform-provider-cloudflare_3.34.0_windows_arm.zip
890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f terraform-provider-cloudflare_3.34.0_manifest.json
9248c43f795dbe54e07c6dbc2fb8e2f20aeac8f21ec91373d52b9975f285ba7e terraform-provider-cloudflare_3.34.0_darwin_arm64.zip
b09abd506601b7c3e0b3bfde0b8b9e1aed7f52b5ad629ef2865b8321852409c7 terraform-provider-cloudflare_3.34.0_darwin_amd64.zip
e00032df4cd4aad12adf3b7955fca3d1baa8bff9436c775588417da171a4e1d9 terraform-provider-cloudflare_3.34.0_freebsd_386.zip
e4a8812770914d6ce9d1f8399d702e3fb0ecc4bfd6220ba015fcb3884b243c69 terraform-provider-cloudflare_3.34.0_linux_arm.zip
f2ad0991ef0820b3fc5bd0a500be4dceffe0b5b2ac6c9c5fd17cbb350f2f1209 terraform-provider-cloudflare_3.34.0_windows_386.zip
fea3a9dfb1e752dc2864028049a4af05fabf7b62eb57fff26d139a424e3476fd terraform-provider-cloudflare_3.34.0_windows_amd64.zip
[12]+ Done(127) response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS
[11]+ Done curl
[9]+ Done curl
[8]+ Done curl
[6]+ Done(127) X-Amz-Signature=14b5edce7c1a2f47d82389268701b2ede33da0992a473318dc98b359fbf38fc9
[2]+ Done curl --insecure https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256
```
Answer 1
Score: 0
I followed @mark's response from the comments. By using the code from this response: https://stackoverflow.com/a/52553687/4645059
I was able to download the certificate. I added this certificate to my source code as the ca-cert-githubusercontent.pem file and modified the Dockerfile to include the following in the second stage:
```dockerfile
FROM mcr.microsoft.com/azure-cli
COPY --from=builder /usr/bin/terraform /usr/bin/terraform
COPY --from=builder /usr/bin/terragrunt /usr/bin/terragrunt
# Go-based tools such as terraform load every file found in /etc/ssl/certs, so this copy alone makes them trust the CA
COPY ca-cert-githubusercontent.pem /etc/ssl/certs/
# `apk update` takes no package name; install the ca-certificates tooling and regenerate the system bundle
# (update-ca-certificates only bundles *.crt files placed in /usr/local/share/ca-certificates)
RUN apk --no-cache add ca-certificates && update-ca-certificates
```
The Docker build stage remains the same as I specified in the question body.
Note: I was able to run

```sh
openssl s_client -connect objects.githubusercontent.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
```

only by using OpenSSL 1.1.1g 21 Apr 2020, but not with OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022).
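As an added diagnostic (not part of the question or answer above): the sed pipeline in the answer keeps every PEM block the proxy sends, but curl's "self signed certificate in certificate chain" points at exactly one of them, the self-signed entry, and that is the certificate to confirm with whoever operates the intercepting proxy before it is trusted. The parser below reads `openssl s_client -showcerts` output (a constructed sample with placeholder PEM bodies), reports that anchor, and emits the Alpine install steps that replace `curl --insecure`; `SAMPLE_SHOWCERTS`, `Example Corp` and the file path are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `openssl s_client -connect host:443 -showcerts` output behind
# a TLS-inspecting proxy. PEM bodies are placeholders; only the chain listing is parsed.
SAMPLE_SHOWCERTS = """\
Certificate chain
 0 s:CN = objects.githubusercontent.com
   i:C = US, O = Example Corp, CN = Example Corp TLS Inspection CA
-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
 1 s:C = US, O = Example Corp, CN = Example Corp TLS Inspection CA
   i:C = US, O = Example Corp, CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
 2 s:C = US, O = Example Corp, CN = Example Corp Root CA
   i:C = US, O = Example Corp, CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
MIIB...root-placeholder...
-----END CERTIFICATE-----
"""
# Same exchange when the proxy omits its root: the anchor is then only named, not sent.
SAMPLE_NO_ROOT = SAMPLE_SHOWCERTS.split(" 2 s:")[0]

ENTRY_RE = re.compile(
    r"^ *(\d+) s:([^\n]*)\n +i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S,
)

def parse_chain(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, subject, issuer, pem) per certificate, in the order sent."""
    return [(int(d), s.strip(), i.strip(), pem + "\n") for d, s, i, pem in ENTRY_RE.findall(text)]

def find_missing_anchor(chain) -> Tuple[str, Optional[str]]:
    """The self-signed entry is the untrusted anchor curl complains about. If none was
    sent, only the issuer name of the top certificate is known (PEM must come out of band)."""
    roots = [c for c in chain if c[1] == c[2]]
    if roots:
        return roots[-1][1], roots[-1][3]
    return chain[-1][2], None

def alpine_install_steps(subject: str, pem_path: str) -> List[str]:
    """Commands that trust the anchor the supported way instead of curl --insecure."""
    cn = subject.split("CN = ")[-1].strip()
    slug = re.sub(r"[^a-z0-9]+", "-", cn.lower()).strip("-")
    return [f"install -m 0644 {pem_path} /usr/local/share/ca-certificates/{slug}.crt",
            "apk --no-cache add ca-certificates && update-ca-certificates"]
```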