Dockerized Terragrunt: error installing cloudflare/cloudflare, x509: certificate signed by unknown authority

wpx232ag posted on 2023-03-01 in Docker
Follow (0) | Answers (1) | Views (249)

I am running Terragrunt in a Docker container with the following provider configuration:

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "~> 3.41"
    }
    cloudflare = {
      source = "cloudflare/cloudflare"
      version = "~> 3.32"
    }
  }
}

I run the following command to create the local Docker container:

$path = 'C:\git\'
docker run --rm -it `
    -e ARM_CLIENT_ID=$appid `
    -e ARM_CLIENT_SECRET=$password `
    -e ARM_TENANT_ID=$tenant `
    -e ARM_SUBSCRIPTION_ID=$subscription `
    -v ${path}:/terragrunt-folder terragrunt:1.0 sh

During the terragrunt init invocation I receive the following error message:

/terragrunt-folder/qa/eastus/002/a_service # terragrunt init

Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/azurerm from the dependency lock file
- Reusing previous version of cloudflare/cloudflare from the dependency lock file
- Finding latest version of hashicorp/azuread...
- Reusing previous version of hashicorp/time from the dependency lock file
- Installing hashicorp/azurerm v3.43.0...
- Installed hashicorp/azurerm v3.43.0 (signed by HashiCorp)
- Installing hashicorp/azuread v2.34.1...
- Installed hashicorp/azuread v2.34.1 (signed by HashiCorp)
- Installing hashicorp/time v0.9.1...
- Installed hashicorp/time v0.9.1 (signed by HashiCorp)
╷
│ Error: Failed to install provider
│
│ Error while installing cloudflare/cloudflare v3.34.0: could not query
│ provider registry for registry.terraform.io/cloudflare/cloudflare: failed
│ to retrieve authentication checksums for provider: the request failed,
│ please try again later: Get
│ "https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230218T155203Z&X-Amz-Expires=300&X-Amz-Signature=783ec3bf93b7375d94f2917936b74116dc1e082707356c47e94068407102d603&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=93446113&response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS&response-content-type=application%2Foctet-stream":
│ x509: certificate signed by unknown authority
╵

ERRO[0051] Terraform invocation failed in /terragrunt-folder/qa/eastus/002/a_service/.terragrunt-cache/fkoLZJwS3kZvCk8fldyKdEtQN24/YVeC5shlCd8w03Dinw3RCnNsmSs/app_service_sql_server_batch  prefix=[/terragrunt-folder/qa/eastus/002/analysis_service]
ERRO[0051] 1 error occurred:
        * exit status 1

I can manually copy the provider binary into the terragrunt cache folder at c:/git/qa/eastus/002/a_service/.terragrunt-cache/fkoLZJwS3kZvCk8fldyKdEtQN24/YVeC5shlCd8w03Dinw3RCnNsmSs/app_service_sql_server_batch/.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.32.0/linux_amd64/, which resolves the problem, because terraform then skips the provider download stage. The problem is that this is very inconvenient, since I have multiple services, each packaged as a module that is referenced through a terragrunt.hcl file.

├───a_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───b_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───c_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───d_service
│       terraform.tfvars
│       terragrunt.hcl
│
├───e_service
│       terraform.tfvars
│       terragrunt.hcl
│
and more ...

EDIT 1: Here is my Dockerfile

FROM alpine:3.16 as builder

# Install build dependencies
RUN set -eux \
    && apk --no-cache add \
    coreutils \
    curl \
    dpkg \
    git \
    unzip

# Get Terraform
ARG VERSION=1.3.7
RUN set -eux \
    && if [ "$(dpkg --print-architecture | awk -F'-' '{print $NF}' )" = "i386" ]; then\
    ARCH=386; \
    elif [ "$(uname -m)" = "x86_64" ]; then \
    ARCH=amd64; \
    elif [ "$(uname -m)" = "aarch64" ]; then \
    ARCH=arm64; \
    elif [ "$(uname -m)" = "armv7l" ]; then \
    ARCH=arm; \
    fi \
    \
    && curl --fail -sS -L -O \
    https://releases.hashicorp.com/terraform/${VERSION}/terraform_${VERSION}_linux_${ARCH}.zip \
    && unzip terraform_${VERSION}_linux_${ARCH}.zip \
    && mv terraform /usr/bin/terraform \
    && chmod +x /usr/bin/terraform

# Get Terragrunt
ARG TG_VERSION=latest
RUN set -eux \
    && git clone https://github.com/gruntwork-io/terragrunt /terragrunt \
    && cd /terragrunt \
    && if [ "${TG_VERSION}" = "latest" ]; then \
    VERSION="$( git describe --abbrev=0 --tags )"; \
    else \
    VERSION="$( git tag | grep -E "v${TG_VERSION}\.[.0-9]+" | sort -Vu | tail -1 )" ;\
    fi \
    # Get correct architecture
    && if [ "$(dpkg --print-architecture | awk -F'-' '{print $NF}' )" = "i386" ]; then\
    ARCH=386; \
    elif [ "$(uname -m)" = "x86_64" ]; then \
    ARCH=amd64; \
    elif [ "$(uname -m)" = "aarch64" ]; then \
    ARCH=arm64; \
    elif [ "$(uname -m)" = "armv7l" ]; then \
    ARCH=arm; \
    fi \
    \
    && curl --insecure --fail -sS -L \
    https://github.com/gruntwork-io/terragrunt/releases/download/${VERSION}/terragrunt_linux_${ARCH} \
    -o /usr/bin/terragrunt \
    && chmod +x /usr/bin/terragrunt \
    \
    && terraform --version \
    && terragrunt --version
FROM mcr.microsoft.com/azure-cli
RUN set -eux \
    && apk --no-cache add \
    coreutils \
    curl \
    dpkg \
    git \
    unzip
COPY --from=builder /usr/bin/terraform /usr/bin/terraform
COPY --from=builder /usr/bin/terragrunt /usr/bin/terragrunt

EDIT 2: When running in the container

curl "https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230218T222220Z&X-Amz-Expires=300&X-Amz-Signature=14b5edce7c1a2f47d82389268701b2ede33da0992a473318dc98b359fbf38fc9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=93446113&response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS&response-content-type=application%2Foctet-stream"
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If I run the same command with the --insecure flag

curl --insecure "https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230218%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230218T222220Z&X-Amz-Expires=300&X-Amz-Signature=14b5edce7c1a2f47d82389268701b2ede33da0992a473318dc98b359fbf38fc9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=93446113&response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS&response-content-type=application%2Foctet-stream"
03729b0fcf189e732aca54452a105d82fec839580cb5d0137317af9163e0e4dd  terraform-provider-cloudflare_3.34.0_windows_arm64.zip
121b16a779e9f2fe8c96e98f32514ee9228346fc240ce12c3fb440958b93d127  terraform-provider-cloudflare_3.34.0_freebsd_arm64.zip
14509f521845eedd57a8791d76958e50bea4928760a152cd853e43f2c81a329b  terraform-provider-cloudflare_3.34.0_linux_arm64.zip
273336ec2bc59ab90916706c074be27f3fe6ab42addc61a354a0ef5e10c2efa5  terraform-provider-cloudflare_3.34.0_linux_386.zip
54931c30f71666856c5d749698264c15196103667c87d961f3d293ff8a5c3237  terraform-provider-cloudflare_3.34.0_freebsd_amd64.zip
58a35eea3b9e1d2f39d7b5b1c6cf107b70eacdf5891017d6667902903db3bd94  terraform-provider-cloudflare_3.34.0_freebsd_arm.zip
5ec958afe392a76a1fea262d9070df839c4d811fc6ffd613a37f8b939ab159ef  terraform-provider-cloudflare_3.34.0_linux_amd64.zip
7c24c0572aa9beee20a33cb18ac54d5088a09653e94664a9f74a9af2ae0e3554  terraform-provider-cloudflare_3.34.0_windows_arm.zip
890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f  terraform-provider-cloudflare_3.34.0_manifest.json
9248c43f795dbe54e07c6dbc2fb8e2f20aeac8f21ec91373d52b9975f285ba7e  terraform-provider-cloudflare_3.34.0_darwin_arm64.zip
b09abd506601b7c3e0b3bfde0b8b9e1aed7f52b5ad629ef2865b8321852409c7  terraform-provider-cloudflare_3.34.0_darwin_amd64.zip
e00032df4cd4aad12adf3b7955fca3d1baa8bff9436c775588417da171a4e1d9  terraform-provider-cloudflare_3.34.0_freebsd_386.zip
e4a8812770914d6ce9d1f8399d702e3fb0ecc4bfd6220ba015fcb3884b243c69  terraform-provider-cloudflare_3.34.0_linux_arm.zip
f2ad0991ef0820b3fc5bd0a500be4dceffe0b5b2ac6c9c5fd17cbb350f2f1209  terraform-provider-cloudflare_3.34.0_windows_386.zip
fea3a9dfb1e752dc2864028049a4af05fabf7b62eb57fff26d139a424e3476fd  terraform-provider-cloudflare_3.34.0_windows_amd64.zip
[12]+  Done(127)                 response-content-disposition=attachment%3B%20filename%3Dterraform-provider-cloudflare_3.34.0_SHA256SUMS
[11]+  Done                      curl
[9]+  Done                       curl
[8]+  Done                       curl
[6]+  Done(127)                  X-Amz-Signature=14b5edce7c1a2f47d82389268701b2ede33da0992a473318dc98b359fbf38fc9
[2]+  Done                       curl --insecure https://objects.githubusercontent.com/github-production-release-asset-2e65be/93446113/c6fed044-e8e2-4b3f-a40e-d0eef378d5a4?X-Amz-Algorithm=AWS4-HMAC-SHA256
Answer 1 (czq61nw1):

I followed @mark's reply in the comments and used the code from https://stackoverflow.com/a/52553687/4645059. I was able to download the certificate, which I added to the source as the file ca-cert-githubusercontent.pem, and I modified the Dockerfile so that the second stage contains the following:

FROM mcr.microsoft.com/azure-cli
COPY --from=builder /usr/bin/terraform /usr/bin/terraform
COPY --from=builder /usr/bin/terragrunt /usr/bin/terragrunt
# Put the PEM where update-ca-certificates looks for local CAs (it must use the .crt extension),
# then regenerate the system bundle so both Go binaries (terraform) and OpenSSL tools (curl) trust it.
COPY ca-cert-githubusercontent.pem /usr/local/share/ca-certificates/ca-cert-githubusercontent.crt
RUN apk add --no-cache ca-certificates && update-ca-certificates

The Docker build stage is the same as the one I specified in the question body.

Note: I can run

openssl s_client -connect objects.githubusercontent.com:443 2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

only with OpenSSL 1.1.1g (21 Apr 2020), not with OpenSSL 3.0.7 (1 Nov 2022) (Library: OpenSSL 3.0.7 1 Nov 2022).
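To make the error in the question and the fix in the answer concrete, here is an added example in Go (the language terraform is written in, and whose crypto/x509 package emitted the message above); it is not code from the post or from Terraform. It constructs its own interception CA and a server certificate for objects.githubusercontent.com, and shows that chain verification fails with x509.UnknownAuthorityError until that CA is present in the root pool; the CA name and certificates are constructed, and the makeCert helper is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent (self-signed when parent is nil); hypothetical helper.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// VerifyAgainst is the check Go's TLS client runs on every handshake: does the server cert chain to a trusted root?
func VerifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
// IsUnknownAuthority reports whether err is Go's "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
// Demo reproduces the post with constructed certs: an interception CA re-signs objects.githubusercontent.com.
// It returns the verification error before and after that CA is added to the trust pool.
func Demo() (withoutCA, withCA error) {
	const host = "objects.githubusercontent.com"
	ca, caKey := makeCert("corp-proxy-ca.example", true, nil, nil) // constructed, stands in for the proxy's CA
	leaf, _ := makeCert(host, false, ca, caKey)
	empty, trusted := x509.NewCertPool(), x509.NewCertPool() // empty pool = container without the CA
	trusted.AddCert(ca)                                      // same effect as installing the PEM in the CA store
	return VerifyAgainst(leaf, empty, host), VerifyAgainst(leaf, trusted, host)
}
```

On Linux, Go loads its default roots from the system bundle and from the files under /etc/ssl/certs, which is why copying the PEM there was enough for terraform, while curl links OpenSSL and only trusts the regenerated bundle.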
