consul_keys resource needs an 'insecure' option #8690

Closed
pll opened this issue Sep 6, 2016 · 2 comments

pll commented Sep 6, 2016

This is essentially a feature request for the consul provider and/or the consul_keys resource to provide a means of insecurely connecting to an SSL protected consul server analogous to curl's -k|--insecure or wget's --no-check-certificate options.

Terraform Version

$ terraform -v
Terraform v0.6.16

Version is probably irrelevant, given the current documentation does not indicate this feature even exists for consul or consul_keys.

Affected Resource(s)

  • consul provider
  • consul_keys resource

And probably other consul related resources such as consul_key_prefix.

Actual Behavior

Error applying plan:
1 error(s) occurred:

* consul_keys.jobservice: Failed to write Consul key 'service/data/elbEndpoint': Put 
https://consul.myco.com/v1/kv/jobservice/data/elbEndpoint?dc=aws: x509: certificate is valid for
consul-service, not consul-myco.com

Steps to Reproduce

  1. Set up a consul service with a self-signed cert where the CN in no way remotely resembles the actual ELB name.
  2. Try to register a key in that consul environment.

pll commented Sep 6, 2016

It appears this feature already exists in the aws, openstack, and rabbitmq providers. It seems that this functionality should be entirely abstracted from this level and brought up a level, to a library common to all providers.

builtin/providers/rabbitmq/provider.go seems to have the clearest code:

func providerConfigure(d *schema.ResourceData) (interface{}, error) {
...
    // Configure TLS/SSL:
    // Ignore self-signed cert warnings
    // Specify a custom CA / intermediary cert
    // Specify a certificate and key
    tlsConfig := &tls.Config{}
    if cacertFile != "" {
        caCert, err := ioutil.ReadFile(cacertFile)
        if err != nil {
            return nil, err
        }

        caCertPool := x509.NewCertPool()
        caCertPool.AppendCertsFromPEM(caCert)
        tlsConfig.RootCAs = caCertPool
    }
    if insecure {
        tlsConfig.InsecureSkipVerify = true
    }

So, it appears we need to be able to set tlsConfig.InsecureSkipVerify = true somewhere. Perhaps insecure needs to be a metaparam across all providers?
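
The name mismatch reported above can also be handled with verification left on, by trusting the self-signed certificate and telling the client which name to check it against (`tls.Config.ServerName`). This is an added example, not code from the issue or from Terraform; `selfSigned`, `pinned` and `get` are hypothetical helpers, and the certificates are constructed in-process for a local test server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned builds a constructed self-signed certificate for name (fixture code: errors ignored).
func selfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pinned trusts only the given certificate; a non-empty name replaces the URL host in the name check.
func pinned(trusted tls.Certificate, name string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted.Leaf)
	return &tls.Config{RootCAs: pool, ServerName: name}
}

// get serves the certificate on 127.0.0.1 (a host it does not name) and returns the client's error.
func get(served tls.Certificate, cfg *tls.Config) error {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{served}}
	srv.StartTLS()
	defer srv.Close()
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	real, rogue := selfSigned("consul-service"), selfSigned("consul-service")
	fmt.Println(get(real, pinned(real, "")), get(real, pinned(real, "consul-service")),
		get(rogue, pinned(real, "consul-service")), get(rogue, &tls.Config{InsecureSkipVerify: true}))
}
```

The four results are, in order: a name-mismatch error, `<nil>`, an unknown-authority error, and `<nil>`. The last one shows `InsecureSkipVerify` accepting a certificate the client was never configured to trust.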


ghost commented Apr 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators Apr 10, 2020
This issue was closed.