Skip to content

Commit fe04174

Browse files
committed
fix(miniblue): install self-signed cert into system CA trust store
1 parent 4cc4ae7 commit fe04174

52 files changed

Lines changed: 614 additions & 53 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/copilot-instructions.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -141,7 +141,7 @@ For Azure-flavoured scenarios (e.g. `terraform-cli-apply-azure`), substitute Loc
141141

142142
- `init/background.sh` calls `start_miniblue` instead of `start_localstack`. Do NOT call both — each scenario picks one cloud emulator.
143143
- `assets/docker-compose.yml` uses image `ghcr.io/lonegunmanb/miniblue:sha-8cc1c25` (a fork that fixes case-insensitive ARM routing for azurerm v4 compatibility, persists blob metadata on `?comp=metadata` and plain `PUT {blob}`, and adds the `MINIBLUE_DISABLE_SHAREDKEY_AUTH` env var so the azurerm backend's lock + state-write flow works without per-request SharedKey signing; version pinned by SHA tag, never `latest`), exposes ports `4566` (HTTP) and `4567` (HTTPS), and limits memory to 512M. The compose `environment:` block sets `MINIBLUE_STORAGE_ENDPOINT=http://localhost:4566` (so ARM returns local blob endpoints) and `MINIBLUE_DISABLE_SHAREDKEY_AUTH=1` (so curl/azlocal can hit the data plane without HMAC-SHA256 signing — strictly a tutorial convenience; real Azure always requires SharedKey). Do NOT bind-mount the cert directory — the image is distroless and runs as `nonroot`, so the cert lives at `/home/nonroot/.miniblue/cert.pem` inside the container; `start_miniblue` extracts it via `docker cp` instead.
144-
- `start_miniblue` writes `SSL_CERT_FILE=/root/.miniblue/cert.pem` to both `/etc/profile.d/miniblue.sh` and `/root/.bashrc` (Killercoda terminals are non-login shells), and exports it for the current shell.
144+
- `start_miniblue` writes `SSL_CERT_FILE=/root/.miniblue/cert.pem` to both `/etc/profile.d/miniblue.sh` and `/root/.bashrc` (Killercoda terminals are non-login shells), and exports it for the current shell. It ALSO installs the cert into the system CA trust store via `update-ca-certificates` (`/usr/local/share/ca-certificates/miniblue.crt`) — this is the primary trust mechanism, because Killercoda terminals are opened BEFORE `background.sh` runs, so the `~/.bashrc` append does not affect the user's existing shell. With the cert in the system store, Terraform/azurerm trusts `https://localhost:4567` regardless of `SSL_CERT_FILE`.
145145
- After `start_miniblue`, call `install_azlocal` to extract the bundled `azlocal` binary (`/azlocal` inside the container) to `/usr/local/bin/`. `azlocal` is a standalone Go CLI (no `az` dependency) that talks to miniblue over HTTP 4566 — use it in step text instead of raw `curl` for resource verification (`azlocal group list`, `azlocal dns zone list --resource-group ...`, `azlocal network vnet list --resource-group ...`).
146146
- `assets/main.tf` MUST use the **azurerm v4** provider:
147147
```hcl
@@ -176,7 +176,7 @@ For Azure-flavoured scenarios (e.g. `terraform-cli-apply-azure`), substitute Loc
176176
- Available functions: `install_terraform`, `install_awscli`, `install_tflint`, `start_localstack`, `start_miniblue`, `install_azlocal`, `install_theia_plugin`, `finish_setup`.
177177
- `install_awscli` installs AWS CLI v2 (official binary) and creates an `awslocal` shell wrapper that sets `--endpoint-url=http://localhost:4566` automatically.
178178
- `start_localstack` auto-installs Docker Compose v2 plugin if missing before running `docker compose up -d`.
179-
- `start_miniblue` runs `docker compose up -d`, waits for `http://localhost:4566/health`, primes the HTTPS port to materialise the self-signed cert, then exports `SSL_CERT_FILE=/root/.miniblue/cert.pem` globally via `/etc/profile.d/miniblue.sh`.
179+
- `start_miniblue` runs `docker compose up -d`, waits for `http://localhost:4566/health`, primes the HTTPS port to materialise the self-signed cert, copies the cert out via `docker cp`, installs it into the system CA trust store (`update-ca-certificates`), and also exports `SSL_CERT_FILE=/root/.miniblue/cert.pem` globally via `/etc/profile.d/miniblue.sh` + `~/.bashrc` as a belt-and-braces fallback.
180180
- Versions can be overridden via env vars: `TERRAFORM_VERSION`, `TFLINT_VERSION`. The miniblue container image tag is **not** an env var — it lives in `scripts/miniblue-image.mjs` (single source of truth) and is propagated into every `docker-compose.yml` and `background.sh` heredoc by `npm run sync-miniblue`.
181181

182182
### Miniblue Image Pin

scripts/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-backend-azure/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-backend/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-basics-azure/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-basics/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-cli-apply-azure/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-cli-apply/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-cli-basics-azure/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

terraform-tutorial/terraform-cli-basics/assets/setup-common.sh

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -152,9 +152,20 @@ start_miniblue() {
152152
echo "WARNING: failed to copy miniblue cert.pem out of container"
153153
else
154154
chmod 644 /root/.miniblue/cert.pem
155+
# Install the cert into the system CA trust store so Go-based tools
156+
# (terraform, azurerm provider) trust https://localhost:4567 WITHOUT
157+
# needing SSL_CERT_FILE. This matters because Killercoda terminals are
158+
# opened BEFORE background.sh runs, so the export appended to ~/.bashrc
159+
# below does not affect the user's existing shell.
160+
if command -v update-ca-certificates > /dev/null 2>&1; then
161+
mkdir -p /usr/local/share/ca-certificates
162+
cp /root/.miniblue/cert.pem /usr/local/share/ca-certificates/miniblue.crt
163+
update-ca-certificates > /dev/null 2>&1 || true
164+
fi
155165
fi
156166

157-
# Make SSL_CERT_FILE available for all interactive shells
167+
# Make SSL_CERT_FILE available for all interactive shells (belt-and-braces;
168+
# the system trust store above is the primary mechanism).
158169
cat > /etc/profile.d/miniblue.sh <<'PROF'
159170
export SSL_CERT_FILE=/root/.miniblue/cert.pem
160171
PROF

0 commit comments

Comments
 (0)