Gitlab private Registry Authentication

[Robin-Walter]

I will use an existing private gitlab Terraform Module Registry to create AWS Resources. AWS Resources works fine. Only the connection to the gitlab Terraform Modul Registry wouldn't work.
I try tofu.rc as secret, TF_TOKEN as Token only with different Urls and Sources.

My current configuration is:

apiVersion: opentofu.m.upbound.io/v1beta1
kind: Workspace
metadata:
  name: sample-inline-2
  namespace: crossplane-system
spec:
  forProvider:
    env:
      - name: "TF_TOKEN_private_gitlab_domain"
        value: ""
    module: https://private_gitlab_domain/folder/terraform_modul/dev
    source: Remote
    vars:
      - key: "variable1"
        value: "[\"folder1\", \"folder2\"]"
  providerConfigRef:
    kind: ProviderConfig
    name: default

and the configuration

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: upbound-provider-opentofu
spec:
  package: xpkg.upbound.io/upbound/provider-opentofu:v1
---
apiVersion: opentofu.m.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
  namespace: crossplane-system
spec:
  configuration: |
    // Modules _must_ use remote state. The provider does not persist state.

    terraform {
      backend "kubernetes" {
        secret_suffix     = "providerconfig-default"
        namespace         = "crossplane-system"
        in_cluster_config = true
      }
      required_providers {
        aws = {
          source = "hashicorp/aws"
        }
      }
    }
    provider "aws" {
      region = "eu-central-1"
      shared_credentials_files = ["${path.module}/credentials"]
    }
  credentials:
    - filename: credentials
      secretRef:
        key: creds
        name: aws-secret
        namespace: crossplane-system
      source: Secret
    - filename: tofu.rc
      secretRef:
        namespace: crossplane-system
        name: tofurc
        key: tofu.rc
      source: Secret

When i am working with hardcoded Url like:
module: "git::https://username:token:@private_gitlab_domain/terraform_modul.git//folder?ref=dev"
it work's.
But this is not the Terraform Modul Registry in our Private Repo, it's the Gitlab Repository.

When i am using as Modul Source
"private_gitlab_domain/..."
the error occured:
file:///tofu/616591dc-a │
│ f53-4659-82e8-1f73cc8caa76/private_gitlab_domain/terraform_modul.git//folder?ref=dev': source path error: stat /tofu/61659 │
│ 1dc-af53-4659-82e8-1f73cc8caa76/private_gitlab_domain/terraform_modul.git//folder?ref=dev: no such file or directory

When i am using as Modul Source
"https://private_gitlab_domain..." the Username is expected

I am using the Token Variable and also the tofurc File.
How can a use gitlab Terraform Module Registries with Authentication?

[alisson276]

I'm using Crossplane 2.0.2. It's working with the following setup:

I have my .tofurc like this:

provider_installation {
  filesystem_mirror {
    path    = "/usr/share/opentofu/providers"
    include = ["registry.terraform.io/hashicorp/*"]
  }
  direct {
    exclude = ["example.com/*/*"]
  }
}

credentials "gitlab.com" {
  token = "glpat-XXXXX"
}

Applied it like:

kubectl create secret generic tofurc -n crossplane-system --from-file=.tofurc --dry-run=client -o yaml | kubectl apply -f -

And my providerconfig is like this:

apiVersion: opentofu.m.upbound.io/v1beta1
kind: ClusterProviderConfig
metadata:
  name: dev
  annotations:
    argocd.argoproj.io/sync-options: PruneLast=true
spec:
  configuration: |
    provider "aws" {
      region = "eu-west-1"
      shared_credentials_files = ["${path.module}/credentials"]
    }

    terraform {
      backend "kubernetes" {
        secret_suffix     = "state"
        namespace         = "dev"
        in_cluster_config = true
      }
    }
  credentials:
    - filename: .git-credentials
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: git-credentials
        key: .git-credentials
    - filename: credentials
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: aws-creds
        key: .aws-credentials
    - filename: .tofurc
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: tofurc
        key: .tofurc

One example of usage could be:

apiVersion: opentofu.m.upbound.io/v1beta1
kind: Workspace
metadata:
  name: my-vpc
  namespace: dev
  labels:
    cloud.resource_type: vpc
    cloud.resource_name: my-vpc
    cloud.region: eu-west-1
spec:
  forProvider:
    enableTofuCLILogging: true
    source: Inline
    module: |
      module "vpc" {
        source = "gitlab.com/my-group/vpc/internal"
        version = "~> 1.0"

        region = "eu-west-1"
        cidr = "10.0.0.0/22"
        singleNatGateway = true
      }
  providerConfigRef:
    kind: ClusterProviderConfig
    name: dev
  writeConnectionSecretToRef:
    name: outputs-vpc-my-vpc

[jeremydescamps]

@alisson276 thanks a lot for this example !
It would be really good idea to have a documentation about it.

By the way, do you have an idea to add CA certificate for my private Gitlab endpoint ?

[alisson276]

Hummm... I believe the only way to you add a private CA in the image is by rebuilding the image used by the provider and then passing it when installing the provider. But I've never done this, so I can't help you more.

[Robin-Walter]

@alisson276 thanks, this solved my issue and it work's fine! So it is not a bug, it's only a missing documentation.

[jsingleton785]

You can mount the private CA to the provider-opentoufu pod using a DeploymentRuntimeConfiguration. This would apply for all Workspaces that are processed by the same provider.