Podman requirements
You must meet the following requirements before installing Terraform Enterprise on Podman.
Versions
Install the following software and versions:
- A Podman version greater than or equal to v4.3.0.
- Red Hat Enterprise Linux 8 or 9
Container tools
For Red Hat Enterprise Linux (RHEL), install the container-tools package: it pulls in Podman, Buildah, and Skopeo, all of which you need.
For RHEL 8, install all dependencies with the following commands. You must also install the podman-docker package, which provides the Docker-compatible socket path and CLI shim:
dnf module install -y container-tools
dnf install -y podman-docker
For RHEL 9, install all dependencies with this single command:
dnf install -y container-tools
If your host already has a version of Docker installed, extend the installation command with --allowerasing
to mitigate package conflicts.
You may need to reboot your system after completing the installation process to ensure Podman functions correctly.
Enable the Podman socket
Enable Podman's Docker-compatible REST API, which runs as a systemd socket-activated service:
systemctl enable --now podman.socket
Learn more about enabling the Podman API for RHEL 8 or RHEL 9.
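The steps above (minimum Podman version, container-tools packages, the podman.socket unit) are easy to get subtly wrong, for example by installing a distribution Podman that is older than v4.3.0. The following preflight script is an added example, not HashiCorp's tooling; it checks each requirement and exits non-zero if any fails. It assumes a rootful install on RHEL 8 or 9, so the socket path /run/podman/podman.sock and the curl endpoint are assumptions you may need to adjust for a rootless setup.

```shell
#!/bin/sh
# tfe-preflight.sh: check the Podman requirements for Terraform Enterprise.
# Added example (not HashiCorp's). Assumes rootful Podman on RHEL 8/9.

MIN_PODMAN="4.3.0"

# version_ge A B: succeed if dotted version A >= B, compared field by field.
# Missing fields count as 0, so "5.0" compares as 5.0.0.
version_ge() {
  _a="$1.0.0"; _b="$2.0.0"; _i=1
  while [ "$_i" -le 3 ]; do
    _ai=$(printf '%s' "$_a" | cut -d. -f"$_i"); _bi=$(printf '%s' "$_b" | cut -d. -f"$_i")
    [ "$_ai" -gt "$_bi" ] && return 0
    [ "$_ai" -lt "$_bi" ] && return 1
    _i=$((_i + 1))
  done
  return 0
}

# parse_podman_version "podman version 4.9.4-rhel" -> 4.9.4
# Takes the last word of "podman --version" and strips a leading 'v' and any suffix.
parse_podman_version() {
  printf '%s\n' "${1##* }" | sed 's/^v//; s/[^0-9.].*$//'
}

check_podman_version() {
  _v=$(parse_podman_version "$(podman --version 2>/dev/null || echo 'podman version 0')")
  version_ge "$_v" "$MIN_PODMAN"
}

check_packages() {
  # container-tools pulls in these three; podman-docker is only required on RHEL 8.
  rpm -q podman buildah skopeo >/dev/null 2>&1 || return 1
  if grep -q 'release 8' /etc/redhat-release 2>/dev/null; then
    rpm -q podman-docker >/dev/null 2>&1 || return 1
  fi
}

check_socket() {
  # The unit must be active, and the socket must actually answer the libpod API.
  # Socket path is the rootful default (assumption); rootless uses /run/user/$UID/podman/.
  systemctl is-active --quiet podman.socket || return 1
  curl -sf --unix-socket /run/podman/podman.sock http://d/v4.0.0/libpod/info >/dev/null 2>&1
}

check_selinux() {
  # The SELinux guidance that follows assumes SELinux is enabled, not disabled.
  case "$(getenforce 2>/dev/null)" in
    Enforcing|Permissive) return 0 ;;
    *) return 1 ;;
  esac
}

run_preflight() {
  _rc=0
  for _name in check_podman_version check_packages check_socket check_selinux; do
    if "$_name"; then echo "ok   $_name"; else echo "FAIL $_name"; _rc=1; fi
  done
  return $_rc
}

# Run the checks only when invoked as "sh tfe-preflight.sh run", so the
# functions can also be sourced from other scripts.
case "${1:-}" in
  run) run_preflight ;;
esac
```

Run it with `sh tfe-preflight.sh run` after the installation steps and before starting the Terraform Enterprise pod; a FAIL on check_socket usually means the unit was enabled but not started, which `systemctl enable --now podman.socket` covers.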
SELinux
When an unprivileged Podman container on an SELinux-enabled system uses volumes, add type: spc_t to the pod's security context. That gives the container the permissions it needs to access the volume when the pod or container is created.

Be aware of what this grants: spc_t is the "super privileged container" type, and a process labeled spc_t is not confined by SELinux at all. The container's isolation then rests only on namespaces and capabilities, so apply the label to the Terraform Enterprise pod only, never as a host-wide default.

Set the security context in the kube.yaml:

  securityContext:
    seLinuxOptions:
      type: spc_t
HTTP/S Ports
Podman does not let the container bind privileged ports (below 1024), so Terraform Enterprise must listen on unprivileged ports inside the container while the host maps 80 and 443 onto them. Set both the environment variables and the port mappings in the Kubernetes pod specification.

Set these environment variables in the kube.yaml:

  env:
    - name: TFE_HTTP_PORT
      value: "8080"
    - name: TFE_HTTPS_PORT
      value: "8443"

Set these ports in the kube.yaml:

  ports:
    - containerPort: 8080
      hostPort: 80
    - containerPort: 8443
      hostPort: 443
    - containerPort: 9090
      hostPort: 9090
Terraform Enterprise requirements
- You meet the shared requirements for all Flexible deployment methods.
- You have a DNS hostname for accessing Terraform Enterprise.
Note: If you are an existing Terraform Enterprise user with a Replicated deployment, refer to Migrating to Flexible Deployment Options.
TLS certificate
You need three TLS certificate files:
- cert.pem - The end-entity certificate for your DNS hostname, with any intermediate certificates appended to it.
- key.pem - The private key for the end-entity certificate. It must not be protected by a passphrase.
- bundle.pem - Additional certificates to add to the Certificate Authority (CA) bundle.
If you’re using a certificate from Let’s Encrypt, those file names map to the following Terraform Enterprise files:

| Terraform Enterprise | Let’s Encrypt |
|---|---|
| key.pem | privkey.pem |
| cert.pem | fullchain.pem |
| bundle.pem | fullchain.pem |
If you do not have a certificate, you can generate a self-signed one. Use the -nodes option so the private key is written without a passphrase, since Terraform Enterprise cannot use a passphrase-protected key. Also include a subjectAltName extension: browsers and most TLS clients match the hostname against the SAN and ignore the Common Name, so a certificate that only has a CN is rejected even though the interactive prompts below still ask for one.

$ openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -addext "subjectAltName=DNS:<terraform.example.com>"

Replace <terraform.example.com>, both in the -addext value and at the Common Name prompt, with the hostname you use to access Terraform Enterprise. The -addext option requires OpenSSL 1.1.1 or later, which RHEL 8 and RHEL 9 ship.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HashiCorp, Inc.
Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:<terraform.example.com>
Email Address []:
When done, you’ll have your cert.pem and key.pem files but no bundle.pem file. Create your bundle.pem by copying the certificate:

$ cp cert.pem bundle.pem
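Before handing the three files to Terraform Enterprise it is worth checking the properties this section relies on: the key has no passphrase, the key belongs to the certificate, the certificate carries a SAN for the hostname, and cert.pem chains to something in bundle.pem. The script below is an added example, not HashiCorp's; it generates the self-signed set non-interactively and then runs those checks, and it works equally on a CA-issued set. It assumes OpenSSL 1.1.1 or later for -addext, and terraform.example.com is a placeholder hostname.

```shell
#!/bin/sh
# tfe-certs.sh: create and verify the cert.pem / key.pem / bundle.pem trio.
# Added example (not HashiCorp's). Assumes OpenSSL >= 1.1.1; hostname is a placeholder.

# make_selfsigned HOST DIR: non-interactive version of the openssl command above,
# with the SAN that modern clients require. bundle.pem is a copy of cert.pem.
make_selfsigned() {
  openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 365 \
    -keyout "$2/key.pem" -out "$2/cert.pem" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null &&
  cp "$2/cert.pem" "$2/bundle.pem"
}

# key_is_unencrypted KEY: a bogus -passin is ignored for a plaintext key but makes
# loading an encrypted key fail, so this catches both PKCS#8 and legacy PEM encryption.
key_is_unencrypted() {
  openssl pkey -in "$1" -passin pass:__wrong__ -noout >/dev/null 2>&1
}

# key_matches_cert KEY CERT: compare the public key derived from each.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_covers_host CERT HOST: require a DNS SAN entry; CN alone is not enough for browsers.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# chain_verifies CERT BUNDLE: the end-entity cert must chain to an entry in bundle.pem.
# -partial_chain lets an intermediate in the bundle act as the anchor (the Let's Encrypt case);
# -untrusted supplies any intermediates appended to cert.pem.
chain_verifies() {
  openssl verify -partial_chain -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# verify_tfe_certs HOST DIR: run every check, print one line each, fail if any fails.
verify_tfe_certs() {
  _d=$2; _rc=0
  key_is_unencrypted "$_d/key.pem" && echo "ok   key has no passphrase" || { echo "FAIL key is passphrase-protected"; _rc=1; }
  key_matches_cert "$_d/key.pem" "$_d/cert.pem" && echo "ok   key matches cert" || { echo "FAIL key does not match cert"; _rc=1; }
  cert_covers_host "$_d/cert.pem" "$1" && echo "ok   SAN covers $1" || { echo "FAIL no SAN entry for $1"; _rc=1; }
  chain_verifies "$_d/cert.pem" "$_d/bundle.pem" && echo "ok   cert chains to bundle" || { echo "FAIL cert does not chain to bundle"; _rc=1; }
  return $_rc
}

case "${1:-}" in
  gen)    make_selfsigned "$2" "$3" ;;
  verify) verify_tfe_certs "$2" "$3" ;;
esac
```

Use `sh tfe-certs.sh gen terraform.example.com /srv/tfe/certs` to create the files and `sh tfe-certs.sh verify terraform.example.com /srv/tfe/certs` to check them; the verify step is the useful one for a Let's Encrypt set, where a key copied from the wrong renewal or a missing intermediate shows up as a FAIL line instead of an opaque TLS error later.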