Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error authenticating using github token #461

Closed
Carles-Figuerola opened this issue Oct 22, 2021 · 7 comments
Closed

Error authenticating using github token #461

Carles-Figuerola opened this issue Oct 22, 2021 · 7 comments

Comments

@Carles-Figuerola
Copy link

I'm having some trouble setting up a GitRepository pointing to an Enterprise GitHub host using user tokens for authentication. It works properly using github.com and there is no proxy needed to access it (so #131 shouldn't apply). The error messages are very similar to fluxcd/flux2#529 but that issue was closed without a good explanation.

I create a secret:

apiVersion: v1
data:
  password: GH_TOKEN_BASE64
  username: GH_USER_BASE64
kind: Secret
metadata:
  creationTimestamp: "2021-10-22T16:33:43Z"
  name: github-credentials
  namespace: mynamespace
  resourceVersion: "7052752"
  uid: 5197c97d-ffbd-4077-9c68-f353be08f72b
type: Opaque

and a GitRepository that references that secret.

apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  creationTimestamp: "2021-10-22T18:24:26Z"
  finalizers:
  - finalizers.fluxcd.io
  name: test-helm-repository
  namespace: mynamespace
  resourceVersion: "7095391"
  uid: 0c338e4b-8f30-4286-85f0-d6c1aecf4434
spec:
  gitImplementation: go-git
  interval: 1m
  secretRef:
    name: github-credentials
  timeout: 20s
  url: https://github.mycompany.com/myorg/myrepo
status:
  conditions:
  - lastTransitionTime: "2021-10-22T18:24:48Z"
    message: 'unable to clone ''https://github.mycompany.com/myorg/myrepo'',
      error: authentication required'
    reason: GitOperationFailed
    status: "False"
    type: Ready
  observedGeneration: 3

However, the repository does not pull:

NAME                   URL                                                    READY   STATUS                                                                                                   AGE
test-helm-repository   https://github.mycompany.com/myorg/myrepo   False   unable to clone 'https://github.mycompany.com/myorg/myrepo', error: authentication required   10s

Enabling debug on source-controller I can see:

source-controller-5d8dcdd7cc-gblmh manager {"level":"debug","ts":"2021-10-22T18:22:08.366Z","logger":"events","msg":"Normal","object":{"kind":"GitRepository","namespace":"mynamespace","name":"test-helm-repository","uid":"da5b4f81-84a0-4197-97d3-c2c2c116b838","apiVersion":"source.toolkit.fluxcd.io/v1beta1","resourceVersion":"7094020"},"reason":"error","message":"unable to clone 'https://github.mycompany.com/myorg/myrepo', error: authentication required"}
source-controller-5d8dcdd7cc-gblmh manager {"level":"error","ts":"2021-10-22T18:22:08.370Z","logger":"controller.gitrepository","msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"test-helm-repository","namespace":"mynamespace","error":"unable to clone 'https://github.mycompany.com/myorg/myrepo', error: authentication required","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2\n    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:216\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:99"}

actual error message:

unable to clone 'https://github.mycompany.com/myorg/myrepo', error: authentication required

multiline stacktrace from above:

sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:216
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.UntilWithContext
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:99

Using gitImplementation: libgit2:

source-controller-5d8dcdd7cc-gblmh manager {"level":"debug","ts":"2021-10-22T18:27:26.648Z","logger":"events","msg":"Normal","object":{"kind":"GitRepository","namespace":"mynamespace","name":"test-helm-repository","uid":"6d4599d4-778e-4f24-96ee-6a56a8df98b7","apiVersion":"source.toolkit.fluxcd.io/v1beta1","resourceVersion":"7096651"},"reason":"error","message":"unable to clone 'https://github.mycompany.com/myorg/myrepo', error: too many redirects or authentication replays"}
source-controller-5d8dcdd7cc-gblmh manager {"level":"error","ts":"2021-10-22T18:27:26.652Z","logger":"controller.gitrepository","msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"test-helm-repository","namespace":"mynamespace","error":"unable to clone 'https://github.mycompany.com/myorg/myrepo', error: too many redirects or authentication replays","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2\n    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:216\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:99"}

actual error message:

unable to clone 'https://github.mycompany.com/myorg/myrepo', error: too many redirects or authentication replays

multiline stacktrace from above:

sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:216
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185
k8s.io/apimachinery/pkg/util/wait.UntilWithContext
    /go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:99

I have tried different password/token configurations as that github-credentials secret. If the secretRef object in GitRepository is missing, I get the same error message and if the secret itself does not exist, I get: auth secret error: Secret \"github-credentials\" not found, which makes me think that the secret is being loaded, but not used for the actual authentication to github.
@hiddeco
Copy link
Member

hiddeco commented Oct 22, 2021

One of the more common issues is that one of the credential items has an accidental newline added in the base64 encoded values.

@Carles-Figuerola
Copy link
Author

I did check this a couple of times as I thought this was the error, however I would've expected to see a message more to the tune of "authentication failed" rather than "authentication required"

@Carles-Figuerola
Copy link
Author

Oh! I think I found the real issue, it's the github token authentication that's not working, using a password actually works fine

@Carles-Figuerola Carles-Figuerola changed the title Error authenticating on Enterprise Github Error authenticating using github token Oct 22, 2021
@amitabh91
Copy link

amitabh91 commented Feb 8, 2022
edited
Loading

I was also facing the same issue "error: authentication required".

@Carles-Figuerola Thanks for pointing out the addition of a new line in base64 value.

I created a secret using kubectl command line and it worked. The source controller was able to fetch the code from SCM.

Sharing the command below I hope it will help others too.

kubectl create secret generic https-creds --from-literal=username=abcd --from-literal=password=1234 -n flux-system

@stefanprodan
Copy link
Member

We offer commands in Flux CLI for generating secrets properly, see https://fluxcd.io/docs/cmd/flux_create_secret_git/

@Carles-Figuerola
Copy link
Author

Hi @stefanprodan, the issue I was having was not about having a stray \n on my secret string, (which is indeed and common problem and something I did have during my troubleshooting), but the issue was that using a github token (I was testing against (Enterprise Github, not Public Github, if that's any help) was not working but using an actual password did work.

@stefanprodan
Copy link
Member

@Carles-Figuerola can you use that token to clone a repo locally with the Git CLI? My guess is that the token issue is not specific to Flux but to the GH permissions. Note for a PAT to work, your user must have admin rights on that repo and the token should be generated with all repo permissions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@stefanprodan @amitabh91 @hiddeco @Carles-Figuerola