Unable to clone gitlab private GitRepository with libgit2 #433
This is pretty baffling -- image-automation-controller uses substantially the same code as source-controller for cloning the repo. The only difference I can see is that source-controller assigns

```go
// determine auth method
auth := &git.Auth{}
if repository.Spec.SecretRef != nil {
	authStrategy, err := strategy.AuthSecretStrategyForURL(
		repository.Spec.URL,
		git.CheckoutOptions{
			GitImplementation: repository.Spec.GitImplementation,
			RecurseSubmodules: repository.Spec.RecurseSubmodules,
		})
	if err != nil {
		return sourcev1.GitRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err
	}
	name := types.NamespacedName{
		Namespace: repository.GetNamespace(),
		Name:      repository.Spec.SecretRef.Name,
	}
	var secret corev1.Secret
	err = r.Client.Get(ctx, name, &secret)
	if err != nil {
		err = fmt.Errorf("auth secret error: %w", err)
		return sourcev1.GitRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err
	}
	auth, err = authStrategy.Method(secret)
	if err != nil {
		err = fmt.Errorf("auth error: %w", err)
		return sourcev1.GitRepositoryNotReady(repository, sourcev1.AuthenticationFailedReason, err.Error()), err
	}
}
checkoutStrategy, err := strategy.CheckoutStrategyForRef(
	repository.Spec.Reference,
	git.CheckoutOptions{
		GitImplementation: repository.Spec.GitImplementation,
		RecurseSubmodules: repository.Spec.RecurseSubmodules,
	},
)
if err != nil {
	return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err
}
gitCtx, cancel := context.WithTimeout(ctx, repository.Spec.Timeout.Duration)
defer cancel()
commit, revision, err := checkoutStrategy.Checkout(gitCtx, tmpGit, repository.Spec.URL, auth)
if err != nil {
	return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err
}
```

while image-automation-controller assigns into a struct, then uses the value from the struct:

```go
type repoAccess struct {
	auth *git.Auth
	url  string
}

func (r *ImageUpdateAutomationReconciler) getRepoAccess(ctx context.Context, repository *sourcev1.GitRepository) (repoAccess, error) {
	var access repoAccess
	access.auth = &git.Auth{}
	access.url = repository.Spec.URL
	// note: the implementation is hard-wired to libgit2 here, regardless of the GitRepository spec
	authStrat, err := gitstrat.AuthSecretStrategyForURL(access.url, git.CheckoutOptions{GitImplementation: sourcev1.LibGit2Implementation})
	if err != nil {
		return access, err
	}
	if repository.Spec.SecretRef != nil && authStrat != nil {
		name := types.NamespacedName{
			Namespace: repository.GetNamespace(),
			Name:      repository.Spec.SecretRef.Name,
		}
		var secret corev1.Secret
		err = r.Client.Get(ctx, name, &secret)
		if err != nil {
			err = fmt.Errorf("auth secret error: %w", err)
			return access, err
		}
		access.auth, err = authStrat.Method(secret)
		if err != nil {
			err = fmt.Errorf("auth error: %w", err)
			return access, err
		}
	}
	return access, nil
}

func (r repoAccess) remoteCallbacks() libgit2.RemoteCallbacks {
	return libgit2.RemoteCallbacks{
		CertificateCheckCallback: r.auth.CertCallback,
		CredentialsCallback:      r.auth.CredCallback,
	}
}

// cloneInto clones the upstream repository at the `ref` given (which
// can be `nil`). It returns a `*gogit.Repository` since that is used
// for committing changes.
func cloneInto(ctx context.Context, access repoAccess, ref *sourcev1.GitRepositoryRef, path string) (*gogit.Repository, error) {
	checkoutStrat, err := gitstrat.CheckoutStrategyForRef(ref, git.CheckoutOptions{GitImplementation: sourcev1.LibGit2Implementation})
	if err == nil {
		_, _, err = checkoutStrat.Checkout(ctx, path, access.url, access.auth)
	}
	if err != nil {
		return nil, err
	}
	return gogit.PlainOpen(path)
}
```
Well that's barring the difference that image-automation-controller always uses libgit2, rather than the default go-git. @jjlakis If you set the GitRepository object's
@squaremo Good point, source-controller indeed fails with gitImplementation set to libgit2, same error.
Should I consider the Git server to be the problem then, maybe? Ideally the image automation controller uses the git implementation from the GitRepository resource. Thanks.
I switched to using libgit2 regardless of the GitRepository object
I'm going to move this to source-controller, since it fails there too (and image-automation-controller uses that code).
A bit of info that might help: @jjlakis Can you tell us what data fields are in the secret you use for the GitRepository? (not the contents obviously! just which fields have values, in other words, the keys)
@squaremo Here's the
I just realized that I didn't try http user/token access to GitLab. Not sure if this would make any difference though |
In https://github.com/fluxcd/source-controller/blob/main/pkg/git/libgit2/transport.go#L173,
@jjlakis if your For other folks looking for authentication-related issues: the latest release of the image-automation-controller (
I have installed latest flux with v0.15.0 image-automation-controller and get this error:
Is there any workaround? I have upgraded to the latest flux and image automation stopped working after this... Switching
@ilya-git can you provide a pseudo example of your
Hi, thanks for the fast reply, I have actually just figured out what was wrong, I was using a "wrong" format that was nonetheless accepted by the previous library:
After I upgraded, the new libgit2 library is used in the image automation controller that does not support this format apparently, so I have fixed it to:
I don't know if the first format is even correct, but since it was supported it is probably worth noting in the changelog as a breaking change (unless it was totally wrong)? Is it a good idea to implement validation of the URL, maybe to throw an error if the format is wrong?
P.S. The documentation actually provides an example of the correct format quite explicitly; I don't know how it slipped in in the first place, and ironically enough it was working "fine"
The user part of the URL is technically optional -- so you were getting the username wrong, rather than the format wrong. Possibly newer versions of libgit2 consider leaving out the username as a probable mistake, if they warn about it.
If the user part is technically optional, then I assume this is an unintended breaking change, so it might be a good idea to update the changelog with it.
I get this, but I'm using a
Hello, I came across an issue very similar to that described here. Some details about my setup and observations:
As mentioned here above, I applied I tried to work around this by changing the ECDSA key that Google provides for the host So, reaching out to you guys here to have your opinion or update about this issue :) Thanks for the support you're offering us all here!
I ran into this same issue today after generating a new secret. Originally I created the known_hosts with
Hi there, thanks for your feedback @nniehoff. On my end, I'm not hashing the hostnames but still, it's not working. See the

```console
$ ssh-keyscan -p 2022 source.developers.google.com | tee known_hosts
# source.developers.google.com:2022 SSH-2.0-Go
# source.developers.google.com:2022 SSH-2.0-Go
# source.developers.google.com:2022 SSH-2.0-Go
[source.developers.google.com]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=
```
We have recently upgraded our libgit implementation to This version also includes an experimental libgit2 transport. If the vanilla installation does not work for you, would you mind giving it a try with the experimental transport enabled, please? Instructions on how to enable it are on the link above.
@flelain can you please try again with the RC we have just released: I have recently tested this version against GCP and it worked fine, so would be keen to understand whether that fixes your issue. |
Hello @pjbgf , Thanks for your feedback. I tested it out once again and it's still failing the same way (I used But unless I'm totally mistaken, I doubt the issue is due to
We're in Thank you for your support! |
@flelain I managed to reproduce your issue and I believe this is now fixed when using the latest versions of both source-controller and image-automation-controller. Can you please try again with the images below and let us know how you get on?
@pjbgf Just tested it out with the last two versions you pointed out above. It's working fine now: flux manages to amend the k8s manifests I have on my Google Cloud source private repo - access via SSH. Thank you for your follow-up! |
@flelain thank you for confirming. 🙇 |
Hello.
I have a GitRepository pointing to a private repo with private keys (with write permissions) included:
This works as expected, reconciles itself, no problem with updating corresponding Kustomization resource. However, image automation controller is unable to clone this repository when ImagePolicy is met. ImageUpdateAutomation resource is the following:
Logs from image-automation-controller:
Identical configuration works as expected for github private repositories in the same cluster. The version I run is `ghcr.io/fluxcd/image-automation-controller:v0.14.0`. Thank you in advance.