Bad credentials with create quickstart

[vfarcic]

Summary

When creating a new quickstart project, Bad credentials error is popping up. That happened in a cluster set up with jx boot. It did manage to create the initial environment repos, so the issue is not in the token I passed to the process.

Steps to reproduce the behavior

git clone \
    https://github.com/jenkins-x/jenkins-x-boot-config.git \
    environment-jx-rocks-dev

cd environment-jx-rocks-dev

# Open requirements.yaml in an editor

# Set `cluster.clusterName`
# Set `cluster.environmentGitOwner`
# Set `cluster.project`
# Set `cluster.provider
# Set `cluster.zone`
# Set `secretStorage` to `vault`
# Set `storage.logs.enabled` to `true`
# Set `storage.reports.enabled` to `true`
# Set `storage.repository.enabled` to `true`

jx boot

cd ..

jx create quickstart \
    --filter golang-http \
    --project-name jx-canary

The output of the last command is as follows.

Using Git provider github.com at https://github.com
? Do you wish to use vfarcic as the Git user name? Yes
? Who should be the owner of the repository? vfarcic
X Sorry, your reply was invalid: GET https://api.github.com/repos/vfarcic/jx-canary: 401 Bad credentials []

It tried the same command with the additional --git-api-token argument and it fails with the same error.

Expected behavior

It works

Actual behavior

It doesn't work

Jx version

The output of jx version is:

NAME               VERSION
jx                 2.0.1093
Kubernetes cluster v1.15.4-gke.22
kubectl            v1.17.0
helm client        Client: v2.14.3+g0e7f3b6
git                2.20.1 (Apple Git-117)
Operating System   Mac OS X 10.14.6 build 18G2022

Jenkins type

• [X] Serverless Jenkins X Pipelines (Tekton + Prow)
• [ ] Classic Jenkins

Kubernetes cluster

GKE

Operating system / Environment

MacOS

[nehagup]

I faced the same issue. I resolved it by changing my Git token (I had missed some of the permissions), I deleted ~/.jx/ and also jx boot again and put new git token.
Btw does your jx step verify install looks ok?

[vfarcic]

In my case, the issue persists. I create a new cluster, deleted the whole ~/.jx directory, created a new GH token with all the permissions enabled, and installed jx using Boot. When I try to create a new quickstart project, I'm still getting the same error (401 Bad credentials).

[vfarcic]

The issue does not seem to be related to the way jx is installed. The same happens both with jx install and jx boot.

[jstrachan]

@vfarcic I wonder if you can reproduce without doing a clone of the git repo but letting jx boot do the fork first? e.g. doing jx boot then modifying jx-requirements.yml?

[vfarcic]

@jstrachan I'll try that later today, but I don't think that's the issue since it appears not only with the boot but also when I run jx create cluster or jx install. Since the environment repos are created successfully, I can only guess that the issue is with jx local cache since jx create quickstart does not use the credentials in the cluster. Or maybe it expects something in the local git setup...

[vfarcic]

@jstrachan I noticed something strange... During the Boot process, it asked me for the Pipeline bot Git token and I pasted one that I have from before. However, the output says Generated token xxxxxxxxxxxxxxxxxxxxxxxxxx, to use it press enter. The one from that output is not the same token as the one I pasted. Can that be a clue?

[vfarcic]

I just finish setting it up by letting jx boot do the fork and the result is the same.

[jstrachan]

creating a QuickStart uses your personal token which is stored in ~/.jx/gitAuth.yml I guess that token is stale? You could edit the file by hand or delete it and re-run the jx create QuickStart command?

Ideally if a Bad credentials message we should zap the token & ask the user to create a new one.

Btw the token needs scope to create new git repos & register webhooks

[jstrachan]

BTW in older versions of jx the create QuickStart command would incorrectly use the pipeline bot user & token to create the new git repository - which might be why you are seeing this regression - you have a stale local token (which is not used / updated when using boot)

[vfarcic]

That's the issue. I deleted ~/.jx a while ago because of some problems. Now I see that it is not being created anymore. Some of the changes to the project caused it to stop creating it.

[jstrachan]

so there is no ~/.jx/gitAuth.yml file?

[jstrachan]

note it’s not used or created via boot - but should be for jx create quickstart/ jx import

[vfarcic]

I guess this should be an urgent issue since it'll likely cause problems for all the jx newbies that will install it for the first time.

[vfarcic]

... those that do not have ~/.jx/gitAuth.yml from before.

[deanesmith]

@vfarcic I just went through a very similar exercise and resolved it - deleted all Github related entries in Keychain Access and supplied a fresh Github token by executing a git command and being prompted.

[vfarcic]

Deleting all GitHub related entries from the Keychain Access made it work. Nevertheless, I still do not think we should close this issue. I believe that there is still a problem that should be resolved, either through code or docs.

[sharepointoscar]

This happened to me yesterday and today. Same issue. However, I got past it after (erroneously recreating my SSH keys), then executing jx import on the quickstart local directory, which succeded but ONLY after the creation of QuickStart and not at the time of creation, which should work as expected.

[rvdven123]

I had the same issue: I generated a new personal access token which made the old one fail. After I updated the /root/.jx/gitAuth.yml file, everything worked again.

[vfarcic]

The same issue is happening again. I recreated GitHub entry in the key chain and I deleted the whole ~/.jx directory. What is different, this time, is that jx create quickstart is not creating ~/.jx/gitAuth.yml file.

Here's the output:

bash-3.2$ jx create quickstart --filter golang-http --project-name jx-knative \
>     --deploy-kind knative
Using Git provider github.com at https://github.com
? Do you wish to use vfarcic as the Git user name? Yes
? Who should be the owner of the repository? vfarcic
X Sorry, your reply was invalid: GET https://api.github.com/repos/vfarcic/jx-knative: 401 Bad credentials []
? Enter the new repository name:
error: interrupt
bash-3.2$ ls -la ~/.jx/
total 0
drwxr-----   6 vfarcic  staff   192 May 10 19:02 .
drwxr-xr-x+ 80 vfarcic  staff  2560 May 10 19:06 ..
drwxr-----   2 vfarcic  staff    64 May 10 18:22 bin
drwxr-----   3 vfarcic  staff    96 May 10 18:22 draft
drwxr-----  42 vfarcic  staff  1344 May 10 18:22 jenkins-x-versions
drwxr-----   3 vfarcic  staff    96 May 10 18:50 localSecrets

[vfarcic]

More info:

$ TRACE_GITHUB_API=true jx create quickstart \
    --filter golang-http --verbose
DEBUG: Current configuration dir: /Users/vfarcic/.jx
DEBUG: VersionRepository: https://github.com/jenkins-x/jenkins-x-versions.git git ref: v1.0.359
DEBUG: ? A local Jenkins X versions repository already exists, pulling the latest: Yes
DEBUG: LC_ALL=C JX_LOG_LEVEL=error git fetch https://github.com/jenkins-x/jenkins-x-versions.git --tags
DEBUG: LC_ALL=C JX_LOG_LEVEL=error git fetch https://github.com/jenkins-x/jenkins-x-versions.git v1.0.359
DEBUG: LC_ALL=C JX_LOG_LEVEL=error git branch -r
DEBUG: LC_ALL=C JX_LOG_LEVEL=error git checkout FETCH_HEAD
DEBUG: LC_ALL=C JX_LOG_LEVEL=error git fetch --tags
DEBUG: LC_ALL=C JX_LOG_LEVEL=error git describe v1.0.359 --abbrev=0 --contains
DEBUG: getting vault name for namespace jx
DEBUG: system vault name from config jx-vault-vfarcic2
DEBUG: Finding ingress url for jx-vault-vfarcic2 in namespace jx
DEBUG: found service url http://vault-jx.34.74.202.28.nip.io
DEBUG: Connecting to vault on http://vault-jx.34.74.202.28.nip.io
DEBUG: Searching for repositories in Git server https://github.com owner jenkins-x-quickstarts includes * excludes WIP-* as user vfarcic 
Using Git provider github.com at https://github.com
? Do you wish to use vfarcic as the Git user name? Yes
DEBUG: About to create repository  on server https://github.com with user vfarcic
? Who should be the owner of the repository? vfarcic
X Sorry, your reply was invalid: GET https://api.github.com/repos/vfarcic/xxx: 401 Bad credentials []
? Enter the new repository name:  

[vfarcic]

The same thing is happening again. I had to delete the ~/.jx directory because the local cache was messing up with incorrect credentials when creating new clusters. Now I cannot create a quickstart. Apart from the obvious problem with that, how are additional users expected to use JX? They will not start with pre-populated ~/.jx directory. If I'm guessing right, no one but the person who set up the cluster will be able to create quickstarts or import projects and even the person who created the cluster will not be able to do that if ~/.jx directory is removed. On top of all that, the --git-api-token argument is completely ignored so I'm not sure what is the purpose of having it.

[havenqi]

I'm failing the similar way, when import, and create quickstart. repeated from the beginning several times(creating cluster and. re-boot jx) but it didn't help. Any workaround?

$ jx import WARNING: No username defined for the current Git server! ? Git user name: havenqi trying to use draft pack: python selected pack: /Users/My/.jx/draft/packs/github.com/jenkins-x-buildpacks/jenkins-x-kubernetes/packs/python replacing placeholders in directory /Users/My/jenkins-x/playground/python-flask-docker app name: python-flask-docker, git server: github.com, org: havenqi, Docker registry org: havenqi skipping directory "/Users/My/jenkins-x/playground/python-flask-docker/.git" Draft pack python added Pushed Git repository to git@github.com:havenqi/python-flask-docker.git WARNING: Querying webhooks on havenqi/python-flask-docker: GET https://api.github.com/repos/havenqi/python-flask-docker/hooks: 401 Bad credentials [] Creating GitHub webhook for havenqi/python-flask-docker for url http://hook-jx.54.196.4.114.nip.io/hook error: POST https://api.github.com/repos/havenqi/python-flask-docker/hooks: 401 Bad credentials [] $ jx version NAME VERSION jx 2.1.59 Kubernetes cluster v1.15.11-eks-af3caf kubectl v1.13.2 helm client 2.12.2 git 2.24.3 (Apple Git-128) Operating System Mac OS X 10.15.4 build 19E287

[havenqi]

And even I explicitly append ---git-username, and --git-api-token, it still failed. I think at least two issues here,

1. why it requires for git user again? (I suppose the bot should be the one, and it was set already in "jx boot". If i'm wrong, here the prompted statement is confusing to the most, i believe)
2. why it failed the credential check, using stored secrets, and my explicitly option. Long for a quick workaround at least. Stuck here for a whole weekend and hours of Monday~~

[vfarcic]

Using a bot user sounds like a blank check to do whatever you want. I believe that every change (including the initial commits) in Git should be associated with a person.

[JorgeGuerreroTech]

I generated a new github token, this works for me!

[lcoriton-acc]

I have the same issue. jx create quickstart does not create the gitAuth.yaml file either.

[muhammadali1233ify]

Same issue persists on my end as well. During the first iteration the terminal output is as follows.

WARNING: organisation WESA detected from URL https://github.ibm.com/WESA/go-sample-jenkinx.git. '--org wesa' will be ignored
Creating GitHub webhook for WESA/go-sample-jenkinx for url http://hook.jx.wsaservice.us-east.containers.appdomain.cloud/hook
To be able to create a repository on github.com we need an API Token
Please click this URL and generate a token 
https://github.com/settings/tokens/new?scopes=repo,read:user,read:org,user:email,write:repo_hook,delete_repo

Then COPY the token and enter it below:

? API Token: ****************************************
error: failed to start pipeline build: getting branch master on WESA/go-sample-jenkinx: getting branch master on WESA/go-sample-jenkinx: GET https://api.github.com/repos/WESA/go-sample-jenkinx/branches/master: 401 Bad credentials []

here I don't understand the placement for https://github.com where I have clearly defined an enterprise account during boot and quickstart steps.

for all the consecutive runs I am getting the same message as everyone else.

WARNING: organisation WESA detected from URL https://github.ibm.com/WESA/go-sample-jenkinx4.git. '--org wesa' will be ignored
Creating GitHub webhook for WESA/go-sample-jenkinx4 for url http://hook.jx.wsaservice.us-east.containers.appdomain.cloud/hook
error: failed to start pipeline build: getting branch master on WESA/go-sample-jenkinx4: getting branch master on WESA/go-sample-jenkinx4: GET https://api.github.com/repos/WESA/go-sample-jenkinx4/branches/master: 401 Bad credentials []

Access token was also recreated. Still no results.

[soulseen]

In jx3, I resolved by update the credentials in ~/git/

[jenkins-x-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://jenkins-x.io/community. /lifecycle stale

[msvticket]

This issue refers to Jenkins X 2, which isn't supported