nlewo / comin

GitOps For NixOS Machines
MIT License

authentication required #57

Closed sergiofteixeira closed 2 weeks ago

sergiofteixeira commented 1 month ago
exporter:
  listen_address: ''
  port: 4243
flake_subdirectory: .
hostname: monitoring
remotes:
- auth:
    access_token_path: /tmp/token
  branches:
    main:
      name: main
    testing:
      name: testing-monitoring
  name: origin
  poller:
    period: 60
  timeout: 300
  url: https://github.com/blabla/nix.git
state_dir: /var/lib/comin

This is my current config generated by Nix, and I get Pull from remote 'origin' failed: authentication required, but I can manually use this token to clone the repo. Any clue?

nlewo commented 1 month ago

Did you try to run comin with the --debug mode? (I don't remember if it provides more logs regarding authentication).

sergiofteixeira commented 1 month ago

Yeah, tried debugging it a bit and got the remote origin is skipped because of the fetch error: GitHub authentication failed for remote 'origin'

Even though the token is valid and I can use it to git clone locally.

itz-Jana commented 3 weeks ago

I'm having the same issue. I use Forgejo and I've given comin a valid access token with read_repository access, which works perfectly fine if I use it to clone with git clone with an arbitrary username.

But comin can't clone and only gives me this debug output:

ERRO[0000] Pull from remote 'origin' failed: authentication required
DEBU[0000] The remote origin is  skipped because of the fetch error: 'git fetch origin' fails: 'authentication required'
DEBU[0000] The remote origin is  skipped because of the fetch error: 'git fetch origin' fails: 'authentication required'
DEBU[0000] Fetch done with repository.RepositoryStatus{SelectedCommitId:"", SelectedCommitMsg:"", SelectedRemoteName:"", SelectedBranchName:"", SelectedBranchIsTesting:false, MainCommitId:"", MainRemoteName:"", MainBranchName:"", Remotes:[]*repository.Remote{(*repository.Remote)(0xc000118960)}, Error:(*errors.errorString)(0xc000057650), ErrorMsg:"git reset --hard 0000000000000000000000000000000000000000 fails: 'reference not found'"}

slenderq commented 3 weeks ago

Same issue on my side trying to authenticate with GitHub

sudo /nix/store/dhn7fpnr9r64nw3v8bx1chwiqw6qzk0d-comin-0.2.0/bin/comin run --config /nix/store/zzap3l6zmqw7ai6c4c9s3xr26afkdp30-comin.yaml
INFO[0000] The manager is started
INFO[0000]   hostname = selfhost1
INFO[0000]   machineId = 9e0ab4c45a004c168f2f1a79717d3c2b
INFO[0000] Starting the poller for the remote 'origin' with period 60s
INFO[0000]   repositoryPath = /var/lib/comin/repository
INFO[0000] Starting the API server on 127.0.0.1:4242
INFO[0000] Starting the metrics server on 0.0.0.0:4243
ERRO[0000] Pull from remote 'origin' failed: authentication required

  services.comin = {
    enable = true;
    remotes = [
      {
        name = "origin";
        url = "https://github.com/MyGithubOrg/infrastructure.git";
        branches.main.name = "main";
        auth.access_token_path = pathtoagenixsecret;
      }
    ];
  };

Curious if the Auth.Username setting has anything to do with this. It's set to comin by default but I'm thinking it might need to be set to MyGithubOrg?

Currently can't get ANY way to authenticate with a private repo, either with ssh or the access token.

Really excited to use this project, but I can't use it if it requires a public infrastructure repository.

itz-Jana commented 2 weeks ago

> Curious if the Auth.Username setting has anything to do with this. It's set to comin by default but I'm thinking it might need to be set to MyGithubOrg?

Very unlikely, all forges I know don't care about the username when using an Access Token.

I can say this for certain with GitHub, GitLab, Gitea and Forgejo, because I've used them with each and the username can be whatever, just not empty.

And if you try with the Git CLI you can see that it works. It feels to me as if this is something specific to go-git.

itz-Jana commented 2 weeks ago

My theory about go-git was wrong, I made a small code test and it cloned my repo just fine:

package main

import (
  "fmt"
  "os"

  git "github.com/go-git/go-git/v5"
  "github.com/go-git/go-git/v5/plumbing/transport/http"
)

func main() {
  url := os.Args[1]
  directory := os.Args[2]

  r, err := git.PlainClone(directory, false, &git.CloneOptions{
    URL: url,
    Auth: &http.BasicAuth{
      Username: "comin",
      Password: "xxx", // Access token with read_repository
    },
  })
  if err != nil {
    fmt.Println(err)
    os.Exit(1)
  }

  // ... retrieving the branch being pointed by HEAD
  ref, err := r.Head()
  if err != nil {
    fmt.Println(err)
    os.Exit(1)
  }
  commit, err := r.CommitObject(ref.Hash())
  if err != nil {
    fmt.Println(err)
    os.Exit(1)
  }

  fmt.Println(commit)
}

go run . https://git.xxx/jana/nix-config.git ./repo

itz-Jana commented 2 weeks ago

Found the issue. My access token file contained a newline character. I don't know if this is due to my editor always adding one, or due to Ragenix. Either way I think it makes sense to trim whitespace from the token after reading it from file. I'll make a little PR.
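
Added example, not comin's code and not part of the thread: a Go sketch of the fix proposed in the comment above (trim whitespace from the token after reading it from file), showing that a trailing newline changes the HTTP Basic credential sent to the forge. `readAccessToken`, `basicCredential`, the file name and the sample token are hypothetical names and constructed values.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"unicode"
)

// readAccessToken (hypothetical helper, not comin's code) reads a token file and
// strips surrounding whitespace, such as the newline editors append on save.
func readAccessToken(path string) (string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read token file: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if token == "" {
		return "", errors.New("token file is empty")
	}
	// Embedded whitespace cannot be trimmed safely: fail instead of sending it.
	if strings.IndexFunc(token, func(r rune) bool {
		return unicode.IsSpace(r) || unicode.IsControl(r)
	}) >= 0 {
		return "", errors.New("token contains embedded whitespace or control characters")
	}
	return token, nil
}

// basicCredential builds the value sent after "Authorization: Basic ".
func basicCredential(username, password string) string {
	return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
}

func main() {
	// Constructed sample: a placeholder token saved with a trailing newline.
	path := filepath.Join(os.TempDir(), "comin-token-example")
	if err := os.WriteFile(path, []byte("example-token-value\n"), 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(path)
	raw, _ := os.ReadFile(path)
	token, err := readAccessToken(path)
	fmt.Println("untrimmed:", basicCredential("comin", string(raw)))
	fmt.Println("trimmed:  ", basicCredential("comin", token), err)
}
```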

slenderq commented 4 days ago

Thank you for taking a look!

On my end, it ended up working when I used a "(classic) personal access token" rather than the new "fine grained access token".