search

redhat-developer / kam

GitOps Application Manager: An opinionated CLI that generates the Kubernetes resources for managing your Tekton-based CI manifests, ArgoCD-based CD manifests and Application manifests in Git.
Apache License 2.0
145 stars 83 forks source link

Cannot connect to Gitlab #176

Closed pbriet closed 3 years ago

pbriet commented 3 years ago

Describe the bug

Not sure if this a bug or a bad usage. It looks like connecting to Gitlab using the token is not working correctly.

kam bootstrap fails with Please enter a valid access token for --save-token-keyring: The token passed is incorrect for repository myorg/app

To Reproduce kam bootstrap --gitops-repo-url=https://gitlab.com/myorg/gitops.git --service-repo-url=https://gitlab.com/myorg/app.git --git-host-access-token $TOKEN

Additional context

I generated a personal access token with "read_repository, write_repository" rights. I tried giving the following values to $TOKEN (not sure which one is expected) :

Manually cloning the repo with this token works correctly (with any username). I can also push modifications.

git clone https://ANYTHING:$TOKEN@gitlab.com/myorg/app.git

Cloning into 'app'...
remote: Enumerating objects: 214, done.
remote: Counting objects: 100% (214/214), done.
remote: Compressing objects: 100% (153/153), done.
remote: Total 532 (delta 89), reused 173 (delta 58), pack-reused 318
Receiving objects: 100% (532/532), 71.60 KiB | 2.47 MiB/s, done.
Resolving deltas: 100% (243/243), done

Thanks for your help.

bigkevmcd commented 3 years ago

@pbriet Hi there, sorry you're having a problem with this.

I think that error message could be improved, but the token will need API access, GitLab's "read_repository, write_repository" are not for API access, they allow Git-over-HTTP access, https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#limiting-scopes-of-a-personal-access-token

The access check is performing an API check to ensure access, and so this will fail.

For GitLab access, you will want to grant API access, it might be possible to downgrade this access-level, especially if you don't want to send commit-status notifications to GitLab, but currently it's doing an API check.

pbriet commented 3 years ago

Hi, thanks for the feedback.

I will try and get back to you ASAP.

It might be a good to idea to update the following doc : https://github.com/redhat-developer/kam/blob/master/docs/journey/day1/prerequisites/gitlab_access_token_steps.md the last screenshot leads to some confusion :) (NB : there is also a typo in the title : GitHub -> GitLab)

pbriet commented 3 years ago

Hi,

I confirm this was the issue (thanks for the PR). However, I now struggle with a new error : repo must be org/repo: /myorg/my-project-subgroup/myproject.

I do understand the message, but why is there such a constraint on the repo structure? Is it a limitation, or is there a good reason for that? Thanks,

bigkevmcd commented 3 years ago

@pbriet We are working to remove this limitation, it's down to a complication between how we create repositories in the upstream (GitHub and GitLab have a slightly different way of doing this).

There is a way forward, and we'll prioritise a fix.