renovatebot / config-help

Please use the Discussions feature of https://github.com/renovatebot/renovate instead
https://github.com/renovatebot/renovate/discussions
MIT License

encrypted password in hostRule does not seem to work #1017

Closed enricojonas closed 3 years ago

enricojonas commented 3 years ago

Which Renovate are you using?

Renovate On-Prem 1.1.0 (OSS v23.30.2)

Which platform are you using?

GitHub Enterprise Artifactory Maven Repo

Have you checked the logs? Don't forget to include them if relevant

"DEBUG: Dependency lookup unauthorized. Please add authentication with a hostRule (repository=xxx/xxx)"

What would you like to do?

Lookup maven dependencies from private Maven registry, Artifactory.

I have a working config, the problem is that I am not able to encrypt the password. When I encrypt the password I get the error message as shown above.

"packageRules": [
    {"managers": ["maven"], "registryUrls": ["https://artifactory.xxx.com/artifactory/xxx-maven-virtual"] }
],
"hostRules": [
    {
        "hostType": "maven",
        "hostName": "artifactory.xxx.com",
        "username": "my-username",
        "password": "my-password"
    }
]

This is working.

However, when I try to use encrypted password like this:

"packageRules": [
    {"managers": ["maven"], "registryUrls": ["https://artifactory.xxx.com/artifactory/xxx-maven-virtual"] }
],
"hostRules": [
    {
        "hostType": "maven",
        "hostName": "artifactory.xxx.com",
        "username": "my-username",
        "encrypted": {"password": "encrypted-password"}
    }
]

It is not working. I am using this URL to encrypt the password: https://app.renovatebot.com/encrypt

Maybe this is not working for the on-prem version? How can it be done?

Thank you

rarkins commented 3 years ago

When you use that URL to encrypt, you are encrypting it using the public key of the hosted app, which has nothing to do with your own installation.

Your choices are:

Bot config: a config.js or config.json file inside your on-prem container in the working directory
Repo config: the renovate.json config in repos you're probably already using

enricojonas commented 3 years ago

Hi,

ok so it is like I suspected. All this is already in the bots config (which itself resides in github). Since we have a lot of small repositories we went for a more central approach, no config files in the repositories, only one global config.json which is mounted from a k8s configmap when the container starts up, plus the necessary secrets for github in a k8s secret which is also mounted on container startup. So right now the password would show up in both github and in the configMap.

I guess the only way is to go for the first approach. How can I generate my own encryption key and use it?

Thank you,

viceice commented 3 years ago

@enricojonas As @rarkins suggested, please read the privateKey manual

enricojonas commented 3 years ago

@viceice Thank you, I will try this and report back, seems to be a straight forward solution!

enricojonas commented 3 years ago

Hi,

I have followed the manual and created the key pair. However, it seems not to work, maybe I am missing something.

openssl genrsa -out rsa_priv.pem 4096
openssl rsa -pubout -in rsa_priv.pem -out rsa_pub.pem

I then took the private key, replaced all line breaks with "\n" and put it into an environment variable

RENOVATE_PRIVATEKEY

I tried to encrypt the password both with the HTML page (where I changed the public key part) and with the command below; both results failed when I tried to use them.

echo 'my-password' | openssl rsautl -encrypt -pubin -inkey rsa_pub.pem | base64

This configuration works without encrypted password:

    "hostRules": [
        {
            "hostType": "maven",
            "hostName": "artifactory.xxx.com",
            "username": "my-username",
            "password": "my-password"
        }
    ]

However, this does not work:

    "hostRules": [
        {
            "hostType": "maven",
            "hostName": "artifactory.xxx.com",
            "username": "my-username",
            "encrypted": {"password": "my-encrypted-password"}
        }
    ]

Maybe I am missing something. Am I setting the environment variable correctly?

RENOVATE_PRIVATEKEY: '-----BEGIN RSA PRIVATE KEY-----\nMIIJKAIBAAKCA.....\n.....\n....\n-----END RSA PRIVATE KEY-----'

In the logs I can see

I 2020-12-07T11:51:32.553106422Z DEBUG: Adding host rule (repository=xxx/xxx)
I 2020-12-07T11:51:32.553159199Z        "config": {
I 2020-12-07T11:51:32.553168554Z          "hostType": "maven",
I 2020-12-07T11:51:32.553173417Z          "hostName": "artifactory.xxx.com",
I 2020-12-07T11:51:32.553178279Z          "username": "my-username",
I 2020-12-07T11:51:32.553182770Z          "encrypted": {"password": "***********"}
I 2020-12-07T11:51:32.553187810Z        }

viceice commented 3 years ago

@enricojonas You should also see decrypting log lines from here

So please share some more log lines

enricojonas commented 3 years ago

@viceice

After enabling trace (had debug before) I can only see this, for each repository.

I 2020-12-07T12:30:07.439692161Z TRACE: decryptConfig() (repository=xxx/xxx)
I 2020-12-07T12:30:07.439704098Z        "config": {}
I 2020-12-07T12:30:07.439813928Z TRACE: decryptedConfig (repository=xxx/xxx)
I 2020-12-07T12:30:07.439824892Z        "config": {}

Since we don't keep the config with the repositories it's empty I guess.

Should decryption work for encrypted objects in config.json located under /usr/src/app/config.json ?

During startup I can see the following, so it seems to pick up the key at least

2020-12-07 14:07:19.749 CET "privateKey": "***********",

viceice commented 3 years ago

I can't find the log message in the current OSS renovate code, so it seems your version is out of date and the public docs no longer match.

@rarkins can you help here? As it looks like he is using the WhiteSource on-prem version, which is out of my scope.

rarkins commented 3 years ago

I assume you typo'd here when you wrote RENOVATE_PRIVATEKEY? Because it should be RENOVATE_PRIVATE_KEY. Seems like you used the right one if you see privateKey accepted in logs.

Should decryption work for encrypted objects in config.json located under /usr/src/app/config.json ?

No, it does not work. It's for decrypting repository configs, not the bot admin config.

enricojonas commented 3 years ago

Hi @rarkins,

actually I used RENOVATE_PRIVATEKEY and not RENOVATE_PRIVATE_KEY so I don't know which value was picked up in that case.

However, that means we cannot use the private key approach if using a central config only. At least we cannot maintain it in github / k8s configmap. It would have been nice to have the config in a central place in github. I guess there is no way to have more than one config file either. Then we could have one with the artifactory host rule only and another one with all other configs in github.

Is it not possible to use environment variables in the config.json?

"hostRules": [
    {
        "hostType": "maven",
        "hostName": "artifactory.xxx.com",
        "username": "xxx",
        "password": "${env.ART_TOKEN}"
    }
]

Thanks for the good work and support!

viceice commented 3 years ago

@enricojonas You can maybe use a shared preset and reference it from bot config. Not sure if it will work.

viceice commented 3 years ago

Another option is to add the passwords to a k8s secret and mount them as env vars into the renovate pod. Then use a config.js instead of config.json to pass the passwords from env:

module.exports = {
    "hostRules": [
        {
            "hostType": "maven",
            "hostName": "artifactory.xxx.com",
            "username": "xxx",
            "password": process.env.ART_TOKEN
        }
    ]
}

rarkins commented 3 years ago

actually I used RENOVATE_PRIVATEKEY and not RENOVATE_PRIVATE_KEY so I don't know which value was picked up in that case.

Something is not right there, but of course I can't tell from here. But I also recommend you use a config.js instead and read from env.

enricojonas commented 3 years ago

@rarkins @viceice I have switched to config.js and environment variables managed by a k8s secret instead. It's a good workaround and I can skip the encryption part entirely.

Thank you for your help!