GitRepository authentication failed using bearerToken (personal access token on GitHub)

[mcantinqc]

Hi,

I am trying to set up authentication using a bearer token (personal access token on GitHub) on a GitRepository object instead of an SSH deploy key because this allows us to use branch protection.

We are running the latest version of FluxCD (2.1.0).

My secret:

apiVersion: v1
kind: Secret
metadata:
  name: flux-config
  namespace: flux-system
data:
  bearerToken: BASE64_REDACTED
type: Opaque

My GitRepository object:

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-config
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: main
  secretRef:
    name: flux-config
  timeout: 60s
  url: https://github.com/example/flux-config.git

When I run the following command, I get the following error message:

flux reconcile source git flux-config

GitRepository reconciliation failed: 'failed to checkout and determine revision: unable to clone 'https://github.com/example/flux-config.git': authentication required'

I have checked the following:

• I can successfully clone the repository on the command line with the bearer token: git clone https://[email protected]/example/flux-config, so I know the token is valid.
• The GitRepository and secret are in the same namespace.
• There are no new lines or whitespace in the secret base64.
  I am not sure why I am getting this error. Do you have any ideas?

Thanks for your help!

[stefanprodan]

See the docs here: https://fluxcd.io/flux/components/source/gitrepositories/#basic-access-authentication

The secret should have username e.g. git and the password should be your token.

From docs:

Note: If you are looking to use OAuth tokens with popular servers (e.g. GitHub, Bitbucket, GitLab), you should use basic access authentication instead. These servers use basic HTTP authentication, with the OAuth token as the password. Check the documentation of your Git server for details.

[mcantinqc]

I try with this secret:

apiVersion: v1
kind: Secret
metadata:
  name: flux-config
  namespace: flux-system
data:
  password: REDACTED
  username: Z2l0
type: Opaque

Still the same error.

I can put garbage on my secret, no password, no username, no bearerToken, still the same error, as if the secret was ignored. But if the secret is missing, I had an error.

[stefanprodan]

It should be stringData if you have username and password in clear text. Also make sure to delete the secret and create it from scratch, so that it contains only those 2 keys and nothing else.

[mcantinqc]

I already try with berearToken, but I retry without success:

apiVersion: v1
kind: Secret
metadata:
  name: flux-config
  namespace: flux-system
stringData:
  password: REDACTED_NOT_IN_BASE64
  username: git

[mcantinqc]

I am trying to use a fine-grained personal access token (PAT) to authenticate with a GitRepository object in FluxCD. According to the documentation, this should be simpler than using a classic PAT, as you can use it as a bearer token or with basic auth (username must be oauth2). I have confirmed that this works from the API, git clone, and curl.

have also tried the method described in the GitHub blog post Easier builds and deployments using Git over HTTPS and OAuth: https://github.blog/2012-09-21-easier-builds-and-deployments-using-git-over-https-and-oauth/. This also did not work.

[mcantinqc]

We use SSH key on a user (instead of PAT or deploy key on repository) and everything work well, so I close, but I still think there are possibly a bug on flux.

[pitabwire]

Just for reference, when creating the base64 version of the string one should take care to avoid new lines as that was only thing that made a difference in our case.

bad : echo github_pat_11.......YG2z9ydMujS | base64 -w 0

good: echo -n github_pat_11.......YG2z9ydMujS | base64 -w 0

[stefanprodan]

We have a command in the Flux CLI to avoid all of this:

  flux -n my-ns create secret git my-git-auth \
    --url=https://github.com/my-org/my-repo \
    --username=git \
    --password=my-gh-token

[gabrieladeniji]

Thanks @pitabwire @stefanprodan, this works perfectly for me

username: echo -n git | base64
password: echo -n ghp_BYiAF..........3uWnod | base64

[boris-veriti]

• getting clear work after several days of looking 4 migrate to HTTPS

• using a fine-grained personal access token (PAT) in read-only mode for organization private repos - work
  with:

   --username=git \
   --password=my-gh-token

Thanks @stefanprodan for hint with stringData

[benjimin]

I have the same issue.

I can create the secret with:

flux create secret git foo --export --bearer-token xxxxx --url https://bitbucket.org/org/repo.git

The token is created as a BitBucket repo-level Access Token with Read scope. Note when creating the token, BitBucket explicitly provides an example of using it as a bearer token (so I don't understand why the flux docs seem to advise only using basic auth with all the major git hosts.)

The secret is applied into the cluster and referenced in a flux gitrepo object, resulting in events with the message: failed to checkout and determine revision: unable to clone 'https://bitbucket.org/org/repo.git': authentication required. There seems to be no additional detail in the source controller logs.

[benjimin]

When I looked in more detail at the Bitbucket docs, I noticed that the bearer token examples were only for Bitbucket API (which handles things like PR creation and comments, not cloning and pushing). The example for git commands appeared to be using basic auth (with the intended bearer token supplied as a password, and the special username "x-token-auth").

In other words, I failed to establish that this is actually a fluxcd problem (rather than a provider limitation). And the same token absolutely does work in fluxcd when provided as the combination of the dummy-username and password (just not if configured for use as a bearer token). I tested this after creating the secret (as a yaml manifest) with the token pasted into a "stringData" field, to avoid any need to re-encode it manually.

[mateusvtt]

I had this issue as well, I create my Secret using external secrets like that:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: github-auth-template
  namespace: my-ns
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: GithubAccessToken
        name: my-github-app-bot-token
  refreshInterval: "15m"
  target:
    template:
      data:
        bearerToken: "{{ .token }}"

Note I followed this doc here and it didn't work.
Then I changed my target as suggested in this thread and it worked:

  target:
    template:
      data:
        username: git
        password: "{{ .token }}"