source-controller: Unable to clone gitlab private GitRepository with libgit2

Hello. I have a GitRepository pointing to a private repo with private keys (with write permissions) included:

apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: cnm-dep
spec:
  interval: 24h
  url: ssh://git@my.gitlab/jj/cnm-dep.git
  secretRef:
    name: gitlab-key
  ref:
    branch: master

This works as expected, reconciles itself, and there is no problem with updating the corresponding Kustomization resource. However, the image automation controller is unable to clone this repository when the ImagePolicy is met. The ImageUpdateAutomation resource is the following:

apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageUpdateAutomation
metadata:
  name: cnm-dep
spec:
  interval: 30s
  sourceRef:
    kind: GitRepository
    name: cnm-dep
  git:
    checkout:
      ref:
        branch: master
    commit:
      author:
        email: ml3k@interia.pl
        name: fluxcd
      messageTemplate: |
        (FluxCD) Update images
        {{range .Updated.Images}}
        - {{ . }}
        {{end}}
    push:
      branch: master
  update:
    path: ./
    strategy: Setters

Logs from image-automation-controller:

{"level":"error","ts":"2021-08-13T12:49:40.933Z","logger":"controller-runtime.manager.controller.imageupdateautomation","msg":"Reconciler error","reconciler group":"image.toolkit.fluxcd.io","reconciler kind":"ImageUpdateAutomation","name":"cnm-dep","namespace":"cnm","error":"unable to clone 'ssh://git@my.gitlab/jj/cnm-dep.git', error: Certificate"}

An identical configuration works as expected for GitHub private repositories in the same cluster. The version I run is ghcr.io/fluxcd/image-automation-controller:v0.14.0.

Thank you in advance.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 24 (13 by maintainers)

Most upvoted comments

@pjbgf Just tested it out with the last two versions you pointed out above. It’s working fine now: flux manages to amend the k8s manifests I have on my Google Cloud source private repo - access via SSH.

Thank you for your follow-up!

@jjlakis if your known_hosts has an ECDSA* entry, the solution is to replace this with an entry of another type, as the current version of libgit2 we make use of does not have support for ECDSA* types. Support for this will be added once we have a working libgit2 version >=1.2.0.

For other folks looking for authentication-related issues: the latest release of the image-automation-controller (v0.15.0) contains libgit2 linked against OpenSSL and LibSSH2, which, based on my research and extensive testing, should solve most issues around private key formats (not host keys).
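As an added illustration of the known_hosts advice above (not part of the original thread and not Flux code), this Python script lists which hosts in a Secret's `known_hosts` value carry ECDSA entries and whether they also have an entry of another type. The function names, the sample hosts other than `my.gitlab`, and the key blobs are constructed for the example.

```python
import base64
from collections import defaultdict

def parse_known_hosts(text):
    """Yield (host, key_type) for every key line in an OpenSSH known_hosts file."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue                       # blank line or comment
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue                       # malformed: needs hosts, type, key
        for host in fields[0].split(","):  # one line may list several names
            yield host, fields[1]

def audit_known_hosts(text):
    """Map each host with ECDSA entries to those types and whether another type exists."""
    types = defaultdict(set)
    for host, key_type in parse_known_hosts(text):
        types[host].add(key_type)
    report = {}
    for host, seen in types.items():
        ecdsa = sorted(t for t in seen if t.startswith("ecdsa-sha2-"))
        if ecdsa:
            report[host] = {"ecdsa": ecdsa, "has_other_type": len(seen) > len(ecdsa)}
    return report

def audit_secret_value(b64_value):
    """Audit the base64 `known_hosts` value as stored under a Secret's `data`."""
    return audit_known_hosts(base64.b64decode(b64_value).decode("utf-8"))

# Constructed sample: host names and key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed known_hosts for illustration
my.gitlab ecdsa-sha2-nistp256 AAAA_CONSTRUCTED_BLOB_1
mirror.example,10.0.0.5 ecdsa-sha2-nistp384 AAAA_CONSTRUCTED_BLOB_2
mirror.example ssh-rsa AAAA_CONSTRUCTED_BLOB_3
other.example ssh-rsa AAAA_CONSTRUCTED_BLOB_4
"""

if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE.encode()).decode()
    for host, info in sorted(audit_secret_value(encoded).items()):
        state = "also has another type" if info["has_other_type"] else "ECDSA only"
        print(f"{host}: {', '.join(info['ecdsa'])} ({state})")
```

Hosts reported as "ECDSA only" are the ones whose entry would need replacing with another key type, per the comment above.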

@squaremo Here’s the gitlab-key secret I use with gitRepository:

data:
  identity: private_key
  identity.pub: public_key
  known_hosts: known_hosts

I just realized that I didn’t try HTTP user/token access to GitLab. Not sure if this would make any difference though.

I’m going to move this to source-controller, since it fails there too (and image-automation-controller uses that code).