fluxcd/image-automation-controller

"Authorization failed" and nothing else

GTorreil opened this issue · 4 comments

Hello.

First of all, I'm sorry if this turns out to be a "support" issue. I reached out on Slack but could not get help.

ImageRepository and ImagePolicy work:

➜  flux-config git:(main) flux get images policy       
NAME                            LATEST IMAGE                                READY   MESSAGE                                                                                                                                         
frontend-next-integration       registry.gitlab.com/<correct image tag>     True    Latest image tag for 'registry.gitlab.com/<image>' updated from <old tag> to <new tag>

ImageUpdateAutomation fails:

➜  flux-config git:(main) flux get images update
NAME            LAST RUN        SUSPENDED       READY   MESSAGE              
flux-system                     False           False   authorization failed

ImageUpdateAutomation manifest:

apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s # TODO : 5m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        email: fluxcdbot@example.com
        name: fluxcdbot
      messageTemplate: "{{range .Updated.Images}}{{println .}}{{end}}"
    push:
      branch: main
  update:
    path: ./apps
    strategy: Setters

I think the message is a bit broad: is it referring to authorization for git push? Or something else?
I checked git repo access and protected branches, everything seems fine.
I don't know what to look for next.

makkes commented

I agree the message doesn't help much. You should be able to get a little more info from the image-automation-controller pod's logs.

The message "authorization failed" is raised when the controller can't clone the repository referred to by the GitRepository in .spec.sourceRef because the repo doesn't exist (i.e. it received a 404 from the HTTP server). This might hint at insufficient permissions.

Here's the log from the Pod: image-automation-controller

{"level":"error","ts":"2023-11-06T16:14:33.543Z","msg":"Reconciler error","controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io","controllerKind":"ImageUpdateAutomation","ImageUpdateAutomation":{"name":"flux-system","namespace":"flux-system"},"namespace":"flux-system","name":"flux-system","reconcileID":"9f2ee461-6637-4e68-a79a-bfb46406c92d","error":"authorization failed"}

As far as permissions are concerned, how can I provide git authentication to the controller? I can't seem to find that in the docs.

Thanks again,

makkes commented

Authentication data is retrieved from the GitRepository's .spec.secretRef.

Oh, of course, sorry.

For future reference: I had bootstrapped my cluster with a GitLab Deploy Token. Deploy tokens can't commit to repositories.

After re-bootstrapping with a GitLab PAT, everything works!

Thanks again @makkes :)
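
Added example, not part of the original thread or of the Flux project's code: a small triage script for the controller's JSON logs that groups "Reconciler error" lines per object and attaches a next step for the "authorization failed" case discussed above. The hint text and the function names are assumptions made for this example; the sample input is constructed around the one log line quoted in the thread.

```python
import json
from collections import Counter

# Hint text paraphrases this thread; it is not a message the controller emits.
HINTS = {
    "authorization failed": "check the Secret named by the GitRepository's "
                            ".spec.secretRef; its credentials must allow push",
}

# Constructed sample input. The first entry is the line quoted in the thread;
# the rest are made up to exercise the parser.
SAMPLE_LOG = "\n".join([
    '{"level":"error","ts":"2023-11-06T16:14:33.543Z","msg":"Reconciler error",'
    '"controller":"imageupdateautomation","controllerGroup":"image.toolkit.fluxcd.io",'
    '"controllerKind":"ImageUpdateAutomation",'
    '"ImageUpdateAutomation":{"name":"flux-system","namespace":"flux-system"},'
    '"namespace":"flux-system","name":"flux-system",'
    '"reconcileID":"9f2ee461-6637-4e68-a79a-bfb46406c92d","error":"authorization failed"}',
    '{"level":"error","ts":"2023-11-06T16:15:33.600Z","msg":"Reconciler error",'
    '"controllerKind":"ImageUpdateAutomation","namespace":"flux-system",'
    '"name":"flux-system","error":"authorization failed"}',
    '{"level":"info","ts":"2023-11-06T16:15:00.000Z","msg":"constructed info line"}',
    'not json: constructed noise line',
])

def reconciler_errors(log_text):
    """Yield (kind, namespace/name, error) for each error-level log entry."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip anything that is not a JSON object
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        if entry.get("level") != "error" or "error" not in entry:
            continue
        obj = f'{entry.get("namespace", "?")}/{entry.get("name", "?")}'
        yield entry.get("controllerKind", "unknown"), obj, entry["error"]

def summarize(log_text):
    """Return (kind, object, error, count, hint) rows, most frequent first."""
    counts = Counter(reconciler_errors(log_text))
    return [(k, o, e, n, HINTS.get(e, "")) for (k, o, e), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row, sep=" | ")
```

To use it on a live cluster, save the controller pod's log output to a file and pass the file's contents to `summarize` in place of `SAMPLE_LOG`.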