Workspace creation failed from private github repository with personal access token from secret #20212

Closed
17 tasks
Tracked by #20218
disaster37 opened this issue Jul 27, 2021 · 3 comments
Labels
area/factory/server Server side of factory implementation kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.

Comments

@disaster37

Describe the bug

I followed the doc https://www.eclipse.org/che/docs/che-7/end-user-guide/authenticating-on-scm-server-with-a-personal-access-token/#configuring_github_authentication_che to create a workspace from a private GitHub repository.

It works fine for the first workspace, but it fails in all cases for all the next ones.

The Eclipse Che UI displays "Failed to request factory resolver: Internal Server Error occurred, error time: 2021-07-27 13:34:53"
Eclipse Che server logs:

2021-07-27 13:34:53,293[nio-8080-exec-5] [ERROR] [c.a.c.r.RuntimeExceptionMapper 47] - Internal Server Error occurred, error time: 2021-07-27 13:34:53
--
Tue, Jul 27 2021 3:34:53 pm | io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.43.0.1/api/v1/namespaces/che-disaster37/secrets/git-credentials-secret-7bl58. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. secrets "git-credentials-secret-7bl58" is forbidden: User "system:serviceaccount:che-prd:che" cannot get resource "secrets" in API group "" in the namespace "che-disaster37".
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:639)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:576)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:543)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:504)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:471)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:453)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:947)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:221)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:187)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:86)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.HasMetadataOperation.replace(HasMetadataOperation.java:118)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.HasMetadataOperation.replace(HasMetadataOperation.java:97)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.utils.CreateOrReplaceHelper.replace(CreateOrReplaceHelper.java:96)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.utils.CreateOrReplaceHelper.createOrReplace(CreateOrReplaceHelper.java:69)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:419)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:86)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:401)
Tue, Jul 27 2021 3:34:53 pm | at io.fabric8.kubernetes.client.dsl.base.BaseOperation.createOrReplace(BaseOperation.java:86)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.api.factory.server.scm.kubernetes.KubernetesGitCredentialManager.createOrReplace(KubernetesGitCredentialManager.java:151)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.api.factory.server.scm.AuthorizingFileContentProvider.fetchContent(AuthorizingFileContentProvider.java:73)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.api.factory.server.urlfactory.URLFactoryBuilder.createFactoryFromDevfile(URLFactoryBuilder.java:103)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.api.factory.server.github.GithubFactoryParametersResolver.createFactory(GithubFactoryParametersResolver.java:106)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.api.factory.server.FactoryService.resolveFactory(FactoryService.java:102)
Tue, Jul 27 2021 3:34:53 pm | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Tue, Jul 27 2021 3:34:53 pm | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
Tue, Jul 27 2021 3:34:53 pm | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
Tue, Jul 27 2021 3:34:53 pm | at java.base/java.lang.reflect.Method.invoke(Unknown Source)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.method.DefaultMethodInvoker.invokeMethod(DefaultMethodInvoker.java:141)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.method.DefaultMethodInvoker.invokeMethod(DefaultMethodInvoker.java:61)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.RequestDispatcher.doInvokeResource(RequestDispatcher.java:307)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.RequestDispatcher.invokeSubResourceMethod(RequestDispatcher.java:298)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.RequestDispatcher.dispatch(RequestDispatcher.java:234)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.RequestDispatcher.dispatch(RequestDispatcher.java:129)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:63)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.impl.EverrestProcessor.process(EverrestProcessor.java:121)
Tue, Jul 27 2021 3:34:53 pm | at org.everrest.core.servlet.EverrestServlet.service(EverrestServlet.java:62)
Tue, Jul 27 2021 3:34:53 pm | at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:290)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:280)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.core.metrics.ApiResponseMetricFilter.doFilter(ApiResponseMetricFilter.java:46)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.commons.logback.filter.IdentityIdLoggerFilter.doFilter(IdentityIdLoggerFilter.java:49)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:142)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.multiuser.keycloak.server.KeycloakEnvironmentInitializationFilter.doFilter(KeycloakEnvironmentInitializationFilter.java:99)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.multiuser.machine.authentication.server.MachineLoginFilter.doFilter(MachineLoginFilter.java:76)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
Tue, Jul 27 2021 3:34:53 pm | at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
Tue, Jul 27 2021 3:34:53 pm | at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:194)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1651)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
Tue, Jul 27 2021 3:34:53 pm | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
Tue, Jul 27 2021 3:34:53 pm | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
Tue, Jul 27 2021 3:34:53 pm | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Tue, Jul 27 2021 3:34:53 pm | at java.base/java.lang.Thread.run(Unknown Source)

Note: after the Che server creates the secret git-credentials-secret-7bl58, it fails to create a new workspace from a private GitHub repository. If I remove the secret, it works again for one time, and I need to delete it again and again.

Che version

7.33.1

Steps to reproduce

  1. Create a personal access token secret in your namespace to authenticate on GitHub: https://www.eclipse.org/che/docs/che-7/end-user-guide/authenticating-on-scm-server-with-a-personal-access-token/#configuring_github_authentication_che
apiVersion: v1
data:
  token: XXX
kind: Secret
metadata:
  annotations:
    che.eclipse.org/che-userid: f4b19c91-fb97-4257-8d1f-bc2ffa9aa07e
    che.eclipse.org/expired-after: "-1"
    che.eclipse.org/scm-url: https://github.com
    che.eclipse.org/scm-userid: ""
    che.eclipse.org/scm-username: ""
  labels:
    app.kubernetes.io/component: scm-personal-access-token
    app.kubernetes.io/part-of: che.eclipse.org
  name: github-personal-token
type: Opaque
  2. Create a private GitHub repository with devfile.yaml at the root.
  3. Go to the Eclipse Che UI and create a new workspace from the GitHub URL (your private GitHub repository).
    It works fine, and in your Kubernetes namespace you can see that Eclipse Che has created a new secret called git-credentials-secret-XXXXX
  4. Create a new workspace again from the GitHub URL (your private GitHub repository).
    You get this error in the UI: "Failed to request factory resolver: Internal Server Error occurred, error time: 2021-07-27 13:34:53"
    You get this error on the Eclipse Che server:
2021-07-27 13:34:53,293[nio-8080-exec-5] [ERROR] [c.a.c.r.RuntimeExceptionMapper 47] - Internal Server Error occurred, error time: 2021-07-27 13:34:53
--
Tue, Jul 27 2021 3:34:53 pm | io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.43.0.1/api/v1/namespaces/che-disaster37/secrets/git-credentials-secret-7bl58. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. secrets "git-credentials-secret-7bl58" is forbidden: User "system:serviceaccount:che-prd:che" cannot get resource "secrets" in API group "" in the namespace "che-disaster37".

Expected behavior

It creates the workspace without error.

Runtime

  • [ X] kubernetes 1.18.20
  • Openshift (include output of oc version)
  • minikube (include output of minikube version and kubectl version)
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)

Screenshots

Installation method

  • [ X] chectl
    • provide a full command that was used to deploy Eclipse Che (including the output)
    • provide an output of chectl version command
  • OperatorHub
  • I don't know

Environment

  • my computer
    • Windows
    • [ X] Linux
    • macOS
  • Cloud
    • Amazon
    • Azure
    • GCE
    • other (please specify)
  • Dev Sandbox (workspaces.openshift.com)
  • other: please specify

Eclipse Che Logs

Additional context

@disaster37 disaster37 added the kind/bug Outline of a bug - must adhere to the bug report template. label Jul 27, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jul 27, 2021
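
The RBAC denial in the server log above can be triaged mechanically. This is an added example, not part of the original issue or of Eclipse Che's code: it parses the Kubernetes "is forbidden" text, flags a service account that is denied outside its own namespace, and builds `kubectl auth can-i` commands to re-test that identity. `Denial`, `parse_denials` and `can_i_checks` are hypothetical names, and the default verb list is an assumption about what a create-or-replace call needs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the denial from the server log in the report (it appears twice there).
LINE = ('secrets "git-credentials-secret-7bl58" is forbidden: '
        'User "system:serviceaccount:che-prd:che" cannot get resource "secrets" '
        'in API group "" in the namespace "che-disaster37".')
SAMPLE_LOG = LINE + "\n" + LINE + "\n"

# Shape of the API server's RBAC denial text, namespaced or cluster-scoped.
DENIAL_RE = re.compile(
    r'"(?P<name>[^"]*)" is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" (?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

@dataclass(frozen=True)
class Denial:
    user: str
    verb: str
    resource: str
    name: str
    namespace: Optional[str]  # None for cluster-scoped denials

    @property
    def sa_namespace(self) -> Optional[str]:
        """Namespace of the service account, or None for other kinds of user."""
        parts = self.user.split(":")
        is_sa = len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
        return parts[2] if is_sa else None

    @property
    def cross_namespace(self) -> bool:
        """True when a service account is denied in a namespace other than its own."""
        return (None not in (self.sa_namespace, self.namespace)
                and self.sa_namespace != self.namespace)

def parse_denials(log_text):
    """Return the distinct RBAC denials found in a log, in first-seen order."""
    seen = {}
    for m in DENIAL_RE.finditer(log_text):
        seen.setdefault(Denial(m["user"], m["verb"], m["resource"], m["name"], m["namespace"]))
    return list(seen)

def can_i_checks(denial, verbs=("create", "get", "update")):
    """kubectl commands that re-test the denied identity; the verb list is an assumption."""
    scope = f"-n {denial.namespace}" if denial.namespace else ""
    return [f"kubectl auth can-i {v} {denial.resource} --as={denial.user} {scope}".strip()
            for v in verbs]
```

Running the generated commands needs a cluster identity that is allowed to impersonate the service account.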
@skabashnyuk
Contributor

provide a full command that was used to deploy Eclipse Che (including the output)

How did you install Che? Is this helm or operator on k8s?

@disaster37
Author

operator on k8s from chectl

@vzhukovs vzhukovs added area/factory/server Server side of factory implementation severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jul 27, 2021
@mshaposhnik
Contributor

PR merged, will be fixed in newer chectl and operator versions.
