encrypted password in hostRule does not seem to work
enricojonas opened this issue · comments
Which Renovate are you using?
Renovate On-Prem 1.1.0 (OSS v23.30.2)
Which platform are you using?
GitHub Enterprise
Artifactory Maven Repo
Have you checked the logs? Don't forget to include them if relevant
"DEBUG: Dependency lookup unauthorized. Please add authentication with a hostRule (repository=xxx/xxx)"
What would you like to do?
Lookup maven dependencies from private Maven registry, Artifactory.
I have a working config, the problem is that I am not able to encrypt the password. When I encrypt the password I get the error message as shown above.
packageRules": [
{"managers": ["maven"], "registryUrls": ["https://artifactory.xxx.com/artifactory/xxx-maven-virtual"] }
]
"hostRules": [
{
"hostType": "maven",
"hostName": "artifactory.xxx.com",
"username": "my-username",
"password": "my-password"
}
]
This is working.
However, when I try to use encrypted password like this:
packageRules": [
{"managers": ["maven"], "registryUrls": ["https://artifactory.xxx.com/artifactory/xxx-maven-virtual"] }
]
"hostRules": [
{
"hostType": "maven",
"hostName": "artifactory.xxx.com",
"username": "my-username",
"encrypted": {"password": "encrypted-password"}
}
]
It is not working. I am using this URL to encrypt the password: https://app.renovatebot.com/encrypt
Maybe this is not working for the on-prem version? How can it be done?
Thank you
When you use that URL to encrypt, you are encrypting it using the public key of the hosted app, which has nothing to do with your own installation.
Your choices are:
- look up
privateKeyin the docs and generate your own encryption keys to use, or - Add the hostRules to your bot's config instead of to repo configs (so the password is not visible to repositories but is usable by them)
Bot config: a config.js or config.json file inside your on-prem container in the working directory
Repo config: the renovate.json config in repos you're probably already using
Hi,
ok so it is like I suspected. All this is already in the bots config (which itself resides in github). Since we have a lot of small repositories we went for a more central approach, no config files in the repositories, only one global config.json which is mounted from a k8s configmap when the container starts up, plus the necessary secrets for github in a k8s secret which is also mounted on container startup. So right now the password would show up in both github and in the configMap.
I guess the only way is to go for the first approach. How can I generate my own encryption key and use it?
Thank you,
@enricojonas As @rarkins suggested please read privateKey manual
@viceice Thank you, I will try this and report back, seems to be a straight forward solution!
Hi,
I have followed the manual and created the key pair. However, it seems not to work, maybe I am missing something.
openssl genrsa -out rsa_priv.pem 4096
openssl rsa -pubout -in rsa_priv.pem -out rsa_pub.pem
I have then taken the private key, exchanged all line breaks with "\n" and put it into an environment variable
RENOVATE_PRIVATEKEY
The password I tried to encrypt both using the html page (where I changed the public key part) and the command, both with failed result when I try to use it.
echo 'my-password' | openssl rsautl -encrypt -pubin -inkey rsa_pub.pem | base64
This configuration works without encrypted password:
"hostRules": [
{
"hostType": "maven",
"hostName": "artifactory.xxx.com",
"username": "my-username",
"password": "my-password"
}
]
However, this does not work:
"hostRules": [
{
"hostType": "maven",
"hostName": "artifactory.xxx.com",
"username": "my-username",
"encrypted": {"password": "my-encrypted-password"}
}
]
Maybe I am missing something. Do I set the environment variable correct?
RENOVATE_PRIVATEKEY: '-----BEGIN RSA PRIVATE KEY-----\nMIIJKAIBAAKCA.....\n.....\n....\n-----END RSA PRIVATE KEY-----'
In the logs I can see
I 2020-12-07T11:51:32.553106422Z DEBUG: Adding host rule (repository=xxx/xxx)
I 2020-12-07T11:51:32.553159199Z "config": {
I 2020-12-07T11:51:32.553168554Z "hostType": "maven",
I 2020-12-07T11:51:32.553173417Z "hostName": "artifactory.xxx.com",
I 2020-12-07T11:51:32.553178279Z "username": "my-username",
I 2020-12-07T11:51:32.553182770Z "encrypted": {"password": "***********"}
I 2020-12-07T11:51:32.553187810Z }
@enricojonas You should also see decrypting log lines from here
So please share some more log lines
After enabling trace (had debug before) I can only see this, for each repository.
I 2020-12-07T12:30:07.439692161Z TRACE: decryptConfig() (repository=xxx/xxx)
I 2020-12-07T12:30:07.439704098Z "config": {}
I 2020-12-07T12:30:07.439813928Z TRACE: decryptedConfig (repository=xxx/xxx)
I 2020-12-07T12:30:07.439824892Z "config": {}
Since we don't keep the config with the repositories it's empty I guess.
Should decryption work for encrypted objects in config.json located under /usr/src/app/config.json ?
During startup I can see following, so it seems to pick up the key at least
2020-12-07 14:07:19.749 CET "privateKey": "***********",
I can't find the logmessage in current oss renovate code, so it seems your version is out of date and the public docu no longer matches.
@rarkins can you help here? as is looks like he is using the whitesource on-prem version which is out of my scope.
I assume you typo'd here when you wrote RENOVATE_PRIVATEKEY? Because it should be RENOVATE_PRIVATE_KEY. Seems like you used the right one if you see privateKey accepted in logs.
Should decryption work for encrypted objects in config.json located under /usr/src/app/config.json ?
No, it does not work. It's for decrypting repository configs, not the bot admin config.
Hi @rarkins,
actually I used RENOVATE_PRIVATEKEY and not RENOVATE_PRIVATE_KEY so I don't know which value was picked up in that case.
However, that means we cannot use the private key approach if using a central config only. At least we cannot maintain it in github / k8s configmap. It would have been nice to have the config in a central place in github. I guess there is no way to have more than one config file either. Then we could have one with the artifactory host rule only and another one with all other configs in github.
It is not possible to use environment variables in the config.json?
"hostRules": [
{
"hostType": "maven",
"hostName": "artifactory.xxx.com",
"username": "xxx",
"password": ${env.ART_TOKEN}"
}
]
Thanks for the good work and support!
@enricojonas You can maybe use a shared preset and reference it from bot config. Not sure if it will work.
Another option is to add the passwords to a k8s secret and mount them as env to renovate pod. Then use a config.js instead of config.json to pass passwords from env:
module.exports = {
"hostRules": [
{
"hostType": "maven",
"hostName": "artifactory.xxx.com",
"username": "xxx",
"password": process.env.ART_TOKEN
}
]
}actually I used RENOVATE_PRIVATEKEY and not RENOVATE_PRIVATE_KEY so I don't know which value was picked up in that case.
Something is not right there, but of course I can't tell from here. But I also recommend you use a config.js instead and read from env.