[duplicate] problems with gitlab clone auth

Hi,

We’re in the process of migrating from Gitlab CI to Drone CI, but still utilizing Gitlab as the scm. We’re still in the evaluation phase, but hitting some walls with scheduled execution of builds. The Drone server is deployed with podman, the runner is in kubernetes (I understand that this runner is currently in beta). All works fine until the cron should trigger the builds. In some projects we see that the pipeline executes fine, in some it is just “spinning”, some builds fail, some builds won’t even start.

Seen this error in the runner:

Cloning with 0 retries
Initialized empty Git repository in /drone/src/.git/
+ git fetch origin +refs/heads/main:
fatal: could not read Username for 'https://gitlab.wasdxyz.com': terminal prompts disabled

Most pipelines use the following template:

kind: pipeline
type: kubernetes
name: default
trigger:
  event:
  - cron
  cron:
    include:
    - daily-build
when:
  branch:
  - main
  - php7.3
steps:
- name: {{ .input.name }}
  image: banzaicloud/drone-kaniko
  settings:
    username:
      from_secret: CI_REGISTRY_USER
    password:
      from_secret: CI_REGISTRY_PASSWORD
    repo: {{ .input.repo }}/{{ .input.image }}
    tags: {{ .input.imagetag}}
    registry:
      from_secret: CI_REGISTRY

- name: vulnscan
  image: registry.wasdxyz.com/devops/trivy-reporter:latest
  environment:
    IMAGE: registry.wasdxyz.com/{{ .input.repo }}/{{ .input.image }}:{{ .input.imagetag}}
    DEV_PROJECT_KEY:
      from_secret: DEV_PROJECT_KEY
    DEVOPS_PROJECT_KEY: 
      from_secret: DEVOPS_PROJECT_KEY
    JIRA_PASSWORD:
      from_secret: JIRA_PASSWORD
    JIRA_USER:
      from_secret: JIRA_USER
    TRIVY_PASSWORD:
      from_secret: TRIVY_PASSWORD
    TRIVY_USERNAME:
      from_secret: TRIVY_USERNAME
  commands:
    - cd /opt/reporter
    - bash /opt/reporter/init.sh

- name: notify
  image: plugins/slack
  when:
    status:
      - success
      - failure
  settings:
    username: DroneCI
    channel: whoworksonwhat
    webhook:
      from_secret: SLACK_WEBHOOK
    icon_url: https://unsplash.it/256/256/?random

image_pull_secrets:
- dockerconfig

I have just enabled the debug logs on the server, and the runner side to see if we can get some details, should’ve done this sooner though. Anywho…
Any ideas what could potentially cause this problem? Could this be related to the GitLab refresh token implementation issue?
Also, is the cron trigger actually required in the pipeline to execute the build, or would it execute without it as well?

This error would indicate your repository requires credentials to clone, but Drone did not inject the credentials. Drone always injects credentials when cloning private repositories. So the typical root cause for this error would be if your repository is public, but you configured GitLab to always require credentials to clone public repositories. If this is the case, you need to enable this setting on your Drone server: DRONE_GIT_ALWAYS_AUTH

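An added example, not part of the original thread: a shell probe that contacts a remote the way a clone step without injected credentials would (terminal prompts off, no credential helper, no askpass program) and reports whether the server demands credentials, which is the condition the reply above describes. The function names and the example URL are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Map git's stderr from a non-interactive fetch to a coarse cause.
classify_git_error() {
    case "$1" in
        *"could not read Username"*|*"could not read Password"*|*"Authentication failed"*)
            echo "auth-required" ;;   # server asked for credentials, none were supplied
        *"Could not resolve host"*|*"Failed to connect"*|*"does not appear to be a git repository"*)
            echo "unreachable" ;;     # DNS, network or wrong-path problem, not an auth problem
        *)
            echo "other" ;;
    esac
}

# Probe a remote with every credential source switched off:
#   GIT_TERMINAL_PROMPT=0  -> never prompt on the terminal
#   GIT_ASKPASS= (empty)   -> no askpass program
#   credential.helper=     -> empty value resets any configured helper
# LC_ALL=C keeps git's messages in English so the patterns above match.
probe_anonymous_clone() {
    url=$1
    if err=$(LC_ALL=C GIT_TERMINAL_PROMPT=0 GIT_ASKPASS= \
             git -c credential.helper= ls-remote --heads "$url" 2>&1 >/dev/null); then
        echo "anonymous-ok"
    else
        classify_git_error "$err"
    fi
}

# Usage: sh probe.sh https://gitlab.example.com/group/project.git
if [ "$#" -gt 0 ]; then
    probe_anonymous_clone "$1"
fi
```

A result of `auth-required` for a repository that is marked public means the server demands credentials even for public clones, so the clone only succeeds when credentials are injected.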

Right, the auth pattern is the same across every project on the Gitlab side, and some builds are executing, some are not which makes this pretty weird. Regardless I’m going to try and add the env you suggested, thank you.
Otherwise the template looks fine for running builds automatically on a cron schedule?

So it seems that the template is good, however I would suggest a sweep on https://plugins.drone.io/ since there are a number of plugins that are unmaintained. I volunteer if that helps to start checking the plugins, and filter out plugins that are archived/unmaintained like the kaniko one which hasn’t been updated in the past 2ish years. Using that plugin caused some issues during our tests rendering the containers built by it unstable.

I agree there are probably plugins in the list that should be removed, but we should not assume that plugins are unmaintained just because they have not been recently updated. Drone has been around for almost 10 years now and we have a number of plugins that are feature-complete. For example, this plugin has not been updated in ~2 years and is heavily used.

So I did try to add this env to the server, but I still see the same error:

Cloning with 0 retries
Initialized empty Git repository in /drone/src/.git/
+ git fetch origin +refs/heads/main:
fatal: could not read Username for 'https://gitlab.antavo.com': terminal prompts disabled

Any idea what I might be missing? Triggering manually works like a charm tho :confused:

I see you are using GitLab. GitLab broke oauth2 refresh tokens in a recent release which has caused problems for downstream systems like Drone. This needs to be fixed by GitLab.

We have an existing thread on this topic and you can see folks experience the same error. I believe they describe some immediate workarounds you can use, until such a time where GitLab has resolved the problem.

https://discuss.harness.io/t/drone-doesnt-implment-gitlab-oauth2-token-refresh-and-causes-404-and-code-change-webhook-fails/12018/14

Let's merge this thread into the above thread, since they are covering the same topic.
