galaxy-collection - Behind auth protected endpoint

[garethahealy]

What would you like help with?

I would like help with my configuration

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

I am using an Ansible collection hosted behind an auth-protected endpoint.

I have a refresh token which if you follow the auth flow manually, and enter that returned token into renovate as a secret, renovate works as expected using hostRules. The issue is that the token returned by the auth flow, only lasts for 15mins, so I need renovate to get the token for me.

Ansible allows you to set the auth_url via config:

[galaxy_server.automation_hub]
url=https://console.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

• https://docs.ansible.com/ansible/latest/collections_guide/collections_installing.html#configuring-the-ansible-galaxy-client

Looking at hostRules, I cant see how you'd follow an openid auth flow, and re-use the returned token for subsequent calls.

Obviously, if I use the refresh token, the endpoint doesn't like it (see the logs)

Is this possible? or a missing feature?

Logs (if relevant)

Logs

DEBUG: hostRules: applying Bearer authentication for console.redhat.com
DEBUG: Using queue: host=console.redhat.com, concurrency=16
DEBUG: GET https://console.redhat.com/api/automation-hub/content/published/v3/plugin/ansible/content/published/collections/index/redhat/amq_broker/ = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=401 retryCount=0, duration=662)
WARN: Error fetching https://console.redhat.com/api/automation-hub/content/published/v3/plugin/ansible/content/published/collections/index/redhat/amq_broker/
{
  "datasource": "galaxy-collection"
  "packageName": "redhat.amq_broker"
  "err": {
    "name": "HTTPError",
    "code": "ERR_NON_2XX_3XX_RESPONSE",
    "timings": {
      "start": 1728382232935,
      "socket": 1728382232935,
      "lookup": 1728382232950,
      "connect": 1728382233345,
      "secureConnect": 1728382233487,
      "upload": 1728382233487,
      "response": 1728382233596,
      "end": 1728382233597,
      "phases": {
        "wait": 0,
        "dns": 15,
        "tcp": 395,
        "tls": 142,
        "request": 0,
        "firstByte": 109,
        "download": 1,
        "total": 662
      }
    },
    "message": "Response code 401 (Unauthorized)",
    "stack": "HTTPError: Response code 401 (Unauthorized)\n    at Request.<anonymous> (/usr/local/renovate/node_modules/.pnpm/[email protected]/node_modules/got/dist/source/as-promise/index.js:118:42)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)",
    "options": {
      "headers": {
        "user-agent": "RenovateBot/38.97.0 (https://github.com/renovatebot/renovate)",
        "accept": "application/json",
        "authorization": "***********",
        "accept-encoding": "gzip, deflate, br"
      },
      "url": "https://console.redhat.com/api/automation-hub/content/published/v3/plugin/ansible/content/published/collections/index/redhat/amq_broker/",
      "hostType": "galaxy-collection",
      "username": "",
      "password": "",
      "method": "GET",
      "http2": false
    },
    "response": {
      "statusCode": 401,
      "statusMessage": "Unauthorized",
      "body": {
        "errors": [
          {
            "detail": "Invalid JWT token - signature mismatch: pn4TMIhfGPAz_ATDG4w-buR74fFJPPqRhKj7bHnbp6nvIxhnmt_b9hnqMeX8w59jMFSBZ1xiTm6F2Ez0rcyN5A",
            "meta": {
              "response_by": "gateway"
            },
            "status": 401
          }
        ]
      },
      "headers": {
        "server": "openresty",
        "content-type": "application/json",
        "content-length": "199",
        "x-rh-insights-request-id": "d4131723780941e5ba66446820f6b58d",
        "x-content-type-options": "nosniff",
        "date": "Tue, 08 Oct 2024 10:10:33 GMT",
        "connection": "keep-alive",
        "set-cookie": [
          "3ba1432eca9ab72ebcff858daecadbf5=aeb46859549ae82b7edd1a7ff2068045; path=/; HttpOnly; Secure; SameSite=None"
        ],
        "x-rh-edge-request-id": "50303d5",
        "x-rh-edge-reference-id": "0.9a6bdc17.1728382233.50303d5",
        "x-rh-edge-cache-status": "NotCacheable from child",
        "x-frame-options": "SAMEORIGIN",
        "strict-transport-security": "max-age=31536000; includeSubDomains"
      },
      "httpVersion": "1.1",
      "retryCount": 0
    }
  }
}

[garethahealy]

Manual steps

$ ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN="eyJhbGci..."
$ curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token -d grant_type=refresh_token -d client_id="cloud-services" -d refresh_token="${ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN}" | jq -r '.access_token' > token
$ TOKEN="$(cat token)"
$ curl --header "Authorization: Bearer ${TOKEN}" -L https://console.redhat.com/api/automation-hub/content/published/v3/plugin/ansible/content/published/collections/index/redhat/amq_broker/ | jq '.'
{
  "href": "/api/automation-hub/content/published/v3/plugin/ansible/content/published/collections/index/redhat/amq_broker/",
  "namespace": "redhat",
  "name": "amq_broker",
  "deprecated": false,
  "versions_url": "/api/automation-hub/content/published/v3/plugin/ansible/content/published/collections/index/redhat/amq_broker/versions/",
  "highest_version": {
    "href": "/api/automation-hub/content/published/v3/plugin/ansible/content/published/collections/index/redhat/amq_broker/versions/2.2.5/",
    "version": "2.2.5"
  },
  "created_at": "2023-02-07T15:40:21.542312Z",
  "updated_at": "2024-10-01T15:30:15.261384Z",
  "download_count": 22760
}

[MindTooth]

I believe that Red Hat will change their way of using basic auth to token and will require process described above. Ref.: (valid subscription): https://access.redhat.com/articles/7036194

Meaning we need a way to update said access token dynamically. Guess that could either be by some pre-call via the Mend App or an API for us to update it ourself from the outside.

Not sure that it's any way for us to actually update secretes on our own. https://docs.renovatebot.com/mend-hosted/app-secrets/ has now gone away with using encrypted secrets.

[MindTooth]

@rarkins does the hosted app support to somehow update these variables? Only solution I see is that one needs a job somewhere that keeps this token updated.

Just had all my PRs closed because of expired token. 😅

[rarkins]

We are currently working on adding an API which would let users programmatically add and update "secrets" in the Mend backend

[garethahealy]

Thats good to know. As the Red Hat token only lasts 15 minutes, will/is there any way (via a webhook?) to trigger a job (i.e.: github action) that updates the secret before a renovate scan?

[rarkins]

No, that's not being planned. It would probably require a customer to request this, and then potentially be a paid-only feature depending on how it's implemented.

[github-actions[bot]]

Hi there,

This is intended as a polite, automated request that users avoid @ mentioning repository maintainers like @rarkins or @viceice. Doing so causes annoying mobile notifications and makes it harder to maintain this repository.

We know it might be common elsewhere but we participate in hundreds of discussions a week and would need to turn off GitHub mobile notifications if we were mentioned in every one.

As a general rule, we will read and respond to all discussions in this repository, so there is no need to mention us.

Thanks, the Renovate team