
Installation - SSH Unable to authenticate

Open matiasmir opened this issue 3 years ago • 8 comments

Flux is not working as described in the docs. I'm trying the command:

flux bootstrap git \
  --url=ssh://[email protected]/myuser/k8s-config.git \
  --branch=master \
  --path=./

That command is supposed to:

> The above command will generate an SSH key (defaults to RSA 2048 but can be changed with --ssh-key-algorithm), and it will prompt you to add the SSH public key as a deploy key to your repository.

It is not generating any SSH public key, or at least it is not telling me where it is being stored, and it is not prompting me to add the public key to my repository. This is the response I get after running the command:

► cloning branch "master" from Git repository "ssh://[email protected]/myuser/k8s-config.git"
✗ failed to clone repository: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

matiasmir • Feb 16 '22 15:02

Are you running against a cluster that already has Flux installed, or has already been bootstrapped to another repo before?

If so, then there is likely a secret called flux-system in the flux-system namespace already. Check if the secret exists in that namespace and if there is any sign of a prior installation, if you're unsure. You can use flux uninstall to get rid of them safely and prepare to install Flux again.

If the secret is already present, then flux bootstrap will leave it alone and reuse it. That is likely what has happened here.

kingdonb • Feb 16 '22 18:02

@kingdonb Nope, it is a fresh install in a local cluster. I've already tried cleaning the cluster and installing again, but I have the same problem: when running flux bootstrap ... it doesn't create anything in the cluster, it just throws the error reported above. Only if I run 'flux install' (which is not in the "Installation" section of the docs) does it install all the deployments and secrets, but flux bootstrap still doesn't work. Also, I don't see any flux-system secret in the flux-system namespace after running flux install.

matiasmir • Feb 17 '22 13:02

flux bootstrap git uses SSH agent, is your private key loaded in there? Does the key have access to the repo?

stefanprodan • Feb 17 '22 13:02

@stefanprodan I had my ssh keys generated and I was using them regularly to connect to my repos, but it seems that you have to use ssh-add <Path/to/key> in order to get flux to work, thanks for your answer Stefan. Should this be added to the docs? If it wasn't for your answer I wouldn't have been able to fix it because there is no info related to this on forums, I don't understand how I'm the first with this issue.

matiasmir • Feb 17 '22 13:02

ssh-add is how you load keys into SSH agent, if you haven't done that, then I guess you type the passphrase at every git push?

stefanprodan • Feb 17 '22 14:02

Maybe because I've never used passphrases when creating my ssh keys, that's why I've never used ssh-add ...

matiasmir • Feb 17 '22 14:02

https://fluxcd.io/docs/installation/#generic-git-server https://fluxcd.io/docs/cmd/flux_bootstrap_git/

Both of these docs mention an SSH Agent but do not mention the SSH client's default search path.

I think that's clear, but I was still surprised by all of this behavior. I think users generally have the expectation that when an SSH agent is absent, the SSH key search path of the SSH client will be used. (Those are normal expectations, but I'm not saying Flux should implement all this... only that we should probably dispel that expectation somewhere else in the docs.)

Of course Flux never says it will follow a search path, the doc says we use keys if they are available through the SSH agent.

Flux also ~uses ssh keys with no passphrase (because the key will be stored in the cluster, where there is no human operator to answer a passphrase challenge) – so the documentation should reflect that users may have done this elsewhere also. I'm not sure if the passphrase matters~ (flux can use a passphrase, this was outdated information), because the problem is only that the key isn't loaded into the agent.

I wouldn't suggest changing Flux's behavior, as who knows what other rabbit holes are beyond that phrase "the SSH key search path of the SSH client".

Still seems like there is something we can do here to make this less fraught. Glad you have this issue sorted out!

(Should we reopen this, or open a new issue to update the doc?)

kingdonb • Feb 17 '22 14:02

> Flux also uses ssh keys with no passphrase (because the key will be stored in the cluster, where there is no human operator to answer a passphrase challenge)

We don't use SSH agent in the cluster and we do accept a passphrase, it can be set in the same secret as the SSH key, docs here: https://fluxcd.io/docs/components/source/gitrepositories/#ssh-authentication

We also support passphrase at bootstrap time when you don't use SSH agent, docs here: https://fluxcd.io/docs/installation/#generic-git-server

stefanprodan • Feb 17 '22 16:02
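
Added example (not part of the thread or of the Flux project): a preflight check that tells apart the three agent states behind the "attempted methods [none publickey]" failure discussed above, using the exit status of `ssh-add -l` as documented in ssh-add(1). The key path in `KEY_FILE` is an assumption; `--private-key-file` is the `flux bootstrap git` flag for bootstrapping without an agent.

```shell
#!/bin/sh
# Preflight for `flux bootstrap git` over SSH: is a key reachable via the agent?

# Map the exit status of `ssh-add -l` to an agent state (per ssh-add(1)):
#   0 = identities listed, 1 = agent has no identities,
#   2 = unable to contact the authentication agent.
agent_state_from_rc() {
  case "$1" in
    0) echo loaded ;;
    1) echo empty ;;
    2) echo unreachable ;;
    *) echo unknown ;;   # e.g. 127 when ssh-add is not installed
  esac
}

# Probe the agent that this shell points at through SSH_AUTH_SOCK.
agent_state() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    echo unreachable
    return 0
  fi
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  agent_state_from_rc "$rc"
}

# Turn the state into the next step to take before bootstrapping.
# $1 = agent state, $2 = path to the private key.
bootstrap_advice() {
  case "$1" in
    loaded) echo "agent has keys: run flux bootstrap git" ;;
    empty)  echo "agent is empty: ssh-add $2" ;;
    *)      echo "no agent: start one with eval \"\$(ssh-agent -s)\" or pass --private-key-file=$2" ;;
  esac
}

KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_ed25519}"   # assumed key path, adjust to yours
bootstrap_advice "$(agent_state)" "$KEY_FILE"
```

A key that sits in `~/.ssh` but was never passed to `ssh-add` shows up here as `empty` or `unreachable`, which is the situation the original poster was in.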