Git basic auth fails for Kerberos-enabled GitLab

[stephan2012]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitLab

Please tell us more about your question or problem

We're running self-hosted GitLab with Kerberos authentication enabled. When Renovate attempts to access a repository, the authentication with a Personal Access Token (PAT) always fails:

{
  "name": "renovate",
  "level": 50,
  "logContext": "jde7l1hyDEEboidEwp5kq",
  "repository": "infrastructure/my/project",
  "err": {
    "task": {
      "commands": [
        "ls-remote",
        "--heads",
        "https://**redacted**@git.int.company.com/infrastructure/my/project.git"
      ],
      "format": "utf-8",
      "parser": "[function]"
    },
    "message": "remote: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped. See https://git.int.company.com/help/topics/git/troubleshooting_git.md#error-on-git-fetch-http-basic-access-denied\nfatal: Authentication failed for 'https://git.int.company.com/infrastructure/my/project.git/'\n",
    "stack": "Error: remote: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped. See https://**redacted**@3.27.0/node_modules/simple-git/src/lib/plugins/error-detection.plugin.ts:42:29)\n    at PluginStore.exec (/usr/local/renovate/node_modules/.pnpm/simple-git@3.27.0/node_modules/simple-git/src/lib/plugins/plugin-store.ts:54:29)\n    at /usr/local/renovate/node_modules/.pnpm/simple-git@3.27.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:124:42\n    at new Promise (<anonymous>)\n    at GitExecutorChain.handleTaskData (/usr/local/renovate/node_modules/.pnpm/simple-git@3.27.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:121:14)\n    at GitExecutorChain.<anonymous> (/usr/local/renovate/node_modules/.pnpm/simple-git@3.27.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:97:40)\n    at Generator.next (<anonymous>)\n    at fulfilled (/usr/local/renovate/node_modules/.pnpm/simple-git@3.27.0/node_modules/simple-git/dist/cjs/index.js:52:24)\n    at processTicksAndRejections (node:internal/process/task_queues:105:5)"
  },
  "msg": "Repository has unknown error"
}

The reason is a well-known and long-standing issue in Git and its underlying libcurl, which the GitLab documentation further explains:

Because of a bug in current Git versions, the git CLI command uses only the negotiate authentication method if the HTTP server offers it, even if this method fails (such as when the client does not have a Kerberos token). It is thus not possible to fall back to an embedded username and password (also known as basic) authentication if Kerberos authentication fails.

Git shows this behavior only if the URL contains the credentials, but it works without issues when it prompts for the password.

Cross-checking against a GitLab test instance that does not have Kerberos enabled confirms there are no other issues involved.

A workaround is to configure Git to use the credentials store, and create a ~/.git-credentials file. Git (e.g., git ls-remote --heads git.int.company.com/infrastructure/my/project.git) then works as expected.

How can I make Renovate work with Kerberos-enabled GitLab? Configuring a dedicated TCP port for Kerberos authentication (as mentioned in the GitLab docs) is not an option.

Logs (if relevant)

No response

[github-actions[bot]]

Hi there,

The maintainers have labeled this discussion as a use case specific to "enterprise" users. Enterprise users typically self-host Renovate and have advanced requirements like custom certificates, HTTP proxies, private registries, air gapping, etc.

Such cases usually need a lot of back-and-forth to resolve, because the problem is related to the user's environment. Usually the user's environment can not be reproduced publicly, which means that maintainer debugging is not possible.

The maintainers decided their time is best spent on issues that help large numbers of users. This means enterprise-specific issues affecting one user (or a small number of users), are not a priority. If we can help you quickly, we will. But if you see this message, then a maintainer believes this is not a quick fix. The maintainers will not actively work on this issue, unless new information is found.

If you are an enterprise user, please consider the following options:

• Troubleshoot and contribute a fix yourself, or
• Hire a consultant to help you, or
• Consider an Enterprise support contract from Mend.io, or
• Wait for a community member to help you, if they have the same problem

If you choose to wait, then this discussion can remain open indefinitely. But please be patient, do not nudge or bump this discussion just to get attention.

Thanks, the Renovate team

[stephan2012]

I have added initial support for using the Git Credential Store in https://github.com/stephan2012/renovate/tree/feature/gitCredentialStore. When setting RENOVATE_GIT_CREDENTIAL_PASSING=store (defaults to url), the patched Renovate Bot configures Git to use the Git Credential Store, making it work with Kerberos-enabled GitLab instances.

Feedback is welcome! Please note I'm a TypeScript newbie.

Please let me know how to convert this question into an issue or pull request.

[stephan2012]

#36330