Deploy TAP workload failed with "authentication required" error in creating gitrepository resource

Article ID: 396626

Products

VMware Tanzu Application Platform

Issue/Introduction

When deploying a workload onto Tanzu Application Platform (TAP), creation of the GitRepository resource fails with the error "authentication required", as shown below.

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  annotations:
    apps.tanzu.vmware.com/correlationid: https://github.com/example/tanzu-java-web-app?sub_path=/
  creationTimestamp: "2025-05-05T03:41:29Z"
  finalizers:
  - finalizers.fluxcd.io
  generation: 1
  labels:
    app.kubernetes.io/component: source
    app.kubernetes.io/part-of: tanzu-java-web-app
    apps.tanzu.vmware.com/auto-configure-actuators: "true"
    apps.tanzu.vmware.com/has-tests: "true"
    apps.tanzu.vmware.com/workload-type: web
    carto.run/cluster-template-name: source-template
    carto.run/resource-name: source-provider
    carto.run/supply-chain-name: source-to-url
    carto.run/template-kind: ClusterSourceTemplate
    carto.run/template-lifecycle: mutable
    carto.run/workload-name: tanzu-java-web-app
    carto.run/workload-namespace: tap-work
  name: tanzu-java-web-app
  namespace: tap-work
  ownerReferences:
  - apiVersion: carto.run/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Workload
    name: tanzu-java-web-app
    uid: 3e4fb666-b13f-4575-98f0-e2a51c03c3c1
  resourceVersion: "13595211"
  uid: e5d8752f-80e0-45a0-a452-fa89ad817432
spec:
  ignore: |
    !.git
  interval: 1m0s
  ref:
    branch: main
  timeout: 60s
  url: https://github.com/example/tanzu-java-web-app
status:
  conditions:
  - lastTransitionTime: "2025-05-05T03:42:19Z"
    message: building artifact
    observedGeneration: 1
    reason: ProgressingWithRetry
    status: "True"
    type: Reconciling
  - lastTransitionTime: "2025-05-05T03:42:19Z"
    message: 'failed to checkout and determine revision: unable to clone ''https://github.com/example/tanzu-java-web-app'':
      authentication required'
    observedGeneration: 1
    reason: GitOperationFailed
    status: "False"
    type: Ready

The workload manifest was configured with a source URL on GitHub.

$ cat workload.yaml
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: tanzu-java-web-app
  labels:
    apps.tanzu.vmware.com/workload-type: web
    apps.tanzu.vmware.com/has-tests: "true"
    apps.tanzu.vmware.com/auto-configure-actuators: "true"
    app.kubernetes.io/part-of: tanzu-java-web-app
spec:
  build:
    env:
      - name: BP_JVM_VERSION
        value: "17"
  params:
  - name: annotations
    value:
      autoscaling.knative.dev/minScale: "1"
  source:
    git:
      url: https://github.com/example/tanzu-java-web-app
      ref:
        branch: main

Environment

  • Tanzu Application Platform

Cause

The error "authentication required" indicates that the TAP supply chain component must authenticate with the Git repository before it can clone the source, but no Git credentials were provided to complete authentication.

Some repositories on a remote Git system (e.g. GitHub, GitLab) are marked as public, which means no authentication is needed to clone the source. In that case, the TAP supply chain needs no Git credentials to pull source from the Git system.

However, in many cases the remote Git repository is private or otherwise requires credentials. For example, a private GitHub repository requires credentials before a remote client can pull it. If proper credentials are not provided in these cases, the TAP supply chain gets the "authentication required" error when it attempts to clone source from the Git system.

Resolution

As stated in the TAP documentation, a secret with Git credentials should be provided to the supply chain either as a tap-value or as a workload parameter. This solution provides the supply chain with a Git credential as a workload parameter.

1) Prepare a manifest for the secret in the workload namespace. For example:

$ cat github-secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: git-secret
  namespace: dev
  annotations:
    tekton.dev/git-0: https://github.com
type: kubernetes.io/basic-auth
stringData:
  username: ####
  password: ####

2) Deploy the secret

$ kubectl apply -f github-secret.yml

$ kubectl -n dev get secret git-secret -o yaml
apiVersion: v1
data:
  password: ####
  username: ####
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"tekton.dev/git-0":"https://github.com"},"name":"git-secret","namespace":"dev"},"stringData":{"password":"####","username":"####"},"type":"kubernetes.io/basic-auth"}
    tekton.dev/git-0: https://github.com
  creationTimestamp: "2025-05-07T06:22:22Z"
  name: git-secret
  namespace: tap-work
  resourceVersion: "16477383"
  uid: f5a3b7dd-cc0e-418c-9e83-706172190141
type: kubernetes.io/basic-auth

3) Configure the secret in the workload manifest

$ cat workload.yaml
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
  name: tanzu-java-web-app
  labels:
    apps.tanzu.vmware.com/workload-type: web
    apps.tanzu.vmware.com/has-tests: "true"
    apps.tanzu.vmware.com/auto-configure-actuators: "true"
    app.kubernetes.io/part-of: tanzu-java-web-app
spec:
  build:
    env:
      - name: BP_JVM_VERSION
        value: "17"
  params:
  - name: annotations
    value:
      autoscaling.knative.dev/minScale: "1"
  - name: source_credentials_secret
    value: git-secret
  source:
    git:
      url: https://github.com/example/tanzu-java-web-app
      ref:
        branch: main
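
The checks implied by steps 1 to 3, as an added example that is not part of the original article or of TAP: a Python function that takes the Workload and Secret as parsed `kubectl get -o json` objects and reports wiring mistakes. The sample objects are constructed, the name check_git_auth is hypothetical, and requiring the tekton.dev/git-N annotation to name the Git host is an assumption drawn from the manifest in step 1.

```python
import json
from urllib.parse import urlsplit

def check_git_auth(workload, secret, workload_namespace):
    """Return findings for the secret wiring; an empty list means it matches the article."""
    findings = []
    git_host = urlsplit(workload["spec"]["source"]["git"]["url"]).hostname
    params = {p["name"]: p.get("value") for p in workload["spec"].get("params", [])}
    meta = secret["metadata"]
    annotations = meta.get("annotations", {})

    # Step 3: the workload must reference the secret by name.
    ref = params.get("source_credentials_secret")
    if ref != meta["name"]:
        findings.append(f"source_credentials_secret is {ref!r}, secret is {meta['name']!r}")
    # Step 1: the secret must live in the workload namespace.
    if meta.get("namespace") != workload_namespace:
        findings.append(f"secret namespace {meta.get('namespace')!r} != "
                        f"workload namespace {workload_namespace!r}")
    if secret.get("type") != "kubernetes.io/basic-auth":
        findings.append(f"secret type is {secret.get('type')!r}")
    # Assumption: a tekton.dev/git-N annotation should name the Git server host.
    hosts = {urlsplit(v).hostname for k, v in annotations.items()
             if k.startswith("tekton.dev/git-")}
    if git_host not in hosts:
        findings.append(f"no tekton.dev/git-N annotation for host {git_host!r}")
    keys = set(secret.get("data", {})) | set(secret.get("stringData", {}))
    for key in ("username", "password"):
        if key not in keys:
            findings.append(f"secret has no {key!r} key")
    # kubectl apply copies the manifest, stringData included, into this annotation.
    last = annotations.get("kubectl.kubernetes.io/last-applied-configuration")
    if last and json.loads(last).get("stringData"):
        findings.append("last-applied-configuration holds plaintext stringData")
    return findings

# Constructed sample objects shaped like `kubectl get -o json` output; values are placeholders.
WORKLOAD = {"spec": {"params": [{"name": "source_credentials_secret", "value": "git-secret"}],
                     "source": {"git": {"url": "https://github.com/example/tanzu-java-web-app"}}}}
APPLIED = {"kind": "Secret", "stringData": {"username": "CONSTRUCTED", "password": "CONSTRUCTED"}}
SECRET = {"type": "kubernetes.io/basic-auth",
          "data": {"username": "dXNlcg==", "password": "dG9rZW4="},
          "metadata": {"name": "git-secret", "namespace": "dev", "annotations": {
              "tekton.dev/git-0": "https://github.com",
              "kubectl.kubernetes.io/last-applied-configuration": json.dumps(APPLIED)}}}

if __name__ == "__main__":
    for finding in check_git_auth(WORKLOAD, SECRET, "tap-work"):
        print("FINDING:", finding)
```

With the constructed sample it reports the namespace mismatch (secret in dev, workload in tap-work) and the plaintext copy of stringData that kubectl apply leaves in the last-applied-configuration annotation, as seen in the step 2 output.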