Adding hostRules to global config.js changes platform authentication type to Basic from Bearer

[alekskar]

What would you like help with?

I think I found a bug

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

self hosted GitLab

Please tell us more about your question or problem

Hi,
I would like to manage host rules in config.js located in repository where renovate is running to be able to keep environment variabled in CI configuration without hardcoding them in a repo.
config.js content is the following

module.exports = {
    endpoint: process.env.CI_API_V4_URL,
    hostRules: [
      {
        matchHost: 'repo.ext.company:5000',
        username: 'dev',
        password: process.env.REPO_REGISTRY_PASS,
        insecureRegistry: true,
      },
          ],
  };

after adding this config I lose connectivity to self hosted Gitlab api , and the difference I see in logs between run with config.js and without is the following:

with config.js

DEBUG: hostRules: applying Basic authentication for git-it.company.com (repositry=vw-migrations/microservices/test-msc)
DEBUG: GET https://git-it.company.com/api/v4/projects/vw-migrations%2Fmicroservices%2Ftest-msc = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=18) (repositry=vw-migrations/microservices/test-msc)

without config.js

DEBUG: hostRules: applying Bearer authentication for git-it.company.com (repository=vw-migrations/microservices/test-msc)
DEBUG: vw-migrations/microservices/test-msc default branch = development (repository=vw-migrations/microservices/test-msc)

This leads me to assumption that renovate for some reason use wrong Auth type.

Expected behaviour:

configuring hostRules in config.js does't impact on platform access.

detailed log lines provided below:

I also use environment variables:

  RENOVATE_TOKEN: xxxxxxxx
  RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate
  RENOVATE_ENDPOINT: $CI_API_V4_URL
  RENOVATE_PLATFORM: gitlab
  RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
  RENOVATE_REPOSITORY_CACHE: 'disabled'
  RENOVATE_GIT_AUTHOR: 'Renovate Bot <[email protected]>'
  RENOVATE_LOG_FILE: renovate-log.ndjson
  RENOVATE_LOG_FILE_LEVEL: debug
  RENOVATE_PR_COMMITS_PER_RUN_LIMIT: 5
  RENOVATE_REPOSITORIES: '["vw-migrations/microservices/test-mcs"]'

Logs (if relevant)

Logs

DEBUG: Setting global hostRules
DEBUG: Adding password authentication for repo.ext.company.com:5000 (hostType=undefined) to hostRules
DEBUG: Adding token authentication for https://git-it.company.com/api/v4 (hostType=gitlab) to hostRules
DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
DEBUG: hostRules: authentication already set for git-it.company.com
DEBUG: GitLab version is: 17.0.1
DEBUG: Using configured gitAuthor (Renovate Bot <[email protected]>)
DEBUG: Adding token authentication for git-it.company.com (hostType=gitlab) to hostRules
DEBUG: Initializing Renovate internal cache into /builds/vw-migrations/renovate-poc/renovate/cache/renovate/renovate-cache-v1
DEBUG: Commits limit = 5
DEBUG: Setting global hostRules
DEBUG: Adding password authentication for repo.ext.company.com:5000 (hostType=undefined) to hostRules
DEBUG: Adding token authentication for https://git-it.company.com/api/v4 (hostType=gitlab) to hostRules
DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
DEBUG: Adding token authentication for git-it.company.com (hostType=gitlab) to hostRules
DEBUG: validatePresets()
DEBUG: Reinitializing hostRules for repo
DEBUG: Clearing hostRules
DEBUG: Adding password authentication for repo.ext.company.com:5000 (hostType=undefined) to hostRules
DEBUG: Adding token authentication for https://git-it.company.com/api/v4 (hostType=gitlab) to hostRules
DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
DEBUG: Adding token authentication for git-it.company.com (hostType=gitlab) to hostRules
 INFO: Repositry started (repositry=vw-migrations/microservices/test-msc)
       "renovateVersion": "37.381.3"
DEBUG: Using localDir: /builds/vw-migrations/renovate-poc/renovate/repos/gitlab/vw-migrations/microservices/test-msc (repositry=vw-migrations/microservices/test-msc)
DEBUG: PackageFiles.clear() - Package files deleted (repositry=vw-migrations/microservices/test-msc)
DEBUG: hostRules: applying Basic authentication for git-it.company.com (repositry=vw-migrations/microservices/test-msc)
DEBUG: GET https://git-it.company.com/api/v4/projects/vw-migrations%2Fmicroservices%2Ftest-msc = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=18) (repositry=vw-migrations/microservices/test-msc)
DEBUG: GitLab API 404 (repositry=vw-migrations/microservices/test-msc)
       "url": "https://git-it.company.com/api/v4/projects/vw-migrations%2Fmicroservices%2Ftest-msc"
DEBUG: Caught initRepo error (repositry=vw-migrations/microservices/test-msc)
       "err": {
         "name": "HTTPError",
         "code": "ERR_NON_2XX_3XX_RESPONSE",
         },
         "message": "Response code 404 (Not Found)",
         "stack": "HTTPError: Response code 404 (Not Found)\n    at Request.<anonymous> (/usr/local/renovate/node_modules/.pnpm/[email protected]/node_modules/got/dist/source/as-promise/index.js:118:42)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)",

[rarkins]

A username/password host rule will always generate Basic authentication no matter where it is

[alekskar]

Could you provide details how configuration of private docker registry repo.ext.company:5000 with user/password ( to be able to lookup dependencies) impact on ability reaching out gitlab api at git-it.company.com which is completely different host? I haven't any username/password configured for gitlab. As far as I understand renovate uses RENOVATE_TOKEN env variable for RENOVATE_ENDPOINT env variable to be able to reach RENOVATE_PLATFORM

[rarkins]

Probably because your matchHost needs https:// before it.

[alekskar]

Wow, it works after adding schema! Thank you very much for your support. It is sincerely appreciated.