GithubAccessToken generator fails with "401 Bad credentials" in v0.20.3 #5471
Description
Describe the bug
After upgrading from External Secrets Operator v0.16.2 to v0.20.3, the GithubAccessToken generator fails to authenticate with the GitHub API, returning 401 Bad credentials. The exact same configuration works perfectly in v0.16.2.
The error occurs when the generator attempts to create a JWT and request an installation access token from GitHub. The private key is successfully retrieved from AWS Secrets Manager and exists as a Kubernetes secret, but the generator fails during the GitHub authentication step.
To Reproduce
Setup:
- Kubernetes Version: v1.32 (AWS EKS)
- ESO Version that works: v0.16.2
- ESO Version that fails: v0.20.3
GithubAccessToken Generator (Fails in v0.20.3)
```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: GithubAccessToken
metadata:
  name: jenkins-github-app-auth-token
  namespace: jenkins-dev
spec:
  appID: "1"
  installID: "11"
  auth:
    privateKey:
      secretRef:
        name: jenkins-github-app-pem
        key: key
```
ExternalSecret Using Generator (Fails in v0.20.3)
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: jenkins-secret-github-app-auth-token
  namespace: jenkins-dev
spec:
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: GithubAccessToken
          name: jenkins-github-app-auth-token
  refreshInterval: 15m
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager-store
  target:
    name: jenkins-secret-github-app-auth-token
    template:
      data:
        password: '{{.token}}'
        username: user
      metadata:
        annotations:
          jenkins.io/credentials-description: GitHub App Auth Token for Jenkins
        labels:
          jenkins.io/credentials-type: usernamePassword
```
Error:
```json
{
  "level": "error",
  "ts": 1760608700.8406956,
  "msg": "Reconciler error",
  "controller": "externalsecret",
  "controllerGroup": "external-secrets.io",
  "controllerKind": "ExternalSecret",
  "ExternalSecret": {
    "name": "jenkins-secret-github-app-auth-token",
    "namespace": "jenkins-dev"
  },
  "namespace": "jenkins-dev",
  "name": "jenkins-secret-github-app-auth-token",
  "reconcileID": "3e93d6a5-9679-4fe5-aa0e-a9640672719d",
  "error": "error processing spec.dataFrom[0].sourceRef.generatorRef, err: error using generator: error generating token: response code: 401, response: Bad credentials",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:474\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:421\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:296"
}
```
Confirmation that the private key is retrieved successfully:
```json
{
  "level": "info",
  "ts": 1760612897.564513,
  "logger": "provider.aws.secretsmanager",
  "msg": "fetching secret value",
  "key": "jenkins/github-app-pem",
  "version": "AWSCURRENT",
  "value": "SECRET"
}
```
Expected behavior
The GithubAccessToken generator should successfully:
- Read the private key from the secret
- Generate a valid JWT using the GitHub App ID and private key
- Request an installation access token from the GitHub API
- Create the Kubernetes secret with the generated token
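The JWT step above is where a "401 Bad credentials" is decided: GitHub only accepts an RS256 JWT whose `iss` is the App ID, signed by that App's private key, with `exp` no more than ten minutes after `iat`. The following standalone Go program is an added example, not code from the External Secrets Operator; it builds such a JWT and verifies it locally against the matching public key, so an operator can check the key/App ID pair taken from the Kubernetes secret (here replaced by a constructed throwaway key) before blaming the generator. The `AppJWT`/`VerifyAppJWT` names and the 30-second backdating are this example's own choices.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// AppJWT builds the RS256 JWT a GitHub App presents when requesting an installation
// token: iss is the App ID, iat is backdated for clock skew, exp is at most iat+10min.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]interface{}{"iss": appID,
		"iat": now.Add(-30 * time.Second).Unix(), "exp": now.Add(9 * time.Minute).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err // token is unusable when err != nil
}

// VerifyAppJWT checks the signature with the App's public key plus the claim window and
// returns iss; run with the key from the Kubernetes secret to rule out a key/App ID mismatch.
func VerifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	sig, _ := b64.DecodeString(parts[2]) // bad base64 yields nil, which fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature does not match this key: %w", err)
	}
	body, _ := b64.DecodeString(parts[1])
	var c struct{ Iss string; Iat, Exp int64 } // encoding/json matches names case-insensitively
	if json.Unmarshal(body, &c) != nil || c.Exp-c.Iat > 600 || now.Unix() >= c.Exp {
		return "", fmt.Errorf("claims unusable: iss=%q iat=%d exp=%d", c.Iss, c.Iat, c.Exp)
	}
	return c.Iss, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, not a real App key
	tok, _ := AppJWT("1", key, time.Now())      // "1" is the appID from the manifest above
	fmt.Println(VerifyAppJWT(tok, &key.PublicKey, time.Now()))
}
```

To check a real deployment, parse the PEM from the `jenkins-github-app-pem` secret with `x509.ParsePKCS1PrivateKey` and pass the `appID` from the generator spec; a signature failure points at a key/App ID mismatch, a claim-window failure at clock skew on the node.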