Can't setup github integration on a sentry onpremise installation

[bellini666]

Important Details

How are you running Sentry?

• [ x ] On-Premise docker [Version 9.1]
• Saas (sentry.io)
• Other [briefly describe your environment]

Description

Tried to setup github integration but nothing happened.

Steps to Reproduce

1. Go to the organization's Integrations settings
2. Click on github's Install button. A new window will be opened inside the github marketplace
3. Add the application to the organization in github
4. Go back to the sentry integration settings page
5. See that nothing happened

What you expected to happen

The repository should be linked

Possible Solution

I think it actually linked to the sentry.io installation, which created an account for me. That's not what I want.

[markstory]

The github integration requires the creation of a github-app, and a number of configuration options to be set. The options that need to be set can be found here and can be setup in you sentry.yaml file.

[bellini666]

@markstory thanks for pointing me in the right direction.

Probably there's a doc missing explaining how to do that.

[dotconnor]

@markstory What urls are needed for auth and webhook?

Edit:
Found through test files that the webhook url is /extensions/github/webhook/, still looking for the auth callback though

[markstory]

The auth callback is /extensions/github/setup/

[arizz96]

Any news here?

[markstory]

@arizz96 What kind of news are you looking for?

[arizz96]

@markstory I've encountered this issue and I'm trying to solve it.
I setup the github-app but the activation link brought me to sentry.io.

Can you please help me on that?

[dotconnor]

@arizz96 Here is what I did to set mine up:

This only enables Github App Integrations and not Github SSO

1. Create a new github app:
2. Set the following values:

Setting	Value
Homepage URL	${urlPrefix}
User authorization callback URL	${urlPrefix}/extensions/github/setup/
Setup URL (optional)	${urlPrefix}/extensions/github/setup/
Webhook URL	${urlPrefix}/extensions/github/webhook/
Webhook secret (optional)	${webhookSecret}

3. Create a private key and download it, replace all newlines with \n to ensure correct format in config.yml
4. Add the following options to your config.yml

Not sure which ones are required, but I pulled all of these from the code.

github.apps-install-url: ${urlPrefix}/extensions/github/setup/
github.integration-app-id: ${githubAppId}
github.integration-hook-secret: ${webhookSecret}
github.integration-private-key: "${privateKey}"
github-app.id: ${githubAppId}
github-app.name: ${githubAppName}
github-app.webhook-secret: ${webhookSecret}
github-app.private-key: "${privateKey}"
github-app.client-id: ${githubAppClientId}
github-app.client-secret: ${githubAppClientSecret}

5. Run docker-compose build && docker-compose run --rm web upgrade && docker-compose up -d to rebuild your installation with the new settings.
6. Go to ${urlPrefix}/settings/${organization}/integrations/
7. Remove your github integration is already added
8. Install github integration

---

PS: This should be written down somewhere not in a github issue

[markstory]

If anyone has the time on-premise docs can be found here

[dotconnor]

@markstory I'll work on it, but should I include a full guide or just list the different configuration options?

[markstory]

Some context on how to get the integration configured is probably a good start.

[chinskiy]

@dotconnor guide works for me. Thanks!
Just 1 comment what can save time for someone(because I spent half the day on it)
private-key must be in format

github-app.private-key: "-----BEGIN RSA PRIVATE KEY-----\n<PRIVATE KEY LINE 1>\n....\n<PRIVATE KEY LINE N>\n-----END RSA PRIVATE KEY-----"

[dotconnor]

@chinskiy I included removing the newlines with \n above and in the docs here: getsentry/sentry-docs@529d793#diff-55a17b3c7313e07c55f9777ef6553e1eR35

[bellini666]

I'm following the setup guide described in the issue, I just have one question: What permissions should I give to the app? It's not described anywhere

[bellini666]

Also, I don't know if that is elated to my permissions question, but after installing the integration, when I try to add a repository, nothing happens.

[dotconnor]

If you already have the official sentry app installed, you can look there for the permissions.

…

On Apr 20, 2019, at 12:25 PM, Thiago Bellini Ribeiro ***@***.***> wrote: Also, I don't know if that is elated to my permissions question, but after installing the integration, when I try to add a repository, nothing happens. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[bellini666]

Also, I don't know if that is elated to my permissions question, but after installing the integration, when I try to add a repository, nothing happens.

Regarding to this, this error is appearing in my internal project: https://sentry.zerosoft.com.br/share/issue/0e8459945c744d6a811002beb9cf43c5/

I think I have given all the required permissions to the app as the repositories appear just fine. The issue happen when I click to add one of them

[dotconnor]

@bellini666 You need the following permissions:

Permission	Setting
Repository administration	Read-only
Repository contents	Read-only
Issues	Read & write
Pull requests	Read & write
Repository webhooks	Read & write

I subscribed to all events

After you update the permissions and even if you don't, remove your github integration and then re-add it, you should be able to add repos then

[bellini666]

@dotconnor thanks, that solved my issue :)

Probably those permissions should also be added to the documentation IMO

[markstory]

Closing as the documentation guide should be live soon. Thanks everyone who helped out with this 👏

[riker09]

With the help of this guide I was able to get the GitHub integration working on my on-premises Sentry installation. Thank you!

But I cannot figure out how to turn on SSO via GitHub. Judging from the integration documentation this should be possible?

I have created a custom Sentry Docker image with my sentry.conf.py and config.yml and this requirements.txt file:

git+https://github.com/getsentry/sentry-auth-github.git@master#egg=sentry-auth-github

I can see "GitHub" listed as SSO provider in "Oorganization Settings" > "Auth", but clicking on "configure" results in a 404 at GitHub. This is the URL:

https://github.com/login/oauth/authorize?scope=user%3Aemail%2Cread%3Aorg%2Crepo&state=abcdef0123456789abcdef0123456789&redirect_uri=https%3A%2F%2Fsentry.mydomain.com%2Fauth%2Fsso%2F&response_type=code&client_id="MyGitHubAppId"

When I remove the quotes around MyGitHubAppId I am redirected to my Sentry installation and see an Invalid request. error on the top of the page. In my log I can see

"GET /extensions/github/setup/?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch&state=abcdef0123456789abcdef0123456789 HTTP/1.1" 302 392 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"

I believe that I am very close at solving it and I bet it is some stupic configuration mistake that I have made. Any help would be greatly appreciated.

[riker09]

I have managed to get one step further by changing the value of "User authorization callback URL" to https://sentry.mydomain.com/auth/sso/ in my GitHub App. (Got that idea from this issue).

Now my Sentry installation wants me to select an Organization from a drop down list, which is empty. 😕

[riker09]

Okay, I got it working, but the last piece of the puzzle is still unclear.

There were two changes that might be responsible:

1. I have added GITHUB_ORGANIZATION=MyOrgName to sentry.env when starting the container. Or in other words, I have added this environment variable to the Sentry web (worker, cron) nodes. I couldn't find any mention of this variable in the official sentry.conf.py, though.

2. I have added the "Organization members" and "Organization administration" permission to the GitHub App. A colleague has received an email from GitHub that mentioned the added permissions. He then did something to the App but couldn't exactly recall what is was. But somewhere along the way he added the App to our GitHub Organization. I strongly believe that this is what actually did the trick. In any case this should be far better documented. Maybe with some screenshot.

[omgitsbillryan]

The doc claims that github-app.webhook-secret is optional, but if you don't set one in your GH App, then Sentry will return a HTTP-400 w/ the message:

github.webhook.missing-signature

When no webhook secret is configured in GH, then the webhook requests will not include the X-Hub-Signature header, and Sentry considers this header to be required, not optional.

[riker09]

So you're saying in reality it was the missing webhook and the documentation is (slightly) wrong? Is there an issue for that, yet?

[inversion]

For anyone else struggling, make sure you have both of:

SENTRY_OPTIONS['github.integration-private-key']
SENTRY_OPTIONS['github-app.private-key']

set to the correct private key. I found it easiest to pass an environment variable with the private key containing literal newlines (unescaped) base64 encoded, then use:

# sentry.conf.py
import base64
SENTRY_OPTIONS['github.integration-private-key'] =  base64.b64decode(env('SENTRY_GITHUB_APP_PRIVATE_KEY'))
SENTRY_OPTIONS['github-app.private-key'] =  SENTRY_OPTIONS['github.integration-private-key']

and ensure there is no reference to the private key in ENV_CONFIG_MAPPING.

[ahmedspiir]

@inversion It didn't work for me!
I tried with and without a newline and i was able to print the value in my configmap

    SENTRY_OPTIONS['github.integration-private-key'] = base64.b64decode(env('SENTRY_GITHUB_APP_PRIVATE_KEY'))
    SENTRY_OPTIONS['github-app.private-key'] = base64.b64decode(env('SENTRY_GITHUB_APP_PRIVATE_KEY'))
    print(SENTRY_OPTIONS['github.integration-private-key'])
    print('value of '+SENTRY_OPTIONS['github-app.private-key'])

But with this i kept getting the same exception that it Could not deserialize key data.

[inversion]

@ahmedspiir it should look exactly like this (randomly generated) key, without leading blank lines or trailing newlines:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAuYgBqBhRmjDsMfCZba/hon9L6/VqOC78zbUJYW+YzkmHDoX87jVd
cgiLSv6tTE1ysrsby4y50TF98StnOJ8STcNYOHOZNtt36g6+nNAAuD0e5OgKqFD3flDMj2
2zgTlEQsfke9kIwyV63kqiHblsjxZr/RNlHHG8NvSHLnKU8YMxVryujOiNiPXOQsGC0SJD
P3Ljfw4scz+UZk4HMFviRztE9cfURexKPA+7d/zwsbi7K0qzwfNCYb9j21N+5OdnWiSErn
oTqVnclBsrWNFgkWatYsFr+q5i1uHN4VagvauVF2mIVVGHZnnF5Msa1yL1MAVNUlMhllke
dfUFH7j7QwAAA9gPIkM7DyJDOwAAAAdzc2gtcnNhAAABAQC5iAGoGFGaMOwx8Jltr+Gif0
vr9Wo4LvzNtQlhb5jOSYcOhfzuNV1yCItK/q1MTXKyuxvLjLnRMX3xK2c4nxJNw1g4c5k2
23fqDr6c0AC4PR7k6AqoUPd+UMyPbbOBOURCx+R72QjDJXreSqIduWyPFmv9E2Uccbw29I
cucpTxgzFWvK6M6I2I9c5CwYLRIkM/cuN/DixzP5RmTgcwW+JHO0T1x9RF7Eo8D7t3/PCx
uLsrSrPB80Jhv2PbU37k52daJISuehOpWdyUGytY0WCRZq1iwWv6rmLW4c3hVqC9q5UXaY
hVUYdmecXkyxrXIvUwBU1SUyGWWR519QUfuPtDAAAAAwEAAQAAAQBAWZ8ReZXcIDncPHJK
7CUbooFnzxBPemSuyKr/Q6DBdBlG/Uw0JwhJRBNkKJ9dBsPQoDtMx3uvxjXDj2VW6z2DAU
05D0dGEqst4H1WkIKfZHuxs5X2uVaOVmINIWSQXpeBfimOl0GFxhsuvL4sByNTIdjEx5Rb
YEuC2B+HCbEFbv7IPrB1eovUe2rqEA05kqjfYWudyRT4DLl+ZEyLVEJ64fMVVwViOkfe1t
6Rdq1dK9anyymbmDQuE51p2uTw0TBm6o6Rs+hv/QAHXqH8M1XpGKMyMyAeO324OXii+njg
4YKczHTzz/eU6P4hIh9iFnV+38+0aFMlMvkdUJWkNjNJAAAAgEeKbuA5Sm9pf114KFXfH+
9N4HVFPBvIsiMPfI7it2kNSQb7Af8DE0hq1GywujfpvdZ95rTPXc8/tiNMTkt+Ljayy9sJ
O9D5ReOvK5BOCF3opIFLQXTaR7zDGjYLnSZq7gNp91hMUvTEfM+9KdHflodokGLJ7h7us8
TLnFQKf1hWAAAAgQDuJr51Y+YqBeDwz0KvH233ogcmefDaX7aMs1kBuppgAKjtGev3gFyJ
a+qdz/3w/TzY9SPNLGTSmKXPZxnUN2BXvwGVhaLJe82ZTJRT0Bmgun+08NkR0UXBPT7AkN
EM5CiCC6fnO9fZS28kyRllCl+Ds4Keg3sg1t5kwBhm9ylrpQAAAIEAx2+s24k4yu6cGLUK
oc6asQTWgOw9ZeKMYUynb+Q6gvjqDaBwRFMNPwm1cm8Y0EsF2NKyq7g8FD5dH/EV1TT8v3
xhRqnduAe2oX6RlP/HE279zo00FisI7Q9NP0p5CHn+Sb4jBvZwjaZE4HHyu2UQNfkwuL0d
5qAIvNaJZBfTtscAAAAgYW5kcmV3QEFuZHJld3MtTWFjQm9vay1Qcm8ubG9jYWwBAgM=
-----END OPENSSH PRIVATE KEY-----