Obtain and persist Bitbucket personal access token as k8s secret #18726

Merged

Conversation

@skabashnyuk skabashnyuk commented Jan 5, 2021

What does this PR do?

Obtain and persist Bitbucket personal access token as k8s secret
This PR includes changes from #18709.

Screenshot/screencast of this PR

TODO

What issues does this PR fix or reference?

Fixes #18388
Docs eclipse-che/che-docs#1807

How to test this PR?

Deploy Bitbucket server 5.15.2 or newer.

A Helm deployment can be found at
https://github.com/skabashnyuk/gitsrv/tree/main/bitbucket.

helm install --create-namespace --namespace bitbucket bitbucket --values values.yaml .
oc rollout status deployment/bitbucket -n bitbucket

Generate keys.

  1. Generate an RSA private key (PKCS#1).
# 2048 bits: the 1024-bit size originally posted is below today's minimum RSA key size
openssl genrsa -out ./certs/private.pem 2048
  2. Generate the public key.
openssl rsa -in ./certs/private.pem -pubout > ./certs/public.pub
  3. Convert the private key from PKCS#1 to PKCS#8 (unencrypted) with openssl; the Che configuration below points at this file:
openssl pkcs8 -topk8 -inform pem -outform pem -nocrypt -in ./certs/private.pem -out ./certs/privatepkcs8.pem
  4. Generate a random consumer key.
openssl rand -base64 24 > ./certs/bitbucket_server_consumer_key

Configure application links

CHE_ROUTE=$(oc get route/che --namespace=$NS -o=jsonpath='{.spec.host}')
BITBUCKET_ROUTE=$(oc get route/bitbucket --namespace=bitbucket -o=jsonpath='{.spec.host}')
CHE_SERVER_URL='https://'${CHE_ROUTE}
# strip the PEM armour: the Application Link form takes the bare base64 body of the public key
PUB_KEY=$(sed -e 's/-----BEGIN PUBLIC KEY-----//' -e 's/-----END PUBLIC KEY-----//' ./certs/public.pub | tr -d '\n')
CONSUMER_KEY=$(cat ./certs/bitbucket_server_consumer_key)
SHARED_SECRET=$(openssl rand -base64 24)
echo '     '
echo ' Open https://'$BITBUCKET_ROUTE
echo '     '
echo '     '
echo ' Go to Administration -> Application Links'
# double-quoted: the single-quoted original broke at 'application url' and ran `Continue` as a command
echo " Enter ->>  ${CHE_SERVER_URL}/dashboard/ in the 'application url' field and press the 'Create new link' button and 'Continue'."
echo ' After that in `Link applications` window'
echo ' Application Name:      Che'
echo ' Application Type:      Generic Application'
echo ' Service Provider Name: Che'
echo ' Consumer key:          '$CONSUMER_KEY
echo ' Shared secret:         '$SHARED_SECRET
echo ' Request Token URL:     '$CHE_SERVER_URL'/plugins/servlet/oauth/request-token'
echo ' Access token URL:      '$CHE_SERVER_URL'/plugins/servlet/oauth/access-token'
echo ' Authorize URL:         '$CHE_SERVER_URL'/plugins/servlet/oauth/authorize'
echo ' Create incoming link:  true'
echo '    '
echo ' Next screen   '
echo '    '
echo ' Consumer Key:          '$CONSUMER_KEY
echo ' Consumer Name:         Che'
echo ' Public Key :           '$PUB_KEY

Screenshots (2021-01-19 at 09:52:33, 09:52:39, 09:53:22, 09:53:48): images not included.

Setup Che

CONSUMER_KEY=$(cat ./certs/bitbucket_server_consumer_key)
oc project $NS
oc patch checluster/eclipse-che --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_OAUTH1_BITBUCKET_CONSUMERKEYPATH\": \"/home/user/eclipse-che/conf/oauth1/bitbucket/consumer.key\"}}}}" --type=merge -n $NS
# strip the PEM armour; both markers have five dashes (a four-dash END pattern leaves a stray '-' in the key)
PRIVATE_KEY=$(sed -e 's/-----BEGIN PRIVATE KEY-----//' -e 's/-----END PRIVATE KEY-----//' ./certs/privatepkcs8.pem | tr -d '\n')
oc patch checluster/eclipse-che --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_OAUTH1_BITBUCKET_PRIVATEKEYPATH\": \"/home/user/eclipse-che/conf/oauth1/bitbucket/private.key\"}}}}" --type=merge -n $NS
BITBUCKET_HOST=$(oc get route/bitbucket -n bitbucket -o=jsonpath='{.spec.host}')
oc patch checluster/eclipse-che --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_OAUTH1_BITBUCKET_ENDPOINT\": \"https://$BITBUCKET_HOST\"}}}}" --type=merge -n $NS
oc patch checluster/eclipse-che --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_INTEGRATION_BITBUCKET_SERVER__ENDPOINTS\": \"https://$BITBUCKET_HOST\"}}}}" --type=merge -n $NS
# idempotent: do not fail when the secret does not exist yet
oc delete secret bitbucket-oauth1-config -n $NS --ignore-not-found=true

# Secret data must be single-line base64: GNU base64 wraps at 76 columns, so strip newlines
cat <<EOF | oc apply -n $NS -f -
apiVersion: v1
kind: Secret
metadata:
  name: bitbucket-oauth1-config
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: che-secret
  annotations:
    che.eclipse.org/mount-path: /home/user/eclipse-che/conf/oauth1/bitbucket
    che.eclipse.org/mount-as: file
type: Opaque
data:
  private.key: $(printf '%s' "$PRIVATE_KEY" | base64 | tr -d '\n')
  consumer.key: $(printf '%s' "$CONSUMER_KEY" | base64 | tr -d '\n')
EOF

Create a private Bitbucket repository.

  • Create project che
  • Create repository che-server

Link Che and Bitbucket

Open the link in a browser:

# KEYCLOAK_TOKEN is not set above: it is the test user's Che (Keycloak) access token, obtained beforehand
open "${CHE_SERVER_URL}/api/oauth/1.0/authenticate?oauth_provider=bitbucket-server&request_method=POST&signature_method=rsa&redirect_after_login=/dashboard&token=${KEYCLOAK_TOKEN}"

Run the factory with a private repository

open "${CHE_SERVER_URL}/f?url=https://${BITBUCKET_ROUTE}/scm/che/che-server.git"

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.
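The key-handling and Secret-creation steps from the test instructions above, carried through as one script. This is an added example, not code from this PR or from Eclipse Che. It assumes the PEM files produced by the openssl commands in the test steps and uses a constructed, non-functional stand-in for the key material; it rejects a key that was left in PKCS#1 form (the commonest mistake when the conversion step is skipped), checks the DER envelope is a PKCS#8 RSA PrivateKeyInfo, and emits the Secret's `data:` values as single-line base64, which is where the shell version goes wrong when `base64` wraps its output.

```python
"""Build the bitbucket-oauth1-config Secret that the test steps create by hand.

Added example, not code from this PR or from Eclipse Che. It assumes the PEM
files come from the openssl commands in the test steps; the key material used
here is a constructed PKCS#8-shaped stand-in, not a real RSA key.
"""
import base64
import binascii
import json
import re
import textwrap

# DER of the AlgorithmIdentifier for rsaEncryption inside a PKCS#8
# PrivateKeyInfo: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
MOUNT_PATH = "/home/user/eclipse-che/conf/oauth1/bitbucket"


def pem_body(pem: str, label: str) -> str:
    """Return the base64 payload of a PEM block with the armour removed.

    Refuses the wrong block type instead of silently emitting an unusable key
    file: `openssl genrsa` writes PKCS#1 ("RSA PRIVATE KEY"), while the Che
    config points at the PKCS#8 ("PRIVATE KEY") file from `openssl pkcs8`.
    """
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no well-formed PEM block found")
    if m.group(1) != label:
        raise ValueError(f"expected a {label!r} block, got {m.group(1)!r}")
    body = "".join(m.group(2).split())  # drop line breaks and stray spaces
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    return body


def check_pkcs8_rsa(body: str) -> None:
    """Cheap DER check: PrivateKeyInfo { version 0, rsaEncryption, ... }."""
    der = base64.b64decode(body)
    if der[:1] != b"\x30" or (b"\x02\x01\x00" + RSA_ALG_ID) not in der[:32]:
        raise ValueError("not a PKCS#8 RSA PrivateKeyInfo; run "
                         "`openssl pkcs8 -topk8 -nocrypt` on the key first")


def b64(data: bytes) -> str:
    """base64 for a Secret `data:` value: a single line, never wrapped.

    GNU `base64` wraps at 76 columns, which corrupts the YAML heredoc in the
    test steps; use `base64 -w0` (or `| tr -d '\\n'`) in the shell version.
    """
    return base64.b64encode(data).decode("ascii")


def bitbucket_oauth1_secret(private_key_pem: str, consumer_key: str,
                            namespace: str, mount_path: str = MOUNT_PATH) -> dict:
    """Return the Secret manifest as a dict; `oc apply -f -` accepts it as JSON."""
    key_body = pem_body(private_key_pem, "PRIVATE KEY")
    check_pkcs8_rsa(key_body)
    consumer = consumer_key.strip()  # the file from `openssl rand` ends with '\n'
    if not consumer:
        raise ValueError("consumer key is empty")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": "bitbucket-oauth1-config",
            "namespace": namespace,
            "labels": {
                "app.kubernetes.io/part-of": "che.eclipse.org",
                "app.kubernetes.io/component": "che-secret",
            },
            "annotations": {
                "che.eclipse.org/mount-path": mount_path,
                "che.eclipse.org/mount-as": "file",
            },
        },
        "type": "Opaque",
        # same layout as the hand-written Secret: the mounted files hold the
        # armour-stripped base64 body of the key and the raw consumer key
        "data": {
            "private.key": b64(key_body.encode("ascii")),
            "consumer.key": b64(consumer.encode("ascii")),
        },
    }


def pem_wrap(label: str, der: bytes) -> str:
    """Encode DER as a PEM block (64-column lines); used for the samples."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples (not real keys): a PKCS#8 envelope around a dummy
# 11-byte payload, and a PKCS#1-labelled block as the "forgot to convert" case.
FAKE_PKCS8_DER = b"\x30\x1f" + b"\x02\x01\x00" + RSA_ALG_ID + b"\x04\x0b" + b"\x00" * 11
SAMPLE_PKCS8_PEM = pem_wrap("PRIVATE KEY", FAKE_PKCS8_DER)
SAMPLE_PKCS1_PEM = pem_wrap("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")
SAMPLE_CONSUMER_KEY = "c0nstructedConsumerKey/24bytes==\n"

if __name__ == "__main__":
    manifest = bitbucket_oauth1_secret(SAMPLE_PKCS8_PEM, SAMPLE_CONSUMER_KEY, "eclipse-che")
    print(json.dumps(manifest, indent=2))
```

Pipe the JSON into `oc apply -n $NS -f -` in place of the heredoc; the DER check is deliberately shallow (envelope only) and is no substitute for letting che-server load the key.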

@che-bot che-bot added status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. kind/task Internal things, technical debt, and to-do tasks to be performed. labels Jan 5, 2021
@skabashnyuk skabashnyuk force-pushed the ksmster_bitbucket_authorizing branch 8 times, most recently from 15a5ebd to fe9872c Compare January 18, 2021 08:17
@skabashnyuk skabashnyuk force-pushed the ksmster_bitbucket_authorizing branch 2 times, most recently from 270e8f5 to 42a26d9 Compare January 20, 2021 07:18
Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
@eclipse-che eclipse-che deleted a comment from che-bot Jan 20, 2021
@che-bot

che-bot commented Jan 26, 2021

❌ E2E Happy path tests failed ❗

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

…_authorizing

Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
@che-bot

che-bot commented Jan 27, 2021

❌ E2E Happy path tests failed ❗

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

@skabashnyuk

On today's call @l0rd suggested that I try to align the Bitbucket OAuth config with
the GitHub OAuth config

kubectl apply -f - <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: github-oauth-credentials
  namespace: <...> 
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: keycloak-secret
  annotations:
    che.eclipse.org/github-oauth-credentials: 'true'
    che.eclipse.org/mount-as: env
    che.eclipse.org/id_env-name: GITHUB_CLIENT_ID
    che.eclipse.org/secret_env-name: GITHUB_SECRET
data:
  id: <...> 
  secret: <...> 
type: Opaque
EOF

See more https://www.eclipse.org/che/docs/che-7/administration-guide/configuring-authorization/#configuring-github-oauth_che

So I can suggest the following format:

kubectl apply -f - <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: bitbucket-oauth1-config
  namespace: <...>
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: che-secret
  annotations:
    che.eclipse.org/bitbucket-server-oauth-credentials: 'true'
    che.eclipse.org/mount-path: /home/user/eclipse-che/conf/oauth1/bitbucket
    che.eclipse.org/mount-as: file
    che.eclipse.org/bitbucket-server-endpoint: http://bitbucket-bitbucket.apps.cluster-2d6e.2d6e.example.opentlc.com/
type: Opaque
data:
  private.key: <...> 
  consumer.key: <...> 
EOF

With such a secret che-operator will mount it into the che-server container at the path /home/user/eclipse-che/conf/oauth1/bitbucket
and also add these environment variables:

 CHE_OAUTH1_BITBUCKET_CONSUMERKEYPATH=/home/user/eclipse-che/conf/oauth1/bitbucket/consumer.key
 CHE_OAUTH1_BITBUCKET_PRIVATEKEYPATH=/home/user/eclipse-che/conf/oauth1/bitbucket/private.key
 CHE_OAUTH1_BITBUCKET_ENDPOINT=http://bitbucket-bitbucket.apps.cluster-2d6e.2d6e.example.opentlc.com/
 CHE_INTEGRATION_BITBUCKET_SERVER__ENDPOINTS=http://bitbucket-bitbucket.apps.cluster-2d6e.2d6e.example.opentlc.com/

@l0rd

l0rd commented Jan 28, 2021

I like that @skabashnyuk. A couple of suggestions:

- che.eclipse.org/bitbucket-server-oauth-credentials: 'true'
+ che.eclipse.org/oauth-credentials-git-server: 'bitbucket' # can be github or bitbucket, in the future gitlab too

and

- che.eclipse.org/bitbucket-server-endpoint: (...)
- che.eclipse.org/git-server-endpoint: (...)

because for github/gitlab hosted in enterprise we probably would need that too.

@skabashnyuk

skabashnyuk commented Jan 28, 2021

  • che.eclipse.org/oauth-credentials-git-server: 'bitbucket' # can be github or bitbucket, in the future gitlab too
  1. Do you want to deprecate che.eclipse.org/github-oauth-credentials: 'true'?
  2. Are you sure that git in the name is a good thing? Maybe we should use something more neutral like SCM. What about che.eclipse.org/oauth-scm-server:
  3. I believe we need to distinguish SAAS and On-Prem. So: github or bitbucket, gitlab - for SAAS, bitbucket-server - for on-prem.
  • che.eclipse.org/bitbucket-server-endpoint: (...)
  • che.eclipse.org/git-server-endpoint: (...)

Do you want to rename the attribute from che.eclipse.org/bitbucket-server-endpoint to che.eclipse.org/git-server-endpoint?

…_authorizing

Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
@l0rd

l0rd commented Jan 28, 2021

  • che.eclipse.org/oauth-credentials-git-server: 'bitbucket' # can be github or bitbucket, in the future gitlab too
  1. Do you want to deprecate che.eclipse.org/github-oauth-credentials: 'true'?

yes

  2. Are you sure that git in the name is a good thing? Maybe we should use something more neutral like SCM. What about che.eclipse.org/oauth-scm-server:

that's better, you are right

  3. I believe we need to distinguish SAAS and On-Prem. So: github or bitbucket, gitlab - for SAAS, bitbucket-server - for on-prem.
  • che.eclipse.org/bitbucket-server-endpoint: (...)
  • che.eclipse.org/git-server-endpoint: (...)

Do you want to rename the attribute from che.eclipse.org/bitbucket-server-endpoint to che.eclipse.org/git-server-endpoint?

Why do you want to consider SAAS and On-Prem as different? I mean SAAS is just one instance for which the endpoint is publicly available, but it still has an endpoint.

@skabashnyuk

@l0rd I didn't get your point about che.eclipse.org/bitbucket-server-endpoint: (...) / che.eclipse.org/git-server-endpoint: (...)

About SAAS vs On-Prem. They are different because:

  • URL is different.
  • API/Authorisation can be different. For example, it's different for bitbucket.org (supports OAuth2) and Bitbucket Server (supports OAuth1 only).

@che-bot

che-bot commented Jan 28, 2021

❌ E2E Happy path tests failed ❗

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

@skabashnyuk

@l0rd just to sum up what we have at this point.

kind: Secret
apiVersion: v1
metadata:
  name: <scm-provider-id>-oauth-config
  namespace: <...>
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: <?>-secret (variants: che or keycloak)
  annotations:
    che.eclipse.org/oauth-scm-server: bitbucket-server (variants: github, bitbucket, gitlab, gitlab-server)
    che.eclipse.org/mount-path: /home/user/eclipse-che/conf/oauth1/bitbucket
    che.eclipse.org/mount-as: file
    che.eclipse.org/scm-server-endpoint: http://bitbucket-bitbucket.apps.cluster-2d6e.2d6e.example.opentlc.com/
type: Opaque
data:
  private.key: <...>
  consumer.key: <...>
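A model of how an operator would consume the Secret format discussed in the comments above, covering both the first proposal (which lists the four environment variables che-operator is expected to add) and the summary just above (which settles on `oauth-scm-server` and `scm-server-endpoint`). This is an added example, not che-operator code. The annotation names follow the summary, the `<key>_env-name` convention for `mount-as: env` is taken from the github secret quoted earlier in the thread, and the Secret objects are constructed in-memory stand-ins for `kubectl get secret -o json`, not real credentials. It validates the contract (required data keys, a mount path when mounting as a file, an endpoint for Bitbucket Server), derives the env vars and volume mount, and flags a plain-http endpoint, which the thread's own example uses.

```python
"""Operator-side view of the OAuth Secret format discussed in this thread.

Added example, not che-operator code. It models the annotation contract the
thread converges on and assumes those names; the Secret objects below are
constructed stand-ins, not real credentials.
"""
from urllib.parse import urlsplit

PART_OF = "app.kubernetes.io/part-of"
COMPONENT = "app.kubernetes.io/component"
ANN = "che.eclipse.org/"  # annotation prefix used by Che secrets

# Per-provider contract: required data keys, the che-server property that
# must point at each mounted file, and the endpoint properties (if any).
PROVIDERS = {
    "bitbucket-server": {
        "keys": ("private.key", "consumer.key"),
        "file_env": {
            "private.key": "CHE_OAUTH1_BITBUCKET_PRIVATEKEYPATH",
            "consumer.key": "CHE_OAUTH1_BITBUCKET_CONSUMERKEYPATH",
        },
        "endpoint_env": ("CHE_OAUTH1_BITBUCKET_ENDPOINT",
                         "CHE_INTEGRATION_BITBUCKET_SERVER__ENDPOINTS"),
    },
    "github": {"keys": ("id", "secret"), "file_env": {}, "endpoint_env": ()},
}


def is_che_oauth_secret(secret: dict) -> bool:
    """Selector the operator would watch: Che labels plus the provider annotation."""
    meta = secret.get("metadata", {})
    labels = meta.get("labels", {})
    return (labels.get(PART_OF) == "che.eclipse.org"
            and labels.get(COMPONENT) in ("che-secret", "keycloak-secret")
            and ANN + "oauth-scm-server" in meta.get("annotations", {}))


def render(secret: dict) -> dict:
    """Derive env vars and volume mounts for one Secret; raise on a bad contract."""
    meta = secret["metadata"]
    ann = meta.get("annotations", {})
    name = meta["name"]
    provider = ann.get(ANN + "oauth-scm-server")
    if provider not in PROVIDERS:
        raise ValueError(f"{name}: unknown oauth-scm-server {provider!r}")
    contract = PROVIDERS[provider]
    missing = [k for k in contract["keys"] if k not in secret.get("data", {})]
    if missing:
        raise ValueError(f"{name}: missing data keys {missing}")

    env, mounts, warnings = {}, [], []
    mount_as = ann.get(ANN + "mount-as")
    if mount_as == "file":
        path = ann.get(ANN + "mount-path")
        if not path:
            raise ValueError(f"{name}: mount-as=file requires mount-path")
        mounts.append({"name": name, "mountPath": path, "readOnly": True})
        for key, var in contract["file_env"].items():
            env[var] = f"{path.rstrip('/')}/{key}"
    elif mount_as == "env":
        # convention from the github secret: `<key>_env-name` names the variable
        for key in contract["keys"]:
            var = ann.get(f"{ANN}{key}_env-name")
            if not var:
                raise ValueError(f"{name}: missing {key}_env-name annotation")
            env[var] = {"secretKeyRef": {"name": name, "key": key}}
    else:
        raise ValueError(f"{name}: mount-as must be 'file' or 'env', got {mount_as!r}")

    if contract["endpoint_env"]:
        endpoint = ann.get(ANN + "scm-server-endpoint")
        if not endpoint:
            raise ValueError(f"{name}: scm-server-endpoint is required for {provider}")
        if urlsplit(endpoint).scheme != "https":
            # OAuth1 tokens and signatures travel in request headers; over
            # plain http anyone on the path can read and replay them.
            warnings.append(f"{name}: endpoint {endpoint} is not https")
        for var in contract["endpoint_env"]:
            env[var] = endpoint.rstrip("/")
    return {"env": env, "volume_mounts": mounts, "warnings": warnings}


def render_all(secrets: list) -> dict:
    """Merge every matching Secret; two secrets setting the same env var is an error."""
    out = {"env": {}, "volume_mounts": [], "warnings": []}
    for s in filter(is_che_oauth_secret, secrets):
        r = render(s)
        clash = set(r["env"]) & set(out["env"])
        if clash:
            raise ValueError(f"{s['metadata']['name']}: env already set: {sorted(clash)}")
        out["env"].update(r["env"])
        out["volume_mounts"] += r["volume_mounts"]
        out["warnings"] += r["warnings"]
    return out


# Constructed samples; data values are placeholder base64, not credentials.
BITBUCKET_SECRET = {
    "metadata": {
        "name": "bitbucket-oauth1-config", "namespace": "eclipse-che",
        "labels": {PART_OF: "che.eclipse.org", COMPONENT: "che-secret"},
        "annotations": {
            ANN + "oauth-scm-server": "bitbucket-server",
            ANN + "mount-path": "/home/user/eclipse-che/conf/oauth1/bitbucket",
            ANN + "mount-as": "file",
            ANN + "scm-server-endpoint": "http://bitbucket-bitbucket.apps.cluster-2d6e.2d6e.example.opentlc.com/",
        },
    },
    "data": {"private.key": "cGxhY2Vob2xkZXI=", "consumer.key": "cGxhY2Vob2xkZXI="},
}
GITHUB_SECRET = {
    "metadata": {
        "name": "github-oauth-credentials", "namespace": "eclipse-che",
        "labels": {PART_OF: "che.eclipse.org", COMPONENT: "keycloak-secret"},
        "annotations": {
            ANN + "oauth-scm-server": "github", ANN + "mount-as": "env",
            ANN + "id_env-name": "GITHUB_CLIENT_ID", ANN + "secret_env-name": "GITHUB_SECRET",
        },
    },
    "data": {"id": "cGxhY2Vob2xkZXI=", "secret": "cGxhY2Vob2xkZXI="},
}
UNRELATED_SECRET = {"metadata": {"name": "tls", "labels": {}, "annotations": {}}, "data": {}}

if __name__ == "__main__":
    import json
    print(json.dumps(render_all([BITBUCKET_SECRET, GITHUB_SECRET, UNRELATED_SECRET]), indent=2))
```

The warning rather than a hard failure on http keeps the thread's test-cluster example renderable; in a real reconciler the endpoint check is the place to enforce https before the consumer key and private key are handed to the server.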

@l0rd

l0rd commented Jan 29, 2021

bitbucket-server is on-prem and bitbucket is SAAS? Are you doing the distinction to figure out if it's OAuth2/OAuth1? Just wondering because it's probably clearer if we are more explicit. For example splitting that in 2 annotations che.eclipse.org/oauth-version and che.eclipse.org/scm-server.

@skabashnyuk

bitbucket-server is on-prem and bitbucket is SAAS?

Yes

Are you doing the distinction to figure out if it's OAuth2/OAuth1?

At this moment Bitbucket Server is the last service known to me that is using OAuth1. If this product continues evolving, I do not exclude the probability that they will use OAuth2.

…_authorizing

Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
@skabashnyuk

@l0rd I've summarised our conversation about configuration as a secret here #18932. Would you like to make it a prerequisite for this PR? (It looks like they are not hard-coupled and we can merge them asynchronously.)

@l0rd

l0rd commented Feb 1, 2021

@l0rd I've summarised our conversation about configuration as a secret here #18932. Would you like to make it a prerequisite for this PR? (It looks like they are not hard-coupled and we can merge them asynchronously.)

Sure we could have 2 separate PRs. But the second PR should be merged before next release. Otherwise we would introduce something that will be deprecated after a few weeks.

…_authorizing

Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
…_authorizing

Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
@che-bot

che-bot commented Feb 11, 2021

❌ E2E Happy path tests failed ❗

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.

…_authorizing

Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
Signed-off-by: Sergii Kabashniuk <skabashniuk@redhat.com>
@skabashnyuk skabashnyuk merged commit 0d0a68f into eclipse-che:master Feb 11, 2021
@che-bot che-bot removed the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Feb 11, 2021
@che-bot

che-bot commented Feb 11, 2021

❌ E2E Happy path tests failed ❗

Tested with Eclipse Che Multiuser User on K8S (minikube v1.1.1)

  • Use comment "[crw-ci-test]" to rerun happy path E2E test.
  • Use comment "[crw-ci-test --rebuild]" to re-build the images and rerun happy path E2E test.
