Access private repositories with a personal access token

Set up a personal access token so that you can clone private repositories and push code from your cloud development environment when your administrator has not configured OAuth for your Git provider. You can also configure personal access tokens on the User Preferences page of your Che dashboard: https://<che_fqdn>/dashboard/#/user-preferences?tab=personal-access-tokens.

Mounting your access token as a Secret enables the Che Server to access the remote repository that is cloned during cloud development environment creation, including access to the repository’s /.che and /.vscode folders.

You can create and apply multiple access-token Secrets per Git provider. You must apply each Secret in your user namespace.

Prerequisites
Procedure
  1. Open https://<che_fqdn>/api/user/id in a browser to get your Che user ID.

  2. Create a Kubernetes Secret with your access token:

    kind: Secret
    apiVersion: v1
    metadata:
      name: personal-access-token-<git_provider>
      labels:
        app.kubernetes.io/component: scm-personal-access-token
        app.kubernetes.io/part-of: che.eclipse.org
      annotations:
        che.eclipse.org/che-userid: <che_user_id>
        che.eclipse.org/scm-personal-access-token-name: <git_provider_name>
        che.eclipse.org/scm-url: <git_provider_endpoint>
        che.eclipse.org/scm-organization: <git_provider_organization>
    type: Opaque
    stringData:
      token: <your_personal_access_token>

    where:

    che.eclipse.org/che-userid

    Your Che user ID.

    che.eclipse.org/scm-personal-access-token-name

    The Git provider name (github, gitlab, bitbucket-server, or azure-devops).

    che.eclipse.org/scm-url

    The Git provider URL endpoint, for example https://github.com or https://gitlab.com.

    che.eclipse.org/scm-organization

    Required only for Azure DevOps: your Git provider user organization, or collection if Azure DevOps Server is used.

    token

    Your personal access token.

    Example for GitHub:

kind: Secret
apiVersion: v1
metadata:
  name: personal-access-token-github
  labels:
    app.kubernetes.io/component: scm-personal-access-token
    app.kubernetes.io/part-of: che.eclipse.org
  annotations:
    che.eclipse.org/che-userid: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
    che.eclipse.org/scm-personal-access-token-name: github
    che.eclipse.org/scm-url: https://github.com
type: Opaque
stringData:
  token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  1. Open https://<che_fqdn>/api/kubernetes/namespace to get your Che user namespace as name.

  2. Apply the Secret to your Che user namespace:

    $ kubectl apply -f personal-access-token.yaml -n <your_user_namespace>

    If you are using Azure DevOps Server, you must also modify the cloud development environment gitconfig with the following section:

    extraheader = "Authorization: Basic <base64-encoded(:personal-access-token)>"

    To generate the key-value pair, use the following command:

    echo -n "extraheader = \"Authorization: Basic "$(printf ":%s" <personal access token> | base64)\"

    The extraheader configuration is needed for remote git operations to Azure DevOps Server, for example git clone. This authorization method has a higher priority over the git credentials store, and as a result, remote operations to other Git providers will fail.

  3. Start or restart your cloud development environment.

Verification
  1. Open a terminal in your cloud development environment.

  2. Clone a private repository or push to a repository to verify authentication:

$ git clone https://github.com/__<org>__/__<private-repo>__.git