Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add bearer token auth #21462

Open
wants to merge 18 commits into
base: master
Choose a base branch
from
Open

Conversation

reggie-k
Copy link
Member

@reggie-k reggie-k commented Jan 12, 2025

Closes #9667

The PR is adding a new param, BearerToken, it can be used when the Bearer Auth is needed instead of Basic Auth, like for example for BitBucket Project token, which requires Bearer Auth.

The relevant docs, CLI and UI changes are also present, along with unit tests.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@reggie-k reggie-k requested review from a team as code owners January 12, 2025 15:56
Copy link

bunnyshell bot commented Jan 12, 2025

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@reggie-k
Copy link
Member Author

reggie-k commented Jan 12, 2025

Attaching screenshot with the new parameter visible in the UI:

Screenshot 2025-01-12 at 17 58 32

Copy link

codecov bot commented Jan 12, 2025

Codecov Report

Attention: Patch coverage is 64.89362% with 33 lines in your changes missing coverage. Please review.

Project coverage is 55.63%. Comparing base (d183d9c) to head (460cab3).

Files with missing lines Patch % Lines
cmd/argocd/commands/admin/repo.go 0.00% 11 Missing ⚠️
cmd/argocd/commands/repocreds.go 0.00% 11 Missing ⚠️
cmd/argocd/commands/repo.go 0.00% 9 Missing ⚠️
cmd/util/repo.go 0.00% 1 Missing ⚠️
server/repository/repository.go 50.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #21462      +/-   ##
==========================================
+ Coverage   55.58%   55.63%   +0.04%     
==========================================
  Files         339      340       +1     
  Lines       56874    56962      +88     
==========================================
+ Hits        31616    31693      +77     
- Misses      22609    22626      +17     
+ Partials     2649     2643       -6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@reggie-k
Copy link
Member Author

reggie-k commented Jan 16, 2025

Following he discussion in the contributors meeting, bearer token auth is only relevant for Git repos at this point, so I will add CLI changes that display a not supported message if used with Helm repo, and a UI change that would not display this field for Helm repo.

@reggie-k reggie-k marked this pull request as draft January 17, 2025 22:14
@reggie-k reggie-k closed this Jan 17, 2025
Signed-off-by: reggie-k <[email protected]>
@reggie-k reggie-k reopened this Jan 17, 2025
Copy link

bunnyshell bot commented Jan 17, 2025

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔵 /bns:start to start the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@reggie-k reggie-k marked this pull request as ready for review January 17, 2025 23:37
@reggie-k
Copy link
Member Author

reggie-k commented Jan 17, 2025

CLI and UI are now enforcing that the bearer token can be passed only for Git repositories (on the backend side, there is one struct with all the possible params so impossible to separate). The field is not displayed for HTTPS Helm repos, only for Git ones.

Signed-off-by: reggie-k <[email protected]>
cmd/util/common.go Outdated Show resolved Hide resolved
cmd/util/repo.go Outdated
@@ -34,6 +34,7 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
command.Flags().StringVar(&opts.Repo.Project, "project", "", "project of the repository")
command.Flags().StringVar(&opts.Repo.Username, "username", "", "username to the repository")
command.Flags().StringVar(&opts.Repo.Password, "password", "", "password to the repository")
command.Flags().StringVar(&opts.Repo.BearerToken, "bearer-token", "", "bearer token to the Git repository")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we change it to bearer token to the repository, so it will be consistent with username and password?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is on purpose, since It is only relevant for Git, at least at the moment. When support for Helm would be added, this would be a good time to make it consistent.

@pasha-codefresh
Copy link
Member

Left few small comments, also will do manual QA and will let you know

@pasha-codefresh
Copy link
Member

Знімок екрана 2025-01-25 о 13 56 36 @reggie-k I am getting this error, but with debugger i can see that it uses new way

return &githttp.TokenAuth{Token: creds.bearerToken}, nil

Could you please check that it works for you?

@reggie-k
Copy link
Member Author

My BitBucket instance was meanwhile deleted, and now it is up again and available for testing.

@reggie-k reggie-k marked this pull request as draft January 29, 2025 13:22
@anandf
Copy link
Contributor

anandf commented Jan 31, 2025

I am able to successfully connect to a bitbucket repository using basic auth with username : x-token-auth and password: <generated_auth_token>. Do we really need another field.

Screenshot 2025-01-31 at 8 34 25 PM
Screenshot 2025-01-31 at 8 34 35 PM

when the repository auth token is first created, BB provides a clone command that looks like this.

git clone https://x-token-auth:[email protected]/anandjoseph/argocd-sample-pvt.git

There could be special chars like = which could be escaped as \= since it is part of the clone URL. We need to ensure that such escape chars are not present when we paste the auth token in the GUI.

@reggie-k
Copy link
Member Author

reggie-k commented Feb 3, 2025

@anandf Yes, this is needed.
for Bit Bucket Project token this is how the repo should be cloned: git clone -c http.extraHeader='Authorization: Bearer .....
According to this: https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html#HTTPaccesstokens-UsingHTTPaccesstokens
"For project or repository tokens, you must only use Bearer Auth without the username"

Signed-off-by: reggie-k <[email protected]>
@reggie-k reggie-k marked this pull request as ready for review February 3, 2025 12:29
Signed-off-by: reggie-k <[email protected]>
Signed-off-by: reggie-k <[email protected]>
@reggie-k
Copy link
Member Author

@pasha-codefresh I tested with BB Project + repo token - the repo gets added and the Application gets synced.
Clarified in the docs and in UI that bearer token is for BitBucket.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Bearer Authentication for Git Repos (enabled Bitbucket repository HTTP access tokens)
3 participants