Provide git credential storage mechanism

[l0rd]

Is your enhancement related to a problem? Please describe.

When using git with HTTPS protocol all the connection needs a username and password. To avoid prompting for credential at every connection git allows to configure a credential storage mechanism:

cache with timeout

$ git config --global credential.helper 'cache --timeout=3600'

local file with cleartext username/password (never expires)

git config --global credential.helper 'store --file ~/.git-store/credentials'

This is described here.

That can be done manually on che workspaces but requires a manual step (git config command) that needs to be repeated at every restart of the workspace.

Describe the solution you'd like

We should document how to use the secret injection mechanism to inject a file with the username and password and set the git config credential.helper accordingly:

apiVersion: v1
kind: Secret
metadata:
  name: git-credentials-secret
  annotations:
    che.eclipse.org/automount-workspace-secret: true
    che.eclipse.org/mount-path: /home/user/.git-store/
    che.eclipse.org/mount-as: file
  data:
     credentials: <base64 encoded file>

And in the git configuration:

[credential]
        helper = store --file ~/.git-store/credentials

[l0rd]

The problem here is how to set the credential.helper to match the secret che.eclipse.org/mount-path:. I see a few options:

1. Set git configuration credential.helper to store --file ~/.git-store/credentials by default: if a secret exists and its mount path is ~/.git-store/ and data credentials then the user won't be prompted for username/password. It will be prompted otherwise.

2. Use 2 secrets: one to mount the credentials file in a given path, and another one to mount the global git config file (~/.gitconfig) that points to the path where the credential file will be mounted.

3. Use a custom credential storage as described at the end of https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage#_credential_caching

@davidfestal @ericwill @sunix

[sunix]

Some thoughts: #13611

[sunix]

also if we have #14217, we could reuse the token as the password ... for GH at least.

[mshaposhnik]

Yes it seems we didn't have much choice - mount whole .gitconfig or execute git config credential.helper <...> either with file or own script. As a fluent idea, i have in mind to run this command via devfile commands, adding it into required component and add like autorun flag to make it executed without any user action (like we have post-load actions in factories), wdyt ?

[sunix]

We could also alias or wrap the git command so it does what we want in our container at least

[sunix]

But finally i think it would be good to let the user store with credential storage from git and keep that in a secret. (1. from Mario) https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage

[sunix]

we could patch, in the containers where we would use git, /etc/gitconfig and set credential.helper where it is usually mounted. Then use secrets to mount the credential storage file.

[nickboldt]

Please treat this as a highly important P1 for the current 7.17 sprint, per Parag's comments on https://issues.redhat.com/browse/CRW-1025?focusedCommentId=14177136&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14177136

[skabashnyuk]

on it.

[skabashnyuk]

we could patch, in the containers where we would use git, /etc/gitconfig and set credential.helper where it is usually mounted. Then use secrets to mount the credential storage file.

What if we add new annotation che.eclipse.org/git-credential: true that gives us a hint that we should add
credential.helper to /etc/gitconfig in https://github.com/eclipse/che/blob/master/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/GitConfigProvisioner.java or we can use the predefined secret name git-credentials-secret?

apiVersion: v1
kind: Secret
metadata:
  name: git-credentials-secret
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspace-secret
  annotations:
    che.eclipse.org/git-credential: true
    che.eclipse.org/mount-path: /home/theia/.git-credentials
    che.eclipse.org/mount-as: file
data:
  credentials: .... 

@l0rd @mshaposhnik @sunix wdyt?

[mshaposhnik]

i am ok with dedicated annotation

[skabashnyuk]

FYI

• git config --system credential.helper 'store --file ~/.git-credentials/credentials is problematic to execute because /etc/gitconfig is read-only
• git config --global credential.helper 'store --file ~/.git-credentials/credentials is problematic to set because I think it is somehow synced with the /etc/gitconfig

[sunix]

so if we are building /etc/gitconfig we could patch it with

[credential]
        helper = store --file ~/.git-credentials/credentials

(the result of the git config --system credential.helper 'store --file ~/.git-credentials/credentials as far as I understand)

[sunix]

I think we could patch /etc/gitconfig always with the git-credentials section. I don't think it is failing if we don't have any file mounted.

[l0rd]

@sunix yes that's what I meant in my comment above.

Currently, when I start a workspace in Che, there are some git config that are already injected:

bash-5.0 /projects $ git config -l
user.name=mariolet
user.email=mario.loriedo@gmail.com

In addition to user.name and user.email we should inject credential.helper="--file ~/.git-store/credentials" as well.