Access private repositories with a personal access token
This page is for developers who create and use cloud development environments. To learn more about common roles and example tasks referenced in Che documentation, see Common user roles and tasks.
OAuth for GitHub, GitLab, Bitbucket, or Microsoft Azure Repos needs to be configured by the administrator of your organization’s Che instance. If your administrator could not configure it for Che users, the workaround is for you to use a personal access token. You can configure personal access tokens on the User Preferences page of your Che dashboard: https://<che_fqdn>/dashboard/#/user-preferences?tab=personal-access-tokens, or apply it manually as a Kubernetes Secret in the namespace.
Mounting your access token as a Secret enables the Che Server to access the remote repository that is cloned during workspace creation, including access to the repository’s /.che and /.vscode folders.
Apply the Secret in your user namespace of the Kubernetes cluster of your organization’s Che instance.
After applying the Secret, you can create workspaces with clones of private Git repositories that are hosted on GitHub, GitLab, Bitbucket Server, or Microsoft Azure Repos.
You can create and apply multiple access-token Secrets per Git provider. You must apply each of those Secrets in your user namespace.
-
You have logged in to the cluster.
On OpenShift, you can use the
occommand-line tool to log in to the cluster:$ oc login https://<che_fqdn> --username=<my_user>
-
Generate your access token on your Git provider’s website.
Personal access tokens are sensitive information. Treat them like passwords. If you are having trouble with authentication, verify the token locally before applying it as a Secret:
$ git clone https://<PAT>@github.com/username/repo.gitReplace
<PAT>with your personal access token, andusername/repowith the appropriate repository path. If cloning succeeds, the token is valid and has the necessary permissions.For GitHub Enterprise Cloud, verify that the token is authorized for use within your organization with SAML single sign-on.
-
Go to
https://<che_fqdn>/api/user/idin the web browser to get your Che user ID. -
Prepare a new Kubernetes Secret.
kind: Secret apiVersion: v1 metadata: name: personal-access-token-<git_provider> labels: app.kubernetes.io/component: scm-personal-access-token app.kubernetes.io/part-of: che.eclipse.org annotations: che.eclipse.org/che-userid: <che_user_id> che.eclipse.org/scm-personal-access-token-name: <git_provider_name> che.eclipse.org/scm-url: <git_provider_endpoint> che.eclipse.org/scm-organization: <git_provider_organization> type: Opaque stringData: token: <your_personal_access_token>where:
- che.eclipse.org/che-userid
-
Your Che user ID.
- che.eclipse.org/scm-personal-access-token-name
-
The Git provider name (
github,gitlab,bitbucket-server, orazure-devops). - che.eclipse.org/scm-url
-
The Git provider URL endpoint, for example
https://github.comorhttps://gitlab.com. - che.eclipse.org/scm-organization
-
Required only for Azure DevOps: your Git provider user organization, or collection if Azure DevOps Server is used.
- token
-
Your personal access token.
Example for GitHub:
kind: Secret apiVersion: v1 metadata: name: personal-access-token-github labels: app.kubernetes.io/component: scm-personal-access-token app.kubernetes.io/part-of: che.eclipse.org annotations: che.eclipse.org/che-userid: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p che.eclipse.org/scm-personal-access-token-name: github che.eclipse.org/scm-url: https://github.com type: Opaque stringData: token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-
Visit
https://<che_fqdn>/api/kubernetes/namespaceto get your Che user namespace asname. -
Switch to your Che user namespace in the cluster.
On OpenShift:
-
The
occommand-line tool can return the namespace you are currently on in the cluster, which you can use to check your current namespace:$ oc project -
You can switch to your Che user namespace on a command line if needed:
$ oc project <your_user_namespace>
-
-
Apply the Secret.
On OpenShift, you can use the
occommand-line tool:$ oc apply -f - <<EOF <Secret_prepared_in_step_5> EOF
|
If you are using Azure DevOps Server, you must also modify the workspace’s gitconfig with the following section:
To generate the key-value pair, use the following command:
see the documentation page for more information. The |
-
Start a new workspace by using the URL of a remote Git repository that the Git provider hosts.
-
Make some changes and push to the remote Git repository from the workspace.