Allow Che 7 Git + SSH Flow

[l0rd]

The problem

As mentioned in #12850 git+ssh is currently not working (cloning a project). A user is able to generate an SSH key pair with the ssh plugin (even if currently this plugin doesn't seems to be included in che-theia) but:

• cloning may happen at IDE startup (a user won't be able to generate the keys)
• git in che-theia doesn't support SSH
• ssh keys are only available in che-theia container

The proposed flow

Here is a list of steps/task of a git+ssh flow that I have splitted in 3 priority levels:

🦄critical for the GA: allow SSH key persistence and usage
🐴nice to have for the GA: automate for a better UX and get rid of the SSH plugin
🐮postponed after the GA: leverage GitHub token when available to automate even more

First time user login

• 🐴Generate SSH keys when the user login for the first time and store them in user preferences Generate SSH keys when the user login for the first time #14411
• 🐮If a GitHub token is available upload the SSH key to GitHub

At workspace creation:

• 🦄mount the SSH keys as secrets in all workspace containers Mount the SSH keys as secrets in all workspace containers #13520
• 🐴setup (or mount?) git config (name and email) Preconfigure git user information from Che user's profile/preferences #13874

At workspace cloning with git+ssh:

• 🐴Check if the user can authenticate
• 🐴If the user cannot be auth but it's a GitHub URL
  • 🐮If we have his GitHub token: automatically upload the SSH key
  • 🐴If we don't have his GH token prompt him to upload the key manually
• 🐴If the user cannot be authenticated and it's not GitHub prompt the user to do the following steps after the workspace is started 1) generate the key using the addon if that hasn't been done yet 2) add its SSH public key to the git server 3) clone the project or restart the workspace

Misc

• 🦄Add git+ssh support in che-theia container Che 7 ssh git is not working #12850
• 🦄Enable the SSH plugin
• 🐴Make sure that current Che 7 stacks have git+ssh support
• 🐴Add git+ssh scenario in e2e happy path tests

[l0rd]

@vparfonov @evidolob can you please review and split up the critical tasks (🦄) amongst your teams?
cc @slemeur @sunix @benoitf please review as well

[benoitf]

@l0rd I thought git+ssh was working on che-theia. What are the steps used to have it "not working" ?

[l0rd]

@l0rd I thought git+ssh was working on che-theia. What are the steps used to have it "not working" ?

@benoitf that's described here #12850

[benoitf]

@l0rd OK somehow the previous fix has been lost, will fix it.

[vparfonov]

FYI SSH plugin for shh key management use wsagent at the moment

[l0rd]

@vparfonov as a first step a user need to be able to:

• add an SSH key-pair to the user preferences (it can be through the SSH plugin or another plugin)
• use his SSH key-pair with the git client (mount it as a secret in che-theia and other containers)

Adding a command to generate the key-pair is something that can be done as second step: initially we can request users to generate the key pair manually.

[l0rd]

We have reviewed this with @vparfonov and we are not going to address the problem of the git+ssh within a container where the user doesn't exist (arbitrary user). @vparfonov is going to create an issue instead that is going to be added to the known issue section in the documentation.

[l0rd]

We have discussed that the current behavior of the SSH plugin should be changed.

1. There should be 2 generate commands: SSH: generate key pair... and SSH: generate key pair for particular host...
2. SSH: generate key pair for particular host... works as the currently implemented in https://github.com/eclipse/che-theia/pull/352/files
3. SSH: generate key pair... instead would add a key for the generic host

Host *
  IdentityFile <path>

4. SSH: generate key pair... would send a request the the SSH manager with parameters { "service" : "vcs", "name": "default-<timestamp>"}
5. When a user call SSH: generate key pair... a second time a new key will be generated and added, the previous keys won't be deleted.

[l0rd]

@ericwill what is currently missing is checking if the user has privileges to clone at the startup of the workspace. Current UX is not ideal if you click on a factory link of a devfile with a git+ssh URL and you do not have the SSH key uploaded on the git server yet.

[l0rd]

@ericwill what is currently missing is checking if the user has privileges to clone at the startup of the workspace. Current UX is not ideal if you click on a factory link of a devfile with a git+ssh URL and you do not have the SSH key uploaded on the git server yet.

@ericwill in this sprint and next one platform team is working on something that is related to that

[vitaliy-guliy]

What flow we can implement at the moment:

If the devfile does not contain projects with git+ssh URLs, we clone the projects as we are doing now.

In case of git+ssh we will:

• test the ssh connection to the repository with ssh -T git@github.com or ssh -T git@bitbucket.org or ...
  -> If the authentication successful, clone projects.
• generate new or select an existing ssh key and upload it to GitHub (in case with GitHub projects)
  -> in case when non GitHub is used, it's possible to give the user the key to add it to the server by hands
• test the ssh connection again and start cloning.

We can implement everything in Workspace plugin. To operate with keys, it's possible to reuse the SSH plugin API can, which is also used in SSH plugin.

[sunix]

To me it is quite unclear what flow we want to implement.

Github and bitbucket as far as I know could have https.
we could

1. keep the https url in the devfile
2. check if we have ssh key and then use the github or bitbucket api to get the ssh url
3. clone either https, but could add an additional remote with ssh
   That way, user may choose

or we want to just support ssh in the devfile sources?

[jnach]

I found figuring out how to set up SSH extremely difficult, and I'm still not sure my method is supposed to be allowed. With firefox latest, any click will mess up the flow for adding a key pair (e.g, no copy paste), and it's very difficult if not impossible to really use.

But, there is vi, and there is ssh-agent in the IDE container so - what I do at this point is manually add my keys, lock down permissions, and then add them to the running agent, and am then able to work on private repositories without issue. This is a huge opportunity for adoption if it can be solved

[sunix]

@jnach completly agree. The problem we have is that we have almost all the piece to have a proper git flow that works for standalone git or github projects (and maybe bitbucket). The current flow is not simple. I would nice that we put all the pieces together.

[vitaliy-guliy]

The UX when cloning of Git repositories with SSH uri was improved and merged.

[vitaliy-guliy]

A video demonstrating the current state https://www.youtube.com/watch?v=1Ki--hfqISs