feat: Support Azure DevOps Service OAuth (#1622)

* feat: Support Azure DevOps Service OAuth2 config

Signed-off-by: Anatolii Bazko <[email protected]>

api/v2/checluster_types.go

@@ -609,6 +609,10 @@ type CheClusterGitServices struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Bitbucket"
 	BitBucket []BitBucketService `json:"bitbucket,omitempty"`
+	// Enables users to work with repositories hosted on Azure DevOps Service (dev.azure.com).
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Azure"
+	AzureDevOps []AzureDevOpsService `json:"azure,omitempty"`
 }
 
 // GitHubService enables users to work with repositories hosted on GitHub (GitHub.com or GitHub Enterprise).
@@ -659,6 +663,15 @@ type BitBucketService struct {
 	Endpoint string `json:"endpoint,omitempty"`
 }
 
+// AzureDevOpsService enables users to work with repositories hosted on Azure DevOps Service (dev.azure.com).
+type AzureDevOpsService struct {
+	// Kubernetes secret, that contains Base64-encoded Azure DevOps Service Application ID and Client Secret.
+	// See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services
+	// +kubebuilder:validation:Required
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:io.kubernetes:Secret"
+	SecretName string `json:"secretName"`
+}
+
 // Container build configuration.
 type ContainerBuildConfiguration struct {
 	// OpenShift security context constraint to build containers.

api/v2/checluster_webhook.go

@@ -144,6 +144,12 @@ func validate(checluster *CheCluster) error {
 		}
 	}
 
+	for _, azure := range checluster.Spec.GitServices.AzureDevOps {
+		if err := validateOAuthSecret(azure.SecretName, constants.AzureDevOpsOAuth, "", nil, checluster.Namespace); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -178,11 +184,20 @@ func validateOAuthSecret(secretName string, scmProvider string, serverEndpoint s
 		if err := validateBitBucketOAuthSecretDataKeys(secret); err != nil {
 			return err
 		}
+	case constants.AzureDevOpsOAuth:
+		if err := validateAzureDevOpsSecretDataKeys(secret); err != nil {
+			return err
+		}
 	}
 
 	return nil
 }
 
+func validateAzureDevOpsSecretDataKeys(secret *corev1.Secret) error {
+	keys2validate := []string{constants.GitHubOAuthConfigClientIdFileName, constants.GitHubOAuthConfigClientSecretFileName}
+	return validateOAuthSecretDataKeys(secret, keys2validate)
+}
+
 func validateGitHubOAuthSecretDataKeys(secret *corev1.Secret) error {
 	keys2validate := []string{constants.GitHubOAuthConfigClientIdFileName, constants.GitHubOAuthConfigClientSecretFileName}
 	return validateOAuthSecretDataKeys(secret, keys2validate)

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -77,7 +77,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che.v7.61.0-761.next
+  name: eclipse-che.v7.61.0-764.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -141,6 +141,16 @@ spec:
               images.
             displayName: Container registry
             path: containerRegistry
+          - description: Enables users to work with repositories hosted on Azure DevOps
+              Service (dev.azure.com).
+            displayName: Azure
+            path: gitServices.azure
+          - description: 'Kubernetes secret, that contains Base64-encoded Azure DevOps
+              Service Application ID and Client Secret. See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+            displayName: Secret Name
+            path: gitServices.azure[0].secretName
+            x-descriptors:
+              - urn:alm:descriptor:io.kubernetes:Secret
           - description: Enables users to work with repositories hosted on Bitbucket
               (bitbucket.org or self-hosted).
             displayName: Bitbucket
@@ -1221,7 +1231,7 @@ spec:
   minKubeVersion: 1.19.0
   provider:
     name: Eclipse Foundation
-  version: 7.61.0-761.next
+  version: 7.61.0-764.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml

@@ -7134,6 +7134,22 @@ spec:
                   description: A configuration that allows users to work with remote
                     Git repositories.
                   properties:
+                    azure:
+                      description: Enables users to work with repositories hosted
+                        on Azure DevOps Service (dev.azure.com).
+                      items:
+                        description: AzureDevOpsService enables users to work with
+                          repositories hosted on Azure DevOps Service (dev.azure.com).
+                        properties:
+                          secretName:
+                            description: 'Kubernetes secret, that contains Base64-encoded
+                              Azure DevOps Service Application ID and Client Secret.
+                              See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+                            type: string
+                        required:
+                          - secretName
+                        type: object
+                      type: array
                     bitbucket:
                       description: Enables users to work with repositories hosted
                         on Bitbucket (bitbucket.org or self-hosted).

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -6941,6 +6941,22 @@ spec:
                 description: A configuration that allows users to work with remote
                   Git repositories.
                 properties:
+                  azure:
+                    description: Enables users to work with repositories hosted on
+                      Azure DevOps Service (dev.azure.com).
+                    items:
+                      description: AzureDevOpsService enables users to work with repositories
+                        hosted on Azure DevOps Service (dev.azure.com).
+                      properties:
+                        secretName:
+                          description: 'Kubernetes secret, that contains Base64-encoded
+                            Azure DevOps Service Application ID and Client Secret.
+                            See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                   bitbucket:
                     description: Enables users to work with repositories hosted on
                       Bitbucket (bitbucket.org or self-hosted).

config/manifests/bases/che-operator.clusterserviceversion.yaml

@@ -88,6 +88,16 @@ spec:
       - description: Configuration of an alternative registry that stores Che images.
         displayName: Container registry
         path: containerRegistry
+      - description: Enables users to work with repositories hosted on Azure DevOps
+          Service (dev.azure.com).
+        displayName: Azure
+        path: gitServices.azure
+      - description: 'Kubernetes secret, that contains Base64-encoded Azure DevOps
+          Service Application ID and Client Secret. See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+        displayName: Secret Name
+        path: gitServices.azure[0].secretName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
       - description: Enables users to work with repositories hosted on Bitbucket (bitbucket.org
           or self-hosted).
         displayName: Bitbucket

deploy/deployment/kubernetes/combined.yaml

@@ -6960,6 +6960,22 @@ spec:
                 description: A configuration that allows users to work with remote
                   Git repositories.
                 properties:
+                  azure:
+                    description: Enables users to work with repositories hosted on
+                      Azure DevOps Service (dev.azure.com).
+                    items:
+                      description: AzureDevOpsService enables users to work with repositories
+                        hosted on Azure DevOps Service (dev.azure.com).
+                      properties:
+                        secretName:
+                          description: 'Kubernetes secret, that contains Base64-encoded
+                            Azure DevOps Service Application ID and Client Secret.
+                            See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                   bitbucket:
                     description: Enables users to work with repositories hosted on
                       Bitbucket (bitbucket.org or self-hosted).

deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -6955,6 +6955,22 @@ spec:
                 description: A configuration that allows users to work with remote
                   Git repositories.
                 properties:
+                  azure:
+                    description: Enables users to work with repositories hosted on
+                      Azure DevOps Service (dev.azure.com).
+                    items:
+                      description: AzureDevOpsService enables users to work with repositories
+                        hosted on Azure DevOps Service (dev.azure.com).
+                      properties:
+                        secretName:
+                          description: 'Kubernetes secret, that contains Base64-encoded
+                            Azure DevOps Service Application ID and Client Secret.
+                            See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                   bitbucket:
                     description: Enables users to work with repositories hosted on
                       Bitbucket (bitbucket.org or self-hosted).

deploy/deployment/openshift/combined.yaml

@@ -6960,6 +6960,22 @@ spec:
                 description: A configuration that allows users to work with remote
                   Git repositories.
                 properties:
+                  azure:
+                    description: Enables users to work with repositories hosted on
+                      Azure DevOps Service (dev.azure.com).
+                    items:
+                      description: AzureDevOpsService enables users to work with repositories
+                        hosted on Azure DevOps Service (dev.azure.com).
+                      properties:
+                        secretName:
+                          description: 'Kubernetes secret, that contains Base64-encoded
+                            Azure DevOps Service Application ID and Client Secret.
+                            See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                   bitbucket:
                     description: Enables users to work with repositories hosted on
                       Bitbucket (bitbucket.org or self-hosted).

deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -6955,6 +6955,22 @@ spec:
                 description: A configuration that allows users to work with remote
                   Git repositories.
                 properties:
+                  azure:
+                    description: Enables users to work with repositories hosted on
+                      Azure DevOps Service (dev.azure.com).
+                    items:
+                      description: AzureDevOpsService enables users to work with repositories
+                        hosted on Azure DevOps Service (dev.azure.com).
+                      properties:
+                        secretName:
+                          description: 'Kubernetes secret, that contains Base64-encoded
+                            Azure DevOps Service Application ID and Client Secret.
+                            See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                   bitbucket:
                     description: Enables users to work with repositories hosted on
                       Bitbucket (bitbucket.org or self-hosted).

helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -6955,6 +6955,22 @@ spec:
                 description: A configuration that allows users to work with remote
                   Git repositories.
                 properties:
+                  azure:
+                    description: Enables users to work with repositories hosted on
+                      Azure DevOps Service (dev.azure.com).
+                    items:
+                      description: AzureDevOpsService enables users to work with repositories
+                        hosted on Azure DevOps Service (dev.azure.com).
+                      properties:
+                        secretName:
+                          description: 'Kubernetes secret, that contains Base64-encoded
+                            Azure DevOps Service Application ID and Client Secret.
+                            See the following page: https://www.eclipse.org/che/docs/stable/administration-guide/configuring-oauth-2-for-microsoft-azure-devops-services'
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                   bitbucket:
                     description: Enables users to work with repositories hosted on
                       Bitbucket (bitbucket.org or self-hosted).

pkg/common/constants/constants.go

@@ -71,20 +71,24 @@ const (
 	DefaultCheServiceAccountName    = "che"
 
 	// OAuth
-	BitBucketOAuthConfigClientIdFileName     = "id"
-	BitBucketOAuthConfigClientSecretFileName = "secret"
-	BitBucketOAuthConfigMountPath            = "/che-conf/oauth/bitbucket"
-	BitBucketOAuthConfigPrivateKeyFileName   = "private.key"
-	BitBucketOAuthConfigConsumerKeyFileName  = "consumer.key"
-	GitHubOAuthConfigMountPath               = "/che-conf/oauth/github"
-	GitHubOAuthConfigClientIdFileName        = "id"
-	GitHubOAuthConfigClientSecretFileName    = "secret"
-	GitLabOAuthConfigMountPath               = "/che-conf/oauth/gitlab"
-	GitLabOAuthConfigClientIdFileName        = "id"
-	GitLabOAuthConfigClientSecretFileName    = "secret"
-	OAuthScmConfiguration                    = "oauth-scm-configuration"
-	AccessToken                              = "access_token"
-	IdToken                                  = "id_token"
+	BitBucketOAuthConfigClientIdFileName       = "id"
+	BitBucketOAuthConfigClientSecretFileName   = "secret"
+	BitBucketOAuthConfigMountPath              = "/che-conf/oauth/bitbucket"
+	BitBucketOAuthConfigPrivateKeyFileName     = "private.key"
+	BitBucketOAuthConfigConsumerKeyFileName    = "consumer.key"
+	GitHubOAuthConfigMountPath                 = "/che-conf/oauth/github"
+	GitHubOAuthConfigClientIdFileName          = "id"
+	GitHubOAuthConfigClientSecretFileName      = "secret"
+	AzureDevOpsOAuth                           = "azure-devops"
+	AzureDevOpsOAuthConfigMountPath            = "/che-conf/oauth/azure-devops"
+	AzureDevOpsOAuthConfigClientIdFileName     = "id"
+	AzureDevOpsOAuthConfigClientSecretFileName = "secret"
+	GitLabOAuthConfigMountPath                 = "/che-conf/oauth/gitlab"
+	GitLabOAuthConfigClientIdFileName          = "id"
+	GitLabOAuthConfigClientSecretFileName      = "secret"
+	OAuthScmConfiguration                      = "oauth-scm-configuration"
+	AccessToken                                = "access_token"
+	IdToken                                    = "id_token"
 
 	// Labels
 	KubernetesComponentLabelKey = "app.kubernetes.io/component"

pkg/deploy/server/server_configmap.go

@@ -289,7 +289,7 @@ func (s *CheServerReconciler) getCheConfigMapData(ctx *chetypes.DeployContext) (
 
 	addMap(cheEnv, ctx.CheCluster.Spec.Components.CheServer.ExtraProperties)
 
-	for _, oauthProvider := range []string{"bitbucket", "gitlab", "github"} {
+	for _, oauthProvider := range []string{"bitbucket", "gitlab", "github", constants.AzureDevOpsOAuth} {
 		err := updateIntegrationServerEndpoints(ctx, cheEnv, oauthProvider)
 		if err != nil {
 			return nil, err
@@ -305,7 +305,7 @@ func updateIntegrationServerEndpoints(ctx *chetypes.DeployContext, cheEnv map[st
 		return err
 	}
 
-	envName := fmt.Sprintf("CHE_INTEGRATION_%s_SERVER__ENDPOINTS", strings.ToUpper(oauthProvider))
+	envName := fmt.Sprintf("CHE_INTEGRATION_%s_SERVER__ENDPOINTS", strings.ReplaceAll(strings.ToUpper(oauthProvider), "-", "_"))
 	if err != nil {
 		return err
 	}

pkg/deploy/server/server_deployment.go

@@ -224,6 +224,10 @@ func (s CheServerReconciler) getDeploymentSpec(ctx *chetypes.DeployContext) (*ap
 		return nil, err
 	}
 
+	if err := MountAzureDevOpsOAuthConfig(ctx, deployment); err != nil {
+		return nil, err
+	}
+
 	container := &deployment.Spec.Template.Spec.Containers[0]
 
 	chePostgresCredentialsSecret := utils.GetValue(ctx.CheCluster.Spec.Components.Database.CredentialsSecretName, constants.DefaultPostgresCredentialsSecret)
@@ -352,6 +356,19 @@ func MountGitHubOAuthConfig(ctx *chetypes.DeployContext, deployment *appsv1.Depl
 	return nil
 }
 
+func MountAzureDevOpsOAuthConfig(ctx *chetypes.DeployContext, deployment *appsv1.Deployment) error {
+	secret, err := getOAuthConfig(ctx, constants.AzureDevOpsOAuth)
+	if secret == nil {
+		return err
+	}
+
+	mountVolumes(deployment, secret, constants.AzureDevOpsOAuthConfigMountPath)
+	mountEnv(deployment, "CHE_OAUTH2_AZURE_DEVOPS_CLIENTID__FILEPATH", constants.AzureDevOpsOAuthConfigMountPath+"/"+constants.AzureDevOpsOAuthConfigClientIdFileName)
+	mountEnv(deployment, "CHE_OAUTH2_AZURE_DEVOPS_CLIENTSECRET__FILEPATH", constants.AzureDevOpsOAuthConfigMountPath+"/"+constants.AzureDevOpsOAuthConfigClientSecretFileName)
+
+	return nil
+}
+
 func MountGitLabOAuthConfig(ctx *chetypes.DeployContext, deployment *appsv1.Deployment) error {
 	secret, err := getOAuthConfig(ctx, "gitlab")
 	if secret == nil {