fix: allow separate Bitbucket REST username for API-token GitOps auth #6975

Open
atiquefiroz wants to merge 1 commit into devtron-labs:main from atiquefiroz:fix/bitbucket-api-token-rest-username

@atiquefiroz

Bitbucket deprecated app passwords (CHANGE-3222); git-over-HTTPS now returns HTTP 410. Their replacement, API tokens, authenticate the two surfaces Devtron uses with different usernames:

  • git-over-HTTPS (go-git): the Bitbucket username (or x-bitbucket-api-token-auth)
  • Bitbucket Cloud REST API: the Atlassian account email

A single GitOps deploy uses both -- go-git clone/push for the chart, and the REST API (WriteFileBlob) to commit values -- but gitops_config stores a single username. With an API token no single username satisfies both: the Bitbucket username fails REST with 401, and the email fails git with exit status 128. App passwords worked for both surfaces, which is why this only surfaces after the deprecation.

Add an optional BITBUCKET_REST_USERNAME env override, applied only to the Bitbucket REST client. When unset, behaviour is unchanged. When set to the Atlassian email, REST calls (repo create, WriteFileBlob, GetCommits, repo-exists) authenticate correctly while go-git keeps using the configured GitOps username, so both surfaces work with a single API token.

Description

Fixes #

Checklist:

  • The title of the PR states what changed and the related issues number (used for the release note).
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have tested it for all user roles.
  • I have added all the required unit/api test cases.

Does this PR introduce a user-facing change?


Bitbucket deprecated app passwords (CHANGE-3222); git-over-HTTPS now
returns HTTP 410. Their replacement, API tokens, authenticate the two
surfaces Devtron uses with different usernames:

  - git-over-HTTPS (go-git): the Bitbucket username (or
    x-bitbucket-api-token-auth)
  - Bitbucket Cloud REST API: the Atlassian account email

A single GitOps deploy uses both -- go-git clone/push for the chart, and
the REST API (WriteFileBlob) to commit values -- but gitops_config stores
a single username. With an API token no single username satisfies both:
the Bitbucket username fails REST with 401, and the email fails git with
exit status 128. App passwords worked for both surfaces, which is why
this only surfaces after the deprecation.

Add an optional BITBUCKET_REST_USERNAME env override, applied only to the
Bitbucket REST client. When unset, behaviour is unchanged. When set to
the Atlassian email, REST calls (repo create, WriteFileBlob, GetCommits,
repo-exists) authenticate correctly while go-git keeps using the
configured GitOps username, so both surfaces work with a single API token.

Signed-off-by: Atique Firoz <atiquefiroz@gmail.com>
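
The override described in the PR description above, as an added example that is not code from this pull request or from Devtron. Only the `BITBUCKET_REST_USERNAME` variable name comes from the PR; the helper names (`restUsername`, `stubREST`, `restStatus`), the stub server and the sample credentials are constructed for illustration, and the go-git side is not shown because it keeps using the configured username.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// restUsername (hypothetical helper) picks the username for REST calls only:
// the BITBUCKET_REST_USERNAME override when set, else the configured one.
func restUsername(configured string) string {
	if v := strings.TrimSpace(os.Getenv("BITBUCKET_REST_USERNAME")); v != "" {
		return v
	}
	return configured
}

// stubREST is a constructed stand-in for the REST API: it answers 401 unless
// the token is paired with the account email, as the PR describes.
func stubREST(email, token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != email || p != token {
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

// restStatus makes one REST call with the resolved username; returns the status.
func restStatus(url, configuredUser, token string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(restUsername(configuredUser), token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := stubREST("dev@example.com", "constructed-token")
	defer srv.Close()
	fmt.Println(restStatus(srv.URL, "bb-user", "constructed-token"))
}
```
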
@bito-code-review

Bito Review Skipped - Source Branch Not Found

Bito didn't review this change because the pull request is no longer valid. It may have been merged, or the source/target branch may no longer exist.

@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026
