Check for Kubernetes secret name in oAuthSecret, fallback to plain text (#1836)

* Check for Kubernetes secret name in oAuthSecret, fallback to plain text

* Removed logging, added test cases

* Update documentation

* cleaning up formatting

* update-dev-resources

api/v2/checluster_types.go

@@ -500,6 +500,9 @@ type Auth struct {
 	// +optional
 	OAuthClientName string `json:"oAuthClientName,omitempty"`
 	// Name of the secret set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+	// For Kubernetes, this can either be the plain text oAuthSecret value, or the name of a kubernetes secret which contains a
+	// key `oAuthSecret` and the value is the secret. NOTE: this secret must exist in the same namespace as the `CheCluster`
+	// resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.
 	// +optional
 	OAuthSecret string `json:"oAuthSecret,omitempty"`
 	// Access Token Scope.

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -8075,9 +8063,13 @@ spec:
                           OpenShift.
                         type: string
                       oAuthSecret:
-                        description: Name of the secret set in the OpenShift `OAuthClient`
+                        description: 'Name of the secret set in the OpenShift `OAuthClient`
                           resource used to set up identity federation on the OpenShift
-                          side.
+                          side. For Kubernetes, this can either be the plain text
+                          oAuthSecret value, or the name of a kubernetes secret which
+                          contains a key `oAuthSecret` and the value is the secret.
+                          NOTE: this secret must exist in the same namespace as the
+                          `CheCluster` resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.'
                         type: string
                     type: object
                   domain:

deploy/deployment/kubernetes/combined.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -8094,9 +8082,13 @@ spec:
                           OpenShift.
                         type: string
                       oAuthSecret:
-                        description: Name of the secret set in the OpenShift `OAuthClient`
+                        description: 'Name of the secret set in the OpenShift `OAuthClient`
                           resource used to set up identity federation on the OpenShift
-                          side.
+                          side. For Kubernetes, this can either be the plain text
+                          oAuthSecret value, or the name of a kubernetes secret which
+                          contains a key `oAuthSecret` and the value is the secret.
+                          NOTE: this secret must exist in the same namespace as the
+                          `CheCluster` resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.'
                         type: string
                     type: object
                   domain:

deploy/deployment/kubernetes/objects/che-operator-selfsigned-issuer.Issuer.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:

deploy/deployment/kubernetes/objects/che-operator-service.Service.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: Service
 metadata:

deploy/deployment/kubernetes/objects/che-operator-serving-cert.Certificate.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

deploy/deployment/kubernetes/objects/che-operator.ClusterRoleBinding.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

deploy/deployment/kubernetes/objects/che-operator.Deployment.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:

deploy/deployment/kubernetes/objects/che-operator.Role.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

deploy/deployment/kubernetes/objects/che-operator.RoleBinding.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

deploy/deployment/kubernetes/objects/che-operator.ServiceAccount.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:

deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -8089,9 +8077,13 @@ spec:
                           OpenShift.
                         type: string
                       oAuthSecret:
-                        description: Name of the secret set in the OpenShift `OAuthClient`
+                        description: 'Name of the secret set in the OpenShift `OAuthClient`
                           resource used to set up identity federation on the OpenShift
-                          side.
+                          side. For Kubernetes, this can either be the plain text
+                          oAuthSecret value, or the name of a kubernetes secret which
+                          contains a key `oAuthSecret` and the value is the secret.
+                          NOTE: this secret must exist in the same namespace as the
+                          `CheCluster` resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.'
                         type: string
                     type: object
                   domain:

deploy/deployment/kubernetes/objects/eclipse-che.Namespace.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: Namespace
 metadata:

deploy/deployment/kubernetes/objects/org.eclipse.che.MutatingWebhookConfiguration.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:

deploy/deployment/kubernetes/objects/org.eclipse.che.ValidatingWebhookConfiguration.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:

deploy/deployment/openshift/combined.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -8094,9 +8082,13 @@ spec:
                           OpenShift.
                         type: string
                       oAuthSecret:
-                        description: Name of the secret set in the OpenShift `OAuthClient`
+                        description: 'Name of the secret set in the OpenShift `OAuthClient`
                           resource used to set up identity federation on the OpenShift
-                          side.
+                          side. For Kubernetes, this can either be the plain text
+                          oAuthSecret value, or the name of a kubernetes secret which
+                          contains a key `oAuthSecret` and the value is the secret.
+                          NOTE: this secret must exist in the same namespace as the
+                          `CheCluster` resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.'
                         type: string
                     type: object
                   domain:

deploy/deployment/openshift/objects/che-operator-service.Service.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: Service
 metadata:

deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

deploy/deployment/openshift/objects/che-operator.ClusterRoleBinding.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

deploy/deployment/openshift/objects/che-operator.Deployment.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:

deploy/deployment/openshift/objects/che-operator.Role.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

deploy/deployment/openshift/objects/che-operator.RoleBinding.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

deploy/deployment/openshift/objects/che-operator.ServiceAccount.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:

deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -8089,9 +8077,13 @@ spec:
                           OpenShift.
                         type: string
                       oAuthSecret:
-                        description: Name of the secret set in the OpenShift `OAuthClient`
+                        description: 'Name of the secret set in the OpenShift `OAuthClient`
                           resource used to set up identity federation on the OpenShift
-                          side.
+                          side. For Kubernetes, this can either be the plain text
+                          oAuthSecret value, or the name of a kubernetes secret which
+                          contains a key `oAuthSecret` and the value is the secret.
+                          NOTE: this secret must exist in the same namespace as the
+                          `CheCluster` resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.'
                         type: string
                     type: object
                   domain:

deploy/deployment/openshift/objects/eclipse-che.Namespace.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: Namespace
 metadata:

deploy/deployment/openshift/objects/org.eclipse.che.MutatingWebhookConfiguration.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:

deploy/deployment/openshift/objects/org.eclipse.che.ValidatingWebhookConfiguration.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:

helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -8089,9 +8077,13 @@ spec:
                           OpenShift.
                         type: string
                       oAuthSecret:
-                        description: Name of the secret set in the OpenShift `OAuthClient`
+                        description: 'Name of the secret set in the OpenShift `OAuthClient`
                           resource used to set up identity federation on the OpenShift
-                          side.
+                          side. For Kubernetes, this can either be the plain text
+                          oAuthSecret value, or the name of a kubernetes secret which
+                          contains a key `oAuthSecret` and the value is the secret.
+                          NOTE: this secret must exist in the same namespace as the
+                          `CheCluster` resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.'
                         type: string
                     type: object
                   domain:

helmcharts/next/templates/che-operator-selfsigned-issuer.Issuer.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:

helmcharts/next/templates/che-operator-service.Service.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: Service
 metadata:

helmcharts/next/templates/che-operator-serving-cert.Certificate.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

helmcharts/next/templates/che-operator.ClusterRole.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

helmcharts/next/templates/che-operator.ClusterRoleBinding.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

helmcharts/next/templates/che-operator.Deployment.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:

helmcharts/next/templates/che-operator.Role.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

helmcharts/next/templates/che-operator.RoleBinding.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

helmcharts/next/templates/che-operator.ServiceAccount.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:

helmcharts/next/templates/org.eclipse.che.MutatingWebhookConfiguration.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:

helmcharts/next/templates/org.eclipse.che.ValidatingWebhookConfiguration.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:

helmcharts/next/templates/org_v2_checluster.yaml

@@ -1,15 +1,3 @@
-#
-# Copyright (c) 2019-2023 Red Hat, Inc.
-# This program and the accompanying materials are made
-# available under the terms of the Eclipse Public License 2.0
-# which is available at https://www.eclipse.org/legal/epl-2.0/
-#
-# SPDX-License-Identifier: EPL-2.0
-#
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
-#
-
 apiVersion: org.eclipse.che/v2
 kind: CheCluster
 metadata:

pkg/deploy/gateway/oauth_proxy.go

@@ -99,6 +99,26 @@ skip_provider_button = false
 		skipAuthConfig(ctx.CheCluster))
 }
 
+func getSecretValue(ctx *chetypes.DeployContext) string {
+	secret := &corev1.Secret{}
+	exists, _ := deploy.GetNamespacedObject(ctx, ctx.CheCluster.Spec.Networking.Auth.OAuthSecret, secret)
+	if !exists {
+		// Kubernetes secret provided name not found. Assuming oAuthSecret provided is the actual secret.
+		return ctx.CheCluster.Spec.Networking.Auth.OAuthSecret
+	}
+
+	// Retrieve the value associated with the key "oAuthSecret"
+	value, found := secret.Data["oAuthSecret"]
+	if !found {
+		// Key 'oAuthSecret' not found. Assuming oAuthSecret provided is the actual secret.
+		return ctx.CheCluster.Spec.Networking.Auth.OAuthSecret
+	}
+
+	// Convert the byte slice to a string
+	secretValue := string(value)
+	return secretValue
+}
+
 func kubernetesOauthProxyConfig(ctx *chetypes.DeployContext, cookieSecret string) string {
 	return fmt.Sprintf(`
 proxy_prefix = "/oauth"
@@ -128,7 +148,7 @@ cookie_domains = "%s"
 		ctx.CheHost,
 		ctx.CheCluster.Spec.Networking.Auth.IdentityProviderURL,
 		ctx.CheCluster.Spec.Networking.Auth.OAuthClientName,
-		ctx.CheCluster.Spec.Networking.Auth.OAuthSecret,
+		getSecretValue(ctx),
 		cookieSecret,
 		cookieExpireAsString(ctx.CheCluster),
 		utils.Whitelist(ctx.CheHost),

pkg/deploy/gateway/oauth_proxy_test.go

@@ -17,8 +17,13 @@ import (
 
 	"k8s.io/utils/pointer"
 
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+
 	"github.com/devfile/devworkspace-operator/pkg/infrastructure"
 	chev2 "github.com/eclipse-che/che-operator/api/v2"
+	"github.com/eclipse-che/che-operator/pkg/common/constants"
 	"github.com/eclipse-che/che-operator/pkg/common/test"
 	"github.com/stretchr/testify/assert"
 )
@@ -63,6 +68,135 @@ func TestCookieExpireKubernetesOauthProxyConfig(t *testing.T) {
 	assert.Contains(t, config, "cookie_expire = \"1h1m5s\"")
 }
 
+func TestKubernetesOauthProxySecretSecretFoundWithKey(t *testing.T) {
+	ctx := test.GetDeployContext(
+		&chev2.CheCluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "eclipse-che",
+			},
+			Spec: chev2.CheClusterSpec{
+				Networking: chev2.CheClusterSpecNetworking{
+					Auth: chev2.Auth{
+						OAuthSecret: "my-secret",
+					},
+				}},
+		},
+		[]runtime.Object{
+			&corev1.Secret{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Secret",
+					APIVersion: "v1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-secret",
+					Namespace: "eclipse-che",
+					Labels:    map[string]string{constants.KubernetesPartOfLabelKey: constants.CheEclipseOrg},
+				},
+				Type: corev1.SecretTypeOpaque,
+				Data: map[string][]byte{"oAuthSecret": []byte("my")},
+			},
+		})
+	ctx.CheHost = "che-site.che-domain.com"
+	infrastructure.InitializeForTesting(infrastructure.Kubernetes)
+
+	config := kubernetesOauthProxyConfig(ctx, "blabol")
+	assert.Contains(t, config, "client_secret = \"my\"")
+}
+
+func TestKubernetesOauthProxySecretSecretFoundWithWrongKey(t *testing.T) {
+	ctx := test.GetDeployContext(
+		&chev2.CheCluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "eclipse-che",
+			},
+			Spec: chev2.CheClusterSpec{
+				Networking: chev2.CheClusterSpecNetworking{
+					Auth: chev2.Auth{
+						OAuthSecret: "my-secret",
+					},
+				}},
+		},
+		[]runtime.Object{
+			&corev1.Secret{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Secret",
+					APIVersion: "v1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-secret",
+					Namespace: "eclipse-che",
+					Labels:    map[string]string{constants.KubernetesPartOfLabelKey: constants.CheEclipseOrg},
+				},
+				Type: corev1.SecretTypeOpaque,
+				Data: map[string][]byte{"keyIsNotoAuthSecret": []byte("my")},
+			},
+		})
+	ctx.CheHost = "che-site.che-domain.com"
+	infrastructure.InitializeForTesting(infrastructure.Kubernetes)
+
+	config := kubernetesOauthProxyConfig(ctx, "blabol")
+	//expect interpret as literal secret
+	assert.Contains(t, config, "client_secret = \"my-secret\"")
+}
+
+func TestKubernetesOauthProxySecretSecretFoundWithWrongSecretName(t *testing.T) {
+	ctx := test.GetDeployContext(
+		&chev2.CheCluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "eclipse-che",
+			},
+			Spec: chev2.CheClusterSpec{
+				Networking: chev2.CheClusterSpecNetworking{
+					Auth: chev2.Auth{
+						OAuthSecret: "wrong-secret-name",
+					},
+				}},
+		},
+		[]runtime.Object{
+			&corev1.Secret{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Secret",
+					APIVersion: "v1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-secret",
+					Namespace: "eclipse-che",
+					Labels:    map[string]string{constants.KubernetesPartOfLabelKey: constants.CheEclipseOrg},
+				},
+				Type: corev1.SecretTypeOpaque,
+				Data: map[string][]byte{"oAuthSecret": []byte("my")},
+			},
+		})
+	ctx.CheHost = "che-site.che-domain.com"
+	infrastructure.InitializeForTesting(infrastructure.Kubernetes)
+
+	config := kubernetesOauthProxyConfig(ctx, "blabol")
+	//expect interpret as literal secret
+	assert.Contains(t, config, "client_secret = \"wrong-secret-name\"")
+}
+
+func TestKubernetesOauthProxySecretLegacyPlaintextSecretName(t *testing.T) {
+	ctx := test.GetDeployContext(
+		&chev2.CheCluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "eclipse-che",
+			},
+			Spec: chev2.CheClusterSpec{
+				Networking: chev2.CheClusterSpecNetworking{
+					Auth: chev2.Auth{
+						OAuthSecret: "abcdefPlainTextSecret",
+					},
+				},
+			},
+		}, nil)
+	ctx.CheHost = "che-site.che-domain.com"
+	infrastructure.InitializeForTesting(infrastructure.Kubernetes)
+
+	config := kubernetesOauthProxyConfig(ctx, "blabol")
+	//expect interpret as literal secret
+	assert.Contains(t, config, "client_secret = \"abcdefPlainTextSecret\"")
+}
+
 func TestKubernetesOauthProxyConfig(t *testing.T) {
 	ctx := test.GetDeployContext(
 		&chev2.CheCluster{