Add Bearer auth support for BitBucket (cloud) SCM provider #26929

@Sean-Michael

Description

Summary

The problem is that ArgoCD's scmProvider.bitbucket only supports Basic auth (user + appPasswordRef), while Workspace access tokens use Bearer token auth.

Motivation

Workspace access tokens are Bitbucket's recommended approach over user-tied App Passwords, and ArgoCD doesn't support them for SCM providers.

Proposal

The fix would be to add Bearer token auth as an alternative to Basic auth.

There is already a case of BearerToken auth integration with Bitbucket in the PR Generator:

  func NewBitbucketCloudServiceBearerToken(baseURL, bearerToken, ...) {
      bitbucketClient, err := bitbucket.NewOAuthbearerToken(bearerToken)
  }

While the SCM provider as mentioned only supports basic auth:

  func NewBitBucketCloudProvider(owner, user, password string, ...) {
      bitbucketClient, err := bitbucket.NewBasicAuth(user, password)
  }

Implementation approach

Follow the existing Bitbucket Server SCM provider and Bitbucket Cloud PR generator patterns by adding an explicit bearerToken.

Files to change:

  1. pkg/apis/application/v1alpha1/applicationset_types.go

Add BearerToken field to SCMProviderGeneratorBitbucket, mirroring how Bitbucket Server and the PR generator already do it:

  type SCMProviderGeneratorBitbucket struct {
      Owner          string                     `json:"owner" protobuf:"bytes,1,opt,name=owner"`
      User           string                     `json:"user" protobuf:"bytes,2,opt,name=user"`
      AppPasswordRef *SecretRef                 `json:"appPasswordRef" protobuf:"bytes,3,opt,name=appPasswordRef"`
      AllBranches    bool                       `json:"allBranches,omitempty" protobuf:"varint,4,opt,name=allBranches"`
      // NEW: Bearer token auth for workspace access tokens
      BearerToken    *BearerTokenBitbucketCloud `json:"bearerToken,omitempty" protobuf:"bytes,5,opt,name=bearerToken"`
  }

  2. applicationset/services/scm_provider/bitbucket_cloud.go

Add a bearer token constructor (mirrors PR generator's NewBitbucketCloudServiceBearerToken):

  func NewBitBucketCloudProviderBearerToken(owner string, token string, allBranches bool) (*BitBucketCloudProvider, error) {
      bitbucketClient, err := bitbucket.NewOAuthbearerToken(token)
      if err != nil {
          return nil, fmt.Errorf("error creating BitBucket Cloud client with bearer token: %w", err)
      }
      // ...
  }

Also update ExtendedClient, which currently hardcodes req.SetBasicAuth() in GetContents(). It needs to conditionally use req.Header.Set("Authorization", "Bearer "+token) when bearer auth is configured.

  3. applicationset/generators/scm_provider.go

Add the bearer token branch in the Bitbucket Cloud case, same pattern as Bitbucket Server:

  case providerConfig.Bitbucket != nil:
      if providerConfig.Bitbucket.BearerToken != nil {
          token, err := utils.GetSecretRef(ctx, g.client, providerConfig.Bitbucket.BearerToken.TokenRef, ...)
          provider, err = scm_provider.NewBitBucketCloudProviderBearerToken(providerConfig.Bitbucket.Owner, token, ...)
      } else {
          appPassword, err := utils.GetSecretRef(ctx, g.client, providerConfig.Bitbucket.AppPasswordRef, ...)
          provider, err = scm_provider.NewBitBucketCloudProvider(...)
      }

User-facing YAML:

  generators:
    - scmProvider:
        bitbucket:
          owner: my_workspace
          bearerToken:
            tokenRef:
              secretName: bitbucket-credentials
              key: password
          allBranches: true

The gist is to keep it backward compatible and add Bearer Token Auth as an option, for which there is already precedent in existing functions.

Labels: enhancement (New feature or request), triage/pending (This issue needs further triage to be correctly classified)