@amisevsk

What does this PR do?

Since the credentials file is mounted read-only to the filesystem, we need to configure a git credential helper that ignores 'store' and 'erase' operations in order to avoid printing error messages around getting a lock on the credentials file:

fatal: unable to get credential storage lock in 1000 ms: Read-only file system

In order to do this, we wrap the existing 'store' credential helper to effectively be read-only.

What issues does this PR fix or reference?

Closes #1121

Is it tested? How?

To test:

  1. Configure a personal access token secret in the test namespace
  2. Start a workspace that clones a project that uses that token

Verify:

  1. Project clone container logs do not contain error message above
  2. Execing into the container and running git commands that require credentials (e.g. git pull) do not show the error message.

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Since the credentials file is mounted read-only to the filesystem, we
need to configure a git credential helper that ignores 'store' and
'erase' operations in order to avoid printing error messages around
getting a lock on the credentials file.

In order to do this, we wrap the existing 'store' credential helper to
effectively be read-only.

Signed-off-by: Angel Misevski <[email protected]>
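
The read-only wrapper described above can be written as a POSIX shell credential helper. This is an added example, not the code merged in this PR; the function name `readonly_credential_helper` and the paths shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's code): a read-only wrapper around git's
# built-in "store" credential helper.
#
# Git runs a helper as `<helper> <action>` with action in {get, store, erase}
# and writes the credential attributes (protocol=, host=, ...) to its stdin.
#
# Wiring (placeholder paths): put this function in an executable script that
# ends with
#     readonly_credential_helper /path/to/credentials "$1"
# and point git at it:
#     git config --global credential.helper /path/to/script

# readonly_credential_helper CRED_FILE ACTION
#   CRED_FILE  path to the credentials file on the read-only mount
#   ACTION     operation name passed by git
readonly_credential_helper() {
    cred_file=$1
    action=$2
    case "$action" in
        get)
            # Lookups only read the file, so the stock helper can serve them.
            git credential-store --file "$cred_file" get
            ;;
        *)
            # 'store' and 'erase' would take a lock next to the file and
            # rewrite it, which fails on a read-only filesystem. Drain stdin
            # and report success so git prints nothing. Unknown actions are
            # ignored the same way.
            cat >/dev/null
            return 0
            ;;
    esac
}
```

Because the wrapper never forwards `store` or `erase`, a credential that git later finds to be rejected stays in the mounted file until the secret itself is updated.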
@amisevsk amisevsk requested review from AObuchow and l0rd as code owners July 14, 2023 20:31
@codecov

codecov bot commented Jul 14, 2023

Codecov Report

Patch coverage has no change and project coverage change: +0.04 🎉

Comparison is base (3906e0c) 52.33% compared to head (d59827e) 52.37%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1145      +/-   ##
==========================================
+ Coverage   52.33%   52.37%   +0.04%     
==========================================
  Files          81       81              
  Lines        7381     7381              
==========================================
+ Hits         3863     3866       +3     
+ Misses       3237     3234       -3     
  Partials      281      281              
Impacted Files Coverage Δ
pkg/provision/automount/templates.go 91.78% <ø> (ø)

... and 1 file with indirect coverage changes


@AObuchow AObuchow left a comment

Looks good to me. I set up a PAT secret and created a devworkspace that was using a private repo with an HTTPS git URL.

Before the patch, this resulted in fatal: unable to get credential storage lock in 1000 ms: Read-only file system appearing in the project-clone logs, and pulling a branch from my repo also gave that error.

With the patch applied, the error no longer occurs in the project-clone logs or when doing a git pull on the repo.

@openshift-ci

openshift-ci bot commented Jul 17, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, AObuchow

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@amisevsk amisevsk merged commit d62f08e into devfile:main Jul 17, 2023
@amisevsk amisevsk deleted the git-credentials-helper branch July 17, 2023 19:09
@lobanov

lobanov commented Jun 14, 2024

I stumbled on this issue in a completely different context. I'm running JupyterHub on Kubernetes and mounting git credentials to pods running user notebooks, so the users could use git commands. The credentials were mounted as secrets, so they are read-only, and this error message was a nuisance. Thank you for the neat workaround!

Development

Successfully merging this pull request may close these issues.

Git operations show warning when using credentials mounted by DWO