Context & Problem
I'm working on a DevOps platform for a company which wants to provide developers with tools for code versioning & automatic testing / build / deploy, using Gitlab + Jenkins + Azure (alongside other tools like Jira / Sonarqube / Grafana, but not relevant here).
For security reasons & ease of management, we want to provide users with only one account for all those tools : Azure Active Directory.
Currently, Gitlab users can connect through Azure AD, and a push to the Gitlab repository triggers a build in Jenkins.
When I configure Jenkins authentication through Azure AD, the Gitlab integration with Jenkins doesn't work anymore, since you can no longer use username / password to connect to Jenkins, and it seems the only way provided by Gitlab integrations.
Current Setup
Gitlab (14.6.0-ee) & Jenkins (2.319.1) are installed on 2 different virtual machines (CentOs 7.9) hosted on Azure
Jenkins integration is enabled on Gitlab (https://docs.gitlab.com/ee/integration/jenkins.html)
Gitlab plugin is enabled on Jenkins (https://plugins.jenkins.io/gitlab-plugin/)
Jenkins integration with Azure Active Directory works fine (https://plugins.jenkins.io/azure-ad/)
Groups & Users are configured on Azure AD to give roles on Jenkins (https://www.cloudbees.com/blog/securing-jenkins-role-based-access-control-and-azure-active-directory)
✅ When Azure AD is not enabled on Jenkins, Gitlab triggers build after each push, and you can track every step status in Gitlab
❌ When Azure AD is enabled on Jenkins, Gitlab cannot trigger Jenkins (using Webhooks or official Jenkins integration)
Questions
Is there a way for Jenkins to provide multiple auth strategies depending on the user ? (as Gitlab does)
Is there a way for Gitlab to use something else that user / password for Jenkins integration or Webhooks ?
Do we have to choose between Azure AD & Gitlab integration ? (if so, does this mean no one uses Jenkins Single Sign On & Gitlab ? Seems weird)
Leads & Ideas
Tried using webhooks instead of the Jenkins integration, but it fails since the webhooks also need username / password (and integration would probably be less "advanced")
Tried finding a way to enable multiple auth methods on Jenkins, but seems impossible right now (https://issues.jenkins.io/browse/JENKINS-15063)
Tried giving role permissions to Gitlab on Azure AD, but it won't change anything since I can't find how to make Gitlab using OAuth with Jenkins
I searched thorougly for answers, but still may have missed something trivial.
I didn't find much litterature on this specific setup, so I'm hoping someone around here did encounter this type of situation before 🙂
Thank you for your help
Related
I don't know why this issue is happening, but I am confident that the configuration was done properly.
I created an Azure VM, installed Jenkins in that, and created a freestyle project. And Then I added the git and Azure Service Principle credentials to the global unrestricted access to Jenkins credentials (system). When I try to add a post-build setup of publishing to an azure web app, I get the following errors.
I have added images, please open the links and look into them, and help me out.
As you can see, the service principle has been successfully verified.
But in the second picture, when I try to access the resource group, it says none, even though I have created a resource group, app service plan, app services etc.
I tested in my enviroment and facing the same Issue,Even after Succefully verified the service principle.
Did few reaseach and found that Azure App Service Plugin is up for adoption and under maintaiance and few of them as been deprecated and also they are looking for new maintainer. The Same issue is happing with other Azure plugin as well like Azure Storage,Azure Cosmos and many more...
Even though in the document its stated you can install the Azure App Service plugin manually before officially release but when i tried to install the maven repro its prompting for enter the credential to download the repro. Seems its private repro we can't access.
For Workaround for this issue or for more information you can reach out to Jenkins Community Team or Support.
Is it possible for GitLab project to generate "Deploy Token" remotely, via command line?
I'd like to automate creation of my projects.
Not via the GitLab API at the moment.
There is an open issue which is looking to add a set of new API endpoints that will allow administrators to create, list and revoke GitLab Deploy Tokens.
My goal is to automatically register a shared Gitlab runner on our hosted Gitlab. To do this, I need to obtain the runners token via the Gitlab API.
Unfortunately, I haven't found a point in the API to fetch the shared runners token. On the website, the token is shown in Admin area / Overview / Runners / Set up a shared Runner manually.
As far as I know, Gitlab has 3 different types of runners token:
Specific (assigned to projects)
Group (assigned to a group)
Shared (for unassigned projects)
I am able to access the runners_token in the project details and the group details but I haven't found a place to obtain the shared runners_token.
I am thankful for every help!
Without an API endpoint that supports this, here's an alternative solution. The command has to be run on the server hosting your Gitlab instance. The line below will output the current shared runner registration token.
sudo gitlab-rails runner -e production "puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token"
To keep it short and sweet I am attempting to automate my CI/CD process which includes a AzureDevOps build running automatically when code is pushed in a bitbucket server repo. I have not found any documentation on how to set this up. Does anyone have any experience with this process? Keep in mind (even though i've mentioned it) I am using the server version of Bitbucket while using the PAAS version of AzureDevops.
It's fairly straightforward. When you create a pipeline, it will ask you where your repo is.
If it's hosted by Atlassian (you access it by https://bitbucket.org), select the BitBucket Cloud one and provide your login.
If it's self hosted, select "Other Git".
I am developing CD release pipeline using TFS 2015 update 2 on-prem instance. I'm relying on ARM template to setup Azure website and Azure Sql server. I'm using FTP method for deploying website bits from internal Build server to Azure website. For this website deployment I'm reading the credentials from PublsihingProfile of the newly created website.
Is this a right way or can you suggest a better way? Any comments are appreciated.
P.S. Customer wants to use FTP method and not WebDeploy.
If you really have to use FTP, and the thing you're not happy with is the process/password secret management, you could try this:
https://marketplace.visualstudio.com/items?itemName=januskamphansen.ftpupload-task
Its a VSTS extension task for release, which works with the vnext build/release system in VSTS or TFS2015 server. This task lets you put the parameters in against each environment you setup, and mark the passwords as secrets so they wont come out in logs or the UI.
The step basically wraps up the process of doing the ftp bit for you - you may want to do other steps as part of the release.