We have a hosted GitLab instance internally and a Nexus repository hosted internally (neither of which touches the open internet). The Nexus repository uses client certificates for authentication. We have a repository in GitLab that is accessed by many developers and we need a way to get the user's client certificate in the runner so we can access Nexus.
Is there a way to specify in the .gitlab-ci.yml a user-specific mount? Putting the user's certificate information in the repository's "variables" is not an option because we have many developers accessing the same project. We (as developers) also don't have access to the runners. I can, however, create a new container/image that the GitLab runner can execute. Any thoughts on how to get the CI pipeline to recognize the user's certificate in the pipeline would be greatly appreciated!
After reading the GitLab documentation and realizing how far behind we were in releases (a major version) I discovered that GitLab now integrates with Vault. This appears to work for exactly our use case.
https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
Related
I am migrating primary and secondary GitLab nodes to new nodes. In order to do this, I am following the backup and restore documentation.
Do GitLab runners need to be re-registered after a migration if the external url does not change?
Thanks all!!
No, GitLab runners do not need to be re-registered following a migration / backup/restore.
The runner registration is stored in GitLab's database and is associated with the token the runner receives from the gitlab-runner register command. Those tokens will continue to be valid, so long as they were properly backed up, probably even if the GitLab URL changes.
You can use the Runners API to verify a runner token.
My goal is to automatically register a shared Gitlab runner on our hosted Gitlab. To do this, I need to obtain the runners token via the Gitlab API.
Unfortunately, I haven't found a point in the API to fetch the shared runners token. On the website, the token is shown in Admin area / Overview / Runners / Set up a shared Runner manually.
As far as I know, Gitlab has 3 different types of runners token:
Specific (assigned to projects)
Group (assigned to a group)
Shared (for unassigned projects)
I am able to access the runners_token in the project details and the group details but I haven't found a place to obtain the shared runners_token.
I am thankful for every help!
Without an API endpoint that supports this, here's an alternative solution. The command has to be run on the server hosting your Gitlab instance. The line below will output the current shared runner registration token.
sudo gitlab-rails runner -e production "puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token"
To keep it short and sweet I am attempting to automate my CI/CD process which includes a AzureDevOps build running automatically when code is pushed in a bitbucket server repo. I have not found any documentation on how to set this up. Does anyone have any experience with this process? Keep in mind (even though i've mentioned it) I am using the server version of Bitbucket while using the PAAS version of AzureDevops.
It's fairly straightforward. When you create a pipeline, it will ask you where your repo is.
If it's hosted by Atlassian (you access it by https://bitbucket.org), select the BitBucket Cloud one and provide your login.
If it's self hosted, select "Other Git".
In my organization, I am setting up continuous integration with jenkins 2, and all built artifacts go to a private nexus 3 server (maven and npm modules)
I want to restrict publication to nexus on a set of fixed machines : only the jenkins slaves can publish. The rule is : all projects must be in continuous integration to be released.
I don't want developpers to be able to publish directly in the private nexus from their workstation.
Currently I achieved this by putting npm publish token in .npmrc file, in jenkins user home directory.
It works, but this token can be easily stolen by creative users (in their jenkins build, with a simple command like 'more ~.npmrc'). With this token, anybody can publish on the nexus server. Clearly my current configuration is not good.
What are the best practices ? My goal is that all npm module in my private nexus are built from jenkins and not from dev workstations.
Thank you all
Jenkins does provide a mechanism for storing and retrieving credentials via the Credentials Plugin. Would this be an option?
For example, if you are in a free style build, you can check the "Use secret text(s) or file(s)" under "Build Environment" to use a secret text/password.
If you are in a Jenkinsfile, you can use a "withCredentials" clause to provide the same information.
I am trying to create a website through Azure Resource Manager and then deploy from a private Github repository.
I have an ARM Template that works for a public repository. if I then make the repository private, connect to it through the Portal it all works fine.
If I redeploy the ARM Template it will fail with the message
"Cannot find SourceControlToken with name GitHub."
It seems that when the portal connects to a private repo it will create an ssh key that is used to authenticate.
The ssh key appears to come from kudu which can be gotten once the site is deployed.
I have also tried using access tokens, but couldn't get these to work with the repourl
So the simple question is, how do I deploy a private repo via ARM template
In order to use this via ARM template, you need to first do it at least once using the Preview Portal (https://portal.azure.com/). You can do this on any site, and with any repo. It just needs to happen once to set up the GitHub relationship. Doing it via the old portal won't work.
Then, to check that things are set up properly:
Go to https://resources.azure.com/
Go under /providers/Microsoft.Web/sourcecontrols/GitHub
Make sure the token is set
It seems that when the portal connects to a private repo it will
create an ssh key that is used to authenticate.
Thats right.
Solve same problem by changing GitHub repository to External Git.
Create new GitHub account and shared read access to private repo
Generate access token
And use next url in templates, in portal, azure rest api, etc.
https://{github-username}:{access-token}#github.com/{organisation-acount}/{repo}.git
Besides, this will help to avoid GitHub limitation for 20 connections, and you can use your repository in more than 20 Azure WebApps.
This error occurs due to connecting Github to multiple Azure accounts. To resolve it, simply revoke all Azure-related apps from the "Authorized OAuth Apps" section in Github settings (https://github.com/settings/applications), then re-authorize Github in Azure. This should allow you to save the deployment.