My goal is to automatically register a shared Gitlab runner on our hosted Gitlab. To do this, I need to obtain the runners token via the Gitlab API.
Unfortunately, I haven't found a point in the API to fetch the shared runners token. On the website, the token is shown in Admin area / Overview / Runners / Set up a shared Runner manually.
As far as I know, Gitlab has 3 different types of runners token:
Specific (assigned to projects)
Group (assigned to a group)
Shared (for unassigned projects)
I am able to access the runners_token in the project details and the group details but I haven't found a place to obtain the shared runners_token.
I am thankful for every help!
Without an API endpoint that supports this, here's an alternative solution. The command has to be run on the server hosting your Gitlab instance. The line below will output the current shared runner registration token.
sudo gitlab-rails runner -e production "puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token"
Related
In my Gitlab Repo, I have to run a scheduled JOB which triggers a Pipeline. And this pipeline deletes the old JOB Logs using Gitlab API.
But this API calls needs the Gitlab AccessToken to perform the operation. Initially I though of using CI_JOB_TOKEN variable, which is auto-generated token, but it has no access to Gitlab APIs.
Alternatively I can store Project AccessToken as a Variable in my Schedule Job. But it will be visible to other people also in Project with Maintainer or Owners roles.
Is there any other way, where either I can store my tokens without reveling it to others? Or some mechanism where I can make it run without passing my Project AccessTokens?
Your best bet would be to store the secret in a vault/cloud service, such as HashiCorp Vault, AWS Secrets Manager, Azure Vault, etc. GitLab has the CI_JOB_JWT_V2 token, which can be used to authenticate to cloud services. With this method, you do not need to store any secrets in GitLab at all.
You can also see the Vault integration as another option.
The only other option might be to use a runner that has the secret on the system and lock that runner to your project.
Context & Problem
I'm working on a DevOps platform for a company which wants to provide developers with tools for code versioning & automatic testing / build / deploy, using Gitlab + Jenkins + Azure (alongside other tools like Jira / Sonarqube / Grafana, but not relevant here).
For security reasons & ease of management, we want to provide users with only one account for all those tools : Azure Active Directory.
Currently, Gitlab users can connect through Azure AD, and a push to the Gitlab repository triggers a build in Jenkins.
When I configure Jenkins authentication through Azure AD, the Gitlab integration with Jenkins doesn't work anymore, since you can no longer use username / password to connect to Jenkins, and it seems the only way provided by Gitlab integrations.
Current Setup
Gitlab (14.6.0-ee) & Jenkins (2.319.1) are installed on 2 different virtual machines (CentOs 7.9) hosted on Azure
Jenkins integration is enabled on Gitlab (https://docs.gitlab.com/ee/integration/jenkins.html)
Gitlab plugin is enabled on Jenkins (https://plugins.jenkins.io/gitlab-plugin/)
Jenkins integration with Azure Active Directory works fine (https://plugins.jenkins.io/azure-ad/)
Groups & Users are configured on Azure AD to give roles on Jenkins (https://www.cloudbees.com/blog/securing-jenkins-role-based-access-control-and-azure-active-directory)
✅ When Azure AD is not enabled on Jenkins, Gitlab triggers build after each push, and you can track every step status in Gitlab
❌ When Azure AD is enabled on Jenkins, Gitlab cannot trigger Jenkins (using Webhooks or official Jenkins integration)
Questions
Is there a way for Jenkins to provide multiple auth strategies depending on the user ? (as Gitlab does)
Is there a way for Gitlab to use something else that user / password for Jenkins integration or Webhooks ?
Do we have to choose between Azure AD & Gitlab integration ? (if so, does this mean no one uses Jenkins Single Sign On & Gitlab ? Seems weird)
Leads & Ideas
Tried using webhooks instead of the Jenkins integration, but it fails since the webhooks also need username / password (and integration would probably be less "advanced")
Tried finding a way to enable multiple auth methods on Jenkins, but seems impossible right now (https://issues.jenkins.io/browse/JENKINS-15063)
Tried giving role permissions to Gitlab on Azure AD, but it won't change anything since I can't find how to make Gitlab using OAuth with Jenkins
I searched thorougly for answers, but still may have missed something trivial.
I didn't find much litterature on this specific setup, so I'm hoping someone around here did encounter this type of situation before 🙂
Thank you for your help
I am migrating primary and secondary GitLab nodes to new nodes. In order to do this, I am following the backup and restore documentation.
Do GitLab runners need to be re-registered after a migration if the external url does not change?
Thanks all!!
No, GitLab runners do not need to be re-registered following a migration / backup/restore.
The runner registration is stored in GitLab's database and is associated with the token the runner receives from the gitlab-runner register command. Those tokens will continue to be valid, so long as they were properly backed up, probably even if the GitLab URL changes.
You can use the Runners API to verify a runner token.
We have a hosted GitLab instance internally and a Nexus repository hosted internally (neither of which touches the open internet). The Nexus repository uses client certificates for authentication. We have a repository in GitLab that is accessed by many developers and we need a way to get the user's client certificate in the runner so we can access Nexus.
Is there a way to specify in the .gitlab-ci.yml a user-specific mount? Putting the user's certificate information in the repository's "variables" is not an option because we have many developers accessing the same project. We (as developers) also don't have access to the runners. I can, however, create a new container/image that the GitLab runner can execute. Any thoughts on how to get the CI pipeline to recognize the user's certificate in the pipeline would be greatly appreciated!
After reading the GitLab documentation and realizing how far behind we were in releases (a major version) I discovered that GitLab now integrates with Vault. This appears to work for exactly our use case.
https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
Is it possible for GitLab project to generate "Deploy Token" remotely, via command line?
I'd like to automate creation of my projects.
Not via the GitLab API at the moment.
There is an open issue which is looking to add a set of new API endpoints that will allow administrators to create, list and revoke GitLab Deploy Tokens.