How to configure Jenkins to access Gitlab private repository without Gitlab plugin?

Question

I have installed latest Jenkins on ubuntu server and Jenkinsfile in my project repo on Gitlab.

I am able to connect to private repo on Gitlab using username/password credential on Jenkins configuration for the project pipeline without using Jenkins Gitlab plugin. This does not seem safe to me. How can I use Gitlab API token instead of username/password for Jenkins to access remote private Gitlab repo without using Jenkins Gitlab plugin. Another option is to set ssh private key on Jenkins server to athenticate against Gitlab repo. Is this option possible?

Jenkins Gitlab plugin is not officially supported and not well maintained because Gitlab wants customers to user their own CI/CD solution in order to tie customers to their platform for marketing reasons.

Answer 1

Jenkins connect with Private Repo User data for Jenkins[Ubuntu] #to install jenkins

curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee \/usr/share/keyrings/jenkins-keyring.asc > /dev/null echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian-stable binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update -y 
sudo apt-get install jenkins

Setp 1:- Open SSH login on Jenkins Server

sudo vim /etc/passwd 
edit -> jenkins:x:115:122:Jenkins,,,:/var/lib/jenkins:/bin/bash (false)
if false then make it bash 

Step 2:- Switch to Jenkins User

sudo su - jenkins 
          ssh-keygen 
          cd /.ssh/
          cat id_rsa.pub   #copy public key 
          add public key into gitlab/github account in ssh keys 
          try to clone private repo in Jenkins user using ssh url
          If it is successfully clone then you can proceed 
          rm -rf clonedir   #remove clone dir

Step 3:- Go to Jenkins Web UI [http://public-ip:8080]

Open manage Jenkins 
           Go to manage credentials and add new credentials 
           Select option ssh username with private key 
           username -> jenkins
           private key -> Enter Directly 
           paste jenkins user private key (sudo cat /var/lib/jenkins/.ssh/id_rsa) 

Step 3:- Go to Jenkins Web UI [http://public-ip:8080]

           Select new item [any type of job]
           Select source management -> git 
           paste your git repo 
           Select jenkins credentials 
           select branch in which you want to work on.

Note: If you are using on premises gitlab then your ssh url be like

1. ssh://git@gitlab.hostname/dir/repo.git
2. you have to whitelist you jenkins server ip into on premises firewall for gitlab.

Answer 2

A relatively safe way to handle this situation is to store your credentials is the credentials system in Jenkins (that way you do not have to include the credentials in the JenkinsFile), and using a deploy token (available for Gitlab 10.7 and later) for the relevant repository. That token allows you to provide read-only rights to the repository.

Step 1 - setup the deploy token in GitLab

From the GitLab documentation

You can create as many deploy tokens as you like from the settings of your project:

1. Log in to your GitLab account.
2. Go to the project you want to create Deploy Tokens for.
3. Go to Settings > Repository.
4. Click on “Expand” on Deploy Tokens section.
5. Choose a name and optionally an expiry date for the token.
6. Choose the desired scopes.
7. Click on Create deploy token.
8. Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.

Step 2 - Saving the deploy token in Jenkins' credentials system

Since the deploy tokens have a username and password, pick that as the type in the steps below. Write down the id you will use in this step (see below) as you will need it in your pipeline declaration.

From the Jenkins documentation

To add new global credentials to your Jenkins instance:

1. If required, ensure you are logged in to Jenkins (as a user with the Credentials > Create permission).
2. From the Jenkins home page (i.e. the Dashboard of the Jenkins classic UI), click Credentials > System on the left.
3. Under System, click the Global credentials (unrestricted) link to access this default domain.
4. Click Add Credentials on the left. Note: If there are no credentials in this default domain, you could also click the add some credentials link (which is the same as clicking the Add Credentials link).
5. From the Kind field, choose the type of credentials to add.
6. From the Scope field, choose either:

   • Global - if the credential/s to be added is/are for a Pipeline project/item. Choosing this option applies the scope of the credential/s to the Pipeline project/item "object" and all its descendent objects.
   • System - if the credential/s to be added is/are for the Jenkins instance itself to interact with system administration functions, such as email authentication, agent connection, etc. Choosing this option applies the scope of the credential/s to a single object only.

7. Add the credentials themselves into the appropriate fields for your chosen credential type:

   (...)

   • Username and password - specify the credential’s Username and Password in their respective fields. (...)

8. In the ID field, specify a meaningful credential ID value - for example, jenkins-user-for-xyz-artifact-repository. You can use upper- or lower-case letters for the credential ID, as well as any valid separator character. However, for the benefit of all users on your Jenkins instance, it is best to use a single and consistent convention for specifying credential IDs. Note: This field is optional. If you do not specify its value, Jenkins assigns a globally unique ID (GUID) value for the credential ID. Bear in mind that once a credential ID is set, it can no longer be changed.
9. Specify an optional Description for the credential/s.
10. Click OK to save the credentials.

Step 3 - Use the credentials in your pipeline declaration

You can use the credentials in your jenkinsFile like so:

pipeline {
  stages {
    stage('Clone stage') {
       steps {
         git url: 'https://gitlab.com/[username]/[my-repo].git', branch: 'master', credentialsId: 'my-gitlab-repo-creds'
       }
    }
  }    
}

In the above example I assume you picked the id my-gitlab-repo-creds in step 2.