
Switching Jenkins to GitLab auth from SSH keys to Group Access Tokens

Imported from Confluence

Content may be outdated. Verify before following any procedures. Last updated: May 2023

Summary

Since GitLab's "Deploy keys" are tied to particular users (namely the ones who added them), your pipeline might break once someone from the DevOps team goes on vacation for longer than one week. You can ask oit to unblock the key in this case, but that is obviously not a production-grade solution. Taking that into account, and also considering compliance requirements, we have to deprecate the use of SSH keys when building Jenkins pipelines and integrations with GitLab. Instead we are to adopt so-called group access tokens, which are essentially service user:pass pairs and, as the name suggests, can access only one particular GitLab group.

Info

A GitLab group is a "sub-folder" under $COMPANY (digitalturbine) and $ORGANISATION (appgrowthplatform): https://gitlab.com/digitalturbine/appgrowthplatform/$GROUP

See more about Group Access Tokens in the GitLab documentation (Docs)

How to

From the code perspective that means switching from the git (SSH) protocol to https and slightly updating the connection strings. Example:

Before (SSH deploy key):
git(url: 'git@gitlab.com:digitalturbine/appgrowthplatform/FairBid/BE/frtb.git', credentialsId: 'gitlab_jenkins_deploy_key', branch: build_branch)

After (group access token over https):
git(url: 'https://gitlab.com/digitalturbine/appgrowthplatform/FairBid/BE/frtb.git', credentialsId: 'gitlab_fairbid_group_access_token', branch: build_branch)

Note that the colon after "gitlab.com" in the SSH URL becomes a slash in the https URL, and that the credentialsId is different.
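The URL rewrite described above, as an added example that is not part of the original page: a small POSIX shell helper that turns a gitlab.com SSH clone URL into its https form, extracts the group under digitalturbine/appgrowthplatform, and picks the credentialsId using the group-to-token mapping from the Credentials section at the end of this page. The helper names (ssh_to_https, group_of, credential_id_for, migrate_git_step) are this example's own, and a URL outside gitlab.com or outside the known groups is rejected rather than guessed.

```shell
#!/bin/sh
# Added example (not from the original page): rewrite a GitLab SSH clone URL to
# https and choose the Jenkins credentialsId for the group it belongs to.
# The group -> credentialsId table mirrors the Credentials section of the page.

# ssh_to_https URL
#   git@gitlab.com:a/b/c.git     -> https://gitlab.com/a/b/c.git
#   ssh://git@gitlab.com/a/b.git -> https://gitlab.com/a/b.git
#   https://gitlab.com/...       -> unchanged
# Prints nothing and returns 1 for anything that is not a gitlab.com URL.
ssh_to_https() {
    case "$1" in
        git@gitlab.com:*)       printf 'https://gitlab.com/%s\n' "${1#git@gitlab.com:}" ;;
        ssh://git@gitlab.com/*) printf 'https://gitlab.com/%s\n' "${1#ssh://git@gitlab.com/}" ;;
        https://gitlab.com/*)   printf '%s\n' "$1" ;;
        *)                      return 1 ;;
    esac
}

# group_of URL -> the GitLab group directly under digitalturbine/appgrowthplatform
# (e.g. FairBid for .../appgrowthplatform/FairBid/BE/frtb.git).
group_of() {
    https_url=$(ssh_to_https "$1") || return 1
    prefix='https://gitlab.com/digitalturbine/appgrowthplatform/'
    case "$https_url" in
        "$prefix"*) rest="${https_url#"$prefix"}" ;;
        *)          return 1 ;;   # not under our organisation
    esac
    printf '%s\n' "${rest%%/*}"
}

# credential_id_for URL -> Jenkins credentialsId of the group access token for that group.
credential_id_for() {
    group=$(group_of "$1") || return 1
    case "$group" in
        Shared)    printf 'gitlab_shared_group_access_token\n' ;;
        OfferWall) printf 'gitlab_offerwall_group_access_token\n' ;;
        FairBid)   printf 'gitlab_fairbid_group_access_token\n' ;;
        DTDirect)  printf 'gitlab_direct_group_access_token\n' ;;
        DTGrowth)  printf 'gitlab_growth_group_access_token\n' ;;
        AdColony)  printf 'gitlab_adcolony_group_access_token\n' ;;
        *) printf 'no group access token is defined for group %s\n' "$group" >&2; return 1 ;;
    esac
}

# migrate_git_step SSH_URL -> the updated Jenkins git(...) step, ready to paste.
migrate_git_step() {
    url=$(ssh_to_https "$1") || return 1
    cred=$(credential_id_for "$url") || return 1
    printf "git(url: '%s', credentialsId: '%s', branch: build_branch)\n" "$url" "$cred"
}

# Usage: ./migrate.sh git@gitlab.com:digitalturbine/appgrowthplatform/FairBid/BE/frtb.git
migrate_git_step "${1:-git@gitlab.com:digitalturbine/appgrowthplatform/FairBid/BE/frtb.git}"
```

Run it over the git(...) URLs in a Jenkinsfile to get the replacement lines; a repository in a group that has no token yet fails loudly, which is the moment to request one rather than fall back to a deploy key.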

Push changes via https

Sometimes you need to commit and push changes to the remote branch from your pipeline (e.g. bumping the version number before deploying a new version). In that case one more step is needed: change the remote repository's URL with the following command:

git remote set-url origin https://<ACCESS_TOKEN>@<REPOSITORY_URL>

Pasting here a piece of code we use in the Jenkins pipeline:

stage('Git Push') {
    environment {
        // username/password credential: credentials() exposes it as ACCESS_TOKEN in the
        // "user:password" form (plus ACCESS_TOKEN_USR and ACCESS_TOKEN_PSW), which is exactly
        // what goes before the "@" in the https URL. Use the token of the right group.
        ACCESS_TOKEN = credentials('gitlab_fairbid_group_access_token')
    }
    steps {
        dir('fetcher') {
            // single-quoted Groovy string: the $VARS below are expanded by the shell, not by Groovy
            sh '''
                # point origin at the https remote, authenticated with the token, before any other git command
                git remote set-url origin https://$ACCESS_TOKEN@gitlab.com/digitalturbine/appgrowthplatform/FairBid/BE/blue-raven.git
                # ... make some changes
                git add ../config/deploy/helm/charts/fetcher/latest/values.yaml
                git commit -m "build ${VERSION_TAG} [skip ci]"
                git tag v$VERSION_TAG
                git remote -v
                git push --set-upstream --follow-tags origin $BRANCH_NAME
                git push origin v$VERSION_TAG
            '''
        }
    }
}
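The commit, tag and push sequence of the stage above, as an added example that is neither the page's nor the project's code: a POSIX shell script with the same git commands plus two helpers the stage does not have, one that builds the authenticated URL only for https and one that redacts the user:password part before anything is echoed. It assumes ACCESS_TOKEN holds the Jenkins username/password credential as "user:password" (what credentials() exposes); the helper names (with_token, redact, push_with_token) and the sample values are this example's own.

```shell
#!/bin/sh
# Added example (not the page's or the project's code): the "Git Push" stage as a shell
# script. Assumption: ACCESS_TOKEN is the Jenkins credential in "user:password" form.

# with_token HTTPS_URL USER_PASS -> https://USER_PASS@host/path, i.e. the URL that
# `git remote set-url origin https://<ACCESS_TOKEN>@<REPOSITORY_URL>` builds.
# Only https is accepted, so the token never travels in clear text.
with_token() {
    case "$1" in
        https://*) printf 'https://%s@%s\n' "$2" "${1#https://}" ;;
        *) printf 'refusing to embed a token in a non-https URL: %s\n' "$1" >&2; return 1 ;;
    esac
}

# redact URL -> URL with the userinfo (user:password) replaced by ***.
# `git remote -v` prints the full URL; Jenkins masks bound credentials in the console,
# but a redacted echo is what you want in anything written to files or other logs.
redact() {
    case "$1" in
        *://*@*) printf '%s://***@%s\n' "${1%%://*}" "${1#*@}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# push_with_token WORKDIR REPO_URL BRANCH VERSION FILE...
# Adds FILE..., commits "build VERSION [skip ci]", tags vVERSION and pushes branch and tag.
# The token is written into origin's URL only for the push and the plain URL is restored
# afterwards, so it does not stay behind in .git/config on the agent workspace.
push_with_token() {
    workdir=$1; repo_url=$2; branch=$3; version=$4; shift 4
    [ -n "${ACCESS_TOKEN:-}" ] || { echo 'ACCESS_TOKEN is not set' >&2; return 1; }
    auth_url=$(with_token "$repo_url" "$ACCESS_TOKEN") || return 1

    git -C "$workdir" add -- "$@" &&
    git -C "$workdir" commit -m "build ${version} [skip ci]" &&
    git -C "$workdir" tag "v${version}" || return 1

    git -C "$workdir" remote set-url origin "$auth_url"
    printf 'pushing %s and v%s to %s\n' "$branch" "$version" "$(redact "$auth_url")"
    # --follow-tags only carries annotated tags; `git tag vX` creates a lightweight tag,
    # which is why the stage pushes the tag explicitly as a second step.
    git -C "$workdir" push --set-upstream origin "$branch" &&
    git -C "$workdir" push origin "v${version}"
    rc=$?
    git -C "$workdir" remote set-url origin "$repo_url"   # put the plain URL back
    return $rc
}
```

Inside the Jenkins sh step the call would be push_with_token fetcher https://gitlab.com/digitalturbine/appgrowthplatform/FairBid/BE/blue-raven.git "$BRANCH_NAME" "$VERSION_TAG" ../config/deploy/helm/charts/fetcher/latest/values.yaml, with ACCESS_TOKEN coming from the stage's environment block; restoring the plain URL at the end is the one behavioural difference from the stage on the page.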

Credentials

Here are the credential IDs containing the tokens and the GitLab groups they give access to:

gitlab_shared_group_access_token    -> https://gitlab.com/digitalturbine/appgrowthplatform/Shared/
gitlab_offerwall_group_access_token -> https://gitlab.com/digitalturbine/appgrowthplatform/OfferWall/
gitlab_fairbid_group_access_token   -> https://gitlab.com/digitalturbine/appgrowthplatform/FairBid/
gitlab_direct_group_access_token    -> https://gitlab.com/digitalturbine/appgrowthplatform/DTDirect/
gitlab_growth_group_access_token    -> https://gitlab.com/digitalturbine/appgrowthplatform/DTGrowth/
gitlab_adcolony_group_access_token  -> https://gitlab.com/digitalturbine/appgrowthplatform/AdColony/