Red Hat has published an excellent 5 part blog series of best practices when dealing with private Git repositories that covers this as well as related topics in detail.
Authenticating to Private Repositories
It is often useful to set up a GitLab deployment key within your OpenShift project. Avoid using personal SSH keys, which are dependent on a specific individual's credentials.
In order to set up automated image builds for gitlab.umich.edu and containers.it.umich.edu, do the following:
Create an SSH keypair specific to the OpenShift project and GitLab repo. NOTE: Don't set a passphrase (just press Return twice when prompted)
ssh-keygen -f myproject-gitlab-key -t ed25519 -o -a 100 -C "containers.it.umich.edu:$(oc project -q)"
Create an OpenShift secret containing the SSH private key.
oc create secret generic myproject-gitlab-secret \
In the GitLab repo, go to Settings -> Repository -> Deploy Keys. Use the SSH key comment (`clustername:projectname`) as the title, and for the key paste the contents of the public key (the file `myproject-gitlab-key.pub`. Leave the write access checkbox unchecked since this key will only be used to trigger an OpenShift image build via a webhook.
Create the build configuration:
oc new-build [email protected]:my-gitlab-group/my-gitlab-project.git \
Setting up Webhooks for gitlab Repos
It is frequently useful to set up a webhook so that pushes to your gitlab.umich.edu repository automatically trigger image builds in your OpenShift project.
OpenShift documentation on webhooks can be found here.
Perform the following steps to setup a webhook:
In your OpenShift project, open the build configuration for your application, then choose Actions -> Edit from the upper right corner of the screen.
Under the 'Git Repository URL', click on Advanced Options.
Scroll down to the section labeled Triggers.
Click on Create New Webhook Secret, provide a name for the secret, and click on Generate to create a new unique secret value for your webhook.
Click Add Webhook, choose a type of GitLab and choose the secret name you created in the previous step.
Click Save at the bottom of the screen to save the creation of the webhook.
Click on the Configuration tab of the build configuration, and copy the Gitlab Webhook URL from the right side of the form.
In the GitLab repo, go to Settings -> Integrations. Set up a new webhook using the Generic Webhook URL obtained.
In the GitLab repo, Click Test -> Push events to make sure the hook executes successfully. Then in the OpenShift console, check the build logs to make sure everything succeeded (Builds -> Builds -> my-application -> #2 -> Logs).
Wednesday, June 3, 2020