How to configure bitrise to access an internally hosted git repository

In general you have a couple of options to securely connect to a private repository:

  1. Only allow SSH login on the repository server; SSH keys are fully supported on bitrise.io
  2. Restrict by IP: configure your server to only allow connections from certain IP addresses. We don't recommend this solution, as even if you restrict the IP range to bitrise.io build machine IPs, that means that anyone who runs builds on bitrise.io will be allowed to communicate with your servers. Additionally, we only have fixed IPs for our Mac build machines, the Linux stacks are hosted on Google Compute Engine and we use ephemeral IPs there, so the range is GCE's ephemeral IP range.
  3. Use a VPN: VPNs are in general a good solution to connect to private networks, although in most cases limiting logins on the servers to SSH keys is an easier solution. You can find a guide here: http://devcenter.bitrise.io/tutorials/vpn-configuration/

If anyone has any other idea / solution, please share it with us, we'd be happy to provide the required features / changes, or to highlight the option here!

We have a gitlab repository hosted internally, in other words it can only be accessed when connected to our company network, then bitrise can not access our gitlab repo projects. Said that, how to provide just to bitrise the rights to access our gitlab repo? Is that possible? Is there some alternative solution for that?

Because you mentioned that:

in other words it can only be accessed when connected to our company network, then bitrise can not access our gitlab repo projects.

You most likely need a VPN, to connect the build environment (virtual machine) to your own private / company network, so that it can access the repository. For this you can follow the guide Redirecting… - Bitrise Docs

A couple of notes / highlights:

  • You have to install and configure the VPN before the Git Clone step if you need the VPN to access the repository.
  • You can use a simple Script step to install and configure the VPN access
  • Setup note: Unfortunately you can't customize the scanner to activate a VPN session, but you can use a sample app repository or any other non VPN protected repository during the Add New App process, and then change the repository to the VPN protected one on the app's Settings tab.

Let us know if you have any questions!

A macOS-only solution, which works with the macOS built-in VPN, was also reported:

I understand that #2 is generally a bad idea, but how would one go about obtaining the static IPs of the mac build machines? I have the need for part of a PoC for a client and don't want to go through the hassle of setting up VPNs, etc until the project gets the green light proper

@nhammond run a script on the stack you want to get its IP, e.g.

#!/bin/bash
set -ex

# Print the public (egress) IP address this build machine connects from
curl ipinfo.io/ip

Please note that we can't guarantee that the IP will not change! On the Linux stacks we use ephemeral IPs so that does change for pretty much every build. On macOS the IP will be the same for every build (as it's the network's IP, not the specific host/VM's IP), but it might change any time if we have to change the related hardware for example!

@viktorbenei thanks for that. It's only iOS for now, and we'll be looking at other solutions going forward but this will get us started.

@nhammond As a temporary solution this should be fine, just don't forget that the IP might change in the future :wink:

There's a new step in the StepLib, that implements OpenVPN connection as a simple step: https://www.bitrise.io/integrations/steps/open-vpn

Can be a nice alternative to script based solution if you use OpenVPN.

I get this when following step 1

Failed, error: ssh_exchange_identification: Connection closed by remote host

fatal: Could not read from remote repository.

Could you please send us a build URL, preferably on our on-site chat or in a different issue thread?

Hi @viktorbenei, @bitce,

Actually my company uses Bitrise with Bitbucket, it works fine :+1: . But we move our source code in a Self Hosted Gitlab. So I try to use Bitrise with this Gitlab and I have some troubles :

Context :

  • I have a Bitrise Org Standard account.
  • Our Gitlab hosting infrastructure filters all the access by IP.

1st (resolved) problem :

  • We have whitelisted the Bitrise Mac Runner IP, so the Bitrise runner can pull/push my project. After this test we could use a VPN instead of whitelisting this IP.

2nd problem :

  • Our Gitlab is not notified by Bitrise to update the state of the builds (for the PR status) :
  • I suppose :
    • that Bitrise tries to do that using the Gitlab API (that correct ?)
    • but these requests are not made by the Bitrise Mac Runner, so the IP is different from the one I added in the whitelist (that correct ?)
  • Some questions :
    • Is there a way to use the Bitrise Self Hosted Gitlab integration with an IP filtering on Gitlab ? To know the IP of the machine that calls the Gitlab API ? To use a VPN on that part of Bitrise ?
    • How do businesses that have a Self Hosted Gitlab usually work to use Bitrise with?

3rd problem :

  • On our Gitlab, the HTTPS domain is gitlab.xxxx.com but the SSH domain is different (ssh-gitlab.xxxx.com). When I try to create a new app on Bitrise with the Self Hosted Gitlab integration, the resolved Git address by Bitrise is git@gitlab.xxxx.com and not git@ssh-gitlab.xxxx.com. And I can't edit it, so I can't setup the app on Bitrise.
    For example on the Tower Mac app, if I try to clone a repo from that Gitlab Self Hosted with my account logged in Tower, the resolved Git address is git@ssh-gitlab.xxxx.com

Hi @alexandreraulin!

Glad to hear you were able to work through most of these obstacles! :slight_smile:

About your status updates, you can simply search for the "GitLab Status" step in our step library and you can use that to communicate between the services!

As for the 3rd problem, we've discussed this briefly and the easiest workaround is, while Adding the new app you provide the git address manually instead of selecting the default Bitrise GitLab integration.

Updated IPs for Public cloud no longer require a range when using GCE.

See: https://devcenter.bitrise.io/infrastructure/virtual-machines/#whitelisting-build-machine-ips

Hi there, we have an internally hosted gitlab instance that uses an alternate port other than standard 22. How can I set the config for bitrise to use an alternate port?

Hi @lvthn-devops! Please see: Configuring SSH port of self-hosted Gitlab
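
For the alternate-port question above, and the earlier case where the SSH hostname differs from the HTTPS one, here is a generic OpenSSH client-side approach, added as an example and not taken from this thread or from Bitrise's documentation: pin the server's host key and write a Host block so that the address the build clones from resolves to the real SSH endpoint. The hostnames, port 2222 and key value are constructed placeholders, and it assumes the build's git uses the default OpenSSH client configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames, port and key are constructed
# placeholders; run it in a Script step placed before the Git Clone step.
set -eu

# pin_host_key KNOWN_HOSTS HOST PORT KEY_TYPE KEY_B64
# Records a host key obtained out of band from the GitLab admin, instead of
# trusting whatever ssh-keyscan returns during the build.
pin_host_key() {
  # known_hosts uses the "[host]:port" form for any port other than 22
  if [ "$3" = "22" ]; then entry="$2"; else entry="[$2]:$3"; fi
  touch "$1"
  grep -qxF "$entry $4 $5" "$1" || printf '%s %s %s\n' "$entry" "$4" "$5" >> "$1"
}

# write_ssh_host_block CONFIG ALIAS REAL_HOST PORT KNOWN_HOSTS
# Makes "git@ALIAS:group/repo.git" connect to REAL_HOST:PORT. Idempotent.
write_ssh_host_block() {
  mkdir -p "$(dirname "$1")"
  touch "$1"
  chmod 600 "$1"
  if grep -qxF "Host $2" "$1"; then return 0; fi
  cat >> "$1" <<EOF
Host $2
  HostName $3
  Port $4
  User git
  StrictHostKeyChecking yes
  UserKnownHostsFile $5
EOF
}

# Demo against a scratch directory; on a build machine use "$HOME/.ssh".
ssh_dir=$(mktemp -d)
pin_host_key "$ssh_dir/known_hosts" ssh-gitlab.example.internal 2222 \
  ssh-ed25519 REPLACE_WITH_HOST_KEY_FROM_ADMIN
write_ssh_host_block "$ssh_dir/config" gitlab.example.internal \
  ssh-gitlab.example.internal 2222 "$ssh_dir/known_hosts"
cat "$ssh_dir/config"
```

Without any client config, the URL form ssh://git@host:port/group/repo.git also carries a non-standard port; the config block is what additionally covers a differing SSH hostname and the pinned host key.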

Hello, I know this is an old thread but since I am not getting anywhere with my VPN connection setup, I thought I will take my chances here. Up front apologize for that.

Is VPN connectivity well documented somewhere? I am asking because I am seeing a lot of old posts, dating 3-5 years back showing steps but I don't know if they are relevant anymore.

I am simply looking for a document which shows how VPN configuration is being achieved as of today & how to include the step, what to write in step.yml or step.sh.

I am reading a lot of old posts & completely out of my depths here.

Any help will be deeply appreciated.

Hello,

Have you reviewed the section "Connecting to a VPN during a build" in the devcenter? This might be a good place to start.

One thing to note, the "Connect to OpenVPN Server" step uses a basic configuration and does not provide for a way to alter this configuration. If your VPN configuration differs, we typically suggest using the script from the step as a sample for you to create a custom step using your VPN configuration. (GitHub - bitrise-steplib/bitrise-step-open-vpn: Bitrise step to establish a VPN connection with the specified OpenVPN server.)
If you have specific questions or run into problems, please open a ticket with support.

Thanks,
Cathy