How to configure bitrise to access an internally hosted git repository

#1

In general you have a couple of options to securely connect to a private repository:

  1. Only allow SSH login on the repository server; SSH keys are fully supported on bitrise.io
  2. Restrict by IP: configure your server to only allow connections from certain IP addresses. We don’t recommend this solution, as even if you restrict the IP range to bitrise.io build machine IPs, that means that anyone who runs builds on bitrise.io will be allowed to communicate with your servers. Additionally, we only have fixed IPs for our Mac build machines, the Linux stacks are hosted on Google Compute Engine and we use ephemeral IPs there, so the range is GCE’s ephemeral IP range.
  3. Use a VPN: VPNs are in general a good solution to connect to private networks, although in most cases limiting logins on the servers to SSH keys is an easier solution. You can find a guide here: http://devcenter.bitrise.io/tutorials/vpn-configuration/

If anyone has any other idea / solution, please share it with us, we’d be happy to provide the required features / changes, or to highlight the option here!

1 Like

#2

We have a gitlab repository hosted internally, in other words it can only be accessed when connected to our company network, then bitrise can not access our gitlab repo projects. That said, how to provide just to bitrise the rights to access our gitlab repo? Is that possible? Is there some alternative solution for that?

0 Likes

#4

Because you mentioned that:

in other words it can only be accessed when connected to our company network, then bitrise can not access our gitlab repo projects.

You most likely need a VPN, to connect the build environment (virtual machine) to your own private / company network, so that it can access the repository. For this you can follow the guide http://devcenter.bitrise.io/tutorials/vpn-configuration/

A couple of notes / highlights:

  • You have to install and configure the VPN before the Git Clone step if you need the VPN to access the repository.
  • You can use a simple Script step to install and configure the VPN access
  • Setup note: Unfortunately you can’t customize the scanner to activate a VPN session, but you can use a sample app repository or any other non VPN protected repository during the Add New App process, and then change the repository to the VPN protected one on the app’s Settings tab.

Let us know if you have any questions!

0 Likes

#5

A macOS only solution, which works with the macOS built in vpn was also reported:

0 Likes

#6

I understand that #2 is generally a bad idea, but how would one go about obtaining the static IPs of the mac build machines? I have the need for part of a PoC for a client and don’t want to go through the hassle of setting up VPNs, etc until the project gets the green light proper

0 Likes

#7

@nhammond run a script on the stack you want to get its IP, e.g.

#!/bin/bash
set -ex

curl ipinfo.io/ip

Please note that we can’t guarantee that the IP will not change! On the Linux stacks we use ephemeral IPs so that does change for pretty much every build. On macOS the IP will be the same for every build (as it’s the network’s IP, not the specific host/VM’s IP), but it might change any time if we have to change the related hardware for example!

2 Likes

#8

@viktorbenei thanks for that. It’s only iOS for now, and we’ll be looking at other solutions going forward but this will get us started.

0 Likes

#9

@nhammond As a temporary solution this should be fine, just don’t forget that the IP might change in the future :wink:

1 Like

#10

There’s a new step in the StepLib, that implements OpenVPN connection as a simple step: https://www.bitrise.io/integrations/steps/open-vpn

Can be a nice alternative to script based solution if you use OpenVPN.

0 Likes

#11

I get this when following step 1

Failed, error: ssh_exchange_identification: Connection closed by remote host

fatal: Could not read from remote repository.

0 Likes

#13

Could you please send us a build URL, preferably on our on-site chat or in a different issue thread?

0 Likes

#14

Hi @viktorbenei, @bitce,

Actually my company uses Bitrise with Bitbucket, it works fine :+1: . But we are moving our source code to a Self Hosted Gitlab. So I try to use Bitrise with this Gitlab and I have some troubles:

Context :

  • I have a Bitrise Org Standard account.
  • Our Gitlab hosting infrastructure filters all access by IP.

1st (resolved) problem :

  • We have whitelisted the Bitrise Mac Runner IP, so the Bitrise runner can pull/push my project. After this test we could use a VPN instead of whitelisting this IP.

2nd problem :

  • Our Gitlab is not notified by Bitrise to update the state of the builds (for the PR status):
  • I suppose:
    • that Bitrise tries to do that using the Gitlab API (is that correct?)
    • but these requests are not made by the Bitrise Mac Runner, so the IP is different from the one I added in the whitelist (is that correct?)
  • Some questions:
    • Is there a way to use the Bitrise Self Hosted Gitlab integration with IP filtering on Gitlab? To know the IP of the machine that calls the Gitlab API? To use a VPN on that part of Bitrise?
    • How do businesses that have a Self Hosted Gitlab usually work to use Bitrise with it?

3rd problem :

  • On our Gitlab, the HTTPS domain is gitlab.xxxx.com but the SSH domain is different (ssh-gitlab.xxxx.com). When I try to create a new app on Bitrise with the Self Hosted Gitlab integration, the resolved Git address by Bitrise is git@gitlab.xxxx.com and not git@ssh-gitlab.xxxx.com. And I can’t edit it, so I can’t set up the app on Bitrise.
    For example on the Tower Mac app, if I try to clone a repo from that Gitlab Self Hosted with my account logged in Tower, the resolved Git address is git@ssh-gitlab.xxxx.com

0 Likes

#15

Hi @alexandreraulin!

Glad to hear you were able to work through most of these obstacles! :slight_smile:

About your status updates, you can simply search for the “GitLab Status” step in our step library and you can use that to communicate between the services!

As for the 3rd problem, we’ve discussed this briefly and the easiest workaround is, while Adding the new app you provide the git address manually instead of selecting the default Bitrise GitLab integration.

0 Likes

#16

Updated IPs for Public cloud no longer require a range when using GCE.

See: https://devcenter.bitrise.io/infrastructure/virtual-machines/#whitelisting-build-machine-ips

0 Likes

#17

Hi there, we have an internally hosted gitlab instance that uses an alternate port other than standard 22. How can I set the config for bitrise to use an alternate port?

0 Likes

#18

Hi @lvthn-devops! Please see: Configuring SSH port of self-hosted Gitlab

0 Likes
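
One way to handle the alternate SSH port asked about in #17 and the separate SSH hostname described in #14, as an added example that is not from this thread or from Bitrise's documentation: shell functions for a Script step placed before Git Clone. It assumes the clone goes through the build VM's OpenSSH client and reads the config file you point it at; the hostnames, port 2222 and host key in the usage comment are constructed placeholders.

```shell
#!/usr/bin/env bash
set -eu

# write_git_ssh_config ALIAS SSH_HOST PORT CONFIG_FILE
# Makes "git@ALIAS:group/repo.git" connect to SSH_HOST on PORT, with
# strict host key checking left on. Does nothing if ALIAS is already present.
write_git_ssh_config() {
  alias_host=$1; ssh_host=$2; port=$3; config_file=$4
  case "$port" in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  mkdir -p "$(dirname "$config_file")"
  if [ -f "$config_file" ] && grep -qxF "Host $alias_host" "$config_file"; then
    return 0
  fi
  cat >> "$config_file" <<EOF
Host $alias_host
  HostName $ssh_host
  Port $port
  User git
  StrictHostKeyChecking yes
EOF
  chmod 600 "$config_file"
}

# known_hosts_name HOST PORT
# known_hosts stores non-default ports as "[host]:port", port 22 as bare "host".
known_hosts_name() {
  if [ "$2" = "22" ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# pin_host_key HOST PORT "KEYTYPE BASE64KEY" KNOWN_HOSTS_FILE
# HOST is the real SSH hostname (the HostName above), not the alias.
pin_host_key() {
  entry="$(known_hosts_name "$1" "$2") $3"
  mkdir -p "$(dirname "$4")"
  touch "$4"
  grep -qxF "$entry" "$4" || printf '%s\n' "$entry" >> "$4"
}

# Usage with placeholder values (replace with your server's real ones):
#   write_git_ssh_config gitlab.example.com ssh-gitlab.example.com 2222 ~/.ssh/config
#   pin_host_key ssh-gitlab.example.com 2222 "ssh-ed25519 <your-server-public-key>" ~/.ssh/known_hosts
```

Take the host key from the GitLab server itself (for example from its /etc/ssh/*.pub files) rather than accepting whatever the first connection presents, so the build fails if something else answers on that address.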