Category: quick q&a

Clone Private Repositories in GitLab Pipelines

Post author By rok
Post date May 9, 2023

Assume you want to clone a private GitLab repository in your GitLab pipeline. Let’s see how to do that. If you later find this article useful take a look at the disclaimer for information on how to thank me.

Table Of Contents

Why Clone Repositories in GitLab Pipelines?
- Clone Private Repositories in GitLab Pipelines Demo
Summary

Why Clone Repositories in GitLab Pipelines?

You probably know why you need that. You have never done it and wonder why you may need it? For example, your GitLab pipeline may run some automation (e.g. patterns replacements, version bumps) on specific repositories. To perform the changes in the repositories, you first need to clone the repository in your pipeline, do some changes, then commit and push it. However first, you need to clone it. While cloning repositories manually is straightforward either using https or ssh url, cloning in GitLab pipelines requires a bit different url. Let’s see how it looks and a demo GitLab pipeline using it.

Clone Private Repositories in GitLab Pipelines Demo

Let’s have a look at a sample GitLab pipeline which clones another private repository. In addition, it makes a sample change, commits and pushes it. Note that cloning private repository requires authentication, while clone public does not. To authenticate you’d need to generate a personal or group access token of at least read_repository scope. Add the token to the GitLab project or group masked variables.

Below is the pipeline which uses the variable GITLAB_TOKEN.

stages:         
  - update_repo    

build-job:      
  stage: update_repo
    - git config --global user.email "[email protected]"
    - git config --global user.name "Your Name"
  script:
    - echo "updating repo"
    - git clone https://oauth2:[email protected]/[your_user]/[another_project_name].git
    - cd [project_name]
    - echo 'test' > test.txt
    - git commit -am 'test'
    - git push
    - cd -

Note above that to clone the repository you need to run:

git clone https://oauth2:[email protected]/[your_user]/[another_project_name].git where GITLAB_TOKEN is defined as the GitLab project or group masked variable.

Summary

That’s it about using clone private repositories in GitLab pipelines. As always feel free to share. If you found this article useful, take a look at the disclaimer for information on how to thank me.

You can also find below articles useful:

Recommended GitLab books on Amazon.

Tags gitlab

quick q&a

Get user’s permissions using kubectl

Post author By rok
Post date March 31, 2023

Kubernetes supports RBAC authorization out of the box. In short, every Kubernetes user or a service account have permissions to perform certain actions (HTTP verbs) on certain API server resources e.g. pods. To get user’s permissions using kubectl run kubectl auth can-i --list:

Resources                                       Non-Resource URLs                     Resource Names              Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                          [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                          [create]
persistentvolumeclaims                          []                                    []                          [get list watch create delete deletecollection patch update]
pods/exec                                       []                                    []                          [get list watch create delete deletecollection patch update]
pods                                            []                                    []                          [get list watch create delete deletecollection patch update]
events                                          []                                    []                          [get list watch]
pods/log                                        []                                    []                          [get list watch]
configmaps                                      []                                    []                          [get watch list]
                                                [/.well-known/openid-configuration]   []                          [get]
                                                [/api/*]                              []                          [get]
                                                [/api]                                []                          [get]
                                                [/apis/*]                             []                          [get]
                                                [/apis]                               []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/livez]                              []                          [get]
                                                [/livez]                              []                          [get]
                                                [/openapi/*]                          []                          [get]
                                                [/openapi]                            []                          [get]
                                                [/openid/v1/jwks]                     []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version]                            []                          [get]
                                                [/version]                            []                          [get]
podsecuritypolicies.policy                      []                                    [global-unrestricted-psp]   [use]

To view another user’s permissions add --as=[user-name] flag. For instance: kubectl auth can-i --list --as=jenkins.

To see a real world example, you can follow my tutorial on installing Jenkins helm chart and then see the permissions of Jenkins service account. Such permissions include creating pods on demand for Jenkins jobs. Have a look at this chart’s template to get a taste of how RBAC is configured.

If you are after more granular information on roles or cluster roles per service account, have a look at this great answer on stack overflow. It suggests using rbac-tool.

Also note that Kubernetes distinguishes between user and service accounts.

Summary

That’s it about getting user’s permissions using kubectl.

If you found this article useful, take a look at the disclaimer for information on how to thank me.

You can find below articles useful:

Tags kubectl, kubernetes

DevOps quick q&a

Live reload Node.js app inside Docker container during development

Post author By rok
Post date December 7, 2022

You probably found yourself in a situation when building new docker image of Node.js web app (e.g. express) with the new changes takes a long time. All you wanted is to test your changes fast on a live system…

To achieve that, use docker volumes or bind mounts to map your source code on the workspace to source folder inside Node.js web app container. You can verify the changes reach the container by inspecting the source code inside the container after you make a change on docker host.

In order for node process inside the container to pick up the changes, it needs to reload. Use nodemon for that.

I wrote about it here as well.

When I did all of the above, I didn’t know automation for this exits. Use tilt!

You can find below articles useful:

If you found this article useful, take a look at the disclaimer for information on how to thank me.

Tags docker, node.js

DevOps quick q&a

Azure-cli in Dockerfile in Alpine

Post author By rok
Post date December 7, 2022

Today we’ll see how to install Azure-cli in Dockerfile when the base image is Alpine. If you later find this article useful take a look at the disclaimer for information on how to thank me.

As you know azure cli allows you to control azure cloud aspects from command line. This may be useful for provisioning azure resources in ci/cd pipelines or automations, for instance. If the pipelines run inside Jenkins agents (e.g. Docker in Docker Jenkins agent, Podman Jenkins agent) which are containerized, you may need to package azure-cli inside them. Let’s see how to install azure-cli in Dockerfile.

Azure-cli installation in Dockerfile

You probably found it challenging to install Azure-cli as part of Dockerfile where the base image is Alpine.

Use below command sequence to achieve that:

RUN apk add --no-cache --update python3 py3-pip 
RUN apk add --no-cache --update --virtual=build gcc musl-dev python3-dev libffi-dev openssl-dev cargo make && pip3 install --no-cache-dir --prefer-binary azure-cli && apk del build

RUN apk add --no-cache --update python3 py3-pip installed python and pip. They are needed because azure-cli is basically Python package.

Second RUN installs os packages required for successful azure-cli installation. Then, pip installs azure-cli.

See also relevant discussion on GitHub about installation of azure-cli in alpine.

Why apk add –virtual?

Note that these os packages are installed in a virtual package which is removed after azure-cli installation using apk del virtual. This trick reduces the final built image size.

Note also that Azure CLI is a Python package. That’s why it requires Python and Pip to run. Hence these packages are not removed.

See this great answer on stack overflow about apk add --virtual. Note that apk add --no-cache reduces image size as well.

Summary

That’s it about Azure-cli installation in Dockerfile when Alpine is a base image.

Find out recommended Azure books on Amazon.

Find out recommended Azure courses on Pluralsight:

Sign up using this link to get exclusive discounts like 50% off your first month or 15% off an annual subscription)

If you found this article useful, take a look at the disclaimer for information on how to thank me.

Tags alpine, docker

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	Used by PHP to to provide functions across pages.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wordpres_test_cookie		Test if cookie can be set. WordPress also sets wordpress_test_cookie cookie to check if the cookies are enabled on the browser to provide appropriate user experience to the users. This cookie is used on the front-end, even if you are not logged in.
wp_lang	session	Used by WordPress to store language settings.

Cookie	Duration	Description
_ga	2 years	Used to distinguish users by Google Analytics
_ga_*	1 year	Used by Google Analytics to store and count page views.