Connect to GitLab Enterprise repositories in a private network (original) (raw)

This page describes how to connect to GitLab Enterprise repositories hosted in a private network by using Developer Connect and Service Directory. You can complete these tasks using the Google Cloud console, or the Google Cloud CLI.

These instructions are for application developers, platform administrators, and security managers who want to use GitLab Enterprise source code repositories with Google. Specifically, you can use GitLab Enterprise repositories withGemini Code Assist.

To learn more about Developer Connect, seeDeveloper Connect overview.

Before you begin

1. Sign in to your Google Account.
   If you don't already have one, sign up for a new account.
2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
   Go to project selector
3. Make sure that billing is enabled for your Google Cloud project.
4. Enable the Developer Connect and Service Directory APIs.
   Enable the APIs
5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
   Go to project selector
6. Make sure that billing is enabled for your Google Cloud project.
7. Enable the Developer Connect and Service Directory APIs.
   Enable the APIs

Enabling Developer Connect also enables theSecret Manager API.

1. Ensure that you have access to an account on GitLab Enterprise.
   To help keep your team's work secure, we recommend that you complete the tasks in this guide using a service account or an account shared by your team, not a personal account.
2. Ensure that you own a GitLab Enterprise repository, or have admin-level permissions on a shared repository.
3. Ensure that you have a Service Directory service resource for connecting to private networks, orcreate a Service Directory service resource. You can create the Service Directory service resource in the same project that you're using with Developer Connect, or you can use a different project.
   For connections to networks outside of Google Cloud, you might need to configure Service Directory differently. SeeUse Service Directory to reach hosts outside Google Cloud.
4. Optional: Create a customer-managed encryption key (CMEK) for encrypting the authentication secrets that Developer Connect creates.
5. Optional: To use the command-line instructions in this guide, complete the following steps:
6. Install the Google Cloud CLI. If you've installed gcloud CLI previously, make sure you have the latest available version by runninggcloud components update.
7. Create a Developer Connect service account by running the following command, where PROJECT_ID is your Google Cloud project ID:
   gcloud beta services identity create \
   --service=developerconnect.googleapis.com \
   --project=PROJECT_ID

Required roles

To get the permissions that you need to create connections and links, ask your administrator to grant you the following IAM roles:

• If you aren't the project owner:Developer Connect Admin (roles/developerconnect.admin) on your user account
• If you plan to use a CMEK to encrypt the secrets that Developer Connect creates:Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the Secret Manager Service Account
• If you plan to use the gcloud CLI steps in this guide:Secret Manager Admin role (roles/secretmanager.admin) on the Developer Connect Service Account
• If you plan to allow Developer Connect to act as a proxy for running Git calls: Developer Connect Git Proxy Reader (developerconnect.gitProxyReader) and Developer Connect Git Proxy User (developerconnect.gitProxyUser) on the account you use to make Git calls. The Git proxy feature is required for Gemini Code Assist code customization.

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Grant permissions to use Service Directory

Complete the following steps to let Developer Connect use Service Directory, and to let Service Directory access your VPC network resource.

1. Grant permissions for the Developer Connect service account to use Service Directory by running the following commands:

PROJECT_NUMBER=$(gcloud projects describe PROJECT_ID --format="value(projectNumber)")  
SERVICE_ACCOUNT="service-${PROJECT_NUMBER}@gcp-sa-devconnect.iam.gserviceaccount.com"  
gcloud projects add-iam-policy-binding SERVICE_DIRECTORY_RESOURCE_PROJECT_ID \  
    --member="serviceAccount:${SERVICE_ACCOUNT}" \  
    --role="roles/servicedirectory.viewer"  

Replace the following:

• PROJECT_ID: your Google Cloud project ID.
• SERVICE_DIRECTORY_RESOURCE_PROJECT_ID: the project ID for the Google Cloud project that contains your Service Directory service resource.

1. Grant permissions for Service Directory to access your VPC network resource. The network resource can be in a different project.

gcloud projects add-iam-policy-binding NETWORK_RESOURCE_PROJECT_ID \  
    --member="serviceAccount:${SERVICE_ACCOUNT}" \  
    --role="roles/servicedirectory.pscAuthorizedService"  

Replace NETWORK_RESOURCE_PROJECT_ID with the project ID for the project that contains your VPC network resource.

Use Service Directory to reach hosts outside Google Cloud

Service Directory uses the IP address range 35.199.192.0/19 to connect your host outside of Google Cloud. You must add this range to an allowlist in your firewall. Additionally, your private network needs to be configured to route this range through the Cloud VPN or Cloud Interconnect connection.

If your connection uses a Cloud Router, you can configure your connection tocommunicatethe range to your private network.

To learn more, see Configure private network access.

Use Cloud Load Balancing to reach hosts outside Google Cloud

If your network configuration does not allow you to route the Service Directory IP address range 35.199.192.0/19 to the Cloud VPN or Cloud Interconnect, you cancreate a load balancer using Cloud Load Balancing that directs traffic to your host.

When you create the Service Directory endpoint, make sure to use the IP address of the forwarding rule of the load balancer instead of the IP address of your host. You can use an internal HTTPS load balanceror aninternal transmission control protocol (TCP) load balancerwhen creating your endpoint.

When creating your TCP load balancer, consider the following:

• Only a hybrid connectivity network endpoint group (NEG) is required to reach your host.
• The TCP load balancer does not require the unencrypted private key for your SSL certificate.
• Your Cloud VPN setup needs to use Cloud Router with global dynamic routing. If your Cloud VPN uses static routing, you can use a proxy that uses Cloud Service Mesh instead. To learn more, see Set up network edge services for hybrid deployments.

To learn more about creating an HTTPS load balancer, see Set up an internal Application Load Balancer with hybrid connectivity. To learn more about creating a TCP load balancer, see Set up a regional internal proxy Network Load Balancer with hybrid connectivity.

Create access tokens

Create personal access tokens in GitLab by completing the following steps:

1. Sign in to GitLab.
2. Follow the instructions in the GitLab documentation tocreate personal access tokens with the following permissions:
   • One token with api scope for connecting and disconnecting repositories.
   • One token with read_api scope to allow Developer Connect to read source code in your repositories.

Create a connection

This section describes how to create a connection between Developer Connect and GitLab Enterprise. If you're using the Google Cloud console, then you can also start adding links to repositories as you finish setting up your connection.

To create a new GitLab Enterprise connection, select one of the following options:

Console

Initiate a connection by completing the following steps:

1. In the Google Cloud console, open Developer Connect.
   Go to Developer Connect
   Developer Connect displays the Git repositories page.
   • If you see a list of source code management providers: Start configuring your first connection by selecting a source code management provider. Click Connect on the GitLab Enterprise card.
   • If you see a table listing existing connections: Set the source code management provider by clicking Create connection >GitLab Enterprise.
     The Create Connection page opens.
2. For Region, choose a regionfor your connection resources.
   1. For Name, enter a name for your new connection.
3. Activate the Enable data residency checkbox to make this connection compliant withdata residency requirements.
   GitHub connections created using the Google Cloud console are data-residency compliant if you activate this checkbox when you create the connection. When you do this, Developer Connectcreates a GitHub app
   When you create a GitHub connections using Google Cloud CLI, those connections are not data-residency compliant. All other connection types are data-residency compliant.
4. In the Personal Access Tokens section, enter the tokensfor your account:
   • API access token: Enter the personal access token with apiscope.
   • Read API access token: Enter the personal access token withread_api scope.
     You are responsible for ensuring your GitLab tokens remain valid. GitLab tokens have a maximum lifetime of 365 days, unless otherwise specified by the token creator or an administrator. To learn how to manage token expiration settings and notifications, see the GitLab documentation on personal access tokens.
     For more information, see GitLab's documentation onpersonal access token expiration.
5. For Host URL, enter the URL of the host you want to connect to.
6. Click Show more to see optional configuration settings.
   1. Optional: To let Developer Connect act as a proxy for Git calls to GitLab Enterprise, select Enable git proxy. This feature is required when runningGemini Code Assist code customizationon GitLab Enterprise source code repositories hosted in private networks.
   2. In the Networking section, for Network type, choose Private network.
   3. For CA Certificate, click Browse to upload your self-signed certificate.
      Your certificate must not exceed 10 KB in size and should be in PEM format (.pem, .cer, or .crt). If this section is left blank, a default set of certificates will be used in place.
   4. In the Service Directory service section, select the location of your service:
      • In project your-project
      • In another project
      • Enter manually
        If you select In another project or Enter manually, specify your Google Cloud project ID. Select the project in the drop-down menu, or enter the project ID manually.
   5. Region: Select the region of your Service Directory service. The region specified for your service must match the region associated with your connection.
   6. Namespace: Select the namespace of your Service Directory service.
   7. Service: Select the Service Directory service name in your namespace.
   8. Optional: In the Encryption section, select aCMEK key to encrypt Secret Manager secrets that Developer Connect creates.
7. Click Continue.

Once the connection is created, the Link repositories page appears.

Complete the following steps to link repositories to your connection:

1. In the list of available repositories, select the repositories you want to use.
2. Click OK.
3. Click Link.

Your connection is added to the Connections page and your repository links are added to the Repositories page in the Google Cloud console. You can add more links to existing connections at any time.

If you're setting up Gemini Code Assist, continue the process by following the steps inConfigure and use Gemini Code Assist code customization.

gcloud

1. Create a webhook secret in Secret Manager by running the following command, where WEBHOOK_SECRET_NAMEis a name for your webhook secret:

     cat /proc/sys/kernel/random/uuid | tr -d '\n' | gcloud secrets create WEBHOOK_SECRET_NAME  

1. Store your personal access tokens in Secret Manager by running the following commands:

gcloud secrets create API_SECRET_NAME  
echo -n API_SECRET_DATA | gcloud secrets versions add API_SECRET_NAME --data-file=-  
gcloud secrets create READ_SECRET_NAME  
echo -n READ_SECRET_DATA | gcloud secrets versions add READ_SECRET_NAME --data-file=-  

Replace the following:

• API_SECRET_NAME: a name for the secret that stores the token with api scope.
• API_SECRET_DATA: the token with apiscope, similar to glpat-XXXXXXXXXXXXXXXX.
• READ_SECRET_NAME: a name for the secret that stores the token with read_api scope.
• READ_SECRET_DATA: the token with read_apiscope, similar to glpat-XXXXXXXXXXXXXXXX.

1. Run thegcloud developer-connect connections create command to create a connection to GitLab Enterprise:

gcloud beta developer-connect connections create CONNECTION_NAME \  
    --location=REGION \  
    --gitlab-config-read-authorizer-credential-user-token-secret-version=projects/PROJECT_ID/secrets/READ_SECRET_NAME/versions/VERSION \  
    --gitlab-config-authorizer-credential-user-token-secret-version=projects/PROJECT_ID/secrets/API_SECRET_NAME/versions/VERSION \  
    --gitlab-enterprise-config-host-uri=HOST_URI  
    --gitlab-enterprise-config-webhook-secret-version=projects/PROJECT_ID/secrets/WEBHOOK_SECRET_NAME/versions/VERSION  
    --git-proxy-config-enabled  

Replace the following:

• CONNECTION_NAME: the name of your connection.
• REGION: the region for your connection.
• PROJECT_ID: your Google Cloudproject ID.
• READ_SECRET_NAME: the name of the Secret Manager secret that contains the token with read_api scope.
• API_SECRET_NAME: the name of the Secret Manager secret that contains the token with api scope.
• VERSION: the version number of each secret. This can be latest to use the most recent version number.
• HOST_URI: the URI for the host you want to connect to.
• WEBHOOK_SECRET_NAME: the name of the Secret Manager secret that contains your webhook secret.
• --git-proxy-config-enabled is an optional flag that allows Developer Connect to as a proxy for Git calls to GitLab Enterprise. You must enable this feature when runningGemini Code Assist code customizationon GitLab Enterprise source code repositories hosted in private networks.
• --gitlab-enterprise-config-ssl-ca-certificate is an optional flag to add an SSL certificate, in the format $HOME/my-ssl-ca.txt.
  Developer Connect completes the connection to GitLab. Next,link to repositories.

Link to repositories using an existing connection

Once you have established a connection to GitLab Enterprise, you can link to repositories. You can repeat these steps later to link additional repositories as needed.

To create repository links on an existing GitLab Enterprise connection, select one of the following options:

Console

Create links to repositories by completing the following steps:

1. Open the Repositories page in the Google Cloud console.
   Open the Repositoriespage
2. Click Link repository.
   The Link Git repositories pane opens.
3. In the connections list, choose a connection.
4. Click Continue.
5. In the repositories list, select the repositories you want to link to.
   Developer Connect displays suggested names for your repository resources.
6. Select a repository resource naming option:
   • Generated: Use the generated repository resource names.
   • Manual: Input names of your own.
7. Click Create.

Developer Connect creates the repository links and displays them in the Google Cloud console.

gcloud

Link to a GitLab repository by running the following command:

gcloud beta developer-connect connections git-repository-links create REPO_NAME \
    --clone-uri=REPO_URI \
    --connection=CONNECTION_NAME \
    --location=REGION

Replace the following:

• REPO_NAME: the name for your repository link.
• REPO_URI: the link to your repository, similar to https://gitlab.com/my-project/test-repo.git.
• CONNECTION_NAME: the name of your connection.
• REGION: the region of your connection.

Developer Connect creates the repository links.

To list linked repositories, run thedeveloper-connect connections git-repository-links list command.

If you're setting up Gemini Code Assist, continue the process by following the steps inConfigure and use Gemini Code Assist code customization.

What's next

• Finish setting up Gemini Code Assist code customization.
• Learn how Gemini Code Assist helps you accelerate software development.
• Explore other integrations available through Developer Connect.