Private Gitlab Access for BinderHub

Chris_Stone · March 18, 2019, 5:52pm

We run our own GitLab installation, and are able to use its public repos as BinderHub sources with no problem. However, we are unable to get BinderHub to pull from any private repo there. I tried to configure BinderHub to do this by looking at the code here: https://github.com/jupyterhub/binderhub/blob/8357c90106be6f30d3d427bc6c9257e7657e48ba/binderhub/repoproviders.py#L163-L264

And thought it might be possible by seeing this:

hostname = Unicode('gitlab.com', config=True,
    help="""The host of the GitLab instance
    For personal GitLab servers.
    """
    )

Does or will BinderHub support pulling from private GitLab repos not hosted at gitlab.com?

Thanks,

–Chris

betatim · March 18, 2019, 6:44pm

First off: we need to improve the documentation for doing this.

There are (potentially) two parts to the story: access to the GitLab API and access to the repo contents. BinderHub itself needs access to the API and then needs to be able to pass some form of credentials on to repo2docker which clones to repository. These might or might not be the same credentials.

The credentials passed on to repo2docker come via:

github.com

jupyterhub/binderhub/blob/cddf018b16d83e1539c10cc83487ad80a9ac14d4/binderhub/repoproviders.py#L76-L81


git_credentials = Unicode(
    "",
    help="""
    Credentials (if any) to pass to git when cloning.
    """,
)

which then get passed as an environment variable to the pod in which repo2docker runs which then consumes them.

How does it consume them? Via a small shell script that git will use if it needs credentials which is best documented in this commit message. The idea is that git allows you to install a “credential helper” which we do in the docker image that BinderHub uses to run repo2docker in.

Did I mention we need better docs around this?

An example of how the credentials env variables is formatted is https://github.com/jupyterhub/binderhub/blob/2e5086a087ab3d41972d0d2359a08a4a632a35f9/binderhub/repoproviders.py#L329-L340

Chris_Stone · March 18, 2019, 6:36pm

Thanks, Tim. yes, I neglected to mention that I can see via the gitlab logs that the API connection is successful; it’s only at the cloning via repo2docker that I see the authentication failure. In any case, this does look very encouraging, and I’ll give it a try right now. Thanks again for your help! --Chris

betatim · March 26, 2019, 7:07pm

I made my post a “wiki post” so you should be able to edit it (I think, still figuring out the mechanics of discourse). If you feel like modifying, extending, or correcting bits as you go through the process that would be great. It could then serve as a starting point for adding it to our docs. Or you could make a PR to do that from scratch

katylava · March 26, 2019, 6:54pm

@betatim Where can I find the wiki post?

consideRatio · March 26, 2019, 6:56pm

@katylava - @betatim was referring to this post: Private Gitlab Access for BinderHub, which is actually within this discourse topic. I have recently started understanding the terminology myself

betatim · March 26, 2019, 7:08pm

@consideRatio is exactly right. Sorry if the terminology was confusing. I edited the post where I refer to “the wiki post” to link to the actual post and to a “what is a wiki post” article from the discourse documentation.