First off: we need to improve the documentation for doing this.
There are (potentially) two parts to the story: access to the GitLab API and access to the repo contents. BinderHub itself needs access to the API and then needs to be able to pass some form of credentials on to repo2docker which clones to repository. These might or might not be the same credentials.
The credentials passed on to repo2docker come via:
which then get passed as an environment variable to the pod in which repo2docker runs which then consumes them.
How does it consume them? Via a small shell script that git will use if it needs credentials which is best documented in this commit message. The idea is that git allows you to install a “credential helper” which we do in the docker image that BinderHub uses to run repo2docker in.
Did I mention we need better docs around this? 
An example of how the credentials env variables is formatted is https://github.com/jupyterhub/binderhub/blob/2e5086a087ab3d41972d0d2359a08a4a632a35f9/binderhub/repoproviders.py#L329-L340