Accessing private code repositories

A code repository, such as GitHub or GitLab, stores source code. With Code Engine, you can add access to a private code repository and then reference that repository from your build.

After you create access to your private code repository, you can pull code from repo, build it, and deploy an app or job with IBM Cloud® Code Engine.

Create code repository access

When you create access to a private code repository, you are saving credentials in Code Engine. These credentials are called SSH secrets.

Before you begin

Choosing an SSH key for code repository

For both GitHub and GitLab, you can decide between two kinds of SSH keys to connect to your source repository.

An SSH key associated with the source code repository, this key has access to only those repositories where you register the SSH key. This access is read only, by default, which is the level that is required by Code Engine to download the source code. You can select write access, if needed. Consider choosing this option to set an SSH key that is scoped to specific repositories to control access to only the specified repositories.
- GitHub - Deployment keys
- GitLab - Deployment keys
An SSH key associated with a user, for example, your own user account or a functional ID that is available in your organization. This SSH key has the repository permissions from the user account. Code Engine requires read access to download the source code.

Because setting an SSH key that is scoped to a user account provides access to the full account, it is important to be aware of security implications when you choose this option.
- Adding an SSH key to your GitHub account.
- Adding an SSH key to your GitLab account.

Do not create your SSH key file with a secure passphrase as this action causes your build command to fail.

Adding private repository access from the console

Before you begin, create a project.

After your project is in Active status, click the name of your project on the Code Engine Projects page.
From the Components page, click Secrets and configmaps.
From the Secrets and configmaps page, click Create to create your secret.
From the Create secret or configmap page, complete the following steps:
1. Select SSH secret, and click Next.
2. Provide a name; for example, mysecret-ssh.
3. Add the SSH private key for this secret.
4. Click Create to create the secret.

Now that your secret is created from the console, go to the Secrets and configmaps page to view a list of defined secrets and configmaps. You can apply filters to customize the list to meet your needs.

You can create access when you build an image.

Adding private repository access with the CLI

Beginning with CLI version 1.42.0, defining and working with secrets in the CLI is unified under the secret command group. See ibmcloud ce secret commands. Use the --format option to specify the category of secret, such as basic_auth, generic, ssh, tls, or registry. While you can continue to use the repo command group, take advantage of the unified secret command group. To create a secret to access a service with an SSH key, such as to authenticate to a Git repository like GitHub or GitLab, use the ibmcloud ce secret create --format ssh command. An SSH secret is also used as a Git repository access secret. To learn more about working with secrets in Code Engine, see Working with secrets.

An SSH secret contains the credentials to access the private repository that contains the source code to build your container image. An SSH secret is also used as a Git repository access secret.

To create an SSH secret with the CLI, use the secret create --format ssh command. This command requires a name and a key path, and also allows other optional arguments such as the path to the known hosts file. For a complete listing of options, see the ibmcloud ce secret create --format ssh command.

For example, the following command creates an SSH secret that is called myrepossh to a repository at github.com that uses your personal SSH private key that is found at the default location on your system.

Mac OS or Linux®

ibmcloud ce secret create --format ssh --name myrepossh --key-path $HOME/.ssh/id_rsa --known-hosts-path $HOME/.ssh/known_hosts

Windows

ibmcloud ce secret create --format ssh --name myrepossh --key-path "%HOMEPATH%\.ssh\id_rsa" --known-hosts-path "%HOMEPATH%\.ssh\known_hosts"

The following table summarizes the options that are used with the repo create command in this example. For more information about the command and its options, see the ibmcloud ce repo create command.

Table 1. Command description
Option	Description
`--name`	The name of the SSH secret. Use a name that is unique within the project. This value is required. The name must begin and end with a lowercase alphanumeric character. The name must be 253 characters or fewer and can contain lowercase letters, numbers, periods (.), and hyphens (-).
`--key-path`	The local path to the unencrypted private SSH key. If you use your personal private SSH key, then this file is usually at `$HOME/.ssh/id_rsa` (Mac OS or Linux) or at `%HOMEPATH%.ssh\id_rsa`(Windows). This value is required.
`--known-hosts-path`	The path to your known hosts file. This value is a security feature to ensure that the private key is only used to authenticate at hosts that you previously accessed, specifically, the GitHub or GitLab hosts. This file is usually located at `$HOME/.ssh/known_hosts` (Mac OS or Linux) or at `%HOMEPATH%.ssh\known_hosts` (Windows).

Referencing a private Git repository in a build

You can reference existing access or create access when you build an image from the console.

Referencing a private Git repository in a build from the console

To reference your private Git repository in a build,

Go to the Code Engine dashboard.
Select a project (or create one).
From the project page, click Image builds.
From the Image build tab, click Create.
To specify a private repository and add access, enter the URL to the repository in the Code repo URL field and then select either your existing code repo access or to create access.
Finish specifying information for your build and click Done.

For more information about building images, see Building a container image.

The code repo URL must be an SSH URL such as git@github.com:IBM/CodeEngine.git instead of an HTTPS URL such as https://github.ibm.com/codeengine/ui.

Referencing an SSH secret in a build with the CLI

To use an SSH secret in a build, use the --git-repo-secret option when you run the build create or the build update command. An SSH secret is also used as a Git repository access secret.

If you have an existing build, then you can update it by using the build update command,

ibmcloud ce build update --name mybuild --git-repo-secret myrepossh

If you want to create a new build, then see Creating a build configuration with the CLI.

Next steps for Git repository access

After you create your SSH secret to access a Git repository, you can build images from source code in your private repository. Specify your SSH secret when you run the build create command with the --git-repo-secret option.