Publication date: 2023-05-09
Both requirements appear simple to solve (and actually they are...). Nevertheless, my first attempts to do so failed.
Create a read-only access token in GitLab and select the scope "read_repository". As the role, you need to specify "Reporter". The role "Guest" is not sufficient here, even if the scope is set correctly!
Now the repository can be cloned with this URL: https://token:GITLAB_TOKEN_HERE@gitlab.lrz.de/myrepo.git
The "token" part before the colon can be set arbitrarily. I recommend using the GitLab token name to self-document the URL.
This token can then be used in a SaltStack state to clone the repo. One could use the URL above as the value of the "name" attribute. However, in that case the token would appear in the Salt state output and logs. It is therefore better to provide the token as the value of the "https_pass" attribute, as shown below.
git_myrepo:
  git.latest:
    - name: https://gitlab.lrz.de/myrepo.git
    - https_pass: {{ salt['pillar.get']('gitlab:myrepo') }}
    - target: /home/myrepo
    - branch: main
Unfortunately, any forum posts I found were not really helpful.
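A small check for the leak described above, as an added example that is not part of the original post: it scans SLS files or captured Salt output for URLs that carry an embedded password and redacts them. The function names, the sample state and the sample token are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate URLs: everything from the scheme up to whitespace or a quote.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def _strip_password(url):
    """Return (url_with_password_redacted, had_password) for one URL."""
    parts = urlsplit(url)
    if not parts.password:
        return url, False
    # Keep the user name and host:port exactly as written, drop the secret.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    netloc = f"{user}:REDACTED@{hostport}"
    return urlunsplit(parts._replace(netloc=netloc)), True

def scan(text):
    """List (line_number, redacted_url) for every URL carrying a password."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            redacted, hit = _strip_password(match.group())
            if hit:
                findings.append((number, redacted))
    return findings

def redact(text):
    """Replace passwords embedded in URLs so the text is safe to log."""
    return URL_RE.sub(lambda m: _strip_password(m.group())[0], text)

# Constructed sample: the first state embeds the token in "name",
# the second keeps the URL clean as recommended in the post.
SAMPLE_SLS = """\
git_myrepo_weak:
  git.latest:
    - name: https://token:EXAMPLE_TOKEN_NOT_REAL@gitlab.lrz.de/myrepo.git
    - target: /home/myrepo
git_myrepo:
  git.latest:
    - name: https://gitlab.lrz.de/myrepo.git
    - target: /home/myrepo
"""

if __name__ == "__main__":
    for number, url in scan(SAMPLE_SLS):
        print(f"line {number}: credential in URL: {url}")
```

Run `scan` over the state tree before committing it, and `redact` over any Salt output that is forwarded to a shared log.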