maksim.khardin•2mo ago

Integrating zitadel into a gitlab ci pipeline, problem with admin login for setup

Hi, I'm trying to integrate zitadel into a gitlab ci pipeline to be used in tests, and I'm hitting a problem of "admin login for the initial setup". For local development everything is fine, since I can do PAT/Machinekey generation and access it with mounted volumes. But for gitlab that strategy doesn't work - I cannot access the fs of the service. I thought that I could use the username/password of the firstinstance user, but Zitadel does not support Resource Owner Password Credentials. Are there any other options that I'm missing?
7 Replies
Matías•4d ago
Hi @maksim.khardin 👋 thanks for reaching out. My name is Matias, and I will be happy to help with this question. Just for context: By using the FirstInstance section, you can overwrite the DefaultInstance configuration for the first instance created by zitadel setup. You can configure ZITADEL to create service users during initial setup using environment variables. All supported environment variables are listed in the runtime configuration file and the database initialization file. Now, straight to your question. When creating a FirstInstance machine user, ZITADEL provides specific configuration paths to output the generated credentials, is that what you say you can't access? If that is so, the recommended approach is to let ZITADEL write credentials into a Kubernetes Secret, then read that secret from your GitLab job with kubectl. Check the Kubernetes (Helm) section below Passing the configuration. I hope that helps!
ZITADEL Docs
This guide assumes you are familiar with running ZITADEL using the least amount of configuration possible.
maksim.khardinOP•4d ago
Now, straight to your question. When creating a FirstInstance machine user, ZITADEL provides specific configuration paths to output the generated credentials, is that what you say you can't access?
Hey @Matias, yes, that's exactly the issue that I have - gitlab CI does not provide any access to the services (no fs, no docker-specific exposed handles). AFAIK, you just present it with a docker image, some variables and after that it's a blackbox with only a public interface. FirstInstance actually looks like exactly what I need, no idea how I missed that, thank you very much
Matías•4d ago
Great, I'm glad that helped. Please let me know if the above solves your issue once you have the chance to test it 🙏 and if so, could you please react to my answer with a ✅ ? Thanks!
maksim.khardinOP•4d ago
So I remembered why I couldn't use the username/password strategy - Zitadel does not support Resource Owner Password Credentials flow due to security concerns, and to create a new session using username/password I need to have an existing valid token for using the create sessions api. Is there maybe any other way to create a session token using username/password without having an existing good one?
ZITADEL Docs
Create a new session. A token will be returned, which is required for further updates of the session.
Larzous•4d ago
gitlab CI does not provide any access to the services (no fs, no docker-specific exposed handles),
Gitlab doesn't allow you to interact directly with the cli?
maksim.khardinOP•8h ago
@Larzous I'm talking specifically about services, so as far as I can see - there's no way for me to gain any access into service containers
Larzous•8h ago
services: usually just launches whatever docker image you're calling. -- and no, I don't think you can "enter" them.
