Code Stream lets you trigger a pipeline when a code review occurs in your Gerrit project. The trigger for Gerrit definition includes the Gerrit project and the pipelines that must run for different event types.
The trigger for Gerrit uses a Gerrit listener on the Gerrit server that you will monitor. To define a Gerrit endpoint in Code Stream, you select a project and enter the URL for the Gerrit server. Then you specify the endpoint when you create a Gerrit listener on that server.
If you are using a Gerrit server as a Code Stream endpoint in a vRealize Automation instance that has FIPS enabled, you must verify that your Gerrit configuration file enables only message authentication code (MAC) algorithms that FIPS mode supports. If the Gerrit server configuration file enables an unsupported MAC algorithm, the server cannot start up correctly, and displays this message: PrivateKey/PassPhrase is incorrect
The following procedure shows how to define a Gerrit endpoint that you can use in your Gerrit listener definition. In the event that you need to edit an endpoint, an optional step at the end of the procedure explains how and when to perform the update.
Prerequisites
- Verify that you can access the Gerrit server to which you plan to connect.
- Verify that you are a member of a project in Code Stream. If you are not a member, ask a Code Stream administrator to add you as a member of a project. See How do I add a project in Code Stream.
Procedure
- Define a Gerrit endpoint.
- Click Endpoints, and click New Endpoint.
- Select a project, and for the type of endpoint, select Gerrit. Then, enter a name and a description.
- If this endpoint is a business-critical component in your infrastructure, enable Mark as restricted.
- Enter the URL for the Gerrit server.
Include the port number in the URL if the Gerrit server does not use the default port. If you leave the port out, the default port is used.
- Enter a username and password for the Gerrit server.
If the password must be encrypted, click Create Variable and select the type:
- Secret. The password resolves when a user who has any role runs the pipeline.
- Restricted. The password resolves when a user who has the Admin role runs the pipeline.
For the value, enter the password that must be kept secret, in this case the password for the Gerrit server account.
- For the private key, enter the SSH private key used to access the Gerrit server securely. This is the RSA private key that resides in the .ssh directory of the account that connects to Gerrit.
- (Optional) If a passphrase is associated with the private key, enter the passphrase.
To encrypt the passphrase, click Create Variable and select the type:
- Secret. The passphrase resolves when a user who has any role runs the pipeline.
- Restricted. The passphrase resolves when a user who has the Admin role runs the pipeline.
For the value, enter the passphrase that must be kept secret, in this case the passphrase that protects the SSH private key.
- Click Validate, and verify that the Gerrit endpoint in Code Stream connects to the Gerrit server. If it does not connect, correct any errors, then click Validate again.
- Click Create.
- Verify that the vRealize Automation environment has FIPS enabled, or have your Jenkins job create the environment with FIPS enabled by using the Jenkins URL.
- To run the command from the command line, connect to your vRealize Automation 8.x appliance over SSH on port 22, and log in as the root user. Connect by the appliance's fully qualified domain name, such as cava-1-234-567.yourcompanyFQDN.com. The https URL for the same host on port 443 or 5480 is a web interface, not an SSH endpoint.
- To check for FIPS on vRealize Automation, run the command vracli security fips, and verify that the command returns FIPS mode: strict.
- If your Gerrit server is an endpoint in a vRealize Automation instance that has FIPS enabled, ensure that the Gerrit server configuration file enables only message authentication code (MAC) algorithms that FIPS mode supports.
- Open Gerrit and create an SSH key pair.
- Locate the Gerrit server configuration file at '$site_path'/etc/gerrit.config.
- Verify that the sshd.mac entries in the Gerrit server configuration file enable one or more MAC algorithms, and that hmac-md5 is not among them.
Note: In FIPS mode, hmac-md5 is not a supported MAC algorithm. To ensure that the Gerrit server starts up correctly, the Gerrit server configuration file must exclude this algorithm. If the Gerrit server does not start up correctly, it displays this message: PrivateKey/PassPhrase is incorrect
Each sshd.mac entry names one MAC algorithm. A name that begins with a plus sign (+) is added to the default list, and a name that begins with a hyphen (-) is removed from the default list. By default, these supported MACs are available in Code Stream for the Gerrit server:
hmac-md5-96
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
- (Optional) Before updating a Gerrit endpoint to change a URL or private key for example, check to see if the endpoint is connected to a Gerrit listener.
- If the endpoint is not connected to a Gerrit listener, perform the following steps to update the endpoint:
- Click Endpoints, and click Open on the endpoint that you want to update.
- Update the endpoint definition.
- Click Validate to verify that the Gerrit endpoint in Code Stream connects to the Gerrit server.
- Click Save.
- If the endpoint is connected to a Gerrit listener, perform the following steps to update the endpoint:
- Disconnect any attached Gerrit listeners. See How do I use the Gerrit trigger in Code Stream to run a pipeline.
- Perform the steps to configure the new endpoint.
- Validate and save the updated endpoint definition.
- Connect the Gerrit listeners again.
Note: If the Gerrit listeners do not disconnect, this might be because current Gerrit endpoint values have changed so that the listeners can no longer communicate with the Gerrit server. If this problem occurs, first make changes in the endpoint definition so that the listeners can communicate with the Gerrit server. Then disconnect the Gerrit listeners and reconnect them.
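The following script is an added example for the FIPS step above; it is not part of the Code Stream documentation or of Gerrit. It reads the sshd.mac entries of a gerrit.config file, applies the plus and hyphen rules to the default MAC list given on this page, and reports whether an MD5-based MAC would still be offered to Code Stream. The default list, the sample configuration files and the site_path variable are assumptions made for the demonstration: the sample files are constructed here and are not real site files, and your Gerrit version may document a different default list. The check rejects hmac-md5-96 as well as hmac-md5, because both are built on MD5, which FIPS mode does not approve; the note on this page names only hmac-md5.

```shell
#!/bin/sh
# Added example, not from the Code Stream documentation or from Gerrit.
# Computes the MAC algorithms a Gerrit sshd offers after applying the +/-
# rules of sshd.mac in $site_path/etc/gerrit.config, and flags any MD5-based
# MAC that a FIPS-enabled vRealize Automation instance cannot use.

# Default list as given on this page for Code Stream (assumption: check the
# sshd.mac documentation of your Gerrit version for its own default).
DEFAULT_MACS="hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512"

# Print every sshd.mac value of a gerrit.config file, one per line,
# ignoring keys in other sections and trailing comments.
sshd_mac_values() {
  awk '
    /^[[:space:]]*\[/ { insshd = ($0 ~ /^[[:space:]]*\[sshd\]/); next }
    insshd && /^[[:space:]]*mac[[:space:]]*=/ {
      sub(/^[[:space:]]*mac[[:space:]]*=[[:space:]]*/, "")
      sub(/[[:space:]]*(#.*)?$/, "")
      print
    }' "$1"
}

# Remove one word from a space-separated list.
remove_word() {
  out=""
  for w in $1; do
    [ "$w" = "$2" ] || out="$out $w"
  done
  printf '%s' "${out# }"
}

# Effective MAC list: +name appends to the defaults, -name removes from them,
# and any bare name replaces the default list entirely.
effective_macs() {
  list="$DEFAULT_MACS"
  explicit=""
  for v in $(sshd_mac_values "$1"); do
    case "$v" in
      +*) list="$list ${v#+}" ;;
      -*) list=$(remove_word "$list" "${v#-}") ;;
      *)  explicit="${explicit:+$explicit }$v" ;;
    esac
  done
  if [ -n "$explicit" ]; then
    printf '%s\n' "$explicit"
  else
    printf '%s\n' "$list"
  fi
}

# Return 0 when no MD5-based MAC is offered, 1 otherwise. Rejects hmac-md5-96
# as well as hmac-md5: both use MD5, which FIPS mode does not approve.
fips_macs_ok() {
  for m in $(effective_macs "$1"); do
    case "$m" in
      hmac-md5*) printf 'MD5-based MAC enabled: %s\n' "$m" >&2; return 1 ;;
    esac
  done
  return 0
}

# Constructed sample configs for the demonstration (not real site files).
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/weak.config" <<'EOF'
[gerrit]
  basePath = git
[sshd]
  listenAddress = *:29418
  mac = +hmac-md5      # re-enables the algorithm FIPS mode rejects
EOF
  cat > "$dir/fips.config" <<'EOF'
[sshd]
  listenAddress = *:29418
  mac = -hmac-md5
  mac = -hmac-md5-96
EOF
  cat > "$dir/explicit.config" <<'EOF'
[sshd]
  mac = hmac-sha2-256
  mac = hmac-sha2-512
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: report each sample, then the real file if site_path is set.
samples=$(write_samples)
for f in "$samples"/*.config; do
  printf '%s: %s\n' "$(basename "$f")" "$(effective_macs "$f")"
  fips_macs_ok "$f" && echo "  FIPS-compatible MAC set"
done
if [ -n "${site_path:-}" ]; then
  fips_macs_ok "$site_path/etc/gerrit.config" || echo "fix sshd.mac in $site_path/etc/gerrit.config" >&2
fi
```

Run it on the Gerrit server with site_path pointing at the site directory before restarting Gerrit or clicking Validate in Code Stream; an empty explicit list of hmac-sha2 names, as in the third sample, is the simplest configuration that keeps the server out of MD5 entirely.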