Criar repositórios do GitLab Enterprise Edition em uma rede privada
Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
O Cloud Build permite criar gatilhos para criar repositórios
hospedados no GitLab Enterprise Edition,
permitindo executar builds em resposta a eventos como pushes de commit ou
solicitações de mesclagem associadas ao repositório do GitLab Enterprise Edition.
Nesta página, explicamos como ativar a funcionalidade de gatilho em uma instância do GitLab
Enterprise Edition se ela estiver hospedada em uma rede particular.
Antes de começar
Enable the Cloud Build, Secret Manager, Compute Engine, and Service Networking APIs.
Criar repositórios do GitLab Enterprise Edition em uma rede particular
Se a instância do GitLab Enterprise Edition só estiver acessível em uma rede VPC, configure um serviço do Diretório de serviços e crie usando pools particulares. O projeto que contém sua rede VPC pode estar em um projeto diferente daquele que contém seu serviço do Diretório de serviços.
Use as instruções a seguir para garantir que a instância esteja acessível antes de
criar gatilhos:
Confirme se você tem o papel Administrador do IAM do projeto concedido ao projetoGoogle Cloud em que pretende criar o serviço do Diretório de serviços. Para saber como conceder
papéis do IAM, consulte
Configurar o acesso aos recursos do Cloud Build.
Configure um serviço do Diretório de serviços concluindo as seguintes etapas:
Ao configurar um endpoint, é obrigatório usar um endereço IP interno e especificar um número de porta HTTPS para que o Cloud Build alcance seu serviço.
Se você incluir um certificado autoassinados ou particular ao conectar seu
host do GitLab Enterprise Edition ao Cloud Build, defina o
URI do host como o nome alternativo do assunto (SAN) do seu certificado.
Agora, o gatilho do GitLab Enterprise Edition invocará automaticamente os builds na
instância do GitLab Enterprise Edition baseada na sua configuração.
Usar o Diretório de serviços para alcançar hosts fora do Google Cloud
O Diretório de serviços usa o intervalo de endereços IP 35.199.192.0/19 para
conectar seu host fora de Google Cloud. Adicione esse intervalo a uma lista de permissões no firewall. Além disso, sua rede particular precisa ser
configurada para rotear esse intervalo pela conexão do Cloud VPN ou do Cloud Interconnect.
Se a conexão usar um Cloud Router, configure-a para
comunicar
o intervalo à rede particular.
Usar o Cloud Load Balancing para alcançar hosts fora de Google Cloud
Se a configuração da rede não permitir rotear o intervalo de endereços IP do Service Directory 35.199.192.0/19 para o Cloud VPN ou o Cloud Interconnect, crie um balanceador de carga usando o Cloud Load Balancing, que direciona o tráfego para seu host.
Ao criar seu balanceador de carga TCP, considere o seguinte:
Apenas um grupo de endpoints de rede (NEG) de conectividade híbrida é necessário para acessar
seu host.
O balanceador de carga TCP não exige a chave privada não criptografada para seu certificado SSL.
A configuração do Cloud VPN precisa usar o Cloud Router com roteamento dinâmico global. Se o Cloud VPN usar roteamento estático, use um proxy que use o Cloud Service Mesh. Para saber mais, consulte Configurar serviços de borda de rede para implantações híbridas.
Os dados enviados ao GitLab Enterprise Edition pelo Cloud Build ajudam a
identificar gatilhos por nome e ver os resultados da versão nos repositórios do GitLab Enterprise
Edition.
Os seguintes dados são compartilhados entre o Cloud Build e o GitLab
Enterprise Edition:
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-09-01 UTC."],[[["\u003cp\u003eCloud Build can trigger builds from GitLab Enterprise Edition repositories, even when the instance is within a private network, by responding to events like commit pushes or merge requests.\u003c/p\u003e\n"],["\u003cp\u003eTo enable builds from a private GitLab Enterprise Edition instance, you must set up a Service Directory service, ensure the instance is reachable, and use private pools for builds.\u003c/p\u003e\n"],["\u003cp\u003eService Directory requires specific configurations like a namespace, a service, and an endpoint with an internal IP and HTTPS port, all of which must be created within the same region as the Cloud Build host connection.\u003c/p\u003e\n"],["\u003cp\u003eAccess for the Cloud Build service agent to both the Service Directory and the VPC network must be granted using specific IAM role assignments.\u003c/p\u003e\n"],["\u003cp\u003eTo reach hosts outside of Google Cloud, Service Directory uses a specific IP range that must be allowlisted in the firewall, and an alternative to this is to use Cloud Load Balancing and its IP address in place of the host's.\u003c/p\u003e\n"]]],[],null,["# Build repositories from GitLab Enterprise Edition in a private network\n\nCloud Build enables you to create triggers to build from repositories\nhosted on [GitLab Enterprise Edition](https://about.gitlab.com/enterprise/),\nallowing you to execute builds in response to events such as commit pushes or\nmerge requests associated with your GitLab Enterprise Edition repository.\n\nThis page explains how you can enable trigger functionality on a GitLab\nEnterprise Edition instance if your instance is hosted in a private network.\n\nBefore you begin\n----------------\n\n-\n\n\n Enable the Cloud Build, Secret Manager, Compute Engine, and Service Networking APIs.\n\n\n [Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com,secretmanager.googleapis.com,compute.googleapis.com,servicenetworking.googleapis.com&redirect=https://cloud.google.com/build/docs/automating-builds/gitlab/build-repos-from-gitlab-enterprise-edition-private-network)\n\n\u003c!-- --\u003e\n\n- Follow the instructions to [connect a GitLab Enterprise Edition host](/build/docs/automating-builds/gitlab/connect-host-gitlab-enterprise-edition).\n- Follow the instructions to [connect a GitLab Enterprise Edition repository](/build/docs/automating-builds/gitlab/connect-repo-gitlab-enterprise-edition).\n\nBuild repositories from GitLab Enterprise Edition in a private network\n----------------------------------------------------------------------\n\nIf your GitLab Enterprise Edition instance is only accessible within a\nVPC network, you need to set up a\nService Directory service and build using private pools. The\nproject containing your VPC network can exist in a different\nproject than the one containing your Service Directory service.\nUse the following instructions to ensure your instance is reachable prior to\ncreating triggers:\n\n1. Enable the\n [Service Directory API](https://console.cloud.google.com/apis/library/servicedirectory.googleapis.com).\n\n2. Ensure you have the **Project IAM Admin** role granted to the\n Google Cloud project you intend to create your\n Service Directory service in. To learn how to grant\n IAM roles, see\n [Configuring access to Cloud Build resources](/build/docs/securing-builds/configure-access-to-resources).\n\n3. Set up a Service Directory service by completing the following steps:\n\n 1. [Configure a namespace](/../service-directory/docs/configuring-service-directory#configure_a_namespace)\n for your Google Cloud project.\n\n The region you specify in your namespace **must** match the region you\n specify in your Cloud Build host connection.\n 2. [Configure a service](/../service-directory/docs/configuring-service-directory#configure_a_service)\n in your namespace.\n\n 3. [Configure an endpoint](/../service-directory/docs/configuring-service-directory#configure_an_endpoint)\n for your registered service.\n\n When configuring an endpoint, you **must** use an internal IP address and\n specify an HTTPS port number in order for Cloud Build to reach your\n service.\n\n To learn more about private network access configuration, see\n [Configure private network access](/../service-directory/docs/configuring-private-network-access).\n Service Directory also provides integration with services\n such as load balancers and Google Kubernetes Engine (GKE).\n To learn more, see\n [Service Directory and load balancing overview](/../service-directory/docs/sd-lb-overview)\n or [Service Directory for GKE overview](/../service-directory/docs/sd-gke-overview).\n4. Grant Service Directory access to the Cloud Build service agent:\n\n export PROJECT_NUMBER=$(gcloud projects describe \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e --format=\"value(projectNumber)\")\n export CLOUD_BUILD_SERVICE_AGENT=\"service-$PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com\"\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID_CONTAINING_SERVICE_DIRECTORY\u003c/var\u003e \\\n --member=\"serviceAccount:$CLOUD_BUILD_SERVICE_AGENT\" \\\n --role=\"roles/servicedirectory.viewer\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e is your Cloud Build project ID.\n - \u003cvar translate=\"no\"\u003ePROJECT_ID_CONTAINING_SERVICE_DIRECTORY\u003c/var\u003e is the ID of your Google Cloud project that contains your Service Directory.\n5. Grant VPC network resource access to the Cloud Build service agent:\n\n export PROJECT_NUMBER=$(gcloud projects describe \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e --format=\"value(projectNumber)\")\n export CLOUD_BUILD_SERVICE_AGENT=\"service-$PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com\"\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID_CONTAINING_NETWORK_RESOURCE\u003c/var\u003e \\\n --member=\"serviceAccount:$CLOUD_BUILD_SERVICE_AGENT\" \\\n --role=\"roles/servicedirectory.pscAuthorizedService\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e is your Cloud Build project ID.\n - \u003cvar translate=\"no\"\u003ePROJECT_ID_CONTAINING_NETWORK_RESOURCE\u003c/var\u003e is the ID of your Google Cloud project that contains your network resource.\n6. Use [private pools](/build/docs/private-pools/private-pools-overview) to run\n your builds. If you have not created a private pool, see [create a new\n private pool](/build/docs/private-pools/create-manage-private-pools).\n\n7. Follow the instructions to\n [create a GitLab Enterprise Edition trigger](/build/docs/automating-builds/gitlab/build-repos-from-gitlab-enterprise-edition)\n to build repositories hosted on a GitLab Enterprise Edition instance.\n\n If you include a self-signed or private certificate when connecting your\n GitLab Enterprise Edition host to Cloud Build, you **must** set the\n host URI as the Subject Alternative Name (SAN) of your certificate.\n\nYour GitLab Enterprise Edition trigger will now automatically invoke builds on\nyour GitLab Enterprise Edition instance based on your configuration.\n\nUse Service Directory to reach hosts outside Google Cloud\n---------------------------------------------------------\n\nService Directory uses the IP address range `35.199.192.0/19` to\nconnect your host outside of Google Cloud. You must add this range to\nan allowlist in your firewall. Additionally, your private network needs to be\nconfigured to route this range through the Cloud VPN or Cloud Interconnect\nconnection.\n\nIf your connection uses a Cloud Router, you can configure your connection to\n[communicate](/../network-connectivity/docs/router/how-to/advertising-custom-ip)\nthe range to your private network.\n\nTo learn more, see [Configure private network access](/../service-directory/docs/configuring-private-network-access).\n\n### Use Cloud Load Balancing to reach hosts outside Google Cloud\n\nIf your network configuration does not allow you to route the\nService Directory IP address range `35.199.192.0/19` to the\nCloud VPN or Cloud Interconnect, you can\n[create a load balancer](/../load-balancing/docs/l7-internal) using\nCloud Load Balancing that directs traffic to your host.\n\nWhen you create the Service Directory endpoint, make sure to use\nthe IP address of the forwarding rule of the load balancer instead of the IP\naddress of your host. You can use an\n[internal HTTPS load balancer](/../load-balancing/docs/l7-internal/setting-up-int-https-hybrid)\nor an\n[internal transmission control protocol (TCP) load balancer](/../load-balancing/docs/tcp/set-up-int-tcp-proxy-hybrid)\nwhen creating your endpoint.\n\nWhen creating your TCP load balancer, consider the following:\n\n- Only a hybrid connectivity network endpoint group (NEG) is required to reach your host.\n- The TCP load balancer does not require the unencrypted private key for your SSL certificate.\n- Your Cloud VPN setup needs to use Cloud Router with global dynamic routing. If your Cloud VPN uses static routing, you can use a proxy that uses Cloud Service Mesh instead. To learn more, see [Set up network\n edge services for hybrid\n deployments](/../traffic-director/tutorials/network-edge-services-multi-environment).\n\nTo learn more about creating an HTTPS load balancer, see\n[Set up an internal Application Load Balancer with hybrid connectivity](/../load-balancing/docs/l7-internal/setting-up-int-https-hybrid).\nTo learn more about creating a TCP load balancer, see\n[Set up a regional internal proxy Network Load Balancer with hybrid connectivity](/../load-balancing/docs/tcp/set-up-int-tcp-proxy-hybrid).\n\nData sharing\n------------\n\nThe data sent to GitLab Enterprise Edition from Cloud Build helps you\nidentify triggers by name and see build results on your GitLab Enterprise\nEdition repositories.\n\nThe following data is shared between Cloud Build and GitLab\nEnterprise Edition:\n\n- Google Cloud project ID\n- Trigger name\n\nWhat's next\n-----------\n\n- Learn how to [manage build triggers](/build/docs/automating-builds/create-manage-triggers).\n- Learn how to [perform blue/green deployments on Compute Engine](/build/docs/deploying-builds/deploy-compute-engine)."]]