Configure GitLab Repository
This guide connects a GitLab repository to PAC: prepare the credentials, create the Repository resource, let the controller register the webhook, and trigger a PipelineRun.
GitLab uses Webhook mode. A GitLab access token and a project webhook are required. When automatic webhook registration is enabled, the webhook registration controller creates or updates the project webhook for you.
This page uses manifests and the GitLab Web UI. For the CLI workflow, see tkn pac Command Reference.
TOC
PrerequisitesStep 1: Create a GitLab Access TokenStep 2: Create the Kubernetes SecretStep 3: Create theRepository resourceStep 4: Verify automatic webhook registrationManual fallbackStep 5: Add a PipelineRun and trigger itVerificationTroubleshootingNext stepsPrerequisites
- PAC component deployed and exposed to GitLab; see Manage PAC Component.
- The PAC webhook URL is recorded in
pipelines-as-code-info.data.controller-url. See Get the PAC Webhook URL for setup and verification. - Maintainer access to the GitLab project, or a token with permission to manage project webhooks.
- A target Kubernetes namespace where the
Repositoryresource and itsPipelineRuns will live. kubectlaccess to that namespace.
Step 1: Create a GitLab Access Token
PAC needs a token to read project metadata, post merge request comments, and update commit status. A Personal Access Token or a Project Access Token both work.
- In GitLab, open the project or your user Settings → Access Tokens.
- Create a token with:
- Name: a descriptive name, for example
pac-integration. - Scopes:
api.
- Name: a descriptive name, for example
- Copy the token. GitLab shows it only once.
This Repository-local token is used by PAC during normal pipeline processing. It does not need Maintainer/Owner access solely for webhook registration when a centralized webhook registration credential is configured.
For automatic webhook registration, configure a matching centralized credential with the api scope. The token identity must be an instance administrator or have Maintainer/Owner access to the target project. See Centralized webhook registration token.
Step 2: Create the Kubernetes Secret
Create one Secret carrying the GitLab token and a webhook secret. Follow Create a Git Secret for PAC.
In the rest of this guide the Secret is named gitlab-webhook-config.
Step 3: Create the Repository resource
The Repository references the Secret. For GitLab.com:
For self-hosted GitLab, set spec.url to the project URL and add git_provider.url with the GitLab instance base URL:
For self-hosted GitLab, git_provider.url must be the GitLab instance base URL, not the project URL.
Apply it:
Verify:
Example output:
Step 4: Verify automatic webhook registration
After the Repository is created, the webhook registration controller watches it and registers a GitLab project webhook. Check the Repository annotations and events:
Expected status is Registered. The controller creates or updates a GitLab webhook with:
- URL: the public PAC webhook URL
- Secret token: the
webhook.secretvalue referenced byspec.git_provider.webhook_secret - Events: push, tag push, comments, and merge requests
- SSL verification: enabled by default
The controller records the GitLab hook ID in pac.tekton.alauda.io/webhook-managed-ref. If the PAC webhook URL changes later, the controller updates the recorded hook by ID instead of creating a duplicate hook for the same project.
The controller uses the token from spec.git_provider.secret first. Keep that Repository-local token scoped for normal PAC access. If it is missing or lacks webhook management permission, the controller can use one matching labeled credential Secret in the webhook registration controller namespace. The centralized GitLab credential needs the api scope, and the token identity must be an instance administrator or have Maintainer/Owner access to the target project. See Create a Git Secret for PAC.
To exclude one Repository from automatic webhook registration, add this label to the Repository metadata:
Manual fallback
If automatic registration is disabled or cannot be used, register the webhook manually:
- Open the GitLab project, then Settings → Webhooks.
- Click Add new webhook.
- Fill in the form:
- URL: the PAC webhook URL from the prerequisites.
- Secret token: the same
webhook.secretvalue stored in the Kubernetes Secret. - SSL verification: enabled (recommended; uncheck only for non-production setups with self-signed certificates).
- Under Trigger, check:
- Push events (with All branches unless you want to restrict)
- Tag push events
- Comments
- Merge request events
- Click Add webhook.
GitLab offers a Test → Push events action under the webhook entry. A 200 response confirms the controller received and accepted the event.
Step 5: Add a PipelineRun and trigger it
Add a PipelineRun manifest under .tekton/ in the repository and push it. PAC reads the file from the branch the event was raised on, matches the annotations against the event, and creates a PipelineRun in the namespace.
See Define PipelineRuns in Git for the file layout and annotation grammar, and Trigger PAC Pipelines for automatic and comment-based triggers.
Verification
After a Git event arrives, PAC creates a PipelineRun in the Repository's namespace. Confirm:
The PAC controller logs show the event being processed:
GitLab displays the commit status set by PAC on the relevant pipeline / merge request page.
Troubleshooting
For the full troubleshooting matrix, see Common Issues.
Next steps
- Define PipelineRuns in Git — define and evolve pipelines under
.tekton/. - Trigger PAC Pipelines — automatic events and comment commands.
- Advanced Repository Configuration — concurrency, parameters, custom settings.
- Configure Custom Certificates — for self-hosted GitLab with a private CA.