1.2.2.3 GitLab auth

A Concourse server can authenticate against GitLab to leverage their permission model.

Authentication

First you need to create an OAuth application on GitLab.

The "Authorization callback URL" must be the URL of your Concourse server with /sky/issuer/callback appended. This address must be reachable by GitLab - it can't be localhost.

For example, Concourse's own CI server's callback URL would be:

https://ci.concourse-ci.org/sky/issuer/callback

You will be given a Client ID and a Client Secret for your new application. The client ID and secret must then be configured on the web node by setting the following env:

CONCOURSE_GITLAB_CLIENT_ID=myclientid
CONCOURSE_GITLAB_CLIENT_SECRET=myclientsecret

If you're configuring a self hosted GitLab instance, you'll also need to set the following flag:

CONCOURSE_GITLAB_HOST=https://gitlab.example.com

The GitLab host must contain a scheme and not a trailing slash.

Authorization

Users and groups can be authorized for a team by passing the following flags to fly set-team:

--gitlab-user=USERNAME

Authorize an individual user.

--gitlab-group=GROUP_NAME

Authorize an entire groups's members.

For example:

$ fly set-team -n my-team \
    --gitlab-user my-gitlab-user \
    --gitlab-team my-team

...or via --config for setting user roles:

roles:
- name: member
  gitlab:
    users: ["my-gitlab-login"]
    orgs: ["my-org"]
    teams: ["my-other-org:my-team"]

Configuring main Team Authorization

GitLab users and groups can be added to the main team authorization config by setting the following env on the web node:

CONCOURSE_MAIN_TEAM_GITLAB_GROUP=group-name
CONCOURSE_MAIN_TEAM_GITLAB_USER=some-user

Multiple groups and users may be specified by comma-separating them.