1.3.2.3 GitLab auth
A Concourse server can authenticate against GitLab to leverage their permission model.
Authentication
First you need to create an OAuth application on GitLab with the following scopes:
read_user
openid
The "Authorization callback URL" must be the URL of your Concourse server with /sky/issuer/callback appended. This address must be reachable by GitLab - it can't be localhost.
For example, Concourse's own CI server's callback URL would be:
https://ci.concourse-ci.org/sky/issuer/callback
You will be given a Client ID and a Client Secret for your new application. The client ID and secret must then be configured on the web node by setting the following env:
CONCOURSE_GITLAB_CLIENT_ID=myclientid
CONCOURSE_GITLAB_CLIENT_SECRET=myclientsecret
If you're configuring a self-hosted GitLab instance, you'll also need to set the following flag:
CONCOURSE_GITLAB_HOST=https://gitlab.example.com
The GitLab host must contain a scheme and not a trailing slash.
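As an added example (not part of the Concourse documentation or the project's own code), the following POSIX shell pre-flight script checks the settings above before the web node is restarted: it derives the callback URL to register in the GitLab OAuth application, rejects a callback that points at localhost, and enforces the scheme and no-trailing-slash rule for CONCOURSE_GITLAB_HOST. It assumes the web node's external address is held in CONCOURSE_EXTERNAL_URL (the Concourse web flag for that purpose, which this section does not show) and uses the env names listed above.

```shell
#!/bin/sh
# Added example, not from the Concourse docs. Pre-flight checks for the GitLab
# auth settings on the web node. Assumes the external URL is in
# CONCOURSE_EXTERNAL_URL and that the GitLab settings use the env names shown
# in this section.

# Print the callback URL that must be registered with GitLab for a given
# Concourse external URL (a single trailing slash on the input is tolerated).
gitlab_callback_url() {
    ext="${1%/}"
    printf '%s/sky/issuer/callback\n' "$ext"
}

# Return 0 if the callback URL is one GitLab can plausibly reach, i.e. it is
# not a loopback address; GitLab has to call this URL, not the operator's browser.
callback_is_reachable() {
    case "$1" in
        http://localhost*|https://localhost*|http://127.*|https://127.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if a self-hosted GitLab host value is well formed: it carries a
# scheme and has no trailing slash.
gitlab_host_is_valid() {
    case "$1" in
        */) return 1 ;;               # trailing slash is rejected
        http://*|https://*) return 0 ;;
        *) return 1 ;;                # missing scheme
    esac
}

# Run every check against the current environment. Problems go to stderr;
# the return code is non-zero if any check failed.
check_gitlab_auth_env() {
    rc=0
    if [ -z "${CONCOURSE_GITLAB_CLIENT_ID:-}" ] || [ -z "${CONCOURSE_GITLAB_CLIENT_SECRET:-}" ]; then
        echo "missing CONCOURSE_GITLAB_CLIENT_ID or CONCOURSE_GITLAB_CLIENT_SECRET" >&2
        rc=1
    fi
    if [ -n "${CONCOURSE_GITLAB_HOST:-}" ] && ! gitlab_host_is_valid "$CONCOURSE_GITLAB_HOST"; then
        echo "CONCOURSE_GITLAB_HOST needs a scheme and no trailing slash: $CONCOURSE_GITLAB_HOST" >&2
        rc=1
    fi
    # Concourse defaults the external URL to localhost, which GitLab cannot reach.
    cb=$(gitlab_callback_url "${CONCOURSE_EXTERNAL_URL:-http://localhost:8080}")
    if ! callback_is_reachable "$cb"; then
        echo "callback URL $cb is not reachable from GitLab; set CONCOURSE_EXTERNAL_URL to a public address" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "register this callback URL in the GitLab OAuth application: $cb"
    return "$rc"
}
```

Source the file on the web node and run check_gitlab_auth_env; on success it prints the exact callback URL to paste into the GitLab application, which avoids the common mismatch between the URL GitLab was given and the one the issuer actually serves.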
Authorization
Users and groups can be authorized for a team by passing the following flags to fly set-team:
--gitlab-user=USERNAME
Authorize an individual user.
--gitlab-group=GROUP_NAME
Authorize an entire group's members.
For example:
$ fly set-team -n my-team \
--gitlab-user my-gitlab-user \
--gitlab-group my-group
...or via --config for setting user roles:
roles:
- name: member
  gitlab:
    users: ["my-gitlab-login"]
    groups: ["my-gitlab-group"]
Configuring main Team Authorization
GitLab users and groups can be added to the main team authorization config by setting the following env on the web node:
CONCOURSE_MAIN_TEAM_GITLAB_GROUP=group-name
CONCOURSE_MAIN_TEAM_GITLAB_USER=some-user
Multiple groups and users may be specified by comma-separating them.