# Keycloak

## Prerequisites

The integration assumes that Keycloak is deployed with a realm other than master (e.g. baby-yoda) and a client named `gitlab` within that realm. The client secret is used in the GitLab Keycloak configuration.

This documentation is geared towards configuring GitLab to work with P1 SSO (login.dso.mil). To learn about deploying GitLab with a dev version of Keycloak, see keycloak-dev.md.

If the client `gitlab` does not exist in Keycloak, create it with the following settings:

1. Create a `gitlab` OIDC client scope. The scope name is case sensitive and must match the OIDC settings that GitLab was deployed with; the Big Bang GitLab settings expect the scope name `Gitlab` with a capital G. Use the following mappings:
   | Name     | Mapper Type    | Mapper Selection Sub | Token Claim Name   | Claim JSON Type |
   |----------|----------------|----------------------|--------------------|-----------------|
   | email    | User Property  | email                | email              | String          |
   | profile  | User Attribute | profile              | N/A                | String          |
   | username | User Property  | username             | preferred_username | String          |

2. Create a `gitlab` client.
3. Change the following configuration items:
   - Access Type: confidential (this enables the "Credentials" tab)
   - Direct Access Grants Enabled: Off
   - Valid Redirect URIs: `https://code.${DOMAIN}/users/auth/openid_connect/callback`
   - Base URL: `https://code.${DOMAIN}`
4. Set Client Scopes:
   - Default Client Scopes: `Gitlab` (the client scope you created in the previous step; this is case sensitive)
   - Optional Client Scopes: N/A
5. Take note of the client secret in the Credentials tab.
## GitLab configuration for Keycloak

Refer to the GitLab documentation for SSO. The following is a working example of the JSON configuration used for the Keycloak integration:
```json
{
  "name": "openid_connect",
  "label": "Platform One SSO",
  "args": {
    "name": "openid_connect",
    "scope": [
      "Gitlab"
    ],
    "response_type": "code",
    "issuer": "https://login.dso.mil/auth/realms/baby-yoda",
    "client_auth_method": "query",
    "discovery": true,
    "uid_field": "preferred_username",
    "client_options": {
      "identifier": "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-gitlab",
      "secret": "your-secret-here",
      "redirect_uri": "https://code.dev.bigbang.mil/users/auth/openid_connect/callback",
      "end_session_endpoint": "https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/logout"
    }
  }
}
```
Base64-encode the JSON file so that it can be placed in the `data` field of a Kubernetes Secret:

```shell
cat gitlab-oidc.enc.json | base64 -w 0
```

`-w 0` ensures that the encoded value is a single-line string.
## Create a secret in the GitLab namespace for the OIDC provider info

Create a secret for the JSON provider config from the previous step:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: oidc-provider
  namespace: gitlab
data:
  gitlab-oidc.json: <enter your encoded json config here>
```
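The settings above span two systems (the Keycloak client and the GitLab provider JSON) and most integration failures are a mismatch between them. As an added example, not part of the Big Bang GitLab package or its documentation, the following Python script pre-checks a provider JSON file against the client settings described on this page (scope name `Gitlab` with a capital G, callback path of the Valid Redirect URI, a realm other than master, a logout endpoint in the same realm as the issuer, and a client secret that is no longer the `your-secret-here` placeholder) and then renders the Secret manifest with a single-line base64 value, the same result as `base64 -w 0`. The sample JSON and the `EXAMPLE_*` credential values are constructed placeholders; the rules are only those stated on this page.

```python
"""Pre-flight check for the GitLab OIDC provider JSON, plus rendering of the
Kubernetes Secret that carries it. Added example, not part of the Big Bang
GitLab package; the expectations come from the client and provider settings
described on this page. The sample JSON below is constructed."""
import base64
import json
import sys
from urllib.parse import urlparse

CALLBACK_PATH = "/users/auth/openid_connect/callback"
EXPECTED_SCOPE = "Gitlab"            # case sensitive: capital G
PLACEHOLDER_SECRET = "your-secret-here"
LOGOUT_SUFFIX = "/protocol/openid-connect/logout"


def check_oidc_config(raw: str) -> list:
    """Return the list of problems found in the provider JSON (empty means OK)."""
    problems = []
    cfg = json.loads(raw)
    args = cfg.get("args", {})
    opts = args.get("client_options", {})

    # The scope list must name the Keycloak client scope exactly.
    if args.get("scope") != [EXPECTED_SCOPE]:
        problems.append(f"scope must be exactly [{EXPECTED_SCOPE!r}], got {args.get('scope')!r}")

    # Issuer: https, and a realm other than master (e.g. baby-yoda).
    issuer = args.get("issuer", "")
    parsed_issuer = urlparse(issuer)
    realm = parsed_issuer.path.rstrip("/").rsplit("/", 1)[-1]
    if parsed_issuer.scheme != "https":
        problems.append("issuer must use https")
    if realm in ("", "master"):
        problems.append("issuer must point at a non-master realm")

    # The logout endpoint must live in the same realm as the issuer.
    if opts.get("end_session_endpoint") != issuer + LOGOUT_SUFFIX:
        problems.append("end_session_endpoint does not match the issuer realm")

    # redirect_uri must be the Valid Redirect URI registered on the client.
    redirect = urlparse(opts.get("redirect_uri", ""))
    if redirect.scheme != "https" or redirect.path != CALLBACK_PATH:
        problems.append(f"redirect_uri must be https://<host>{CALLBACK_PATH}")

    # uid_field should be the claim produced by the username mapper.
    if args.get("uid_field") != "preferred_username":
        problems.append("uid_field should be preferred_username")

    if not opts.get("identifier"):
        problems.append("client identifier is missing")
    secret = opts.get("secret", "")
    if not secret or secret == PLACEHOLDER_SECRET:
        problems.append("client secret is empty or still the placeholder")
    return problems


def encode_one_line(raw: str) -> str:
    """Same result as `base64 -w 0`: no line wrapping in the encoded output."""
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def render_secret(raw: str, name: str = "oidc-provider",
                  namespace: str = "gitlab", key: str = "gitlab-oidc.json") -> str:
    """Render the Secret manifest from this page with the encoded JSON filled in."""
    return "\n".join([
        "apiVersion: v1", "kind: Secret", "metadata:",
        f"  name: {name}", f"  namespace: {namespace}",
        "data:", f"  {key}: {encode_one_line(raw)}",
    ])


# Constructed sample: the page's provider JSON with placeholder credentials.
SAMPLE_GOOD = json.dumps({
    "name": "openid_connect", "label": "Platform One SSO",
    "args": {
        "name": "openid_connect", "scope": ["Gitlab"], "response_type": "code",
        "issuer": "https://login.dso.mil/auth/realms/baby-yoda",
        "client_auth_method": "query", "discovery": True,
        "uid_field": "preferred_username",
        "client_options": {
            "identifier": "EXAMPLE_CLIENT_ID",       # constructed placeholder
            "secret": "EXAMPLE_SECRET_NOT_REAL",     # constructed placeholder
            "redirect_uri": "https://code.dev.bigbang.mil/users/auth/openid_connect/callback",
            "end_session_endpoint": "https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/logout",
        },
    },
}, indent=2)


def _broken_variant() -> str:
    """Constructed copy carrying four of the mistakes this page warns about."""
    cfg = json.loads(SAMPLE_GOOD)
    cfg["args"]["scope"] = ["gitlab"]                              # wrong case
    cfg["args"]["issuer"] = "https://login.dso.mil/auth/realms/master"
    cfg["args"]["client_options"]["end_session_endpoint"] = cfg["args"]["issuer"] + LOGOUT_SUFFIX
    cfg["args"]["client_options"]["secret"] = PLACEHOLDER_SECRET   # never replaced
    cfg["args"]["client_options"]["redirect_uri"] = "https://code.dev.bigbang.mil/users/auth/saml/callback"
    return json.dumps(cfg)


SAMPLE_BAD = _broken_variant()

if __name__ == "__main__":
    # Usage: python check_oidc.py gitlab-oidc.json   (falls back to the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GOOD
    issues = check_oidc_config(raw)
    for issue in issues:
        print("PROBLEM:", issue, file=sys.stderr)
    sys.exit(1) if issues else print(render_secret(raw))
```

Run it against your real `gitlab-oidc.json` before applying the Secret; a non-zero exit with the listed problems is cheaper to act on than an OmniAuth callback error after deployment. The manifest it prints is the same shape as the Secret above, so it can be piped straight into `kubectl apply -f -`.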
## GitLab omniauth global configuration

Override the Helm chart values.yaml for your environment to include the oidc-provider secret in the GitLab `global.appConfig.omniauth` definition. The following example is the minimum config that you need; refer to the GitLab documentation for more settings.
```yaml
global:
  ...
  appConfig:
    ...
    omniauth:
      enabled: true
      # autoSignInWithProvider:
      # syncProfileFromProvider: []
      syncProfileAttributes: ['email']
      allowSingleSignOn: ['openid_connect']
      blockAutoCreatedUsers: false
      # autoLinkLdapUser: false
      # autoLinkSamlUser: false
      # externalProviders: []
      # allowBypassTwoFactor: []
      providers:
        - secret: oidc-provider
          key: gitlab-oidc.json
```
## Network Policy egress-sso configurable port

- Default egressPort = 443
- Scenario: If omniauth is enabled and you are configuring `controlPlaneCidr` to a specific control plane IP block, you will need to update `Values.networkPolicies.egressPort` to 8443. This port needs to be open for OIDC authentication to the Keycloak client in the baby-yoda realm.

Example egress-sso Network Policy override:
```yaml
gitlab:
  enabled: true
  git:
    tag: null
    branch: "main" # or the branch you are working on
  sso:
    enabled: true
    label: "Platform One SSO"
    # client_id taken from baby-yoda dev realm: https://repo1.dso.mil/big-bang/product/packages/keycloak/-/blob/main/chart/resources/dev/baby-yoda.json?ref_type=heads#L830
    client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_gitlab
    client_secret: ""
  values:
    gitlab:
      networkPolicies:
        enabled: true
        ingress:
          enabled: true
        controlPlaneCidr: 172.x.x.x/x
        egressPort: 8443 # egressPort defaults to 443 if no value
    global:
      appConfig:
        object_store:
          enabled: true
        defaultCanCreateGroup: true
        omniauth:
          enabled: true
sso: # derived from https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blob/main/docs/keycloak-dev.md?ref_type=heads
  name: Keycloak Dev SSO
  url: https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda
  saml:
    metadata: <paste output of curl command here>
  certificateAuthority:
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
      TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
      cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
      WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
      ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
      MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
      h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
      0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
      A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
      T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
      B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
      B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
      KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
      OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
      jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
      qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
      rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
      HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
      hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
      ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
      3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
      NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
      ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
      TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
      jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
      oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
      4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
      mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
      emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
      -----END CERTIFICATE-----
```
If all of your configuration is correct, you will be able to deploy GitLab and log in with SSO.