Configure users based on Keycloak group membership
# Feature Request

## Why
We wanted to configure GitLab users based on the Keycloak group. Based on the GitLab doc (https://docs.gitlab.com/ee/administration/auth/oidc.html?tab=Linux+package+%28Omnibus%29#administrator-groups), we have to configure GitLab to identify what to look for in the Keycloak response. This is currently set as the secret (https://repo1.dso.mil/big-bang/bigbang/-/blob/2.1.0/chart/templates/gitlab/secret-sso.yaml?ref_type=tags#L33) in Big Bang, but it does not have the capability as of now. Request to provide the option to add additional config to the secret. Example below:
```
{
  name: "openid_connect",
  label: "Provider name",
  args: {
    name: "openid_connect",
    scope: ["openid","profile","email"],
    response_type: "code",
    issuer: "<your_oidc_url>",
    discovery: true,
    client_auth_method: "query",
    uid_field: "<uid_field>",
    client_options: {
      identifier: "<your_oidc_client_id>",
      secret: "<your_oidc_client_secret>",
      redirect_uri: "<your_gitlab_url>/users/auth/openid_connect/callback",
      gitlab: {
        groups_attribute: "groups",
        admin_groups: ["Admin"]
      }
    }
  }
}
```
Provide any steps possible used to reproduce the error (ideally in an isolated fashion).
## BigBang Version
What version of BigBang were you running? BB 2.1.0
This can be retrieved multiple ways:
```bash
# via helm
helm ls -n bigbang
# via the deployed umbrella git tag
kubectl get gitrepository -n bigbang
```
## Proposed Solution
Request to provide the option to add additional config to the secret
```
gitlab: {
  groups_attribute: "groups",
  admin_groups: ["Admin"]
}
```
If your proposed solution _changes_ the existing behavior of a feature, please outline why your approach is recommended/better.
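
An added example, not part of the original issue and not Big Bang or GitLab code: a Ruby check that decodes a token payload and reports whether the `groups_attribute` / `admin_groups` settings requested above would match it. It assumes exact, case-sensitive string matching; the helper names and sample tokens are hypothetical and constructed. Keycloak's group membership mapper can emit full paths such as `/Admin`, which is the near-miss case the check reports.

```ruby
require "base64"
require "json"

# Constructed settings mirroring the gitlab block requested in the issue.
GITLAB_OPTS = { "groups_attribute" => "groups", "admin_groups" => ["Admin"] }.freeze

# Build an unsigned sample token (constructed input, for offline inspection only).
def constructed_token(claims)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [enc.call({ "alg" => "none" }), enc.call(claims), "constructed"].join(".")
end

# Decode the payload segment of a compact JWT. No signature verification:
# this inspects what the IdP sent, it does not authenticate anything.
def jwt_claims(token)
  parts = token.split(".")
  raise ArgumentError, "not a compact JWT" unless parts.length == 3
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
end

# Report whether the claims would satisfy admin_groups.
# Assumption: matching is an exact, case-sensitive string comparison.
def admin_mapping(claims, opts)
  attr = opts.fetch("groups_attribute")
  wanted = opts.fetch("admin_groups")
  return { admin: false, reason: "claim '#{attr}' missing", near_miss: [] } unless claims.key?(attr)

  groups = Array(claims[attr]).map(&:to_s)
  hits = groups & wanted
  return { admin: true, reason: "matched #{hits.join(', ')}", near_miss: [] } unless hits.empty?

  # Path-style values such as "/Admin" share a basename with a wanted group
  # but are not equal to it, so they would not grant admin under the assumption.
  near = groups.select { |g| wanted.include?(g.split("/").last.to_s) }
  { admin: false, reason: "no exact match", near_miss: near }
end

if __FILE__ == $PROGRAM_NAME
  [{ "sub" => "u1", "groups" => ["Admin", "dev"] },
   { "sub" => "u2", "groups" => ["/Admin"] },
   { "sub" => "u3" }].each do |claims|
    result = admin_mapping(jwt_claims(constructed_token(claims)), GITLAB_OPTS)
    puts "#{claims['sub']}: #{result}"
  end
end
```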