feat: configure gitlab groups from external oidc groups
General MR
Summary
This Merge Request adds the ability to configure GitLab users based on OIDC group membership. The impacted config is the `gitlab-sso-provider` secret that is deployed alongside the GitLab HelmRelease.
The following values can now be included in `addons.gitlab.sso`:
```yaml
groups:
  groupsAttribute: ""
  requiredGroups: []
  externalGroups: []
  auditorGroups: []
  adminGroups: []
```
This addition is backwards compatible. If a user does not supply any groups in their GitLab values, the `gitlab-sso-provider` secret will still render a valid JSON object.
NOTE: This is only a GitLab Premium/Ultimate feature.
Relevant logs/screenshots
GitLab Docs on configuring external groups - ref
Linked Issue
Upgrade Notices
N/A
Activity
assigned to @noahbirrer
added statusdoing label
added gitlab label
added kindfeature label
- Resolved by Noah Birrer
LGTM, suggest we add this comment to the addons.gitlab.sso section as a guide:
```yaml
# Uncomment this block and populate with Keycloak groups according to your desired Gitlab membership requirements
# Legend
# requiredGroups - groups that must be included in the Keycloak response for the user to be granted access to Gitlab
# externalGroups - groups that must be included in the Keycloak response for the user to be identified as an external Gitlab user (see https://docs.gitlab.com/ee/administration/external_users.html)
# auditorGroups - groups that must be included in the Keycloak response for the user to be added as Gitlab instance auditors
# adminGroups - groups that must be included in the Keycloak response for the user to be added as a Gitlab instance admin
# Full documentation: https://docs.gitlab.com/ee/administration/auth/oidc.html?tab=Linux+package+%28Omnibus%29#configure-users-based-on-oidc-group-membership
#
# groups:
#   requiredGroups: []
#   externalGroups: []
#   auditorGroups: []
#   adminGroups: []
```
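To make the legend above concrete, here is an added sketch (not part of this merge request, Big Bang, or GitLab) that applies a `groups` values block to decoded ID-token claims. The any-of matching, the unrestricted behaviour of an empty `requiredGroups`, the fallback claim name `groups`, and all group names are assumptions of the example.

```python
# Added illustration: models the legend's semantics; not GitLab's or Big Bang's code.
from dataclasses import dataclass

DEFAULT_GROUPS_CLAIM = "groups"  # assumption: used when groupsAttribute is empty


@dataclass(frozen=True)
class Decision:
    allowed: bool
    external: bool
    auditor: bool
    admin: bool


def token_groups(claims: dict, groups_attribute: str) -> set:
    """Read the group list from the claim named by groupsAttribute."""
    value = claims.get(groups_attribute or DEFAULT_GROUPS_CLAIM, [])
    # A missing or non-list claim yields no groups instead of raising.
    return set(value) if isinstance(value, list) else set()


def evaluate(groups_cfg: dict, claims: dict) -> Decision:
    """Apply the `groups` values block to one set of decoded token claims."""
    have = token_groups(claims, groups_cfg.get("groupsAttribute", ""))

    def hit(key: str) -> bool:
        # Assumption: membership in any one listed group is a match.
        return bool(have & set(groups_cfg.get(key) or []))

    # Assumption: an empty requiredGroups list places no restriction on sign-in.
    allowed = not groups_cfg.get("requiredGroups") or hit("requiredGroups")
    return Decision(
        allowed=allowed,
        external=allowed and hit("externalGroups"),
        auditor=allowed and hit("auditorGroups"),
        admin=allowed and hit("adminGroups"),
    )


# Constructed sample values and claims (hypothetical group names).
SAMPLE_CFG = {
    "groupsAttribute": "gitlab_groups",
    "requiredGroups": ["gitlab-users"],
    "externalGroups": ["contractors"],
    "auditorGroups": ["auditors"],
    "adminGroups": ["gitlab-admins"],
}
ADMIN_CLAIMS = {"sub": "u1", "gitlab_groups": ["gitlab-users", "gitlab-admins"]}
# Same user, but the IdP emits the default claim name: no groups are seen.
WRONG_CLAIM = {"sub": "u1", "groups": ["gitlab-users", "gitlab-admins"]}
```

Running a few representative token payloads through a check like this before rollout shows whether a `groupsAttribute` mismatch would silently lock users out or leave `adminGroups` without effect.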
added 35 commits
- 64329607...da469410 - 34 commits from branch master
- 13f7f6ba - Merge branch 'master' into feat/gitlab-oidc-group-members
removed statusdoing label
added statusreview label
mentioned in issue big-bang/product/packages/gitlab#225 (closed)
@noahbirrer hello, would you be able to allow the option to configure the value for "groups_attribute" as well? Because Keycloak groups are configured differently per project, we want to be able to use the custom group name per my comment on the ticket.
Edited by Hung Do
removed statusreview label
added statusdoing label
removed statusdoing label
added statusdoing label
- Resolved by Noah Birrer
added 1 commit
- 6753793f - add note to docs about `groupsAttribute` [ci skip]
changed milestone to %2.21.0
removed statusdoing label
added statusreview label
added 7 commits
- 6753793f...da8fc808 - 6 commits from branch master
- 4be64a0c - Merge branch 'master' into feat/gitlab-oidc-group-members
- Resolved by Noah Birrer
- Resolved by Ryan Garcia
Thanks for working this @noahbirrer. I would like to re-work that comment to read a bit better and start with the formatting in the comment above. If you go off other SSO or extra values provided by a package, we usually only have a 1 sentence blurb and a ref to upstream documentation so as not to add clutter to the values file.
requested review from @chris.oconnell, @michaelmartin, @ryan.thompson.44, and @ryan.j.garcia
@andrewshoell : You have been tagged in this merge request for the purpose of conducting secondary review.
added 3 commits
- ee14c788...46943c67 - 2 commits from branch master
- ddf60bd3 - Merge branch 'master' into feat/gitlab-oidc-group-members
added 3 commits
- 07b1210e...7ab2d0e8 - 2 commits from branch master
- 8a76404c - Merge branch 'master' into feat/gitlab-oidc-group-members
mentioned in commit 2a9cd6c3
mentioned in merge request big-bang/customers/template!72 (merged)