# GitLab Installation and SSO Integration Guide

## Installing and Starting GitLab

- Reference: https://docs.gitlab.com/ee/install/docker/installation.html
- GITLAB_HOME: /usr/local/gitlab

### Starting with Docker Compose

#### Edit the Docker Compose file

- Docker Compose file: `$GITLAB_HOME/docker-compose.yml`

```yaml
version: '3.6'
services:
  gitlab:
    image: gitlab/gitlab-ce:17.7.0-ce.0
    container_name: gitlab
    restart: always
    hostname: '192.168.113.131'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://192.168.113.131:8929'
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
    ports:
      - '8929:8929'
      - '2443:443'
      - '2424:22'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
    shm_size: '256m'
```

- Default account: `root`
- Default password: stored in `$GITLAB_HOME/config/initial_root_password`

### Yearning Generic OAuth2 Configuration

- Because GitLab's `OIDC` provider requires `https`, `Generic OAuth2` is used for SSO instead
- Reference: https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak

#### Edit the configuration file (Keycloak example)

- Configuration file: `$GITLAB_HOME/config/gitlab.rb`

```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_auto_link_user'] = ['oauth2_generic']
gitlab_rails['omniauth_providers'] = [
  {
    name: "oauth2_generic",
    label: "企业微信", # optional label for login button, defaults to "Oauth2 Generic"
    app_id: "gitlab",
    app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi",
    args: {
      client_options: {
        site: "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
        user_info_url: "userinfo",
        authorize_url: "auth",
        token_url: "token"
      },
      user_response_structure: {
        root_path: [],
        id_path: ["preferred_username"],
        attributes: { email: "email", name: "name" }
      },
      authorize_params: { scope: "openid profile email" },
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  }
]
```

## References

- [GitLab OIDC](https://docs.gitlab.com/ee/administration/auth/oidc.html)
- [GitLab OIDC integration with Keycloak](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak)
- [GitLab Generic OAuth2](https://docs.gitlab.com/ee/integration/oauth2_generic.html)
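A preflight check for the `oauth2_generic` provider block above, added here as an example and not part of the original guide or of GitLab: it resolves the relative `authorize_url`, `token_url` and `user_info_url` against `site` the way the oauth2 gem does and compares them with what the Keycloak realm advertises in its discovery document, then checks the requested scopes and the claims used by `user_response_structure`. The discovery document is a constructed stand-in for `GET http://keycloak.qifu.com/realms/keyfil/.well-known/openid-configuration`, and `check_provider`/`resolve` are names chosen for this example.

```python
from urllib.parse import urljoin

# Provider block from gitlab.rb on this page, transcribed to a dict.
PROVIDER = {
    "client_options": {
        "site": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
        "user_info_url": "userinfo", "authorize_url": "auth", "token_url": "token",
    },
    "user_response_structure": {"root_path": [], "id_path": ["preferred_username"],
                                "attributes": {"email": "email", "name": "name"}},
    "authorize_params": {"scope": "openid profile email"},
}

# Constructed stand-in for the realm's .well-known/openid-configuration (only the keys checked).
DISCOVERY = {
    "issuer": "http://keycloak.qifu.com/realms/keyfil",
    "authorization_endpoint": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/token",
    "userinfo_endpoint": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "preferred_username", "email", "name"],
}

def resolve(site, path):
    # The oauth2 gem (via Faraday) ensures a trailing slash on `site` before joining a relative path.
    return urljoin(site if site.endswith("/") else site + "/", path)

def check_provider(provider, discovery):
    """Return a list of mismatches between the provider block and the realm's discovery document."""
    issues = []
    co = provider["client_options"]
    for key, endpoint in (("authorize_url", "authorization_endpoint"),
                          ("token_url", "token_endpoint"),
                          ("user_info_url", "userinfo_endpoint")):
        got = resolve(co["site"], co[key])
        if got != discovery[endpoint]:
            issues.append(f"{key}: gitlab.rb resolves to {got}, realm advertises {discovery[endpoint]}")
    scopes = provider["authorize_params"]["scope"].split()
    if "openid" not in scopes:
        issues.append("scope: 'openid' missing, userinfo will not return identity claims")
    issues += [f"scope: '{s}' not supported by realm" for s in scopes
               if s not in discovery.get("scopes_supported", [])]
    urs = provider["user_response_structure"]
    claims = set(discovery.get("claims_supported", []))
    for claim in [urs["id_path"][-1], *urs["attributes"].values()]:
        if claim not in claims:
            issues.append(f"claim '{claim}' not advertised by realm; the mapped attribute would be empty")
    if not co["site"].startswith("https://"):
        issues.append("site uses plain http: the client secret and tokens travel unencrypted")
    return issues
```

Run it before `gitlab-ctl reconfigure`; an empty list means the endpoints, scopes and claim mappings line up with the realm, and the only finding for the configuration on this page is the plain-http `site`.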