GitLab Installation and SSO Integration Guide
GitLab Installation and Startup
- Reference: https://docs.gitlab.com/ee/install/docker/installation.html
- GITLAB_HOME: /usr/local/gitlab
Starting with Docker Compose
Edit the Docker Compose file
- Docker Compose file: $GITLAB_HOME/docker-compose.yml
```yaml
version: '3.6'
services:
  gitlab:
    image: gitlab/gitlab-ce:17.7.0-ce.0
    container_name: gitlab
    restart: always
    hostname: '192.168.113.131'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # Web UI is served over plain HTTP on port 8929
        external_url 'http://192.168.113.131:8929'
        # SSH port advertised in clone URLs; must match the host side of '2424:22'
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
    ports:
      - '8929:8929'   # HTTP (matches external_url)
      - '2443:443'    # HTTPS
      - '2424:22'     # Git over SSH
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
    shm_size: '256m'
```
- Default account: root
- Default password: in $GITLAB_HOME/config/initial_root_password
Yearning Generic OAuth2 Configuration
- Because GitLab OIDC requires https, Generic OAuth2 is used for SSO
- Reference: https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak
Edit the configuration file (Keycloak example)
- Configuration file: $GITLAB_HOME/config/gitlab.rb
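```ruby
gitlab_rails['omniauth_enabled'] = true
# Create a GitLab account automatically on first sign-in through this provider
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
# Link the sign-in to an existing GitLab user when the email addresses match
gitlab_rails['omniauth_auto_link_user'] = ['oauth2_generic']
gitlab_rails['omniauth_providers'] = [
  {
    name: "oauth2_generic",
    label: "企业微信", # optional label for login button, defaults to "Oauth2 Generic"
    app_id: "gitlab",
    app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi",
    args: {
      client_options: {
        # Keycloak is reached over plain http here, so this OAuth traffic is unencrypted
        site: "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
        # The three paths below are relative to `site`
        user_info_url: "userinfo",
        authorize_url: "auth",
        token_url: "token"
      },
      user_response_structure: {
        root_path: [],
        # Claim stored as the user's external UID. OIDC does not guarantee that
        # preferred_username is unique or stable; `sub` is the stable subject identifier.
        id_path: ["preferred_username"],
        attributes: {
          email: "email",
          name: "name"
        }
      },
      authorize_params: {
        scope: "openid profile email"
      },
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  }
]
```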
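A pre-deployment check for the provider block above, as an added example that is not part of the original guide or of GitLab itself. It resolves the relative endpoint paths against `site` and reports the settings a reviewer would question. `resolved_endpoints` and `audit_provider` are hypothetical helper names, and Ruby's `URI.join` is assumed to stand in for the OAuth2 client's own URL joining.

```ruby
require "uri"

# Constructed sample: the client_options and id_path values shown in this guide.
PROVIDER = {
  name: "oauth2_generic",
  args: {
    client_options: {
      site: "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
      user_info_url: "userinfo", authorize_url: "auth", token_url: "token"
    },
    user_response_structure: { root_path: [], id_path: ["preferred_username"] }
  }
}.freeze

# Resolve the relative endpoint paths against `site`.
# Assumption: standard URI.join semantics stand in for the OAuth2 client's own joining.
def resolved_endpoints(provider)
  opts = provider[:args][:client_options]
  %i[authorize_url token_url user_info_url].to_h do |key|
    [key, URI.join(opts[:site], opts[key]).to_s]
  end
end

# Hypothetical lint helper: returns [severity, message] pairs for one provider.
# auto_link is the list assigned to gitlab_rails['omniauth_auto_link_user'].
def audit_provider(provider, auto_link: [])
  findings = []
  resolved_endpoints(provider).each do |key, url|
    next if URI(url).scheme == "https"
    findings << [:high, "#{key} #{url} is cleartext HTTP: OAuth traffic to it is unprotected in transit"]
  end
  id_path = provider.dig(:args, :user_response_structure, :id_path)
  unless id_path == ["sub"]
    findings << [:medium, "id_path #{id_path.inspect}: identity is keyed on a claim other than the stable 'sub'"]
  end
  if auto_link.include?(provider[:name])
    findings << [:info, "auto-link matches existing users by email: release only verified addresses from the IdP"]
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_provider(PROVIDER, auto_link: ["oauth2_generic"]).each { |sev, msg| puts "[#{sev}] #{msg}" }
end
```

Run against the values in this guide, it reports three cleartext endpoints, the `preferred_username` identity key, and the auto-link advisory.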