<!-- Space: qifu -->
<!-- Parent: 后端技术&知识&规范 -->
<!-- Parent: 技术方案 -->
<!-- Parent: 基建 -->
<!-- Parent: 03-接入指南 -->
<!-- Title: 20250108-Gitlab安装及SSO接入指南 -->

<!-- Macro: :anchor\((.*)\):
Template: ac:anchor
Anchor: ${1} -->
<!-- Macro: \!\[.*\]\((.+)\)\<\!\-\- width=(.*) \-\-\>
Template: ac:image
Url: ${1}
Width: ${2} -->
<!-- Macro: \<\!\-\- :toc: \-\-\>
Template: ac:toc
Printable: 'false'
MinLevel: 2
MaxLevel: 4 -->
<!-- Include: 杂项/声明文件.md -->

<!-- :toc: -->

# GitLab Installation and SSO Integration Guide

## Installing and Starting GitLab

- Reference: https://docs.gitlab.com/ee/install/docker/installation.html
- GITLAB_HOME: /usr/local/gitlab

### Starting with Docker Compose

#### Edit the docker compose file

- Docker Compose file: `$GITLAB_HOME/docker-compose.yml`

```yaml
version: '3.6'
services:
  gitlab:
    image: gitlab/gitlab-ce:17.7.0-ce.0
    container_name: gitlab
    restart: always
    hostname: '192.168.113.131'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://192.168.113.131:8929'
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
    ports:
      - '8929:8929'
      - '2443:443'
      - '2424:22'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
    shm_size: '256m'
```

- Default account: `root`
- Default password: stored in `$GITLAB_HOME/config/initial_root_password`

### Yearning Generic OAuth2 Configuration

- Because GitLab `OIDC` requires `https`, `Generic OAuth2` is used for SSO instead
- Reference: https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak

#### Edit the configuration file (Keycloak example)

- Configuration file: `$GITLAB_HOME/config/gitlab.rb`

```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_auto_link_user'] = ['oauth2_generic']
gitlab_rails['omniauth_providers'] = [
  {
    name: "oauth2_generic",
    label: "企业微信", # optional label for login button, defaults to "Oauth2 Generic"
    app_id: "gitlab",
    app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi",
    args: {
      client_options: {
        site: "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
        user_info_url: "userinfo",
        authorize_url: "auth",
        token_url: "token"
      },
      user_response_structure: {
        root_path: [],
        id_path: ["preferred_username"],
        attributes: {
          email: "email",
          name: "name"
        }
      },
      authorize_params: {
        scope: "openid profile email"
      },
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  }
]
```
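Before reconfiguring GitLab with these settings, it is worth confirming that the three relative URLs in `client_options` really resolve to the endpoints the realm advertises in its `.well-known/openid-configuration` document, and that `id_path` points at a claim the userinfo endpoint actually returns. The Python check below is an added example, not part of this guide or of GitLab; it assumes the discovery document has been fetched separately and embeds a constructed sample of it together with a constructed userinfo response.

```python
import json
from urllib.parse import urljoin, urlparse

# client_options and id_path as written in gitlab.rb above (the client secret is not needed here).
CLIENT_OPTIONS = {
    "site": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
    "user_info_url": "userinfo",
    "authorize_url": "auth",
    "token_url": "token",
}
ID_PATH = ["preferred_username"]

# Constructed sample of the realm's /.well-known/openid-configuration document
# (fetch the real one from the IdP; only the three endpoints matter for this check).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://keycloak.qifu.com/realms/keyfil",
    "authorization_endpoint": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/token",
    "userinfo_endpoint": "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/userinfo",
})
# Constructed sample of a userinfo response for a test user.
SAMPLE_USERINFO = {"preferred_username": "alice", "email": "alice@example.com", "name": "Alice"}


def resolve_endpoints(client_options):
    """Expand the relative URLs against `site`, as the OAuth2 client does at runtime."""
    site = client_options["site"]
    return {
        "authorization_endpoint": urljoin(site, client_options["authorize_url"]),
        "token_endpoint": urljoin(site, client_options["token_url"]),
        "userinfo_endpoint": urljoin(site, client_options["user_info_url"]),
    }


def check_provider(client_options, discovery_json, id_path, userinfo):
    """Return a list of findings; an empty list means the mapping is consistent."""
    findings = []
    discovery = json.loads(discovery_json)
    for key, url in resolve_endpoints(client_options).items():
        if discovery.get(key) != url:
            findings.append(f"{key}: gitlab.rb resolves to {url}, IdP advertises {discovery.get(key)}")
    if urlparse(client_options["site"]).scheme != "https":
        findings.append("site uses plain http: authorization codes, tokens and userinfo are sent unencrypted")
    value = userinfo
    for part in id_path:  # walk id_path the way user_response_structure does
        value = value.get(part) if isinstance(value, dict) else None
    if not value:
        findings.append(f"id_path {id_path} is missing from userinfo; GitLab cannot identify the user")
    return findings
```

With the values from this page the only finding is the plain-http transport, which is exactly the trade-off the section above makes by choosing Generic OAuth2 over OIDC.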

## References

- [GitLab OIDC](https://docs.gitlab.com/ee/administration/auth/oidc.html)
- [GitLab OIDC integration with Keycloak](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak)
- [GitLab Generic OAuth2](https://docs.gitlab.com/ee/integration/oauth2_generic.html)