keyfil/教程/20250108-Gitlab安装及SSO接入指南.md
liuxiaohua e616f8f9f3
[2025-01-08] Add Gitlab platform integration guide
2025-01-07 18:34:18 +08:00

Gitlab Installation and SSO Integration Guide

Gitlab Installation and Startup

Starting with Docker Compose

Modify the docker compose file

  • Docker Compose file: $GITLAB_HOME/docker-compose.yml
```yaml
version: '3.6'
services:
  gitlab:
    image: gitlab/gitlab-ce:17.7.0-ce.0
    container_name: gitlab
    restart: always
    hostname: '192.168.113.131'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # URL users reach GitLab on; the port matches the 8929 mapping below
        external_url 'http://192.168.113.131:8929'
        # SSH port shown in clone URLs; matches the host port mapped to 22 below
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
    ports:
      - '8929:8929'
      - '2443:443'
      - '2424:22'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
    shm_size: '256m'
```

  • Default account: root
  • Default password: stored in $GITLAB_HOME/config/initial_root_password

Yearning OIDC Configuration

Modify the configuration file (Keycloak example)

  • Configuration file: $GITLAB_HOME/config/gitlab.rb
```ruby
gitlab_rails['omniauth_enabled'] = true
# allow this provider to create GitLab accounts on first sign-in
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
# send the sign-in page straight to this provider
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
# link the OIDC identity to an existing GitLab user with the same email
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect", #- do not change this parameter
    label: "Keycloak", #- optional label for login button, defaults to "Openid Connect"
    args: {
      name: "openid_connect",
      scope: ["openid", "profile", "email"],
      response_type: "code",
      issuer: "https://keycloak.example.com/realms/myrealm",
      client_auth_method: "query",
      discovery: true,
      uid_field: "preferred_username",
      pkce: true,
      client_options: {
        identifier: "<YOUR CLIENT ID>",
        secret: "<YOUR CLIENT SECRET>",
        # GitLab's external_url followed by /users/auth/openid_connect/callback
        redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
      }
    }
  }
]
```
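
The following is an added example, not part of the original guide or of GitLab's own code: a Ruby check that compares the provider args above with the identity provider's discovery metadata and with GitLab's external_url before the configuration is applied. The names `audit_oidc`, `PAGE_ARGS` and `SAMPLE_DISCOVERY` are hypothetical, and the discovery document is constructed sample data.

```ruby
require "json"

# Callback path GitLab uses for a provider named "openid_connect" (as on this page).
CALLBACK_PATH = "/users/auth/openid_connect/callback"

# Compares provider args with discovery metadata; returns a list of findings.
def audit_oidc(args, discovery, external_url)
  findings = []
  redirect = args[:client_options][:redirect_uri]
  adv = ->(key) { Array(discovery[key]) } # values the provider advertises
  # With discovery: true the issuer must equal the metadata issuer exactly.
  if args[:issuer] != discovery["issuer"]
    findings << "issuer mismatch: #{args[:issuer]} vs #{discovery['issuer']}"
  end
  [args[:issuer], redirect].each do |u|
    findings << "not https: #{u}" unless u.start_with?("https://")
  end
  # The callback must live under the URL GitLab is actually served from.
  expected = external_url.chomp("/") + CALLBACK_PATH
  findings << "redirect_uri should be #{expected}" if redirect != expected
  if args[:pkce] && !adv.call("code_challenge_methods_supported").include?("S256")
    findings << "pkce enabled but provider does not advertise S256"
  end
  missing = args[:scope] - adv.call("scopes_supported")
  findings << "unsupported scopes: #{missing.join(', ')}" unless missing.empty?
  unless adv.call("claims_supported").include?(args[:uid_field])
    findings << "uid_field #{args[:uid_field]} not in claims_supported"
  end
  findings
end

# Provider args copied from this page (client id and secret are not needed).
PAGE_ARGS = {
  scope: %w[openid profile email], response_type: "code", pkce: true,
  issuer: "https://keycloak.example.com/realms/myrealm",
  discovery: true, uid_field: "preferred_username",
  client_options: {
    redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
  }
}

# Constructed discovery document, not fetched from a real server.
SAMPLE_DISCOVERY = JSON.parse(<<~DOC)
  {"issuer": "https://keycloak.example.com/realms/myrealm",
   "scopes_supported": ["openid", "profile", "email"],
   "claims_supported": ["sub", "preferred_username", "email"],
   "code_challenge_methods_supported": ["plain", "S256"]}
DOC
# external_url taken from the compose file on this page.
puts audit_oidc(PAGE_ARGS, SAMPLE_DISCOVERY, "http://192.168.113.131:8929")
```

Run against the external_url from the compose file, the only finding is the redirect_uri, which still points at the gitlab.example.com placeholder. In a real deployment the discovery document would come from the issuer's `/.well-known/openid-configuration` endpoint.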
