liuxiaohua
e616f8f9f3
All checks were successful
Publish to Confluence / confluence (push) Successful in 39s
104 lines
2.8 KiB
Markdown
104 lines
2.8 KiB
Markdown
<!-- Space: qifu -->
|
||
<!-- Parent: 后端技术&知识&规范 -->
|
||
<!-- Parent: 技术方案 -->
|
||
<!-- Parent: 基建 -->
|
||
<!-- Title: 20250108-Gitlab安装及SSO接入指南 -->
|
||
|
||
<!-- Macro: :anchor\((.*)\):
|
||
Template: ac:anchor
|
||
Anchor: ${1} -->
|
||
<!-- Macro: \!\[.*\]\((.+)\)\<\!\-\- width=(.*) \-\-\>
|
||
Template: ac:image
|
||
Url: ${1}
|
||
Width: ${2} -->
|
||
<!-- Macro: \<\!\-\- :toc: \-\-\>
|
||
Template: ac:toc
|
||
Printable: 'false'
|
||
MinLevel: 2
|
||
MaxLevel: 4 -->
|
||
<!-- Include: 杂项/声明文件.md -->
|
||
|
||
<!-- :toc: -->
|
||
|
||
# Gitlab 安装及 SSO 接入指南
|
||
|
||
## Gitlab 安装启动
|
||
|
||
- 可以参考:https://docs.gitlab.com/ee/install/docker/installation.html
|
||
- GITLAB_HOME: /usr/local/gitlab
|
||
|
||
### Docker Compose 启动
|
||
|
||
#### 修改 docker compose 文件
|
||
|
||
- Docker Compose 文件 `$GITLAB_HOME/docker-compose.yml`
|
||
|
||
```yaml
|
||
version: '3.6'
|
||
services:
|
||
gitlab:
|
||
image: gitlab/gitlab-ce:17.7.0-ce.0
|
||
container_name: gitlab
|
||
restart: always
|
||
hostname: '192.168.113.131'
|
||
environment:
|
||
GITLAB_OMNIBUS_CONFIG: |
|
||
external_url 'http://192.168.113.131:8929'
|
||
gitlab_rails['gitlab_shell_ssh_port'] = 2424
|
||
ports:
|
||
- '8929:8929'
|
||
- '2443:443'
|
||
- '2424:22'
|
||
volumes:
|
||
- '$GITLAB_HOME/config:/etc/gitlab'
|
||
- '$GITLAB_HOME/logs:/var/log/gitlab'
|
||
- '$GITLAB_HOME/data:/var/opt/gitlab'
|
||
shm_size: '256m'
|
||
|
||
```
|
||
- 默认账号:`root`
|
||
- 默认密码:在 `$GITLAB_HOME/config/initial_root_password`
|
||
|
||
### Yearning OIDC 配置
|
||
|
||
- 可以参考:https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak
|
||
- **注意:** Gitlab 整合 OIDC,Identity Provider 必须要用 `https`
|
||
|
||
#### 修改配置文件(Keycloak示例)
|
||
|
||
- 配置文件 `$GITLAB_HOME/config/gitlab.rb`
|
||
|
||
```shell
|
||
gitlab_rails['omniauth_enabled'] = true
|
||
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
|
||
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
|
||
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
|
||
gitlab_rails['omniauth_providers'] = [
|
||
{
|
||
name: "openid_connect", #- do not change this parameter
|
||
label: "Keycloak", #- optional label for login button, defaults to "Openid Connect"
|
||
args: {
|
||
name: "openid_connect",
|
||
scope: ["openid", "profile", "email"],
|
||
response_type: "code",
|
||
issuer: "https://keycloak.example.com/realms/myrealm",
|
||
client_auth_method: "query",
|
||
discovery: true,
|
||
uid_field: "preferred_username",
|
||
pkce: true,
|
||
client_options: {
|
||
identifier: "<YOUR CLIENT ID>",
|
||
secret: "<YOUR CLIENT SECRET>",
|
||
redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
|
||
}
|
||
}
|
||
}
|
||
]
|
||
```
|
||
|
||
## 参考
|
||
|
||
- [Gitlab OIDC](https://docs.gitlab.com/ee/administration/auth/oidc.html)
|
||
- [Gitlab OIDC 整合 Keycloak](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak)
|
||
|