Cloud Experts Documentation

Configure GitLab as an identity provider for ARO

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

The following instructions will detail how to configure GitLab as the identity provider for Azure Red Hat OpenShift:

  1. Register a new application in GitLab
  2. Create OAuth provider in ARO
  3. Log in and confirm
  4. Add administrative users or groups

Register a new application in GitLab

Log into GitLab and execute the following steps:

  1. Go to Preferences

    GitLab Preferences
  2. Select Applications from the left navigation bar

    GitLab applications
  3. Provide a Name and enter an OAuth Callback URL as the Redirect URI in GitLab

    Note: the OAuth Callback has the following format: https://oauth-openshift.apps.<cluster-id>.<region>.aroapp.io/oauth2callback/GitLab

    GitLab Redirect URI
  4. Check the openid box and save the application

    GitLab OpenID
  5. After saving the GitLab application you will be provided with an Application ID and a Secret

    GitLab Confirmation
  6. Copy both the Application ID and Secret for use in the ARO console

Create OAuth provider in ARO

Log in to the ARO console as an administrator to add a GitLab identity provider.

  1. Select the ‘Administration’ drop down and click ‘Cluster Settings’

    aro administration
  2. On the ‘Configuration’ tab, scroll down and click on ‘OAuth’

    aro select OAuth
  3. Select ‘GitLab’ from the Identity Providers drop down

    aro select GitLab
  4. Enter a Name, the base URL of your GitLab OAuth server, and the Client ID and Client Secret from the previous step

    Add the IDP
  5. Click Add to confirm the configuration

    blank values

Log in and confirm

  1. Go to the ARO console in a new browser to bring up the OpenShift login page. An option for GitLab should now be available.

    Note: It can take 2-3 minutes for this update to occur

    OpenShift GitLab login
  2. After selecting GitLab for the first time an authorization message will appear. Click Authorize to confirm.

    GitLab Authorize
  3. Once you have successfully logged in using GitLab, your userid should display under Users in the User Management section of the ARO console

    GitLab user

    Note: On initial login users do NOT have elevated access

Add administrative users or groups

  1. Now that the GitLab identity provider is configured, it is possible to add authenticated users to elevated OpenShift roles. This can be accomplished at the user or group level.

  2. To elevate a user's permissions, select the user in the OpenShift console and click Create Binding from the RoleBindings tab

    GitLab user details
  3. Choose the scope (namespace/cluster), assign a name to the RoleBinding, and choose a role.

    GitLab user role
  4. After clicking Create the assigned user will have elevated access once they log in.

    GitLab user role confirm
  5. To elevate a group's permissions, create a group in the OpenShift console.

    GitLab group create
  6. Edit the group YAML to specify a custom name and initial user set

    GitLab user role
  7. Create a RoleBinding for the group, similar to what was configured previously for an individual user

    GitLab user role confirm
  8. Add additional users to the YAML file as needed and they will assume the elevated access

    GitLab Add Users
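
The console steps above can also be written as manifests, which keeps the identity provider and the role assignment reviewable in version control. This is an added example, not part of the original instructions; the secret name, group name, role choice and every `<...>` placeholder are assumptions to replace with your own values.

```yaml
# Added example: declarative equivalent of the console steps on this page.
# Names and <...> placeholders are assumptions, not values from the page.
---
# Holds the Secret shown once by GitLab after saving the application.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-client-secret          # hypothetical name
  namespace: openshift-config         # the OAuth config reads its secrets here
type: Opaque
stringData:
  clientSecret: "<gitlab-application-secret>"
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster                       # the single cluster-wide OAuth object
spec:
  identityProviders:
    - name: GitLab                    # must match the last path segment of the Redirect URI
      type: GitLab
      mappingMethod: claim
      gitlab:
        url: "https://<gitlab-base-url>"
        clientID: "<gitlab-application-id>"
        clientSecret:
          name: gitlab-client-secret
---
# Group with its initial user set (steps 5-6 and 8 of the last section).
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: gitlab-admins                 # hypothetical group name
users:
  - "<username-as-listed-under-Users>"
---
# Namespace-scoped binding: the narrower of the two scopes offered in step 3.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-admins-admin
  namespace: "<project>"
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: gitlab-admins
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: admin
```

Applying the OAuth object replaces the existing `spec.identityProviders` list, so merge this entry with any providers already configured on the cluster rather than applying it as-is.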
