Implementing SSO on GitLab Community Edition Deployed to Kubernetes
I was recently tasked with setting up Single Sign-On (SSO) for our GitLab instance, which is deployed on our Kubernetes (EKS) instance. This deployment was carried out using GitLab’s Helm Charts.
The challenge I encountered was that most of the existing documentation provided instructions for setting up SSO on GitLab instances installed on a Linux box, and not for instances deployed using Helm Charts. I have documented the steps I took below:
First, ensure that your identity provider is supported. For this example, I will outline the steps required for AWS Cognito. However, these steps should be very similar for other providers.
The GitLab AWS Cognito docs suggest setting this up by manually editing the /etc/gitlab/gitlab.rb file. However, for users who have deployed GitLab using Helm Charts, this is not possible. In the Helm Chart documentation, under the globals section, they list the options that can be passed to omniauth, but they do not say which key omniauth should be under. To enable omniauth in your Helm manifest, pass it nested under appConfig, as shown below:
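# appConfig sits under the chart's top-level global key
global:
  appConfig:
    omniauth:
      enabled: true
      allowSingleSignOn: ['cognito']
      providers:
        # Name of the Kubernetes secret that holds the provider definition
        - secret: gitlab-cognito-provider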
GitLab requires the provider information to be passed in as a Kubernetes secret. The secret should match the value from gitlab_rails['omniauth_providers'] in the AWS Cognito integration documentation.
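One way to build that secret, as an added example that is not part of the original post: the script renders the provider definition as YAML and stores it under the provider key, which the chart reads by default. The environment variable names and the script name are hypothetical, the Cognito values are placeholders, and the field list should be checked against the current Cognito integration documentation.

```shell
#!/bin/sh
# Added example. Env var names are hypothetical; values are placeholders.
set -eu

# Emit the provider definition as YAML on stdout. Fields mirror the
# gitlab_rails['omniauth_providers'] hash from the Cognito integration docs.
# Assumes the values contain no double quotes or backslashes.
render_provider() {
  cat <<EOF
name: cognito
label: Cognito
app_id: "${COGNITO_CLIENT_ID:?set COGNITO_CLIENT_ID}"
app_secret: "${COGNITO_CLIENT_SECRET:?set COGNITO_CLIENT_SECRET}"
args:
  scope: openid profile email
  client_options:
    site: "${COGNITO_DOMAIN:?set COGNITO_DOMAIN}"
    authorize_url: /oauth2/authorize
    token_url: /oauth2/token
    user_info_url: /oauth2/userInfo
  user_response_structure:
    root_path: []
    id_path: ["sub"]
    attributes: {nickname: email, name: email, email: email}
  name: cognito
  strategy_class: "OmniAuth::Strategies::OAuth2Generic"
EOF
}

# Create the secret named in providers[].secret. Rendering first means a
# missing variable aborts before kubectl runs; feeding the YAML through
# stdin keeps the client secret out of argv and off disk.
create_provider_secret() {
  provider_yaml="$(render_provider)"
  printf '%s\n' "$provider_yaml" |
    kubectl create secret generic gitlab-cognito-provider \
      --namespace "$1" --from-file=provider=/dev/stdin
}

# Usage: COGNITO_CLIENT_ID=... COGNITO_CLIENT_SECRET=... \
#   COGNITO_DOMAIN=https://<your_domain>.auth.<your_region>.amazoncognito.com \
#   sh create-cognito-secret.sh --apply <namespace>
if [ "${1:-}" = "--apply" ]; then
  create_provider_secret "${2:?namespace required}"
fi
```

Because the secret holds the Cognito client secret, restrict read access to it in the GitLab namespace with RBAC.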