
Implementing SSO on GitLab Community Edition Deployed to Kubernetes

I was recently tasked with setting up Single Sign-On (SSO) for our GitLab instance, which is deployed on our Kubernetes (EKS) instance. This deployment was carried out using GitLab’s Helm Charts.

The challenge I encountered was that most of the existing documentation provided instructions for setting up SSO on GitLab instances installed on a Linux box, and not for instances deployed using Helm Charts. I have documented the steps I took below:

  1. First, ensure that your identity provider is supported. For this example, I will outline the steps required for AWS Cognito. However, these steps should be very similar for other providers.

  2. The GitLab AWS Cognito docs suggest configuring the provider by manually editing the /etc/gitlab/gitlab.rb file. However, for users who have deployed GitLab using Helm Charts, this is not possible. In the Helm Chart documentation, under the globals section, they list the options that can be passed to omniauth, but do not say which key omniauth should be nested under. To enable omniauth in your Helm values, pass it nested under appConfig, as shown below:

# Helm values for the GitLab chart. appConfig lives under the global key,
# and YAML indentation must use spaces, not tabs.
global:
  appConfig:
    omniauth:
      enabled: true
      # Providers listed here may create a GitLab account on first login.
      allowSingleSignOn: ['cognito']
      providers:
        # Name of the Kubernetes secret holding the provider definition.
        - secret: gitlab-cognito-provider
  3. GitLab requires the provider information to be passed in as a Kubernetes secret. The contents of that secret should mirror the gitlab_rails['omniauth_providers'] entry from the AWS Cognito integration documentation.
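To show what that secret looks like in practice, here is an added example (not from the original post or from GitLab) that renders the Secret manifest referenced by the Helm values above. It assumes the chart reads the provider definition from a key named provider, that the Cognito endpoint paths match the GitLab documentation, and that the client id, client secret and Cognito auth domain are supplied by the caller; the values used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: render the Kubernetes Secret that the Helm chart's
# global.appConfig.omniauth.providers entry points at.
# Assumptions: the secret key name "provider" and the Cognito endpoint
# paths follow the GitLab docs; credentials come from the caller and are
# never hard-coded here.

# Usage: render_cognito_secret <client_id> <client_secret> <auth_domain> [secret_name]
render_cognito_secret() {
  client_id=$1
  client_secret=$2
  auth_domain=$3   # e.g. https://<pool>.auth.<region>.amazoncognito.com
  secret_name=${4:-gitlab-cognito-provider}

  # Refuse to render with an empty credential: an empty app_secret produces
  # a provider that appears configured but fails at the token exchange.
  [ -n "$client_id" ] && [ -n "$client_secret" ] && [ -n "$auth_domain" ] || return 1

  # stringData lets the API server base64-encode the value; the provider
  # key carries the gitlab_rails['omniauth_providers'] entry in YAML form.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret_name}
type: Opaque
stringData:
  provider: |
    name: cognito
    label: "AWS Cognito"
    app_id: "${client_id}"
    app_secret: "${client_secret}"
    args:
      scope: "openid profile email"
      client_options:
        site: "${auth_domain}"
        authorize_url: "/oauth2/authorize"
        token_url: "/oauth2/token"
        user_info_url: "/oauth2/userInfo"
      user_response_structure:
        root_path: []
        id_path: ["sub"]
        attributes:
          nickname: "email"
          name: "email"
          email: "email"
      name: cognito
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
EOF
}
```

Pipe the output straight into kubectl apply -f - (sourcing the credentials from your secrets manager) rather than committing the rendered manifest, since it contains the Cognito client secret in clear text.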