IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Configure GitLab as an identity provider for ARO

Authors: Steve Mirman, Paul Czarkowski
Last Editor: Dustin Scott
Published Date: 28 March 2022
Modified Date: 25 May 2023

The following instructions will detail how to configure GitLab as the identity provider for Azure Red Hat OpenShift:

  1. Register a new application in GitLab
  2. Create OAuth callback URL in ARO
  3. Log in and confirm
  4. Add administrative users or groups

Register a new application in GitLab

Log into GitLab and execute the following steps:

  1. Go to Preferences

    GitLab Preferences

  2. Select Applications from the left navigation bar

    GitLab applications

  3. Provide a Name and enter an OAuth Callback URL as the Redirect URI in GitLab

    Note: the OAuth Callback has the following format: https://oauth-openshift.apps.<cluster-id>.<region>.aroapp.io/oauth2callback/GitLab

    GitLab Redirect URI

  4. Check the openid box and save the application

    GitLab OpenID

  5. After saving the GitLab application you will be provided with an Application ID and a Secret

    GitLab Confirmation

  6. Copy both the Application ID and Secret for use in the ARO console

Create OAuth provider in ARO

Log in to the ARO console as an administrator to add a GitLab identity provider

  1. Select the ‘Administration’ drop down and click ‘Cluster Settings’

    aro administration

  2. On the ‘Configuration’ scroll down and click on ‘OAuth’

    aro select OAuth

  3. Select ‘GitLab’ from the Identity Providers drop down

    aro select GitLab

  4. Enter a Name, the base URL of your GitLab OAuth server, and the Client ID and CLient Secret from the previous step

    Add the IDP

  5. Click Add to confirm the configuration

    blank values

Log in and confirm

  1. Go to the ARO console in a new browser to bring up the OpenShift login page. An option for GitLab should now be available.

    Note: I can take 2-3 minutes for this update to occur

    OpenShift GitLab login

  2. After selecting GitLab for the first time an authorization message will appear. Click Authorize to confirm.

    GitLab Authorize

  3. Once you have successfully logged in using GitLab, your userid should display under Users in the User Management section of the ARO console

    GitLab user

    Note: On initial login users do NOT have elevated access

Add administrative users or groups

  1. Now that the GitLab identity provider is configured, it is possible to add authenticated users to elevated OpenShift roles. This can be accomplished at the user or group level.

  2. To elevate a users permissions, select the user in the OpenShift console and click Create Binding from the RoleBindings tab

    GitLab user details

  3. Choose the scope (namespace/cluster), assign a name to the RoleBinding, and choose a role.

    GitLab user role

  4. After clicking Create the assigned user will have elevated access once they log in.

    GitLab user role confirm

  5. To elevate a groups permissions, create a group in the OpenShift console.

    GitLab group create

  6. Edit the group YAML to specify a custom name and initial user set

    GitLab user role

  7. Create a RoleBinding for the group, similar to what was configured previously for an individual user

    GitLab user role confirm

  8. Add additional users to the YAML file as needed and they will assume the elevated access

    GitLab Add Users