
IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Configure GitLab as an identity provider for ROSA/OSD

Steve Mirman

16 February 2022

The following instructions detail how to configure GitLab as the identity provider for Managed OpenShift through the OpenShift Cluster Manager (OCM):

  1. Create OAuth callback URL in OCM
  2. Register a new application in GitLab
  3. Configure the identity provider credentials and URL
  4. Add cluster-admin or dedicated-admin users
  5. Log in and confirm

Create OAuth callback URL in OCM

Log in to the OpenShift Cluster Manager (OCM) to add a GitLab identity provider.

  1. Select your cluster in OCM and then go to the ‘Access control’ tab and select ‘Identity Providers’


  2. Choose GitLab as identity provider from the identity providers list


  3. Provide a name for the new identity provider


  4. Copy the OAuth callback URL. It will be needed later


    Note: the OAuth Callback has the following format:

     https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_name>
    
  5. At this point, leave the Client ID, Client secret, and URL blank while configuring GitLab


Register a new application in GitLab

Log into GitLab and execute the following steps:

  1. Go to Preferences


  2. Select Applications from the left navigation bar


  3. Provide a Name and enter the OAuth callback URL copied from OCM above as the Redirect URL in GitLab


  4. Check the openid box and save the application


  5. After saving the GitLab application you will be provided with an Application ID and a Secret


  6. Copy both the Application ID and Secret and return to the OCM console
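
A check of the Redirect URL entered in GitLab against the callback format noted in the OCM section, as an added example that is not part of the original guide. The cluster name, domain and IdP name are constructed sample values, and the check assumes the Redirect URL has to match the callback exactly.

```python
from urllib.parse import urlsplit


def expected_callback(cluster_name, cluster_domain, idp_name):
    """Build the callback URL in the format shown in the OCM note."""
    return (f"https://oauth-openshift.apps.{cluster_name}.{cluster_domain}"
            f"/oauth2callback/{idp_name}")


def check_redirect_url(redirect_url, cluster_name, cluster_domain, idp_name):
    """Return a list of mismatches; an empty list means the URL matches."""
    want = urlsplit(expected_callback(cluster_name, cluster_domain, idp_name))
    got = urlsplit(redirect_url.strip())
    problems = []
    if redirect_url != redirect_url.strip():
        problems.append("leading or trailing whitespace")
    if got.scheme != "https":
        problems.append(f"scheme is {got.scheme!r}, expected 'https'")
    # netloc carries any userinfo or port, so those are flagged here as well
    if got.netloc != want.netloc:
        problems.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    # the last path segment must be the IdP name exactly as typed in OCM
    if got.path != want.path:
        problems.append(f"path is {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        problems.append("query string or fragment present")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real cluster
    args = ("mycluster", "abcd.p1.openshiftapps.com", "GitLab")
    good = expected_callback(*args)
    for candidate in (good, good.replace("https", "http", 1), good + "/",
                      good.lower()):
        print(candidate, "->", check_redirect_url(candidate, *args) or "OK")
```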


Configure the identity provider credentials and URL

  1. Returning to the OCM console, enter the Application ID and Secret obtained from GitLab in the previous step as Client ID and Client Secret respectively. Additionally, provide the GitLab URL where the credentials were obtained and click Add


  2. The new GitLab identity provider should display in the IDP list


Add cluster-admin or dedicated-admin users

  1. Now that the GitLab identity provider is configured, it is possible to add authenticated users to elevated OCM and OpenShift roles. Under Cluster Roles and Access select Add user and enter an existing GitLab user. Then choose to assign dedicated-admin or cluster-admin permissions to the user and click Add user


  2. The new user should now display, with proper permissions, in the cluster-admin or dedicated-admin user lists


Log in and confirm

  1. Select the Open console button in OCM to bring up the OpenShift login page. An option for GitLab should now be available.

    Note: It can take 1-2 minutes for this update to occur


  2. After selecting GitLab for the first time an authorization message will appear. Click Authorize to confirm.


  3. Congratulations!
