Openshift SSO with Gitlab
Configure Openshift Cluster to use Gitlab as a user backend for login with oauth2 and SSO.
Parts of the Openshift series
- Part1: Install Opeshift
- Part2: How to Enable Auto Approval of CSR in Openshift v3.11
- Part3: Add new workers to Openshift cluster
- Part4: Chane the certificates of the Openshift cluster
- Part5: LDAP authentication for Openshift
- Part6: Keycloak SSO authentication for Openshift
- Part7: Gitlab SSO authentication for Openshift
- Part8a: Ceph persistent storage for Openshift
- Part8b: vSphere persistent storage for Openshift
- Part9: Helm on Openshift
- Part10: Tillerless Helm on Openshift
- Part11: Use external docker registry on Openshift
- Part12: Secondary router on Openshift
- Part13a: Use Letsencrypt on Openshift
- Part13b: Install cert-managger on Openshift
- Part14: Create Openshift operators
- Part15: Convert docker-compose file to Opeshift
- Part16a: Opeshift elasticsearch search-guard error
- Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
With Ansible-openshift you can not change the authetication method after Install !! If you installed the cluster with htpasswd, then change to LDAP the playbook trys to add a second authentication methot for the config. It is forbidden to add a second type of identity provider in the version 3.11 of Ansible-openshift. To solve this problem we must change the configuration manually.
Environment
192.168.1.40 deployer
192.168.1.41 openshift01 # master node
192.168.1.42 openshift02 # infra node
192.168.1.43 openshift03 # worker node
Configuration Gitlab
Login to Gitlab and create client for the app:
Configurate The cluster
# on all openshift hosts
nano /etc/origin/master/master-config.yaml
...
identityProviders:
- name: gitlabsso
challenge: true
login: true
mappingMethod: claim
provider:
apiVersion: v1
kind: GitLabIdentityProvider
legacy: true
clientID: 7305abce637a123654a2c9dd4f8caec1156a1bc41cd80be4db0f14253fe24e58
clientSecret: 2d5aebe7831c99383d876cc235febb401906263de748a29b03b058f62f15c2f7
url: https://gitlab.devopstales.intra/
- challenge: true
Reconfigurate the cluster
# on all openshift hosts
master-restart api
master-restart controllers