Skip to main content

GitLab

  1. Create A GitLab App

    In GitLab, navigate to User Settings > Applications and create a new application with the following settings:

    Remember the $GITLAB_CLIENT_ID and $GITLAB_CLIENT_SECRET that GitLab generates for your OAuth application because you will need it in the next step.

  2. Create vCluster.Pro Config For GitLab

    To tell vCluster.Pro to use gitlab for SSO, navigate to Admin > Config in vCluster.Pro and adjust your config as shown below:

    auth:
    # Tell loft to use gitlab authentication
    gitlab:
    #
    #
    # REQUIRED CONFIGURATION
    #
    #
    # ClientID for the gitlab authentication. Can be string literal or pulled from the environment.
    clientId: $CLIENTID
    # ClientSecret for the gitlab authentication. Can be string literal or pulled from the environment.
    clientSecret: $CLIENTSECRET
    # Callback URL in the form of https://your-loft-domain/auth/gitlab/callback
    redirectURI: https://vcluster-pro.my.domain/auth/gitlab/callback
    #
    #
    # OPTIONAL CONFIGURATION
    #
    #
    # (Optional) BaseURL of the gitlab instance,
    # default = https://gitlab.com
    baseURL: https://my-gitlab-instance.com
    # (Optional) Optional groups whitelist, communicated through the "groups" scope.
    # If groups is omitted, all of the user's GitLab groups are returned.
    # If groups is provided, this acts as a whitelist - only the user's GitLab
    # groups that are in the configured groups below will go into the groups claim.
    # Conversely, if the user is not in any of the configured groups, the user will
    # not be authenticated.
    groups:
    - my-group
  3. Authenticate via GitLab

    After saving the new vCluster.Pro configuration, vCluster.Pro will restart itself and you should be able to log in via GitLab.

  4. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
    oidc: ... # This is your SSO configuration (make sure this is working!)
    password:
    disabled: true # Disable password-based authentication