sso templating

2024-10-30 16:49:50 -04:00 · 2024-10-30 16:49:50 -04:00 · 3cb30ab798
commit 3cb30ab798
parent 9149ed568c
3 changed files with 11 additions and 7 deletions
--- a/.env.sample
+++ b/.env.sample
@ -3,7 +3,8 @@ TYPE=gitlab
 DOMAIN=gitlab.example.com

 REGISTRY_DOMAIN=registry.gitlab.example.com
-PAGES_DOMAIN=pages.gitlab.example.com
+# The Gitlab Pages domain must not be a subdomain of the main Gitlab domain
+PAGES_DOMAIN=pages.example.com

 ## Domain aliases
 EXTRA_DOMAINS=", `$REGISTRY_DOMAIN`, `$PAGES_DOMAIN`"
@ -20,6 +21,6 @@ SECRET_RUNNER_TOKEN_VERSION=v1
 SSO=false
 ## Authentik Configuration
 # SSO=true
-# SSO_PROVIDER_HOST="authentik.mydomain.com"
+# SSO_PROVIDER_URL="https://authentik.mydomain.com/application/o/gitlab/"
 # ORG_NAME="My Organization"
-# SECRET_CLIENT_SSO_SECRET_VERSION=v1
+# SECRET_SSO_PROVIDER_SECRET_VERSION=v1
--- a/compose.yml
+++ b/compose.yml
@ -53,6 +53,9 @@ secrets:
  runner_token:
    external: true
    name: ${STACK_NAME}_runner_token_${SECRET_RUNNER_TOKEN_VERSION}
+  sso_provider_secret:
+    external: true
+    name: ${STACK_NAME}_sso_provider_secret_${SECRET_SSO_PROVIDER_SECRET_VERSION}

 volumes:
  gitlabconfig:
--- a/gitlab.rb.tmpl
+++ b/gitlab.rb.tmpl
@ -569,19 +569,19 @@ gitlab_rails['omniauth_providers'] = [
  {
    "name" => "openid_connect",
    "label" => "{{ env "ORG_NAME" }}",
-    "icon" => "https://git.{{ env "BASE_DOMAIN" }}/uploads/-/system/appearance/favicon/1/favicon.png",
+    "icon" => "https://{{ env "DOMAIN" }}/uploads/-/system/appearance/favicon/1/favicon.png",
    "args" => { 
      "name" => "openid_connect",
      "scope" => ["openid","profile","email"],
      "response_type" => "code",
-      "issuer" => "https://accounts.{{ env "BASE_DOMAIN" }}/realms/{{ env "KEYCLOAK_REALM" }}",
+      "issuer" => "{{ env "SSO_PROVIDER_URL" }}",
      "discovery" => true,
      "client_auth_method" => "query",
      "send_scope_to_token_endpoint" => "false",
      "client_options" => {
        "identifier" => "gitlab",
-        "secret" => "{{ env "GITLAB_KEYCLOAK_SECRET" }}",
-        "redirect_uri" => "https://git.{{ env "BASE_DOMAIN" }}/users/auth/openid_connect/callback"
+        "secret" => "{{ secret "sso_provider_secret" }}",
+        "redirect_uri" => "https://{{ env "DOMAIN" }}/users/auth/openid_connect/callback"
      }
    }
  }