How to integrate Cloud Foundry with Gitlab

by Gastón Ramos

This article explains how to use gitlab and login against a cloud foundry authorization server.
Basically you will need 3 components:

  • uaa
  • gitlabhq
  • omniauth-uaa-oauth2

Installing UAA

In a real world probably you already has a  uaa server installed, but for the purpose of this article let’s start cloning and installing a fresh uaa;

git clone git@github.com:cloudfoundry/uaa.git
cd uaa
mvn install

Gitlab installation

Ok. with this we have the uaa server installed so now we will install gitlab, I’m not going to explain the whole installation
process that you can find in the gitlabhq readme, for the purpose of this article you only needs to install the required gems and that’s all.

git clone git@github.com:gitlabhq/gitlabhq.git
cd gitlabhq
cp config/database.yml.mysql config/database.yml
cp config/gitlab.yml.example config/gitlab.yml
bundle install

Omniauth uaa strategy installation

Now we have a basic installation of gitlab, but we need to add the omniauth-uaa-oauth2 strategy for omniauth to be able to login against uaa.
First we need to clone the omniauth-uaa-oauth2 and install it:

git clone git@github.com:cloudfoundry/omniauth-uaa-oauth2.git
bundle install
bundle exec gem build omniauth-uaa-oauth2.gemspec
gem install omniauth-uaa-oauth2-*.gem

Enable omniauth and cloudfoundry strategy

Now let’s go back to the gitlabhq dir
and add this 3 lines into the Gemfile:

gem 'cf-uaa-lib', '1.3.10'
gem 'omniauth-uaa-oauth2

And then enable oauth in the gitlab.yml, basically we should change the omniauth enabled to true and add the cloudfoundry to the omniauth providers, so the gitlab.yml config file should look like this:

# # # # # # # # # # # # # # # # # #
# GitLab application config file #
# # # # # # # # # # # # # # # # # #
#
# How to use:
# 1. copy file as gitlab.yml
# 2. Replace gitlab -> host with your domain
# 3. Replace gitlab -> email_from
production: &base
#
# 1. GitLab app settings
# ==========================
## GitLab settings
gitlab:
## Web server settings (note: host is the FQDN, do not include http://)
host: localhost
port: 80
https: false
# Uncomment and customize the last line to run in a non-root path
# WARNING: We recommend creating a FQDN to host GitLab in a root path instead of this.
# Note that four settings need to be changed for this to work.
# 1) In your application.rb file: config.relative_url_root = "/gitlab"
# 2) In your gitlab.yml file: relative_url_root: /gitlab
# 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
# 4) In ../gitlab-shell/config.yml: gitlab_url: "http://127.0.0.1/gitlab"
# To update the path, run: sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
#
# relative_url_root: /gitlab
# Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
# user: git
## Email settings
# Email address used in the "From" field in mails sent by GitLab
email_from: gitlab@localhost
# Email address of your support contact (default: same as email_from)
support_email: support@localhost
## User settings
default_projects_limit: 10
# default_can_create_group: false # default: true
# username_changing_enabled: false # default: true – User can change her username/namespace
## Default theme
## BASIC = 1
## MARS = 2
## MODERN = 3
## GRAY = 4
## COLOR = 5
# default_theme: 2 # default: 2
## Users management
# default: false – Account passwords are not sent via the email if signup is enabled.
# signup_enabled: true
# Restrict setting visibility levels for non-admin users.
# The default is to allow all levels.
#restricted_visibility_levels: [ "public" ]
## Automatic issue closing
# If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
# This happens when the commit is pushed or merged into the default branch of a project.
# When not specified the default issue_closing_pattern as specified below will be used.
# issue_closing_pattern: '([Cc]lose[sd]|[Ff]ixe[sd]) +#\d+'
## Default project features settings
default_projects_features:
issues: true
merge_requests: true
wiki: true
wall: false
snippets: false
visibility_level: "private" # can be "private" | "internal" | "public"
## External issues trackers
issues_tracker:
# redmine:
# title: "Redmine"
# ## If not nil, link 'Issues' on project page will be replaced with this
# ## Use placeholders:
# ## :project_id – GitLab project identifier
# ## :issues_tracker_id – Project Name or Id in external issue tracker
# project_url: "http://redmine.sample/projects/:issues_tracker_id"
#
# ## If not nil, links from /#\d/ entities from commit messages will replaced with this
# ## Use placeholders:
# ## :project_id – GitLab project identifier
# ## :issues_tracker_id – Project Name or Id in external issue tracker
# ## :id – Issue id (from commit messages)
# issues_url: "http://redmine.sample/issues/:id"
#
# ## If not nil, linkis to creating new issues will be replaced with this
# ## Use placeholders:
# ## :project_id – GitLab project identifier
# ## :issues_tracker_id – Project Name or Id in external issue tracker
# new_issue_url: "http://redmine.sample/projects/:issues_tracker_id/issues/new"
#
# jira:
# title: "Atlassian Jira"
# project_url: "http://jira.sample/issues/?jql=project=:issues_tracker_id"
# issues_url: "http://jira.sample/browse/:id"
# new_issue_url: "http://jira.sample/secure/CreateIssue.jspa"
## Gravatar
gravatar:
enabled: true # Use user avatar image from Gravatar.com (default: true)
# plain_url: "http://…" # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=mm
# ssl_url: "https://…" # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=mm
#
# 2. Auth settings
# ==========================
## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: false
host: '_your_ldap_server'
base: '_the_base_where_you_search_for_users'
port: 636
uid: 'sAMAccountName'
method: 'ssl' # "ssl" or "plain"
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
password: '_the_password_of_the_bind_user'
# If allow_username_or_email_login is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# – the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
# – GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
enabled: true
# CAUTION!
# This allows users to login without having a user account first (default: false).
# User accounts will be created automatically when authentication was successful.
allow_single_sign_on: true
# Locks down those users until they have been cleared by the admin (default: true).
block_auto_created_users: false
## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others:
# see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Working-custom-omniauth-provider-configurations
# The 'app_id' and 'app_secret' parameters are always passed as the first two
# arguments, followed by optional 'args' which can be either a hash or an array.
providers:
{ name: 'cloudfoundry', app_id: 'app', app_secret: 'appclientsecret',
args: { auth_server_url: 'http://localhost:8080/uaa/', token_server_url: 'http://localhost:8080/uaa' } }
# – { name: 'twitter', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET'}
# – { name: 'github', app_id: 'YOUR APP ID',
# app_secret: 'YOUR APP SECRET',
# args: { scope: 'user:email' } }
#
# 3. Advanced settings
# ==========================
# GitLab Satellites
satellites:
# Relative paths are relative to Rails.root (default: tmp/repo_satellites/)
path: /home/git/gitlab-satellites/
## Backup settings
backup:
path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
# keep_time: 604800 # default: 0 (forever) (in seconds)
## GitLab Shell settings
gitlab_shell:
path: /home/git/gitlab-shell/
# REPOS_PATH MUST NOT BE A SYMLINK!!!
repos_path: /home/git/repositories/
hooks_path: /home/git/gitlab-shell/hooks/
# Git over HTTP
upload_pack: true
receive_pack: true
# If you use non-standard ssh port you need to specify it
# ssh_port: 22
## Git settings
# CAUTION!
# Use the default values unless you really know what you are doing
git:
bin_path: /usr/bin/git
# The next value is the maximum memory size grit can use
# Given in number of bytes per git object (e.g. a commit)
# This value can be increased if you have very large commits
max_size: 5242880 # 5.megabytes
# Git timeout to read a commit, in seconds
timeout: 10
#
# 4. Extra customization
# ==========================
extra:
## Google analytics. Uncomment if you want it
# google_analytics_id: '_your_tracking_id'
## Text under sign-in page (Markdown enabled)
# sign_in_text: |
# ![Company Logo](http://www.companydomain.com/logo.png)
# [Learn more about CompanyName](http://www.companydomain.com/)
development:
<<: *base
test:
<<: *base
issues_tracker:
redmine:
title: "Redmine"
project_url: "http://redmine/projects/:issues_tracker_id"
issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
staging:
<<: *base

view raw
gistfile1.yml
hosted with ❤ by GitHub

Now that we have all the required components installed and cofigured we should ensure that uaa and gitlab are up (“mvn tomcat:run” for uaa and “rails s” for gitlab) and then open a browser and go to http://localhost:3000 and as you can see in the image you should see the gitlab login page with a “Sign in with cloudfoundry” button in it.

gitlab-cf-login

That’s all.

Update: I’ve made a video to show the login screen