diff --git a/k8s/production/gitlab/release.yaml b/k8s/production/gitlab/release.yaml
index 2d6d69f45..237aa88b3 100644
--- a/k8s/production/gitlab/release.yaml
+++ b/k8s/production/gitlab/release.yaml
@@ -121,6 +121,34 @@ spec:
 # to 90 from its default of 30.
 graphQlTimeout: 90
+ # https://docs.gitlab.com/charts/charts/globals/#omniauth
+ omniauth:
+ enabled: true
+
+ # This secret specifies the github provider with its secret values
+ providers:
+ - secret: gitlab-omniauth-github
+ key: provider
+
+ # Sync github profile data to users' gitlab accounts
+ syncProfileFromProvider: ['github']
+
+ # Make github an "external provider", i.e. users logging in via GitHub
+ # will not have access to internal GitLab projects
+ externalProviders: ['github']
+
+ # Allow new accounts to be created when authenticating through GitHub
+ allowSingleSignOn: true
+
+ # If a user is logging in via GitHub for the first time and already has an account
+ # on Spack GitLab, automatically link the accounts
+ autoLinkUser: true
+
+ # Block auto-created users from logging in until an admin has approved them.
+ # Since the primary purpose of this integration is authentication between
+ # the two services (and nothing more), this is preferred.
+ blockAutoCreatedUsers: true
+
 antiAffinity: hard
 ### END OF GLOBAL SECTION
diff --git a/k8s/production/gitlab/secrets.yaml b/k8s/production/gitlab/secrets.yaml
new file mode 100644
index 000000000..8d5785967
--- /dev/null
+++ b/k8s/production/gitlab/secrets.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-omniauth-github
+ namespace: gitlab
+stringData:
+ provider: |
+ {
+ "name": "github",
+ "app_id": "id",
+ "app_secret": "secret"
+ }
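Review bot: `autoLinkUser: true` attaches a GitHub identity to an existing GitLab account on an email match alone, so ownership of that account rests on whatever address GitHub reports. `blockAutoCreatedUsers: true` does not cover this path, since it gates only accounts created by the sign-in, not existing ones that get linked. If linking is meant to be opt-in, set `autoLinkUser: false` and let users connect GitHub from their own profile; otherwise add a comment such as `# Linking relies on the provider returning a verified email address`. It is also worth confirming how `externalProviders: ['github']` treats an already-internal user after a link, because the comment above it describes only users who log in via GitHub.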
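Review bot: The `app_id` and `app_secret` values under `stringData.provider` are placeholders, but nothing in the manifest says so or explains how the real GitHub OAuth credentials reach the cluster. If this directory is applied automatically (not visible in this diff), the placeholder Secret could overwrite a hand-populated `gitlab-omniauth-github` and break sign-in. Filling in real values here would commit the client secret to the repository in plaintext. I would add a header comment such as `# Placeholder values only; real credentials are provisioned out of band and must never be committed here`, or switch to whatever encrypted or external secret mechanism the repository already uses.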