From eafcd760a04c56b39874bb9627e9f6ab9ad8f744 Mon Sep 17 00:00:00 2001 From: Mike VanDenburgh Date: Thu, 6 Nov 2025 15:09:21 -0500 Subject: [PATCH 1/2] [wip] set up github.com as an oauth provider --- k8s/production/gitlab/release.yaml | 25 +++++++++++++++++++++++++ k8s/production/gitlab/secrets.yaml | 12 ++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 k8s/production/gitlab/secrets.yaml diff --git a/k8s/production/gitlab/release.yaml b/k8s/production/gitlab/release.yaml index 2d6d69f45..09e5cb4ca 100644 --- a/k8s/production/gitlab/release.yaml +++ b/k8s/production/gitlab/release.yaml @@ -121,6 +121,31 @@ spec: # to 90 from its default of 30. graphQlTimeout: 90 + omniauth: + enabled: true + + providers: + - secret: gitlab-omniauth-github + key: provider + + # Sync github profile data to users' gitlab accounts + syncProfileFromProvider: ['github'] + + # Make github an "external provider", i.e. users logging in via GitHub + # will not have access to internal GitLab projects + externalProviders: ['github'] + + # Allow single sign on from GitHub + allowSingleSignOn: true + + # If a user is logging in via GitHub for the first time and already has an account + # on Spack GitLab, automatically link the accounts + autoLinkUser: true + + # Block auto-created users from logging in until an admin has approved them + # TODO: do we want to do this? + blockAutoCreatedUsers: true + antiAffinity: hard ### END OF GLOBAL SECTION diff --git a/k8s/production/gitlab/secrets.yaml b/k8s/production/gitlab/secrets.yaml new file mode 100644 index 000000000..8d5785967 --- /dev/null +++ b/k8s/production/gitlab/secrets.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitlab-omniauth-github + namespace: gitlab +stringData: + provider: | + { + "name": "github", + "app_id": "id", + "app_secret": "secret" + } From e7e81b4a857a78a3b0328dc671548d9892aa96a8 Mon Sep 17 00:00:00 2001 
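Review bot: `autoLinkUser: true` in the new `omniauth` block attaches a GitHub identity to an existing GitLab account on first login, and GitLab decides which account by matching email addresses, so every existing account (admins included) is then only as safe as the address GitHub reports for the person signing in. `blockAutoCreatedUsers: true` does not gate this path, because a linked account is not a newly created one. I would either drop auto-linking and let users link GitHub from their profile while signed in, or keep it and state the assumption in the comment, e.g. `# Links by matching email; an existing account is handed to whoever holds that address on GitHub`. It is also worth confirming whether `externalProviders: ['github']` flags an existing internal user as external once they sign in through GitHub. PATCH 2/2 rewords these comments but keeps the same values.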
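Review bot: The new `secrets.yaml` carries the OAuth client credentials in a plain `stringData` Secret, with `"id"` and `"secret"` as placeholders, so filling in real values in this file would commit the GitHub `app_secret` to the repository in clear text. If this directory is applied automatically (not visible from the patch), the placeholder manifest could also replace a hand-created Secret with unusable values. Before this leaves WIP, the Secret should go through whatever encrypted-secret mechanism the repository uses, or be created out of band and kept out of git, with a comment next to `secret: gitlab-omniauth-github` in `release.yaml` saying where it comes from. GitLab's documented GitHub provider entry also includes `"args": {"scope": "user:email"}`, which seems worth adding here since account linking depends on the email.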
From: Jacob Nesbitt Date: Wed, 7 Jan 2026 15:57:13 -0500 Subject: [PATCH 2/2] Update comments --- k8s/production/gitlab/release.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/k8s/production/gitlab/release.yaml b/k8s/production/gitlab/release.yaml index 09e5cb4ca..237aa88b3 100644 --- a/k8s/production/gitlab/release.yaml +++ b/k8s/production/gitlab/release.yaml @@ -121,9 +121,11 @@ spec: # to 90 from its default of 30. graphQlTimeout: 90 + # https://docs.gitlab.com/charts/charts/globals/#omniauth omniauth: enabled: true + # This secret specifies the github provider with its secret values providers: - secret: gitlab-omniauth-github key: provider @@ -135,15 +137,16 @@ spec: # will not have access to internal GitLab projects externalProviders: ['github'] - # Allow single sign on from GitHub + # Allow new accounts to be created when authenticating through GitHub allowSingleSignOn: true # If a user is logging in via GitHub for the first time and already has an account # on Spack GitLab, automatically link the accounts autoLinkUser: true - # Block auto-created users from logging in until an admin has approved them - # TODO: do we want to do this? + # Block auto-created users from logging in until an admin has approved them. + # Since the primary purpose of this integration is authentication between + # the two services (and nothing more), this is preferred. blockAutoCreatedUsers: true antiAffinity: hard
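Review bot: The reworded comment on `allowSingleSignOn` says it allows account creation when authenticating through GitHub, but the value `true` enables automatic account creation for every OmniAuth provider configured now or added later. The chart accepts a provider list for this key, so `allowSingleSignOn: ['github']` would make the setting match the comment and stop a future provider from inheriting auto-creation. This applies to the second hunk of PATCH 2/2; the enclosing `omniauth` mapping begins in the first hunk and continues past both.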