GoCD Authorization


X-Cloud Lab

Oct 6, 2022, 11:36:02 PM
to go-cd
Hello All,

Currently, I'm using GitLab authorization and it works perfectly, but the users in GitLab are local users.

Now, I'm using AWS Identity Center (SSO). It provides SAML federation.
It can integrate with GitLab through the AWS SSO portal.
But GoCD does not provide a SAML authorization plugin.

Can GoCD authorize through GitLab? AWS SSO -> GitLab -> GoCD.
In my opinion, it is like a chain authorization. I'm not sure whether this will work or not.

So, I've done a PoC with AWS Cognito + AWS SSO. It works as expected. I don't need to set up local users in AWS Cognito. However, GoCD does not provide an OAuth plugin for AWS Cognito.

But it seems able to use the Okta OAuth plugin.

Could you please help guide me on what solution is suitable for GoCD?

Sriram Narayanan

Oct 7, 2022, 12:43:43 AM
to go...@googlegroups.com
You can indeed use Gitlab authentication in GoCD. I have set one up for a friend. Please see: https://github.com/gocd-contrib/gitlab-oauth-authorization-plugin




--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/11c4d719-d115-4ea4-a749-3df4d8c1975fn%40googlegroups.com.

X-Cloud Lab

Oct 7, 2022, 5:15:45 AM
to go-cd
Thank you. I tested my first scenario.

It seems the problem is caused by domain name resolution. I'm using localhost for a test GitLab and GoCD with Docker.

GitLab:80
GoCD:8153

jvm 1    | 2022-10-07 09:07:02,534 ERROR [qtp1671617251-38] p.c.g.a.g.c.g.a.g.GitLabPlugin:127 [plugin-cd.go.authorization.gitlab] - Error while executing request go.cd.authorization.fetch-access-token
jvm 1    | java.net.ConnectException: Failed to connect to localhost/127.0.0.1:80


Chad Wilson

Oct 7, 2022, 6:17:36 AM
to go...@googlegroups.com
Hiya

Localhost doesn't resolve within docker/containers like you're expecting there. From within GoCD it will refer to the GoCD docker container, not your wider host. You need to either use the container's IP on the internal docker network, OR use the gitlab container ID as hostname, OR override the hostname, OR if you are on Mac/Windows and exposing the port outside the container you can use host.docker.internal. You should be able to find more details in a docker networking guide appropriate for your platform.

-Chad
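
A Docker Compose layout for the hostname options described above, as an added example that is not part of the original thread: the login redirect is followed by the browser on the host, while the fetch-access-token call in the log is made from inside the GoCD container, so the GitLab name has to resolve in both places. The names gitlab.test and authnet, the image tags and the hosts-file entry are assumptions.

```yaml
# Added example; gitlab.test, authnet and the image tags are assumed names.
# The browser on the host must resolve the same name: add
#   127.0.0.1 gitlab.test
# to the host's hosts file, then use http://gitlab.test as the GitLab URL
# in GoCD's authorization configuration instead of http://localhost.
services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    environment:
      # external_url sets the base URL GitLab uses in the links it generates
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.test'
    ports:
      - "80:80"            # reachable from the host browser
    networks:
      authnet:
        aliases:
          - gitlab.test    # reachable by this name from other containers

  gocd-server:
    image: gocd/gocd-server:vX.Y.Z   # placeholder tag: pin your GoCD version
    ports:
      - "8153:8153"
    networks:
      - authnet
    # Alternative when GitLab runs directly on the host instead of in a
    # container: map a name to the host gateway (Docker 20.10+) and point
    # GoCD at http://host.docker.internal; the browser on the host needs
    # to resolve that name too.
    # extra_hosts:
    #   - "host.docker.internal:host-gateway"

networks:
  authnet: {}
```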

Sriram Narayanan

Oct 7, 2022, 6:23:30 AM
to go...@googlegroups.com
On Fri, Oct 7, 2022 at 5:15 PM X-Cloud Lab <xclo...@gmail.com> wrote:
Thank you. I tested my first scenario.

It seems the problem is caused by domain name resolution. I'm using localhost for a test GitLab and GoCD with Docker.

GitLab:80
GoCD:8153

jvm 1    | 2022-10-07 09:07:02,534 ERROR [qtp1671617251-38] p.c.g.a.g.c.g.a.g.GitLabPlugin:127 [plugin-cd.go.authorization.gitlab] - Error while executing request go.cd.authorization.fetch-access-token
jvm 1    | java.net.ConnectException: Failed to connect to localhost/127.0.0.1:80



In your specific case, GoCD within the container is attempting to connect to localhost within the same container, whereas your gitlab instance is on the host network.

Does your host computer have another interface and IP address? You could configure gocd to point to that IP address. You may also want to edit /etc/resolv.conf on your host (assuming you are on MacOS or on Linux) to give that host a unique name like gitlab.

e.g. /etc/resolv.conf could contain the following if your host has 10.10.1.19 as an IP Address

10.10.1.19 gitlab

Then configure GoCD to refer to Gitlab at "gitlab:80". The name would resolve on the host as 10.10.1.19

The above is just for you to prove the concept.

Incidentally, you could run GoCD on the host too, if you want. You could take the zip file installer for ease of R&D.
 

Sriram Narayanan

Oct 7, 2022, 6:24:45 AM
to go...@googlegroups.com
On Fri, Oct 7, 2022 at 6:17 PM Chad Wilson <ch...@thoughtworks.com> wrote:
Hiya

Localhost doesn't resolve within docker/containers like you're expecting there. From within GoCD it will refer to the GoCD docker container, not your wider host. You need to either use the container's IP on the internal docker network, OR use the gitlab container ID as hostname, OR override the hostname, OR if you are on Mac/Windows and exposing the port outside the container you can use host.docker.internal. You should be able to find more details in a docker networking guide appropriate for your platform.

Sorry, Chad, our messages overlapped. It appears to me that his Gitlab instance is on the host network while GoCD is within a container. Please see my response and advise if you recommend something else for him.

-- Sriram
 

X-Cloud Lab

Oct 8, 2022, 3:48:57 AM
to go-cd
Thank you Chad and Sriram. It works as you said. I can use AWS SSO as IdP for GitLab, and GitLab as IdP for GoCD.

One more question: does the GitLab OAuth plugin support GitLab group mapping with GoCD roles?

I see it mentioned in the GitHub repository.
"It also supports authorization, which can be used by server admin to map GoCD roles with GitLab projects or groups with access level."

Chad Wilson

Oct 8, 2022, 4:57:35 AM
to go...@googlegroups.com
I believe it was intended to support this, however it's not clear to me the status of this integration against a recent GitLab version as there are a couple of open PRs at https://github.com/gocd-contrib/gitlab-oauth-authorization-plugin/pulls that appear to make adjustments to this functionality.

Unless someone else on this group has recent personal experience with the plugin (personally I have only sanity checked it for authentication), if you have a test GitLab available you might be best to just try creating an authorization configuration and see if it is working how you'd expect?

-Chad
