Hi,

I had never implemented GitHub OAuth directly, but you might want to look into Gerrit OAuth plugin.
https://gerrit.googlesource.com/plugins/oauth/
You need to get artifact or to build it and to place it into /var/gerrit/plugins directory.
Then you need to configure/enable it. In case of Keycloak it looks like this:
```
[plugin "gerrit-oauth-provider-keycloak-oauth"]
root-url = https://sso.example.com
realm = external
client-id = gerrit
client-secret = your-secret
```
Might be similar to the GitHub.
In general you want to follow the documentation. I found it pretty complete to get it up and running.
You can also use GitHub Search to find the relevant config examples.
Is it possible for you to "bake" a "golden image" with all required plugins already there? You can also use K8s volumes to mount the plugins directory.

On Tuesday, May 21, 2024 at 12:45:26 PM UTC+3 Aankhi Talukdar wrote:

> On Tuesday, May 21, 2024 at 12:47:38 PM UTC+5:30 Dzintars Klavins wrote:
>
>> Hi,
>>
>> I had never implemented GitHub OAuth directly, but you might want to look into Gerrit OAuth plugin.
>> https://gerrit.googlesource.com/plugins/oauth/
>> You need to get artifact or to build it and to place it into /var/gerrit/plugins directory.
>> Then you need to configure/enable it. In case of Keycloak it looks like this:
>> ```
>> [plugin "gerrit-oauth-provider-keycloak-oauth"]
>> root-url = https://sso.example.com
>> realm = external
>> client-id = gerrit
>> client-secret = your-secret
>> ```
>> Might be similar to the GitHub.
>> In general you want to follow the documentation. I found it pretty complete to get it up and running.
>> You can also use GitHub Search to find the relevant config examples.
>
> Hi,
>
> We are following the same plugin doc for oauth implementation. But as we are implementing on k8s Gerrit, we cannot copy the plugin to the pod itself as this is not recommendable. If the pod crashes, the plugin might not be present in the pod, and we have to reconfigure it again. Moreover, the config file inside the /var/gerrit/plugins directory is a read-only file. We cannot update the file from our end. So, we need to invoke the plugin details in the gerrit-cluster.yaml file so that when the Gerrit cluster gets implemented, it is implemented with the plugin configuration itself and the same gets updated in the /var/gerrit/plugins directory of the pod.
>
> Aankhi
Thomas/ Matthias, can you please help us on this?
Thanks
On Tuesday, May 21, 2024 at 9:39:58 AM UTC+3 Aankhi Talukdar wrote:

> On Monday, May 20, 2024 at 8:24:44 PM UTC+5:30 Aankhi Talukdar wrote:
>
>> Hi Team,
>>
>> We have a requirement to implement GitHub OAuth for authentication in k8s Gerrit.
>> Is it possible to implement GitHub OAuth in k8s Gerrit? If so, can you please let me know the procedure for the same?
>>
>> Thanks
>> Aankhi
>
> Any Update on this please?
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/df5d6375-0300-4d4c-bd21-01aa5bb5f81fn%40googlegroups.com.
Hi Thomas,
We generated the oauth.jar file using the Bazel build on my local machine. How can we fetch the jar file present locally into spec.gerrits[].spec.plugins without using URL and sha sum? I built the Gerrit-base image by adding the oauth.jar into /var/gerrit/plugins/oauth.jar. Can you please help us with this?
```
# Add the OAuth plugin
COPY plugins/oauth.jar /var/plugins/oauth.jar
RUN ln -s /var/plugins/oauth.jar /var/gerrit/plugins/oauth.jar
```
Hi Team,
Also, I've found this build for the Oauth jar in the plugin's job.
https://gerrit-ci.gerritforge.com/view/Plugins-stable-3.8/job/plugin-oauth-bazel-master-stable-3.8/lastSuccessfulBuild/artifact/bazel-bin/plugins/oauth/oauth.jar
Is this Oauth plugin compatible with arm architecture and can we use it in our Gerrit Dockerfile?
Regards,
Swapna
Hi,
We face multiple issues while building the Oauth plugin using Bazel for both x86 and arm. Logs attached:
Could you please help us with this error message?
Also tried to build using the Gerrit tree, but the issue remains the same. Is it possible for you to build the OAuth plugin on arm or x86?
Hi,
Thanks David. I could build the oauth.jar file in standalone mode using the latest fix. However, I still face errors while building it in a gerrit tree mode.
Errors as attached in the log file.
Steps followed to build in gerrit mode:
--> git clone https://gerrit.googlesource.com/gerrit
--> git clone https://gerrit.googlesource.com/plugins/oauth
--> cd gerrit/plugins
--> ln -s ../../oauth .
--> rm external_plugin_deps.bzl
--> ln -s oauth/external_plugin_deps.bzl .
--> bazel build plugins/oauth
I built the image with the Gerrit-base dockerfile by adding the newly generated oauth.jar file and have done the basic configuration in my Gerrit yaml file.
However, my Gerrit container is not up and running. It is going to CrashLoopBackOff error. The logs indicate the error is:
```
Invalid plugin file /var/gerrit/plugins/oauth.jar: cannot get plugin name
[2024-06-10T10:40:53.961Z] [main] INFO com.google.gerrit.server.plugins.PluginLoader : Loading plugins from /var/gerrit/plugins
Jun 10, 2024 10:40:54 AM com.google.inject.servlet.GuiceFilter setPipeline
WARNING: Multiple Servlet injectors detected. This is a warning indicating that you have more than one GuiceFilter running in your web application. If this is deliberate, you may safely ignore this message. If this is NOT deliberate however, your application may not work as expected.
[2024-06-10T10:40:54.090Z] [main] INFO com.google.gerrit.server.plugins.PluginLoader : Loaded plugin healthcheck (w/ ApiModule), version v3.5.6-20-g2432849168 ..............
```
My gerrit replica pod is also not fully functioning as the gerrit container is not up. Error for the gerrit container in the gerrit replica pod:
```
Caused by: javax.servlet.ServletException: OAuth service provider wasn't installed
    at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.pickSSOServiceProvider(OAuthWebFilter.java:180)
    at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.init(OAuthWebFilter.java:74)
    at com.google.inject.servlet.FilterDefinition.init(FilterDefinition.java:110)
    at com.google.inject.servlet.ManagedFilterPipeline.initPipeline(ManagedFilterPipeline.java:98)
    at com.google.inject.servlet.GuiceFilter.init(GuiceFilter.java:232)
    at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:140)
    at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:750)
    at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992)
    at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
    at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:762)
    at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:774) ............
```
On Monday, June 10, 2024 at 5:16:30 PM UTC+5:30 Thomas Dräbing wrote:

> On Mon, 10 Jun 2024 at 13:34, swapna vegi <swapna...@gmail.com> wrote:
>
>> Hi,
>> Thanks David. I could build the oauth.jar file in standalone mode using the latest fix. However, I still face errors while building it in a gerrit tree mode.
>> Errors as attached in the log file.
>> Steps followed to build in gerrit mode:
>> --> git clone https://gerrit.googlesource.com/gerrit
>> --> git clone https://gerrit.googlesource.com/plugins/oauth
>> --> cd gerrit/plugins
>> --> ln -s ../../oauth .
>> --> rm external_plugin_deps.bzl
>> --> ln -s oauth/external_plugin_deps.bzl .
>> --> bazel build plugins/oauth
>> I built the image with the Gerrit-base dockerfile by adding the newly generated oauth.jar file and have done the basic configuration in my Gerrit yaml file.
>> However, my Gerrit container is not up and running. It is going to CrashLoopBackOff error. The logs indicate the error is:
>> Invalid plugin file /var/gerrit/plugins/oauth.jar: cannot get plugin name
>> [2024-06-10T10:40:53.961Z] [main] INFO com.google.gerrit.server.plugins.PluginLoader : Loading plugins from /var/gerrit/plugins
>> Jun 10, 2024 10:40:54 AM com.google.inject.servlet.GuiceFilter setPipeline
>> WARNING: Multiple Servlet injectors detected. This is a warning indicating that you have more than one GuiceFilter running in your web application. If this is deliberate, you may safely ignore this message. If this is NOT deliberate however, your application may not work as expected.
>> [2024-06-10T10:40:54.090Z] [main] INFO com.google.gerrit.server.plugins.PluginLoader : Loaded plugin healthcheck (w/ ApiModule), version v3.5.6-20-g2432849168 ..............
>
> Looks like the jar file in the Gerrit site is not valid. Have you tried to run Gerrit with the plugin locally on your machine? Could you also post the logs of the gerrit-init container? Have you checked whether the plugin file in the site has a reasonable size and expected SHA sum?

Here are my logs for the gerrit-init container. We cannot log in to the pod so we cannot check the plugins folder inside the site. Also, not able to run gerrit with the plugin as I'm getting space crunch issues when running it on Minikube.
Additionally, could you please let us know how to build gerrit so that we can add the custom plugins into it?
```
[2024-06-10 10:40:26,792] INFO Requiring plugins: ['healthcheck']
[2024-06-10 10:40:26,792] INFO Requiring libs: []
[2024-06-10 10:40:26,802] INFO Removed plugin oauth.jar
[2024-06-10 10:40:26,802] INFO Removed plugin delete-project.jar
[2024-06-10 10:40:26,802] INFO Removed plugin download-commands.jar
[2024-06-10 10:40:26,803] INFO Removed plugin gitiles.jar
[2024-06-10 10:40:26,807] INFO Installing plugin healthcheck from container to /var/gerrit/plugins/healthcheck.jar.
[2024-06-10 10:40:26,808] DEBUG SHA1 of file '/var/plugins/healthcheck.jar' is b5a285a0ed64bcae8a51de6c4f5086468670d8dc
[2024-06-10 10:40:26,809] DEBUG SHA1 of file '/var/gerrit/plugins/healthcheck.jar' is b5a285a0ed64bcae8a51de6c4f5086468670d8dc
[2024-06-10 10:40:26,809] INFO Installing packaged plugin download-commands.
[2024-06-10 10:40:26,816] INFO Installing packaged plugin delete-project.
[2024-06-10 10:40:26,827] INFO Installing packaged plugin gitiles.
[2024-06-10 10:40:26,851] INFO Downloading oauth plugin to /var/gerrit/plugins/oauth.jar
[2024-06-10 10:40:27,974] DEBUG SHA1 of file '/var/gerrit/plugins/oauth.jar' is 775fadd515a7d952220c54031f7fb6511aec7321
[2024-06-10 10:40:30,450] INFO Installed Gerrit version: gerrit version 3.9.1; Provided Gerrit version: gerrit version 3.9.1).
[2024-06-10 10:40:30,450] INFO Plugins were installed or updated. Initializing.
[2024-06-10 10:40:30,450] INFO Existing gerrit.config found.
Generating SSH host key ... rsa... ed25519... ecdsa 384... ecdsa 521... done
Initialized /var/gerrit
[2024-06-10 10:40:38,196] INFO Skipping reindexing.
```

> Also, you don't need to build in the plugin into the image, if you anyway download it from artifactory. Building it into the image would require you to also change the scripts in the gerrit-init container, so that the scripts install the plugin. Another option would be to build Gerrit itself and include the plugin into the war-file. Then it can be installed like any core plugin.
>
>> My gerrit replica pod is also not fully functioning as the gerrit container is not up. Error for the gerrit container in the gerrit replica pod:
>> Caused by: javax.servlet.ServletException: OAuth service provider wasn't installed
>>     at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.pickSSOServiceProvider(OAuthWebFilter.java:180)
>>     at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.init(OAuthWebFilter.java:74)
>>     at com.google.inject.servlet.FilterDefinition.init(FilterDefinition.java:110)
>>     at com.google.inject.servlet.ManagedFilterPipeline.initPipeline(ManagedFilterPipeline.java:98)
>>     at com.google.inject.servlet.GuiceFilter.init(GuiceFilter.java:232)
>>     at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:140)
>>     at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:750)
>>     at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992)
>>     at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
>>     at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:762)
>>     at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:774) ............
>
> Looks like your gerrit.config configures Gerrit to use Oauth but the plugin has not been installed.
>
> HTH,
> Thomas
I have unzipped the jar file and the contents look fine.
Not able to attach the jar file. Hence, attaching a screenshot displaying the contents of the unzipped jar file.
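
The checks raised in this thread (file size, SHA sum, whether the file opens as a jar) can be scripted against the file that actually ends up in the plugins directory. This is an added example, not code from the thread or from the Gerrit project; the function names, the sample jar and the HTML bytes are constructed, and treating an unreadable archive as a likely cause of "cannot get plugin name" is an assumption.

```python
import hashlib
import io
import zipfile
from typing import Optional

MANIFEST = "META-INF/MANIFEST.MF"

def inspect_plugin_jar(data: bytes, expected_sha1: Optional[str] = None) -> dict:
    """Report size, SHA-1 and jar validity for the bytes of a plugin file."""
    report = {"size": len(data), "sha1": hashlib.sha1(data).hexdigest(),
              "is_jar": False, "plugin_name": None, "problems": []}
    # SHA-1 is used because that is the digest the gerrit-init log prints.
    if expected_sha1 and report["sha1"] != expected_sha1.strip().lower():
        report["problems"].append("SHA-1 does not match the expected value")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            bad = jar.testzip()  # CRC-checks every entry
            if bad is not None:
                report["problems"].append(f"corrupt entry: {bad}")
            if MANIFEST not in jar.namelist():
                report["problems"].append("no META-INF/MANIFEST.MF")
            else:
                report["is_jar"] = True
                text = jar.read(MANIFEST).decode("utf-8", "replace")
                for line in text.splitlines():
                    key, sep, value = line.partition(":")
                    if sep and key.strip() == "Gerrit-PluginName":
                        report["plugin_name"] = value.strip()
    except zipfile.BadZipFile:
        # Raised for a truncated download or a non-jar response saved as .jar
        report["problems"].append("not a zip archive")
    return report

def inspect_plugin_file(path: str, expected_sha1: Optional[str] = None) -> dict:
    """Same checks for a file on disk, e.g. a locally built oauth.jar."""
    with open(path, "rb") as fh:
        return inspect_plugin_jar(fh.read(), expected_sha1)

def constructed_jar(name: str = "example-plugin") -> bytes:
    """Constructed sample: a minimal jar holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nGerrit-PluginName: {name}\n")
    return buf.getvalue()

# Constructed sample: an HTML response stored under a .jar file name.
CONSTRUCTED_HTML = b"<html><body>Sign in to continue</body></html>"

if __name__ == "__main__":
    for label, blob in (("jar", constructed_jar()), ("html", CONSTRUCTED_HTML)):
        print(label, inspect_plugin_jar(blob))
```

Running `inspect_plugin_file` on the locally built jar and comparing its `sha1` with the value in the gerrit-init log shows whether the file downloaded into the site is the same artifact.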