To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a client ID and secret key for you to use.
To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your application with Azure. Azure will generate a client ID and secret key for you to use.
1. Sign in to the [Azure Management Portal](https://manage.windowsazure.com).
1.Sign in to the [Azure Management Portal](https://portal.azure.com).
1.Select "Active Directory" on the left and choose the directory you want to use to register GitLab.
1. Select "Active Directory" on the left and choose the directory you want to use to register GitLab.
1.Select "Applications" at the top bar and click the "Add" button the bottom.
1. Select "Applications" at the top bar and click the "Add" button the bottom.
1.Select "Add an application my organization is developing".
1. Select "Add an application my organization is developing".
1.Provide the project information and click the "Next" button.
1. Provide the project information and click the "Next" button.
- Name: 'GitLab' works just fine here.
- Name: 'GitLab' works just fine here.
- Type: 'WEB APPLICATION AND/OR WEB API'
- Type: 'WEB APPLICATION AND/OR WEB API'
1.On the "App properties" page enter the needed URI's and click the "Complete" button.
1. On the "App properties" page enter the needed URI's and click the "Complete" button.
- SIGN-IN URL: Enter the URL of your GitLab installation (e.g `https://gitlab.mycompany.com/`)
- SIGN-IN URL: Enter the URL of your GitLab installation (e.g `https://gitlab.mycompany.com/`)
- APP ID URI: Enter the endpoint URL for Microsoft to use, just has to be unique (e.g `https://mycompany.onmicrosoft.com/gitlab`)
- APP ID URI: Enter the endpoint URL for Microsoft to use, just has to be unique (e.g `https://mycompany.onmicrosoft.com/gitlab`)
1. Select "Configure" in the top menu.
1. Select "Configure" in the top menu.
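Review bot: step 1 now links to `https://portal.azure.com`, but the steps after it (select "Active Directory" on the left, "Applications" at the top bar, the "Add" button) are unchanged from when the link pointed at `https://manage.windowsazure.com`. Please walk through the flow at the new URL and update the navigation steps if the labels differ, otherwise the link and the instructions disagree. While here, 'click the "Add" button the bottom' is missing "at", and "e.g" in the two URL examples needs its trailing period.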
...
@@ -30,59 +30,59 @@ To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your ap
...
@@ -30,59 +30,59 @@ To enable the Microsoft Azure OAuth2 OmniAuth provider you must register your ap
1. You will see lots of endpoint URLs in the form `https://login.microsoftonline.com/TENANT ID/...`, note down the TENANT ID part of one of those endpoints.
1. You will see lots of endpoint URLs in the form `https://login.microsoftonline.com/TENANT ID/...`, note down the TENANT ID part of one of those endpoints.
1.On your GitLab server, open the configuration file.
1. On your GitLab server, open the configuration file.
For omnibus package:
For omnibus package:
```sh
```sh
sudo editor /etc/gitlab/gitlab.rb
sudo editor /etc/gitlab/gitlab.rb
```
```
For installations from source:
For installations from source:
```sh
```sh
cd /home/git/gitlab
cd /home/git/gitlab
sudo -u git -H editor config/gitlab.yml
sudo-u git -H editor config/gitlab.yml
```
```
1.See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
1. See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
1.Add the provider configuration:
1. Add the provider configuration:
For omnibus package:
For omnibus package:
```ruby
```ruby
gitlab_rails['omniauth_providers'] = [
gitlab_rails['omniauth_providers']=[
{
{
"name" => "azure_oauth2",
"name"=>"azure_oauth2",
"args" => {
"args"=>{
"client_id" => "CLIENT ID",
"client_id"=>"CLIENT ID",
"client_secret" => "CLIENT SECRET",
"client_secret"=>"CLIENT SECRET",
"tenant_id" => "TENANT ID",
"tenant_id"=>"TENANT ID",
}
}
}
}
]
]
```
```
For installations from source:
For installations from source:
```
```
- { name: 'azure_oauth2',
- { name: 'azure_oauth2',
args: { client_id: "CLIENT ID",
args: { client_id: "CLIENT ID",
client_secret: "CLIENT SECRET",
client_secret: "CLIENT SECRET",
tenant_id: "TENANT ID" } }
tenant_id: "TENANT ID" } }
```
```
The `base_azure_url` is optional and can be added for different locales;
The `base_azure_url` is optional and can be added for different locales;
e.g. `base_azure_url: "https://login.microsoftonline.de"`.
e.g. `base_azure_url: "https://login.microsoftonline.de"`.
1.Replace 'CLIENT ID', 'CLIENT SECRET' and 'TENANT ID' with the values you got above.
1. Replace 'CLIENT ID', 'CLIENT SECRET' and 'TENANT ID' with the values you got above.
1.Save the configuration file.
1. Save the configuration file.
1.[Reconfigure][] or [restart GitLab][] for the changes to take effect if you
1.[Reconfigure][] or [restart GitLab][] for the changes to take effect if you
installed GitLab via Omnibus or from source respectively.
installed GitLab via Omnibus or from source respectively.
On the sign in page there should now be a Microsoft icon below the regular sign in form. Click the icon to begin the authentication process. Microsoft will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.
On the sign in page there should now be a Microsoft icon below the regular sign in form. Click the icon to begin the authentication process. Microsoft will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.
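Review bot: the source-install snippet (`- { name: 'azure_oauth2', ...`) sits in a bare fence while the Omnibus snippet is tagged `ruby`; tag it `yaml` so both highlight. The `base_azure_url` sentence follows only the source snippet, so Omnibus readers are not shown where the option goes; show it in place in both snippets. Both files now hold `client_secret` in clear text, so a line reminding admins to keep `/etc/gitlab/gitlab.rb` and `config/gitlab.yml` readable only by the owning account would fit here. As rendered, the new side also reads `sudo-u git -H editor config/gitlab.yml` and `1.On your GitLab server`; if those missing spaces are in the file and not just in this view, the command will not run and the list items will not render.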
[OpenID Connect] \(OIDC) is a simple identity layer on top of the
[OpenID Connect](https://openid.net/connect/)\(OIDC) is a simple identity layer on top of the
OAuth 2.0 protocol. It allows clients to verify the identity of the end-user
OAuth 2.0 protocol. It allows clients to verify the identity of the end-user
based on the authentication performed by GitLab, as well as to obtain
based on the authentication performed by GitLab, as well as to obtain
basic profile information about the end-user in an interoperable and
basic profile information about the end-user in an interoperable and
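Review bot: on the changed first line the `\(` escape looks like a leftover from the reference-style link, where it presumably kept `(OIDC)` from being read as a link target. With the inline URL it is no longer needed, and the link now runs straight into the parenthesis; write `[OpenID Connect](https://openid.net/connect/) (OIDC)`.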
...
@@ -14,7 +14,7 @@ but does so in a way that is API-friendly, and usable by native and
...
@@ -14,7 +14,7 @@ but does so in a way that is API-friendly, and usable by native and
mobile applications.
mobile applications.
On the client side, you can use [omniauth-openid-connect] for Rails
On the client side, you can use [omniauth-openid-connect] for Rails
applications, or any of the other available [client implementations].
applications, or any of the other available [client implementations](https://openid.net/developers/libraries/#connect).
GitLab's implementation uses the [doorkeeper-openid_connect] gem, refer
GitLab's implementation uses the [doorkeeper-openid_connect] gem, refer
to its README for more details about which parts of the specifications
to its README for more details about which parts of the specifications
...
@@ -46,8 +46,6 @@ Currently the following user information is shared with clients:
...
@@ -46,8 +46,6 @@ Currently the following user information is shared with clients:
Only the `sub` and `sub_legacy` claims are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
Only the `sub` and `sub_legacy` claims are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
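Review bot: make sure the two lines this hunk removes (`-46,8 +46,6`; they are not visible in this view) do not include the definitions for `[omniauth-openid-connect]` or `[doorkeeper-openid_connect]`, which are still reference-style in the previous hunk. Either keep those definitions or convert the two links to inline form as was done for `[client implementations]`, so the page uses one link style.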
@@ -5,8 +5,8 @@ This documentation is for enabling shibboleth with omnibus-gitlab package.
...
@@ -5,8 +5,8 @@ This documentation is for enabling shibboleth with omnibus-gitlab package.
In order to enable Shibboleth support in gitlab we need to use Apache instead of Nginx (It may be possible to use Nginx, however this is difficult to configure using the bundled Nginx provided in the omnibus-gitlab package). Apache uses mod_shib2 module for shibboleth authentication and can pass attributes as headers to omniauth-shibboleth provider.
In order to enable Shibboleth support in gitlab we need to use Apache instead of Nginx (It may be possible to use Nginx, however this is difficult to configure using the bundled Nginx provided in the omnibus-gitlab package). Apache uses mod_shib2 module for shibboleth authentication and can pass attributes as headers to omniauth-shibboleth provider.
To enable the Shibboleth OmniAuth provider you must configure Apache shibboleth module.
To enable the Shibboleth OmniAuth provider you must configure Apache shibboleth module.
Installation and configuration of module it self is out of scope of this document.
The installation and configuration of the module itself is out of the scope of this document.
Check <https://wiki.shibboleth.net/> for more info.
Check <https://wiki.shibboleth.net/confluence/display/SP3/Apache> for more info.
You can find Apache config in gitlab-recipes (<https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache>).
You can find Apache config in gitlab-recipes (<https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache>).
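Review bot: the new link targets the SP3 Apache page (`.../display/SP3/Apache`) while the context line above still names the `mod_shib2` module; align the module name with the version the link documents, or link the page for the version named. The same paragraph says Apache "can pass attributes as headers" to the provider: worth adding a sentence that GitLab must then be reachable only through Apache and that Apache must discard any client-supplied copies of those headers, since the provider trusts them for identity. Minor: "gitlab" and "shibboleth" are lower-case in places, and "out of the scope of" reads better as "out of scope for".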
To enable the Twitter OmniAuth provider you must register your application with Twitter. Twitter will generate a client ID and secret key for you to use.
To enable the Twitter OmniAuth provider you must register your application with Twitter. Twitter will generate a client ID and secret key for you to use.
1. Sign in to [Twitter Application Management](https://apps.twitter.com/).
1.Sign in to [Twitter Application Management](https://developer.twitter.com/apps).
1.Select "Create new app"
1. Select "Create new app"
1.Fill in the application details.
1. Fill in the application details.
- Name: This can be anything. Consider something like `<Organization>'s GitLab` or `<Your Name>'s GitLab` or
- Name: This can be anything. Consider something like `<Organization>'s GitLab` or `<Your Name>'s GitLab` or
something else descriptive.
something else descriptive.
- Description: Create a description.
- Description: Create a description.
- Website: The URL to your GitLab installation. `https://gitlab.example.com`
- Website: The URL to your GitLab installation. `https://gitlab.example.com`
1. Underneath the Callback URL check the box next to "Allow this application to be used to Sign in with Twitter."
1.Select the "Settings" tab.
1. Select "Update settings" at the bottom to save changes.
1.Underneath the Callback URL check the box next to "Allow this application to be used to Sign in with Twitter."
1. Select the "Keys and Access Tokens" tab.
1.Select "Update settings" at the bottom to save changes.
1. You should now see an API key and API secret (see screenshot). Keep this page open as you continue configuration.
1.Select the "Keys and Access Tokens" tab.
![Twitter app](img/twitter_app_api_keys.png)
1. You should now see an API key and API secret (see screenshot). Keep this page open as you continue configuration.
1. On your GitLab server, open the configuration file.
![Twitter app](img/twitter_app_api_keys.png)
For omnibus package:
1. On your GitLab server, open the configuration file.
```sh
For omnibus package:
sudo editor /etc/gitlab/gitlab.rb
```
For installations from source:
```sh
sudo editor /etc/gitlab/gitlab.rb
```
```sh
For installations from source:
cd /home/git/gitlab
sudo -u git -H editor config/gitlab.yml
```sh
```
cd /home/git/gitlab
1. See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
sudo-u git -H editor config/gitlab.yml
```
1. Add the provider configuration:
1.See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
For omnibus package:
1. Add the provider configuration:
```ruby
For omnibus package:
gitlab_rails['omniauth_providers'] = [
{
"name" => "twitter",
"app_id" => "YOUR_APP_ID",
"app_secret" => "YOUR_APP_SECRET"
}
]
```
For installations from source:
```ruby
gitlab_rails['omniauth_providers']=[
{
"name"=>"twitter",
"app_id"=>"YOUR_APP_ID",
"app_secret"=>"YOUR_APP_SECRET"
}
]
```
```
For installations from source:
- { name: 'twitter', app_id: 'YOUR_APP_ID',
app_secret: 'YOUR_APP_SECRET' }
```
1. Change 'YOUR_APP_ID' to the API key from Twitter page in step 11.
```
- { name: 'twitter', app_id: 'YOUR_APP_ID',
app_secret: 'YOUR_APP_SECRET' }
```
1. Change 'YOUR_APP_SECRET' to the API secret from the Twitter page in step 11.
1.Change 'YOUR_APP_ID' to the API key from Twitter page in step 11.
1. Save the configuration file.
1.Change 'YOUR_APP_SECRET' to the API secret from the Twitter page in step 11.
1.[Reconfigure][] or [restart GitLab][] for the changes to take effect if you
1. Save the configuration file.
installed GitLab via Omnibus or from source respectively.
1.[Reconfigure][] or [restart GitLab][] for the changes to take effect if you
installed GitLab via Omnibus or from source respectively.
On the sign in page there should now be a Twitter icon below the regular sign in form. Click the icon to begin the authentication process. Twitter will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.
On the sign in page there should now be a Twitter icon below the regular sign in form. Click the icon to begin the authentication process. Twitter will ask the user to sign in and authorize the GitLab application. If everything goes well the user will be returned to GitLab and will be signed in.
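Review bot: the two "Change 'YOUR_APP_ID' ..." and "Change 'YOUR_APP_SECRET' ..." steps still point at "step 11", but with the added 'Select the "Settings" tab' step the API key and secret are shown in step 8, and step 11 is now "Add the provider configuration". Refer to the step by name (the "Keys and Access Tokens" tab) instead of by number so the reference survives the next renumbering. Also, "from Twitter page" in the first of the two is missing "the".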
@@ -18,6 +18,7 @@ Once enabled, GitLab will automatically detect metrics from known services in th
...
@@ -18,6 +18,7 @@ Once enabled, GitLab will automatically detect metrics from known services in th
## Enabling Prometheus Integration
## Enabling Prometheus Integration
### Managed Prometheus on Kubernetes
### Managed Prometheus on Kubernetes
> **Note**: [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/28916) in GitLab 10.5
> **Note**: [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/28916) in GitLab 10.5
GitLab can seamlessly deploy and manage Prometheus on a [connected Kubernetes cluster](../clusters/index.md), making monitoring of your apps easy.
GitLab can seamlessly deploy and manage Prometheus on a [connected Kubernetes cluster](../clusters/index.md), making monitoring of your apps easy.
...
@@ -39,9 +40,9 @@ Once you have a connected Kubernetes cluster with Helm installed, deploying a ma
...
@@ -39,9 +40,9 @@ Once you have a connected Kubernetes cluster with Helm installed, deploying a ma
#### About managed Prometheus deployments
#### About managed Prometheus deployments
Prometheus is deployed into the `gitlab-managed-apps` namespace, using the [official Helm chart](https://github.com/kubernetes/charts/tree/master/stable/prometheus). Prometheus is only accessible within the cluster, with GitLab communicating through the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/).
Prometheus is deployed into the `gitlab-managed-apps` namespace, using the [official Helm chart](https://github.com/helm/charts/tree/master/stable/prometheus). Prometheus is only accessible within the cluster, with GitLab communicating through the [Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/).
The Prometheus server will [automatically detect and monitor](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#%3Ckubernetes_sd_config%3E) nodes, pods, and endpoints. To configure a resource to be monitored by Prometheus, simply set the following [Kubernetes annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/):
The Prometheus server will [automatically detect and monitor](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config) nodes, pods, and endpoints. To configure a resource to be monitored by Prometheus, simply set the following [Kubernetes annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/):
-`prometheus.io/scrape` to `true` to enable monitoring of the resource.
-`prometheus.io/scrape` to `true` to enable monitoring of the resource.
-`prometheus.io/port` to define the port of the metrics endpoint.
-`prometheus.io/port` to define the port of the metrics endpoint.
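Review bot: in the annotation list, "`prometheus.io/scrape` to `true`" should say the value is the string `"true"`. Kubernetes annotation values must be strings, so an unquoted `true` in a YAML manifest is rejected, and the same goes for the number given to `prometheus.io/port`. A short manifest excerpt under the list with both values quoted would make this unambiguous.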
...
@@ -66,9 +67,9 @@ Integration with Prometheus requires the following:
...
@@ -66,9 +67,9 @@ Integration with Prometheus requires the following:
Installing and configuring Prometheus to monitor applications is fairly straight forward.
Installing and configuring Prometheus to monitor applications is fairly straight forward.
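Review bot: "straight forward" in this context line should be one word, "straightforward"; easy to fix while the paragraph is being touched.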
@@ -20,7 +20,7 @@ The [Prometheus service](../prometheus.md) must be enabled.
...
@@ -20,7 +20,7 @@ The [Prometheus service](../prometheus.md) must be enabled.
To get started with Cloudwatch monitoring, you should install and configure the [Cloudwatch exporter](https://github.com/prometheus/cloudwatch_exporter) which retrieves and parses the specified Cloudwatch metrics and translates them into a Prometheus monitoring endpoint.
To get started with Cloudwatch monitoring, you should install and configure the [Cloudwatch exporter](https://github.com/prometheus/cloudwatch_exporter) which retrieves and parses the specified Cloudwatch metrics and translates them into a Prometheus monitoring endpoint.
Right now, the only AWS resource supported is the Elastic Load Balancer, whose Cloudwatch metrics can be found [here](http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html).
Right now, the only AWS resource supported is the Elastic Load Balancer, whose Cloudwatch metrics are [documented here](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-cloudwatch-metrics.html).
A sample Cloudwatch Exporter configuration file, configured for basic AWS ELB monitoring, is [available for download](../samples/cloudwatch.yml).
A sample Cloudwatch Exporter configuration file, configured for basic AWS ELB monitoring, is [available for download](../samples/cloudwatch.yml).
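Review bot: the product name is spelled "Cloudwatch" throughout these lines; AWS writes it "CloudWatch", so fix it in the prose while the link is being updated (the `cloudwatch_exporter` repository name and `cloudwatch.yml` stay as they are). The new link text "documented here" is still not descriptive; something like "ELB CloudWatch metrics" as the link text reads better out of context.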
@@ -6,7 +6,7 @@ The Slack Notifications Service allows your GitLab project to send events (e.g.
...
@@ -6,7 +6,7 @@ The Slack Notifications Service allows your GitLab project to send events (e.g.
## Slack Configuration
## Slack Configuration
1. Sign in to your Slack team and [start a new Incoming WebHooks configuration](https://my.slack.com/services/new/incoming-webhook/).
1. Sign in to your Slack team and [start a new Incoming WebHooks configuration](https://my.slack.com/services/new/incoming-webhook).
1. Select the Slack channel where notifications will be sent to by default. Click the **Add Incoming WebHooks integration** button to add the configuration.
1. Select the Slack channel where notifications will be sent to by default. Click the **Add Incoming WebHooks integration** button to add the configuration.
1. Copy the **Webhook URL**, which we'll use later in the GitLab configuration.
1. Copy the **Webhook URL**, which we'll use later in the GitLab configuration.
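Review bot: step 3 ("Copy the **Webhook URL**") should say that the URL is a credential: anyone who has it can post to the channel, so it belongs only in the GitLab service settings and not in issues, chat or committed files.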