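---
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  # Must be the namespace the Supervisor runs in, and must match the
  # namespace of the client-credentials Secret referenced in spec.client
  # below (the Supervisor looks the Secret up by name in its own namespace).
  # Upstream default:
  # namespace: pinniped-supervisor
  namespace: supervisor-ns  # for this install this is the namespace that I've been using.
  name: gitlab
spec:
  # Upstream issuer URL. Keep it https: tokens signed by this issuer are
  # what the Supervisor accepts as proof of identity.
  issuer: https://gitlab.eng.vmware.com
  # How authorization requests to GitLab are formed.
  authorizationConfig:
    # GitLab is unusual among OIDC providers in that it returns an error if
    # the "offline_access" scope is requested during an authorization flow,
    # so it is deliberately left out of this list. Only the scopes listed
    # here are requested: "openid" (required) and "email", which the
    # username claim mapping below depends on.
    additionalScopes: [openid, email]
    # Resource-owner password grant. Keep this false unless there is a
    # strong reason: enabling it lets clients collect users' GitLab
    # passwords directly instead of sending them through the browser
    # flow. See
    # https://docs.gitlab.com/ee/api/oauth2.html#resource-owner-password-credentials-flow
    # before considering it.
    allowPasswordGrant: false
  # How GitLab claims are mapped to Kubernetes identities.
  claims:
    # Name of the claim in the GitLab token that becomes the "username" claim
    # in downstream tokens minted by the Supervisor.
    # NOTE(review): an e-mail address can be changed or reassigned on the
    # GitLab side; if RBAC bindings or audit trails need a stable identity,
    # "sub" is the stable identifier — confirm which is wanted here.
    username: email
    # Name of the claim in GitLab that lists the groups the user belongs to.
    # GitLab's "groups" claim comes from its "/userinfo" endpoint, not the
    # token. Each value becomes a Kubernetes group name, so bind RBAC to
    # specific GitLab group names rather than to broad patterns.
    groups: groups
  # Kubernetes Secret (same namespace as this resource) holding the GitLab
  # application's client credentials; defined in the next document.
  client:
    secretName: gitlab-client-credentials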
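---
apiVersion: v1
kind: Secret
metadata:
  # Must be the same namespace as the OIDCIdentityProvider that references
  # this Secret by name.
  # Upstream default:
  # namespace: pinniped-supervisor
  namespace: supervisor-ns  # for this install this is the namespace that I've been using.
  name: gitlab-client-credentials
type: secrets.pinniped.dev/oidc-client
stringData:
  # The "Application ID" from the GitLab application. This identifier is
  # not itself secret, but it must correspond to the clientSecret below.
  clientID: "bbf1c9e13b38642adec54d47a112159549c2de10ae3506086c5af2ff4beb32d6"
  # The "Secret" from the GitLab application. Do not commit the real value
  # to source control: the value previously stored here in plaintext looked
  # like a live application secret, so it should be treated as exposed,
  # regenerated in GitLab, and supplied at deploy time (e.g. a ytt data
  # value or an external secrets tool) rather than kept in this file.
  clientSecret: "<your-gitlab-application-secret>"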