# k8s1.22部署gitlab对接keycloak

## 添加 gitlab repo, 下载 chart 包

```
helm repo add gitlab https://charts.gitlab.io/
helm repo update
helm pull gitlab/gitlab
```

## 查看 values.yaml 及依赖的 requirements.yaml相关参数

[values.yaml](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/values.yaml)

[requirements.yaml](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/requirements.yaml)

## keycloak 添加 giltab client

略

## 添加gitab 对接keycloak 使用 secret

创建 `provider`文件

```yaml
name: openid_connect
label: keycloak
args:
  name: "openid_connect"
  scope: ["openid","profile",]
  response_type:  "code"
  issuer: "https://sso.example.com/auth/realms/oc"
  client_auth_method: "query"
  uid_field: "preferred_username"
  send_scope_to_token_endpoint: false
  discovery: true
  client_options:
    identifier: "gitlab-92250"
    secret: "<凭证>"
    redirect_uri: "https://gitlab-apps92250.example.com/users/auth/openid_connect/callback"
```

创建`gitlab-keycloak-oauth2-secret` secret

```
kubectl create secret generic gitlab-keycloak-oauth2-secret --from-file=provider -n cicd
```

## 创建外部redis secret

```
kubectl create secret generic gitlab-redis-secret --from-literal=redis-password=xxxxxx -n cicd
```

## 创建 values.yaml

```yaml
# --- Global settings ---

global:
  hosts:
    domain: example.com
    hostSuffix: apps92250
    tls:
      secretName: example-com-tls
  ingress:
    configureCertmanager: false
    class: nginx
    tls:
      secretName: example-com-tls
      enabled: true

  # 外部redis连接信息
  redis:
    host: 172.16.180.8
    password:
      secret: gitlab-redis-secret
      key: "redis-password"

  # keycloak 配置
  appConfig:
    omniauth:
      enabled: true
      syncProfileAttributes: ["openid", "profile", "email", "groups"]
      allowSingleSignOn: ["openid_connect"]
      auto_link_user: ["openid_connect"]
      providers:
        - secret: gitlab-keycloak-oauth2-secret
          key: provider

certmanager:
  install: false

gitlab-runner:
  # 外部gitlab 不能访问，所以配置内部svc 地址
  gitlabUrl: "http://gitlab-webservice-default.cicd.svc:8181"
  runners:
    locked: false
    cache:
      secretName: gitlab-minio-secret
    config: |
      [[runners]]
        # 外部gitlab 不能访问，所以配置内部svc 地址
        clone_url = "http://gitlab-webservice-default.cicd.svc:8181"
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            # 外部minio 不能访问，所以配置内部svc 地址
            ServerAddress = "gitlab-minio-svc.cicd.svc:9000"
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = true

redis:
  install: false

postgresql:
  persistence:
    storageClass: "nfs4-client"
    subPath: "postgresql"
    size: 50Gi

minio:
  persistence:
    storageClass: "nfs4-client"
    subPath: "minio"
    size: 100Gi

gitlab:
  gitaly:
    persistence:
      storageClass: "nfs4-client"
      subPath: "gitaly"
      size: 50Gi

nginx-ingress:
  enabled: false

registry:
  enabled: true

prometheus:
  install: false
```

## 执行安装gitlab

```
helm upgrade --install gitlab gitlab-5.6.0.tgz \
  --namespace=cicd --create-namespace \
  --timeout 600s \
  -f values.yaml
```

## 参考

<https://github.com/paradeum-team/operator-env/blob/main/gitlab-cicd/k8s1.20%E4%BD%BF%E7%94%A8helm%E9%83%A8%E7%BD%B2gitlab.md>

<https://docs.gitlab.com/ee/>

<https://docs.gitlab.com/ee/ci/ci\\_cd\\_for\\_external\\_repos/>

<https://docs.gitlab.com/charts/charts/globals.html#configure-oauth-settings>

<https://docs.gitlab.com/ee/administration/auth/oidc.html>

<https://github.com/DvcLAB/DvcLAB/issues/33>

<https://fswb-documentation.knowis.net/1.0/Installation/content/post\\_install\\_configuration.html>