diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-02 21:12:04 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-02 21:12:04 +0300 |
commit | eed7260f13c0a3139876e3659603f3d803e8fcd7 (patch) | |
tree | f877bb301ff936d73516241ad608271bc5a624fd /doc/user | |
parent | ef211f6aff22891e232a700b61d2d3bf567ed6bf (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user')
-rw-r--r-- | doc/user/clusters/agent/user_access.md | 59 | ||||
-rw-r--r-- | doc/user/group/saml_sso/index.md | 40 | ||||
-rw-r--r-- | doc/user/packages/generic_packages/index.md | 6 | ||||
-rw-r--r-- | doc/user/project/integrations/gitlab_slack_application.md | 2 |
4 files changed, 84 insertions, 23 deletions
diff --git a/doc/user/clusters/agent/user_access.md b/doc/user/clusters/agent/user_access.md index 21dc249b1d1..a1e98a2db76 100644 --- a/doc/user/clusters/agent/user_access.md +++ b/doc/user/clusters/agent/user_access.md @@ -151,15 +151,66 @@ Prerequisite: - You have an agent configured with the `user_access` entry. -To grant Kubernetes API access: +### Configure local access with the GitLab CLI (recommended) + +You can use the [GitLab CLI `glab`](../../../editor_extensions/gitlab_cli/index.md) to create or update +a Kubernetes configuration file to access the agent Kubernetes API. + +Use `glab cluster agent` commands to manage cluster connections: + +1. View a list of all the agents associated with your project: + +```shell +glab cluster agent list --repo '<group>/<project>' + +# If your current working directory is the Git repository of the project with the agent, you can omit the --repo option: +glab cluster agent list +``` + +1. Use the numerical agent ID presented in the first column of the output to update your `kubeconfig`: + +```shell +glab cluster agent update-kubeconfig --repo '<group>/<project>' --agent '<agent-id>' --use-context +``` + +1. Verify the update with `kubectl` or your preferred Kubernetes tooling: + +```shell +kubectl get nodes +``` + +The `update-kubeconfig` command sets `glab cluster agent get-token` as a +[credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) +for Kubernetes tools to retrieve a token. The `get-token` command creates and +returns a personal access token that is valid until the end of the current day. +Kubernetes tools cache the token until it expires, the API returns an authorization error, or the process exits. Expect all subsequent calls to your Kubernetes tooling to create a new token. + +The `glab cluster agent update-kubeconfig` command supports a number of command line flags. You can view all supported flags with `glab cluster agent update-kubeconfig --help`. + +Some examples: + +```shell +# When the current working directory is the Git repository where the agent is registered the --repo / -R flag can be omitted +glab cluster agent update-kubeconfig --agent '<agent-id>' + +# When the --use-context option is specified the `current-context` of the kubeconfig file is changed to the agent context +glab cluster agent update-kubeconfig --agent '<agent-id>' --use-context + +# The --kubeconfig flag can be used to specify an alternative kubeconfig path +glab cluster agent update-kubeconfig --agent '<agent-id>' --kubeconfig ~/gitlab.kubeconfig +``` + +### Configure local access manually using a personal access token + +You can configure access to a Kubernetes cluster using a long-lived personal access token following these steps: 1. On the left sidebar, select **Search or go to** and find your project. 1. Select **Operate > Kubernetes clusters** and retrieve the numerical ID of the agent you want to access. You need the ID to construct the full API token. 1. Create a [personal access token](../../profile/personal_access_tokens.md) with the `k8s_proxy` scope. You need the access token to construct the full API token. -1. Construct `kube config` entries to access the cluster: - 1. Make sure that the proper `kube config` is selected. +1. Construct `kubeconfig` entries to access the cluster: + 1. Make sure that the proper `kubeconfig` is selected. For example, you can set the `KUBECONFIG` environment variable. - 1. Add the GitLab KAS proxy cluster to the `kube config`: + 1. Add the GitLab KAS proxy cluster to the `kubeconfig`: ```shell kubectl config set-cluster <cluster_name> --server "https://kas.gitlab.com/k8s-proxy" diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md index 444afd3442b..70af800b180 100644 --- a/doc/user/group/saml_sso/index.md +++ b/doc/user/group/saml_sso/index.md @@ -54,7 +54,8 @@ To set up SSO with Azure as your identity provider: 1. You should set the following attributes: - **Unique User Identifier (Name identifier)** to `user.objectID`. - **nameid-format** to `persistent`. For more information, see how to [manage user SAML identity](#manage-user-saml-identity). - - **Additional claims** to [supported attributes](#user-attributes). + - **email** to `user.mail` or similar. + - **Additional claims** to [supported attributes](#configure-assertions). 1. Make sure the identity provider is set to have provider-initiated calls to link existing GitLab accounts. @@ -98,7 +99,7 @@ To set up Google Workspace as your identity provider: - For **Last name**: `last_name`. - For **Name ID format**: `EMAIL`. - For **NameID**: `Basic Information > Primary email`. - For more information, see [manage user SAML identity](#manage-user-saml-identity). + For more information, see [supported attributes](#configure-assertions). 1. Make sure the identity provider is set to have provider-initiated calls to link existing GitLab accounts. @@ -134,6 +135,8 @@ To set up SSO with Okta as your identity provider: 1. Set these values: - For **Application username (NameID)**: **Custom** `user.getInternalProperty("id")`. - For **Name ID Format**: `Persistent`. For more information, see [manage user SAML identity](#manage-user-saml-identity). + - For **email**: `user.email` or similar. + - For additional **Attribute Statements**, see [supported attributes](#configure-assertions). 1. Make sure the identity provider is set to have provider-initiated calls to link existing GitLab accounts. @@ -170,10 +173,28 @@ To set up OneLogin as your identity provider: | **Identity provider single sign-on URL** | **SAML 2.0 Endpoint** | 1. For **NameID**, use `OneLogin ID`. For more information, see [manage user SAML identity](#manage-user-saml-identity). - +1. Configure [required and supported attributes](#configure-assertions). 1. Make sure the identity provider is set to have provider-initiated calls to link existing GitLab accounts. +### Configure assertions + +At minimum, you must configure the following assertions: + +1. [NameID](#manage-user-saml-identity). +1. Email. + +Optionally, you can pass user information to GitLab as attributes in the SAML assertion. + +- The user's email address can be an **email** or **mail** attribute. +- The username can be either a **username** or **nickname** attribute. You should specify only + one of these. + +For more information, see the [attributes available for self-managed GitLab instances](../../../integration/saml.md#configure-assertions). + +NOTE: +Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are not supported. For more information on configuring required attribute names in the SAML identity provider's settings, see [example group SAML and SCIM configurations](../../../user/group/saml_sso/example_saml_config.md). + ### Use metadata To configure some identity providers, you need a GitLab metadata URL. @@ -253,19 +274,6 @@ When a user tries to sign in with Group SSO, GitLab attempts to find or create a - Create a new account with another email address. - Sign-in to their existing account to link the SAML identity. -### User attributes - -You can pass user information to GitLab as attributes in the SAML assertion. - -- The user's email address can be an **email** or **mail** attribute. -- The username can be either a **username** or **nickname** attribute. You should specify only - one of these. - -For more information, see the [attributes available for self-managed GitLab instances](../../../integration/saml.md#configure-assertions). - -NOTE: -Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are not supported. For more information on configuring required attribute names in the SAML identity provider's settings, see [example group SAML and SCIM configurations](../../../user/group/saml_sso/example_saml_config.md). - ### Link SAML to your existing GitLab.com account > **Remember me** checkbox [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/121569) in GitLab 15.7. diff --git a/doc/user/packages/generic_packages/index.md b/doc/user/packages/generic_packages/index.md index 938093f2a27..1416dcde14f 100644 --- a/doc/user/packages/generic_packages/index.md +++ b/doc/user/packages/generic_packages/index.md @@ -33,7 +33,7 @@ Prerequisites: - You must [authenticate with the API](../../../api/rest/index.md#authentication). If authenticating with a deploy token, it must be configured with the `write_package_registry` scope. If authenticating with a personal access token or project access token, it must be - configured with the `api` scope. + configured with the `api` scope. Project access tokens must have at least the Developer role. - You must call this API endpoint serially when attempting to upload multiple files under the same package name and version. Attempts to concurrently upload multiple files into a new package name and version may face partial failures with @@ -142,7 +142,9 @@ If multiple packages have the same name, version, and filename, then the most re Prerequisites: -- You need to [authenticate with the API](../../../api/rest/index.md#authentication). If authenticating with a deploy token, it must be configured with the `read_package_registry` and/or `write_package_registry` scope. +- You need to [authenticate with the API](../../../api/rest/index.md#authentication). + - If authenticating with a deploy token, it must be configured with the `read_package_registry` and/or `write_package_registry` scope. + - Project access tokens require the `read_api` scope and at least the `Reporter` role. ```plaintext GET /projects/:id/packages/generic/:package_name/:package_version/:file_name diff --git a/doc/user/project/integrations/gitlab_slack_application.md b/doc/user/project/integrations/gitlab_slack_application.md index 6f70305ce8b..67a6916c3b6 100644 --- a/doc/user/project/integrations/gitlab_slack_application.md +++ b/doc/user/project/integrations/gitlab_slack_application.md @@ -74,7 +74,7 @@ You can use slash commands to run common GitLab operations. Replace `<project>` - You must authorize your Slack user on GitLab.com when you run your first slash command. - You can [create a shorter project alias](#create-a-project-alias-for-slash-commands) for slash commands. -**For [Slack slash commands](slack_slash_commands.md) on self-managed GitLab, [Mattermost slash commands](mattermost_slash_commands.md), and [ChatOps](../../../ci/chatops/index.md)**, replace `/gitlab` with the slash command trigger name configured for your integration. +**For [Slack slash commands](slack_slash_commands.md) on self-managed GitLab and [Mattermost slash commands](mattermost_slash_commands.md), replace `/gitlab` with the slash command trigger name configured for your integration. The following slash commands are available: |