Configure GitLab content discovery and OAuth so that execution environment builder can scan GitLab groups for Ansible collections and save definition files.
Before you begin
- You have a GitLab account with access to the groups automation portal needs to scan.
- You have admin access to your GitLab instance or group settings.
About this task
Complete this section if your organization uses GitLab for content discovery or saving definition files. If you use GitHub only, skip to Configure collection discovery sources.
GitLab uses a Personal Access Token for content discovery.
Procedure
Content discovery (scanning repositories for collections)
- Create a GitLab PAT with the following scopes:
- Store the PAT.
OpenShift — CLI:
$ oc create secret generic secrets-scm \
--from-literal=gitlab-token=<your_gitlab_pat> \
-n <namespace>
If you already have a secrets-scm secret (for example, with GitHub credentials), patch it instead:
$ oc patch secret secrets-scm -n <namespace> --type merge -p \
'{"stringData":{"gitlab-token":"<your_gitlab_pat>"}}'
OpenShift — web console:
- Navigate to Workloads > Secrets.
- Edit or create the
secrets-scm secret and add key gitlab-token.
RHEL appliance:
$ echo -n '<your_gitlab_pat>' | sudo podman secret create portal_gitlab_token -
Note
If you configured a GitLab personal access token during RHEL appliance installation (via cloud-init), the portal_gitlab_token secret already exists and is active for content discovery. Running the command above updates the existing secret with a new value.
- If you use a self-hosted GitLab instance (not
gitlab.com), add its URL to the CORS allowed origins.
OpenShift:
upstream:
backstage:
appConfig:
backend:
cors:
origin:
- ${BASE_URL}
- https://gitlab.internal.example.com
RHEL appliance — add to the existing backend: block in app-config.production.yaml:
backend:
cors:
origin:
- "https://portal.example.com"
- "https://gitlab.internal.example.com"
Important
On RHEL appliances, app.baseUrl, backend.baseUrl, and backend.cors.origin must all use the same portal URL. If any of these values are inconsistent, OAuth callbacks and API requests fail. Do not create a duplicate backend: block — add cors to the existing one.
Note
If you only use gitlab.com, no CORS changes are needed.
Save definition files to a GitLab repository (OAuth)
- Create a GitLab OAuth application in your GitLab instance under Admin Area > Applications (or group-level settings). Enter the following details:
- Name: A descriptive name, for example
ansible-portal-ee-builder.
- Redirect URI:
https://<my_portal_domain>/api/auth/gitlab/handler/frame
- Scopes: Select
write_repository.
The write_repository scope lets automation portal push EE definition files and open merge requests on behalf of the authenticated user. It is used for every save operation (new repository or merge request to an existing repository).
- Note the Application ID and Secret. Save the secret value immediately — you cannot view it again.
- Enable the GitLab auth provider in your configuration.
OpenShift: Uncomment the auth.providers.gitlab block in your Helm chart configuration.
RHEL appliance: Add the following auth.providers block to /etc/portal/configs/app-config/app-config.production.yaml. If an auth: section already exists, add the providers: section inside it:
auth:
providers:
gitlab:
production:
clientId: ${GITLAB_OAUTH_CLIENT_ID}
clientSecret: ${GITLAB_OAUTH_CLIENT_SECRET}
- Add the OAuth client credentials to your
secrets-scm secret.
OpenShift — CLI:
$ oc patch secret secrets-scm -n <namespace> --type merge -p \
'{"stringData":{"gitlab-oauth-client-id":"<your_client_id>","gitlab-oauth-client-secret":"<your_client_secret>"}}'
OpenShift — web console:
- Navigate to Workloads > Secrets.
- Edit the
secrets-scm secret and add keys gitlab-oauth-client-id and gitlab-oauth-client-secret.
RHEL appliance:
$ echo -n '<your_client_id>' | sudo podman secret create portal_gitlab_oauth_client_id -
$ echo -n '<your_client_secret>' | sudo podman secret create portal_gitlab_oauth_client_secret -
Append to the Quadlet drop-in file:
$ sudo tee -a /etc/containers/systemd/portal.container.d/ee-builder-secrets.conf << 'EOF'
Secret=portal_gitlab_oauth_client_id,type=env,target=GITLAB_OAUTH_CLIENT_ID
Secret=portal_gitlab_oauth_client_secret,type=env,target=GITLAB_OAUTH_CLIENT_SECRET
EOF
Red Hat Summit
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}