Add GitLab controller support with OIDC auth and config file#10
Draft
welteki wants to merge 2 commits intoself-actuated:masterfrom
Draft
Add GitLab controller support with OIDC auth and config file#10welteki wants to merge 2 commits intoself-actuated:masterfrom
welteki wants to merge 2 commits intoself-actuated:masterfrom
Conversation
Add GitLab platform support alongside GitHub. The CLI now detects the platform from a config file (~/.actuated/config.json) keyed by controller URL and dispatches runners/jobs commands to platform-specific implementations. GitLab authentication uses the Device Authorization Grant flow with OIDC. The short-lived id_token (~2min) is cached in config and reused when valid (with 30s leeway); otherwise it is refreshed via the stored refresh_token. Refresh tokens are rotated on each use and saved back to config. Config and OIDC field names are kept generic (URL, IDToken, RefreshToken) so the mechanism can be reused for other OIDC providers in the future. All commands now resolve the controller URL via getControllerURL() and token via getPat() which checks config before falling back to the legacy PAT file. Backward compatibility with --token/--token-value flags and the PAT file is preserved. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Add checkGitHubOnly() guard to the 11 commands that only have GitHub implementations. Running them with a GitLab controller now returns: "the X command is not supported for platform gitlab". Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds GitLab platform support to the CLI alongside GitHub. A new config file (
~/.actuated/config.json) stores per-controller credentials keyed by URL, supporting both GitHub tokens and GitLab OIDC credentials (refresh token, client ID, OIDC provider URL).GitLab authentication uses the Device Authorization Grant flow with OpenID Connect. The short-lived
id_token(JWT, ~2min validity) is cached and reused when still valid (with 30s leeway), and automatically refreshed via the storedrefresh_tokenwhen expired.The
runnersandjobscommands have been implemented for GitLab, dispatching to platform-specific implementations based on the controller's platform in config. Commands not yet supported for GitLab return a clear error message, e.g.the "repair" command is not supported for platform "gitlab".Example auth flow:
Backward compatibility with
--token/--token-valueflags and the legacyPATfile is preserved.Breaking change: GitHub users must re-authenticate with
actuated-cli auth --url URLto store their token in the new config file, or continue using the--token/--token-valueflags.Motivation and context
Actuated is adding support for GitLab CI alongside GitHub Actions. The CLI needs to authenticate with GitLab controllers using OIDC and dispatch commands to platform-specific API endpoints with different request/response formats.
How has this been tested
go build ./...andgo vet ./...pass.