Application Catalog - GitLab (Hosted)

Overview

GitLab is a comprehensive DevOps platform and Git-repository manager, offering a range of issue-tracking and continuous integration and deployment pipeline features. As a Banyan Administrator, you can securely expose and protect your team’s GitLab resources.

This guide describes GitLab as a hosted service. For GitLab SaaS, please refer to Application Catalog - GitLab (SaaS).

In order to fully protect and expose GitLab as a hosted service, you must configure two policies in Banyan:

  • Web Policy, to enable browser access via OIDC authentication
  • Combined SSH & TCP Policy, to enable git management (such as commits, pulls, etc.) via SSH and TCP (via HTTPS)

You must also configure three hosted services in Banyan:

Prerequisites

This guide assumes you have:

Additionally, for larger organizations that have deployed GitLab across multiple application nodes behind a load balancer (such as HAProxy), the backend domains (configured in Steps 2, 4, and 5) should point to the IP/hostname of the proxy.

Setup

Step 1. Create a Policy for Web

1.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > + Create Policy.

1.2 Select Basic Authorization Policy for Users.

1.3 Enter a Policy Name (such as, GitLab Browser Access) and a Description (such as, Access to GitLab via Web Browsers).

1.4 Configure the Policy Attributes for minimal controls:

  • Specify this policy is intended for Web - for accessing HTTP services via web browser
  • Only allow access from the following role: ANY
  • Only allow users and devices with the following Trust Levels: No Trust Level - ignore TrustScore (or a Trust Level according to your organization’s security requirements)

1.5 Click Create Policy.

Step 2. Register GitLab as a Hosted Web Service

2.1 Navigate to Manage Services > Hosted Services > + Register Service.

2.2 Select Standard Website.

2.3 Enter the Service Name (such as, GitLab-Web) and Description (shown to end users) (such as Access to GitLab (Web)).

2.4 Optionally, select an icon. Search for gitlab, and then select the GitLab icon.

2.5 Select the cluster where the applicable Access Tier is located.

2.6 Configure the Service Attributes:

  • Enter the Service Domain Name of the Access Tier behind which the hosted GitLab service is deployed and leave the Port as 8443.
  • Set the enforcement model to Site-based (Access Tier), and then select the applicable Site (Access Tier).
  • Enter the Backend Domain (or IP address) of the GitLab host. Also, enter the Port on which these hosts are listening.
  • Check the TLS and TLS Insecure checkboxes.

2.7 Attach the policy we had previously created in Step 1, and then set enforcement mode to Enforcing.

2.8 Click Register Service.

Step 3. Create a Combined Policy for SSH and TCP

3.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > + Create Policy.

3.2 Select Basic Authorization Policy for Users.

3.3 Enter a Policy Name (such as, GitLab CLI Access) and a Description (such as, GitLab CLI Policy).

3.4 Configure the policy attributes for minimal controls:

  • Specify this policy is intended for TCP - for remote access using a TCP-based protocol
  • Only allow access from the following role: ANY
  • Only allow users and devices with the following Trust Levels: No Trust Level - ignore TrustScore (or a Trust Level according to your organization’s security requirements)

3.5 Click Create Policy.

Step 4. Register GitLab as a Hosted SSH Service

4.1 Navigate to Manage Services > Hosted Services > + Register Service.

4.2 Select TCP Service for Users.

4.3 Enter the Service Name (such as, GitLab-cli-ssh) and Description (shown to end users) (such as Access to GitLab (HTTPS)).

4.4 Optionally, select an icon. Search for gitlab, and then select the GitLab icon.

4.5 Select the cluster where the applicable Access Tier is located.

4.6 Configure the Service Attributes:

  • Set Service Type to SSH.
  • Enter the Service Domain Name of the Access Tier behind which the hosted GitLab service is deployed and leave the Port as 8443.
  • Set the enforcement model to Site-based (Access Tier), and then select the applicable Site (Access Tier).
  • Enter the Backend Domain (or IP address) of the GitLab host. Also, enter the Port on which these hosts are listening.

4.7 Configure the SSH Desktop App Settings:

  • Set Banyan to handle user connections to this service to Only use the TrustCert.
  • Set the Desktop App to update the SSH config file on the device to Yes.

4.8 Attach the policy we had previously created in Step 3, and then set enforcement mode to Enforcing.

4.9 Click Register.

Step 5. Register GitLab as a Hosted Generic TCP Service

5.1 Navigate to Manage Services > Hosted Services > + Register Service.

5.2 Select TCP Service for Users.

5.3 Enter the Service Name (such as, GitLab-cli-https) and Description (shown to end users) (such as Access to GitLab (HTTPS)).

5.4 Optionally, select an icon. Search for gitlab, and then select the GitLab icon.

5.5 Select the cluster where the applicable Access Tier is located.

5.6 Configure the Service Attributes:

  • Set Service Type to Generic TCP.
  • Enter the Service Domain Name of the Access Tier behind which the hosted GitLab service is deployed and leave the Port as 8443.
  • Set the enforcement model to Site-based (Access Tier), and then select the applicable Access Tier.
  • Set the incoming connections to be proxied to the backend via Fixed Backend Domain.
  • Enter the Backend Domain (or IP address) of the GitLab host. Also, enter the Port on which these hosts are listening.

5.7 Configure the Service Connection Settings:

  • Set the Assigned Listen Port to any free port on which BanyanProxy will listen for connections.
  • Optionally, allow or deny end users the ability to override these settings in the Banyan Desktop App.

5.8 Attach the policy we had previously created in Step 3, and then set enforcement mode to Enforcing.

5.9 Click Register.

Step 6. Connect to GitLab via Web Browser

6.1 In your preferred browser, access the GitLab login URL.

This login URL is also available in the Banyan Desktop App. Navigate to Services, locate the GitLab service, then either click Open to launch the URL in your browser or copy-and-paste the Service Address in your preferred browser.

6.2 Enter your credentials to authenticate. If you have configured GitLab SSO with your IdP, then enter your IdP credentials. The example below shows Okta as the organization’s IdP.

Step 7. Connect to BanyanProxy and GitLab via SSH

7.1 In the Banyan Desktop App, locate the GitLab SSH service and then click Connect.

7.2 Click into the service and take note of the SSH user and service details, replacing {user} with git.

7.3 In your preferred CLI, run a git command (such as git clone to clone a repo) against the git@gitlab-cli-git user and service details noted in the previous step.

Step 8. Connect to BanyanProxy and GitLab via CLI and HTTPS

8.1 In the Banyan Desktop App, locate the GitLab TCP service and then click Connect.

8.2 Click into the service and take note of the HTTPS_PROXY address (http://localhost:[port]) and service destination.

8.3 In your preferred CLI, set the HTTP proxy for git to the HTTPS_PROXY address:

git config --global http.proxy http://localhost:[port]

8.4 Run a git command (such as git clone) against the git@gitlab-cli-git user and service destination noted in step 8.2.
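
The command in step 8.3 sets the proxy for every HTTPS remote git talks to, not only GitLab. As an added example (not part of the original guide), the script below scopes the proxy to the GitLab service URL using git's http.<url>.proxy setting and checks which remotes would use it; the hostname gitlab.example.internal, the second remote and port 8811 are placeholder assumptions standing in for the values shown in the Banyan Desktop App.

```shell
#!/bin/sh
# Added example: scope git's HTTP proxy to one service URL instead of --global http.proxy.
# All URLs and the port below are constructed placeholders, not values from the guide.

# scope_git_proxy CONFIG_FILE SERVICE_URL PROXY_URL
# Writes http.<SERVICE_URL>.proxy so only requests under SERVICE_URL use the proxy.
scope_git_proxy() {
    cfg=$1; url=$2; proxy=$3
    git config --file "$cfg" "http.${url}.proxy" "$proxy"
}

# proxy_for CONFIG_FILE REMOTE_URL
# Prints the proxy git would select for REMOTE_URL (prints nothing if none applies).
proxy_for() {
    git config --file "$1" --get-urlmatch http.proxy "$2" || true
}

# has_unscoped_proxy CONFIG_FILE
# Succeeds if a catch-all http.proxy (as set in step 8.3) is present in the file.
has_unscoped_proxy() {
    git config --file "$1" --get http.proxy >/dev/null 2>&1
}

# Demonstration against a throwaway config file, so the real git config is untouched.
demo_cfg=$(mktemp)
scope_git_proxy "$demo_cfg" "https://gitlab.example.internal/" "http://localhost:8811"

echo "GitLab remote uses: $(proxy_for "$demo_cfg" https://gitlab.example.internal/team/app.git)"
echo "Other remote uses:  $(proxy_for "$demo_cfg" https://code.example.org/other/repo.git)"

if has_unscoped_proxy "$demo_cfg"; then
    echo "catch-all http.proxy present: all HTTPS remotes go through the proxy"
else
    echo "no catch-all http.proxy: only the scoped URL is proxied"
fi
rm -f "$demo_cfg"
```

To apply this to a real workstation, pass your global git config file (typically ~/.gitconfig) as CONFIG_FILE and use the service address and port noted in step 8.2.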

Last modified: Jun 17, 2021