ContextQMD
Back to Gitlabhq

GitLab for Jira Cloud app administration

doc/administration/settings/jira_cloud_app.md

18.11.226.6 KB
Original Source

{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

[!note] This page contains administrator documentation for the GitLab for Jira Cloud app. For user documentation, see GitLab for Jira Cloud app.

With the GitLab for Jira Cloud app, you can connect GitLab and Jira Cloud to sync development information in real time. You can view this information in the Jira development panel.

To set up the GitLab for Jira Cloud app on your GitLab Self-Managed instance, do one of the following:

<i class="fa-youtube-play" aria-hidden="true"></i> For an overview, see:

The videos above show the older Universal Plugin Manager interface which might be unavailable on newer Jira Cloud instances. The following instructions cover both old and new app management interfaces.

If you install the GitLab for Jira Cloud app from the Atlassian Marketplace, you can use the project toolchain developed and maintained by Atlassian to link GitLab repositories to Jira projects. The project toolchain does not affect how development information is synced between GitLab and Jira Cloud.

For Jira Data Center or Jira Server, use the Jira DVCS connector developed and maintained by Atlassian.

Set up OAuth authentication

Whether you want to install the GitLab for Jira Cloud app from the Atlassian Marketplace or manually, you must create an OAuth application.

Prerequisites:

  • Administrator access.

To create an OAuth application on your GitLab Self-Managed instance:

  1. In the upper-right corner, select Admin.

  2. Select Applications.

  3. Select New application.

  4. In Redirect URI:

    • If you're installing the app from the Atlassian Marketplace listing, enter https://gitlab.com/-/jira_connect/oauth_callbacks.
    • If you're installing the app manually, enter <instance_url>/-/jira_connect/oauth_callbacks and replace <instance_url> with the URL of your instance.

  5. Clear the Trusted and Confidential checkboxes.

    [!note] You must clear these checkboxes to avoid sign in errors.

  6. In Scopes, select the api checkbox only.

  7. Select Save application.

  8. Copy the Application ID value.

  9. In the left sidebar, select Settings > General.

  10. Expand GitLab for Jira App.

  11. Paste the Application ID value into Jira Connect Application ID.

  12. Select Save changes.

Jira user requirements

{{< history >}}

  • Support for the org-admins group introduced in GitLab 16.6.

{{< /history >}}

In your Atlassian organization, you must ensure that the Jira user that is used to set up the GitLab for Jira Cloud app is a member of either:

  • The Organization Administrators (org-admins) group. Newer Atlassian organizations are using centralized user management, which contains the org-admins group. Existing Atlassian organizations are being migrated to centralized user management. If available, you should use the org-admins group to indicate which Jira users can manage the GitLab for Jira Cloud app. Alternatively you can use the site-admins group.
  • The Site Administrators (site-admins) group. The site-admins group was used under original user management.

If necessary:

  1. Create your preferred group.
  2. Edit the group to add your Jira user as a member of it.
  3. If you customized your global permissions in Jira, you might also need to grant the Browse users and groups permission to the Jira user.

Install the GitLab for Jira Cloud app from the Atlassian Marketplace

{{< history >}}

  • Introduced in GitLab 15.7.

{{< /history >}}

You can use the official GitLab for Jira Cloud app from the Atlassian Marketplace with your GitLab Self-Managed instance.

With this method:

  • GitLab.com handles the install and uninstall lifecycle events sent from Jira Cloud and forwards them to your GitLab instance. All data from your GitLab Self-Managed instance is still sent directly to Jira Cloud.
  • GitLab.com handles branch creation links by redirecting them to your instance.
  • With any version of GitLab prior to 17.2 it is not possible to create branches from Jira Cloud on GitLab Self-Managed instances. For more information, see issue 391432.

Alternatively, you might want to install the GitLab for Jira Cloud app manually if:

Prerequisites

  • The instance must be publicly available.
  • The instance must be on GitLab version 15.7 or later.
  • You must set up OAuth authentication.
  • Your GitLab instance must use HTTPS and your GitLab certificate must be publicly trusted or contain the full chain certificate.
  • Your network configuration must allow:
    • Outbound connections from your GitLab Self-Managed instance to Jira Cloud (Atlassian IP addresses)
    • Inbound and outbound connections between your GitLab Self-Managed instance and GitLab.com (GitLab.com IP addresses)
    • For instances behind a firewall:
      1. Set up an internet-facing reverse proxy in front of your GitLab Self-Managed instance.
      2. Configure the reverse proxy to allow inbound connections from GitLab.com (GitLab.com IP addresses)
      3. Ensure your GitLab Self-Managed instance can still make the outbound connections described previously.
  • The Jira user that installs and configures the app must meet certain requirements.

Set up your instance for Atlassian Marketplace installation

Prerequisites

To set up your GitLab Self-Managed instance for Atlassian Marketplace installation in GitLab 15.7 and later:

  1. In the upper-right corner, select Admin.
  2. Select Settings > General.
  3. Expand GitLab for Jira App.
  4. In Jira Connect Proxy URL, enter https://gitlab.com to install the app from the Atlassian Marketplace.
  5. Select Save changes.

Prerequisites

To link your GitLab Self-Managed instance to the GitLab for Jira Cloud app:

  1. Install the GitLab for Jira Cloud app.
  2. Configure the GitLab for Jira Cloud app.
  3. Optional. Check if Jira Cloud is now linked.

Check if Jira Cloud is linked

You can use the Rails console to check if Jira Cloud is linked to:

  • A specific group:

    ruby
    JiraConnectSubscription.where(namespace: Namespace.by_path('group/subgroup'))

  • A specific project:

    ruby
    Project.find_by_full_path('path/to/project').jira_subscription_exists?

  • Any group:

    ruby
    installation = JiraConnectInstallation.find_by_base_url("https://customer_name.atlassian.net")
installation.subscriptions

Install the GitLab for Jira Cloud app manually

[!warning] In GitLab 17.5 and earlier, you might encounter an issue when you install the GitLab for Jira Cloud app manually. For more information, see issue 505372. This issue does not affect installations from the Atlassian Marketplace.

If you do not want to use the official Atlassian Marketplace listing, install the GitLab for Jira Cloud app manually. This installation method is based on Atlassian Connect.

You must install each Jira Cloud app from a single location. Jira fetches a manifest file from the location you provide. The manifest file describes the app to the system.

To support your GitLab Self-Managed instance with Jira Cloud, do one of the following:

Prerequisites

  • The instance must be publicly available.
  • You must set up OAuth authentication.
  • Your network configuration must allow:
    • Inbound and outbound connections between your GitLab Self-Managed instance and Jira Cloud (Atlassian IP addresses).
    • For instances behind a firewall:
      1. Set up an internet-facing reverse proxy in front of your GitLab Self-Managed instance.
      2. Configure the reverse proxy to allow inbound connections from Jira Cloud (Atlassian IP addresses).
      3. Ensure your GitLab Self-Managed instance can still make the outbound connections described previously.
  • The Jira user that installs and configures the app must meet certain requirements.

Set up your instance for manual installation

Prerequisites

To set up your GitLab Self-Managed instance for manual installation in GitLab 15.7 and later:

  1. In the upper-right corner, select Admin.
  2. Select Settings > General.
  3. Expand GitLab for Jira App.
  4. Leave Jira Connect Proxy URL blank to install the app manually.
  5. Select Save changes.

Install the app in development mode

Prerequisites

To configure your Jira instance so you can install apps from outside the Atlassian Marketplace:

  1. Sign in to your Jira instance as an administrator.

  2. Enable development mode on your Jira instance.

  3. Sign in to GitLab as an administrator.

  4. In Jira, select the horizontal ellipsis ({{< icon name="ellipsis_h" >}}) beside Apps and select Manage your apps.

  5. Install GitLab from your Jira instance using one of these methods:

    For instances with centralized app management:

    1. If you see "App management has moved to Administration", select Take me there. Otherwise follow the For instances with legacy app management instructions below.

    2. Select Install a private app.

    3. For the Choose a product to install this app on dropdown list, select Jira.

    4. In App descriptor URL, provide the full URL to your manifest file based on your instance configuration.

      By default, your manifest file is located at /-/jira_connect/app_descriptor.json. For example, if your instance domain is app.pet-store.cloud, your manifest file is located at https://app.pet-store.cloud/-/jira_connect/app_descriptor.json.

    5. Select Install app.

    6. Refresh the page.

    7. Locate the app GitLab for Jira (<gitlab.example.com>), select the horizontal ellipsis ({{< icon name="ellipsis_h" >}}) and then select Get started to configure the GitLab for Jira Cloud app.

    For instances with legacy app management:

    1. Select Upload app.

    2. In App descriptor URL, provide the full URL to your manifest file based on your instance configuration.

      By default, your manifest file is located at /-/jira_connect/app_descriptor.json. For example, if your instance domain is app.pet-store.cloud, your manifest file is located at https://app.pet-store.cloud/-/jira_connect/app_descriptor.json.

    3. Select Upload.

    4. Locate the app GitLab for Jira (<gitlab.example.com>), select the chevron ({{< icon name="chevron-right" >}}) and then select Get started to configure the GitLab for Jira Cloud app.

  6. Disable development mode on your Jira instance.

If a GitLab upgrade makes changes to the app descriptor, you must reinstall the app.

Create an Atlassian Marketplace listing

Prerequisites

If you do not want to use development mode, you can create your own Atlassian Marketplace listing. This way, you can install the GitLab for Jira Cloud app from the Atlassian Marketplace.

To create an Atlassian Marketplace listing:

  1. Register as an Atlassian Marketplace vendor.
  2. List your application with the application descriptor URL.
    • Your manifest file is located at: https://your.domain/your-path/-/jira_connect/app_descriptor.json
    • You should list your application as private because public applications can be viewed and installed by any user.
  3. Generate test license tokens for your application.

Like the GitLab.com Marketplace listing, this method uses automatic updates.

For more information about creating an Atlassian Marketplace listing, see the Atlassian documentation.

Connect multiple GitLab instances

Use the GitLab for Jira app to connect multiple GitLab instances to a single Jira Cloud instance. The installation methods depend on which instances you want to connect.

Prerequisites:

  • Each instance requires separate OAuth authentication.
  • You must meet the prerequisites for each installation method.

For GitLab.com + GitLab Self-Managed:

  • On GitLab.com: Use the Atlassian Marketplace installation.
  • On GitLab Self-managed instances: Install the app manually.

For multiple GitLab Self-Managed instances:

  • On the first instance, either: Use the Atlassian Marketplace installation or install the app manually.
  • On other instances: Install the app manually.

Jira Cloud displays a GitLab for Jira Cloud app for each installation.

Only one GitLab instance per organization can use the official Atlassian Marketplace listing.

Configure your GitLab instance to serve as a proxy

[!note] For most users, this configuration is not necessary. To Jira Cloud with multiple instances, you can connect each instance with the GitLab for Jira Cloud app.

A GitLab instance can serve as a proxy for other GitLab instances through the GitLab for Jira Cloud app. You might want to use a proxy if you're managing multiple GitLab instances but only want to manually install the app once.

To configure your GitLab instance to serve as a proxy:

  1. In the upper-right corner, select Admin.
  2. Select Settings > General.
  3. Expand GitLab for Jira App.
  4. Select Enable public key storage.
  5. Select Save changes.
  6. Install the GitLab for Jira Cloud app manually.

Other GitLab instances that use the proxy must configure the following settings to point to the proxy instance:

Security considerations

The following security considerations are specific to administering the app. For considerations related to using the app, see security considerations.

GitLab.com handling of app lifecycle events

When you Install the GitLab for Jira Cloud app from the Atlassian Marketplace, GitLab.com receives lifecycle events from Jira. These events are limited to when the app is installed in or uninstalled from your Jira Project.

In the install event, GitLab.com receives a secret token from Jira. GitLab.com stores this token encrypted with AES256-GCM to later verify incoming lifecycle events from Jira.

GitLab.com then forwards the token to your GitLab Self-Managed instance so your instance can authenticate its requests to Jira with the same token. Your GitLab Self-Managed instance is also notified that the GitLab for Jira Cloud app has been installed or uninstalled.

When data is sent from your GitLab Self-Managed instance to the Jira development panel, it is sent from your GitLab Self-Managed instance directly to Jira and not to GitLab.com. GitLab.com does not use the token to access data in your Jira project. Your GitLab Self-Managed instance uses the token to access the data.

For more information about the lifecycle events and payloads that GitLab.com receives, see the Atlassian documentation.

mermaid
sequenceDiagram
accTitle: Dataflow of the GitLab for Jira Cloud app installed from the Atlassian Marketplace
accDescr: How GitLab.com handles lifecycle events when the GitLab for Jira Cloud app was installed from the Atlassian Marketplace

    participant Jira
    participant Your instance
    participant GitLab.com
    Jira->>+GitLab.com: App install/uninstall event
    GitLab.com->>-Your instance: App install/uninstall event
    Your instance->>Jira: Your development data

GitLab.com handling of branch creation

When you have installed the GitLab for Jira Cloud app from the Atlassian Marketplace, the links to create a branch from the development panel initially send the user to GitLab.com.

Jira sends GitLab.com a JWT token. GitLab.com handles the request by verifying the token and then redirects the request to your GitLab instance.

Access to GitLab through OAuth

GitLab does not share an access token with Jira. However, users must authenticate through OAuth to configure the app.

An access token is retrieved through a PKCE OAuth flow and stored only on the client side. The app frontend that initializes the OAuth flow is a JavaScript application that's loaded from GitLab through an iframe on Jira.

The OAuth application must have the api scope, which grants complete read and write access to the API. This access includes all groups and projects, the container registry, and the package registry. However, the GitLab for Jira Cloud app only uses this access to:

  • Display groups to link.
  • Link groups.

Access through OAuth is only needed for the time a user configures the GitLab for Jira Cloud app. For more information, see Access token expiration.

Using a reverse proxy

You should avoid using a reverse proxy in front of your GitLab Self-Managed instance if possible. Instead, consider using a public IP address and securing the domain with a firewall.

If you must use a reverse proxy for the GitLab for Jira Cloud app on a GitLab Self-Managed instance that cannot be accessed directly from the internet, keep the following in mind:

External NGINX

This server block is an example of how to configure a reverse proxy for GitLab that works with Jira Cloud:

nginx
server {
  listen *:80;
  server_name gitlab.mycompany.com;
  server_tokens off;
  location /.well-known/acme-challenge/ {
    root /var/www/;
  }
  location / {
    return 301 https://gitlab.mycompany.com:443$request_uri;
  }
}
server {
  listen *:443 ssl;
  server_tokens off;
  server_name gitlab.mycompany.com;
  ssl_certificate /etc/letsencrypt/live/gitlab.mycompany.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/gitlab.mycompany.com/privkey.pem;
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
  ssl_protocols  TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_cache  shared:SSL:10m;
  ssl_session_tickets off;
  ssl_session_timeout  1d;
  access_log "/var/log/nginx/proxy_access.log";
  error_log "/var/log/nginx/proxy_error.log";
  location / {
    proxy_pass https://gitlab.internal;
    proxy_hide_header upgrade;
    proxy_set_header Host             gitlab.mycompany.com:443;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
  }
}

In this example:

  • Replace gitlab.mycompany.com with the reverse proxy FQDN and gitlab.internal with the internal GitLab FQDN.
  • Set ssl_certificate and ssl_certificate_key to a valid certificate (the example uses Certbot).
  • Set the Host proxy header to the reverse proxy FQDN to ensure GitLab and Jira Cloud can connect successfully.

You must use the reverse proxy FQDN only to connect Jira Cloud to GitLab. You must continue to access GitLab from the internal GitLab FQDN. If you access GitLab from the reverse proxy FQDN, GitLab might not work as expected. For more information, see issue 21319.

Set an additional JWT audience

{{< history >}}

{{< /history >}}

When GitLab receives a JWT token from Jira, GitLab verifies the token by checking the JWT audience. By default, the audience is derived from your internal GitLab FQDN.

In some reverse proxy configurations, you might have to set the reverse proxy FQDN as an additional JWT audience. To set an additional JWT audience:

  1. In the upper-right corner, select Admin.
  2. Select Settings > General.
  3. Expand GitLab for Jira App.
  4. In Jira Connect Additional Audience URL, enter the additional audience (for example, https://gitlab.mycompany.com).
  5. Select Save changes.