GitLab for Jira Cloud app administration
DETAILS: Tier: Free, Premium, Ultimate Offering: Self-managed
NOTE: This page contains administrator documentation for the GitLab for Jira Cloud app. For user documentation, see GitLab for Jira Cloud app.
With the GitLab for Jira Cloud app, you can connect GitLab and Jira Cloud to sync development information in real time. You can view this information in the Jira development panel.
You can use the GitLab for Jira Cloud app to link top-level groups or subgroups. It's not possible to directly link projects or personal namespaces.
To set up the GitLab for Jira Cloud app on your self-managed instance, do one of the following:
- Connect the GitLab for Jira Cloud app (GitLab 15.7 and later).
- Install the GitLab for Jira Cloud app manually.
After you set up the app, you can use the project toolchain developed and maintained by Atlassian to link GitLab repositories to Jira projects. The project toolchain does not affect how development information is synced between GitLab and Jira Cloud.
For Jira Data Center or Jira Server, use the Jira DVCS connector developed and maintained by Atlassian.
Set up OAuth authentication
You must set up OAuth authentication to:
To create an OAuth application on your self-managed instance:
-
On the left sidebar, at the bottom, select Admin Area.
-
Select Applications.
-
Select New application.
-
In Redirect URI:
- If you're installing the app from the official marketplace listing, enter
https://gitlab.com/-/jira_connect/oauth_callbacks
. - If you're installing the app manually, enter
<instance_url>/-/jira_connect/oauth_callbacks
and replace<instance_url>
with the URL of your instance.
- If you're installing the app from the official marketplace listing, enter
-
Clear the Trusted and Confidential checkboxes.
NOTE: You must clear these checkboxes to avoid errors.
-
In Scopes, select the
api
checkbox only. -
Select Save application.
-
Copy the Application ID value.
-
On the left sidebar, select Settings > General.
-
Expand GitLab for Jira App.
-
Paste the Application ID value into Jira Connect Application ID.
-
Select Save changes.
Jira user requirements
- Support for the
org-admins
group introduced in GitLab 16.6.
In your Atlassian organization, you must ensure that the Jira user that is used to set up the GitLab for Jira Cloud app is a member of either:
- The Organization Administrators (
org-admins
) group. Newer Atlassian organizations are using centralized user management, which contains theorg-admins
group. Existing Atlassian organizations are being migrated to centralized user management. If available, you should use theorg-admins
group to indicate which Jira users can manage the GitLab for Jira app. Alternatively you can use thesite-admins
group. - The Site Administrators (
site-admins
) group. Thesite-admins
group was used under original user management.
If necessary:
- Create your preferred group.
- Edit the group to add your Jira user as a member of it.
- If you customized your global permissions in Jira, you might also need to grant the
Browse users and groups
permission to the Jira user.
Connect the GitLab for Jira Cloud app
- Introduced in GitLab 15.7.
You can link your self-managed instance after you install the GitLab for Jira Cloud app from the marketplace. Jira apps can only link to one URL per marketplace listing. The official listing links to GitLab.com.
With this method:
- GitLab.com serves as a proxy for Jira traffic from your instance.
- It's not possible to create branches from Jira Cloud. For more information, see issue 391432.
Install the GitLab for Jira Cloud app manually if:
- Your instance does not meet the prerequisites.
- You do not want to use the official marketplace listing.
- You want to create branches from Jira Cloud.
Prerequisites
- The instance must be publicly available.
- The instance must be on GitLab version 15.7 or later.
- You must set up OAuth authentication.
- If your instance uses HTTPS, your GitLab certificate must be publicly trusted or contain the full chain certificate.
- Your network must allow inbound and outbound connections between GitLab and Jira. For self-managed instances that are behind a
firewall and cannot be directly accessed from the internet:
- Open your firewall and only allow inbound traffic from Atlassian IP addresses.
- Set up an internet-facing reverse proxy in front of your self-managed instance. To secure this proxy further, only allow inbound traffic from Atlassian IP addresses.
- Add GitLab IP addresses to the allowlist of your firewall.
- The Jira user that installs and configures the GitLab for Jira Cloud app must meet certain requirements.
Set up your instance
To set up your self-managed instance for the GitLab for Jira Cloud app in GitLab 15.7 and later:
- On the left sidebar, at the bottom, select Admin Area.
- Select Settings > General.
- Expand GitLab for Jira App.
- In Jira Connect Proxy URL, enter
https://gitlab.com
. - Select Save changes.
Link your instance
To link your self-managed instance to the GitLab for Jira Cloud app:
- Install the GitLab for Jira Cloud app.
- Select GitLab (self-managed).
- Enter your GitLab instance URL.
- Select Save.
- Optional. Check if Jira Cloud is now linked.
Check if Jira Cloud is linked
You can use the Rails console to check if Jira Cloud is linked to:
-
A specific group:
JiraConnectSubscription.where(namespace: Namespace.by_path('group/subgroup'))
-
A specific project:
Project.find_by_full_path('path/to/project').jira_subscription_exists?
-
Any group:
installation = JiraConnectInstallation.find_by_base_url("https://customer_name.atlassian.net") installation.subscriptions
Install the GitLab for Jira Cloud app manually
If you do not want to use the official marketplace listing, install the GitLab for Jira Cloud app manually.
You must install each Jira Cloud app from a single location. Jira fetches a manifest file from the location you provide. The manifest file describes the app to the system.
To support your self-managed instance with Jira Cloud, do one of the following:
Prerequisites
- The instance must be publicly available.
- You must set up OAuth authentication.
- The Jira user that installs and configures the GitLab for Jira Cloud app must meet certain requirements.
Install the app in development mode
To configure your Jira instance so you can install apps from outside the marketplace:
- Sign in to your Jira instance as an administrator.
- Enable development mode on your Jira instance.
- Sign in to GitLab as an administrator.
-
Install GitLab from your Jira instance:
-
On your Jira instance, go to Apps > Manage Apps and select Upload app.
-
In App descriptor URL, provide the full URL to your manifest file based on your instance configuration.
By default, your manifest file is located at
/-/jira_connect/app_descriptor.json
. For example, if your GitLab self-managed instance domain isapp.pet-store.cloud
, your manifest file is located athttps://app.pet-store.cloud/-/jira_connect/app_descriptor.json
. -
Select Upload.
-
Select Get started to configure the integration.
-
- Disable development mode on your Jira instance.
In Apps > Manage Apps, GitLab for Jira Cloud now appears. You can also select Get started to open the configuration page from your GitLab instance.
If a GitLab upgrade makes changes to the app descriptor, you must reinstall the app.
Create a marketplace listing
If you do not want to use development mode, you can create your own marketplace listing. This way, you can install the GitLab for Jira Cloud app from the Atlassian Marketplace.
To create a marketplace listing:
- Register as an Atlassian Marketplace vendor.
- List your application with the application descriptor URL.
- Your manifest file is located at:
https://your.domain/your-path/-/jira_connect/app_descriptor.json
- You should list your application as
private
because public applications can be viewed and installed by any user.
- Your manifest file is located at:
- Generate test license tokens for your application.
Like the GitLab.com marketplace listing, this method uses automatic updates.
For more information about creating a marketplace listing, see the Atlassian documentation.
Configure your GitLab instance to serve as a proxy
A GitLab instance can serve as a proxy for other GitLab instances through the GitLab for Jira Cloud app. You might want to use a proxy if you're managing multiple GitLab instances but only want to manually install the app once.
To configure your GitLab instance to serve as a proxy:
- On the left sidebar, at the bottom, select Admin Area.
- Select Settings > General.
- Expand GitLab for Jira App.
- Select Enable public key storage.
- Select Save changes.
- Install the GitLab for Jira Cloud app manually.
Other GitLab instances that use the proxy must configure the following settings to point to the proxy instance:
Security considerations
The GitLab for Jira Cloud app connects GitLab and Jira. Data must be shared between the two applications, and access must be granted in both directions.
Using GitLab.com as a proxy
When you use GitLab.com as a proxy, the Jira access token is shared with GitLab.com.
The Jira access token is stored on GitLab.com because the token must be used to verify incoming requests from Jira before the requests are sent to your self-managed instance. The token is encrypted and is not used to access data in Jira. Any data from your self-managed instance is sent directly to Jira.
Access to GitLab through OAuth
GitLab does not share an access token with Jira. However, users must authenticate through OAuth to configure the app.
An access token is retrieved through a PKCE OAuth flow and stored only on the client side. The app frontend that initializes the OAuth flow is a JavaScript application that's loaded from GitLab through an iframe on Jira.
The OAuth application must have the api
scope, which grants complete read and write access to the API.
This access includes all groups and projects, the container registry, and the package registry.
However, the GitLab for Jira Cloud app only uses this access to:
- Display groups to link.
- Link groups.
Access through OAuth is only needed for the time a user configures the GitLab for Jira Cloud app. For more information, see Access token expiration.