feat: new docs for non-publicly accessible self hosted gitlab (#2655)

Author: ZachGoldberg

docs/2.0/docs/pipelines/installation/addinggitlabrepo.md

@@ -36,6 +36,14 @@ Setting up Gruntwork Pipelines for GitLab involves these main steps:
 
 ## Detailed Setup Instructions
 
+### Step 0: Ensure OIDC configuration and JWKS are publicly accessible
+
+This step only applies if you are using a self-hosted GitLab instance that is not accessible from the public internet. If you are using GitLab.com or a self-hosted instance that is publicly accessible, you can skip this step.
+
+1. [Follow GitLab's instructions](https://docs.gitlab.com/ci/cloud_services/aws/#configure-a-non-public-gitlab-instance) for hosting your OIDC configuration and JWKS in a public location (e.g. S3 Bucket). This is necessary for both Gruntwork and the AWS OIDC provider to access the GitLab OIDC configuration and JWKS when authenticating JWT's generated by your custom instance.
+2. Note the <CustomizableValue id="ISSUER_URL" /> (stored as `ci_id_tokens_issuer_url` in your `gitlab.rb` file per GitLab's instructions) generated above for reuse in the next steps.
+
+
 ### Step 1: Authorize Your GitLab Group with Gruntwork
 
 To use Gruntwork Pipelines with GitLab, your group needs authorization from Gruntwork:
@@ -44,7 +52,7 @@ To use Gruntwork Pipelines with GitLab, your group needs authorization from Grun
 
       ```
       GitLab group name(s): $$GITLAB_GROUP_NAME$$ (e.g. acme-io)
-      GitLab instance URL: $$GITLAB_INSTANCE$$ (e.g., https://gitlab.acme.io)
+      GitLab Issuer URL: $$ISSUER_URL$$ (For most users this is the URL of your GitLab instance e.g. https://gitlab.acme.io. If your instance is not publicly accessible, this should be a separate URL that is publicly accessible per step 0, e.g. https://s3.amazonaws.com/YOUR_BUCKET_NAME/)
       Organization name: $$ORGANIZATION_NAME$$ (e.g. Acme, Inc.)
       ```