GitLab OAuth Application Setup

Phase: 1 - Prerequisites & Secrets
Duration: 10-15 minutes
Purpose: Create GitLab OAuth application for ArgoCD authentication

Overview

ArgoCD requires a GitLab OAuth application to enable GitLab-based authentication. This guide walks through creating the OAuth application in GitLab and recording the credentials for Terraform.

📋 Prerequisites

  • GitLab account (the application is created under your own profile, so no special group or project role is needed)
  • Access to GitLab profile settings
  • Knowledge of your ArgoCD domain (e.g., argocd.florenciacomuzzi.com)

🔧 Setup Steps

Step 1: Access GitLab Applications

  1. Login to GitLab
     • Go to GitLab.com or your GitLab instance
     • Sign in with your account
  2. Navigate to Applications
     • Click on your profile picture (top right)
     • Select "Edit Profile"
     • In the left sidebar, click "Applications"

Step 2: Create OAuth Application

  1. Application Details
     • Name: Argo CD - Blueberry [Environment]
       – Use Blueberry Development for dev environment
       – Use Blueberry Production for prod environment
  2. Redirect URIs (add both):
     https://argocd.florenciacomuzzi.com/auth/callback
     https://argocd.florenciacomuzzi.com/api/dex/callback

Note: Replace argocd.florenciacomuzzi.com with your actual ArgoCD domain. The first URI is the callback Argo CD uses when it talks to GitLab as an OIDC client directly; the second is the callback of the Dex instance bundled with Argo CD. GitLab matches the redirect_uri it receives against this list by exact string comparison, so scheme, host, port and path (including any trailing slash) must be identical.

  3. Scopes (select these checkboxes):
     • openid
     • profile
     • email
     • read_api
  4. Confidentiality
     • ✅ Check "Confidential" (should be default). Argo CD runs server-side and presents the client secret when it exchanges the authorization code, so it is a confidential client.

Step 3: Save Application

  1. Click "Save Application"
  2. Record the credentials:
     • Application ID: copy this value (not secret)
     • Secret: copy this value (sensitive - handle with care)

📝 Configuration Records

After creating the application, you'll need to record these values:

For Terraform Variables

Add to your blueberry-terraform/.env file:

# GitLab OAuth Application (for ArgoCD)
TF_VAR_gitlab_oauth_client_id="your-application-id-here"
TF_VAR_gitlab_oauth_client_secret="your-secret-here"

For Terraform tfvars

Add to your blueberry-terraform/variables/dev.auto.tfvars file:

# GitLab OAuth Application (created manually in GitLab UI)
gitlab_oauth_client_id = "your-application-id-here"
# gitlab_oauth_client_secret should be set via TF_VAR_gitlab_oauth_client_secret in .env file

🔒 Security Considerations

  1. Secret Protection
     • Never commit the client secret to version control; confirm that .env is listed in .gitignore before you write the secret into it
     • Store the secret in environment variables only (TF_VAR_gitlab_oauth_client_secret), never in a committed tfvars file
     • Any Terraform resource the secret is written into keeps the value in plaintext in Terraform state, so restrict access to the state backend as well
     • Use different OAuth apps for different environments, so a leaked dev secret cannot be used to sign in to prod
  2. Scope Limitations
     • Only grant the minimal required scopes; in particular do not grant api, which gives full read/write access to the GitLab API
     • read_api is needed for group membership validation
     • openid, profile and email only expose basic identity information
  3. Redirect URI Validation
     • Ensure the redirect URIs match your actual ArgoCD domain exactly
     • GitLab rejects any authorization request whose redirect_uri is not an exact match for a registered URI; this is what prevents an attacker from having the authorization code delivered to a host they control

✅ Verification

After setup, verify the configuration:

  1. Check Application List
     • Return to the GitLab Applications page
     • Verify your application is listed
     • Note that the Application ID matches your records
  2. Test Redirect URIs
     • Ensure the ArgoCD domain is correct
     • Both callback URLs should be identical except for the path

🚨 Common Issues

Issue: "Invalid redirect URI"

Cause: The redirect_uri Argo CD (or Dex) sends does not exactly match a registered URI; a different scheme, host, port, path or a trailing slash is enough
Solution: Verify the ArgoCD domain and ensure both callback URLs are added exactly as Argo CD sends them

Issue: "Scope not granted"

Cause: Required scopes not selected
Solution: Edit the application and ensure all 4 scopes are checked

Issue: "Application not found"

Cause: Application ID copied incorrectly
Solution: Double-check the Application ID from GitLab
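As an added example (not code from the original guide or from the blueberry-terraform project), the following Python script reproduces offline the checks behind the Verification section and the "Invalid redirect URI" and "Scope not granted" issues above: it derives the two redirect URIs the guide registers for an Argo CD domain, compares a candidate redirect_uri against them with the exact-match rule GitLab applies and names the first difference it finds, lists the required scopes that are missing, and assembles the /oauth/authorize request so you can see what Argo CD will send to GitLab. The client ID and the mistyped URIs in main() are constructed sample values; nothing contacts GitLab.

```python
"""Offline checks for the GitLab OAuth application used by Argo CD.

Added example; not part of the original guide or the blueberry-terraform
project. The sample values in main() are constructed; nothing is sent to
GitLab.
"""
import secrets
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# The four scopes the guide asks you to tick on the application.
REQUIRED_SCOPES = frozenset({"openid", "profile", "email", "read_api"})

# Callback paths: direct OIDC in Argo CD, and the bundled Dex.
CALLBACK_PATHS = ("/auth/callback", "/api/dex/callback")


def expected_redirect_uris(argocd_domain: str) -> List[str]:
    """The two redirect URIs the guide registers for an Argo CD domain."""
    return [f"https://{argocd_domain}{path}" for path in CALLBACK_PATHS]


def diagnose_redirect_uri(registered: List[str], requested: str) -> str:
    """Apply the exact-match rule and name the first difference found.

    GitLab compares redirect_uri byte for byte with the registered list:
    no prefix match, wildcard or case folding. Returns "ok" on a match.
    """
    if requested in registered:
        return "ok"
    req = urlsplit(requested)
    if req.scheme != "https":
        return f"scheme {req.scheme!r} is not https"
    same_host = [urlsplit(u) for u in registered if urlsplit(u).netloc == req.netloc]
    if not same_host:
        # netloc includes the port, so host:8443 is a different URI
        return f"host {req.netloc!r} is not registered"
    if req.query or req.fragment:
        return "query string or fragment is not part of any registered URI"
    for reg in same_host:
        if req.path.rstrip("/") == reg.path.rstrip("/"):
            return "trailing slash differs from the registered URI"
    return f"path {req.path!r} is not a registered callback path"


def missing_scopes(granted: Iterable[str]) -> List[str]:
    """Required scopes the application does not have, sorted."""
    return sorted(REQUIRED_SCOPES - set(granted))


def authorization_url(gitlab_url: str, client_id: str, redirect_uri: str,
                      scopes: Iterable[str] = REQUIRED_SCOPES,
                      state: Optional[str] = None) -> Tuple[str, str]:
    """Build the /oauth/authorize request a client sends to GitLab.

    state is a random, single-use value the client must verify when the
    browser comes back to redirect_uri; it is generated here if not given.
    """
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return f"{gitlab_url.rstrip('/')}/oauth/authorize?{urlencode(params)}", state


def main() -> None:
    domain = "argocd.florenciacomuzzi.com"  # the guide's example domain
    registered = expected_redirect_uris(domain)
    # Constructed candidates: one correct, four typical mistakes.
    for uri in (registered[1],
                f"https://{domain}/auth/callback/",
                f"http://{domain}/auth/callback",
                f"https://{domain}:8443/auth/callback",
                f"https://{domain}/callback"):
        print(f"{uri:60} -> {diagnose_redirect_uri(registered, uri)}")
    print("missing scopes:", missing_scopes(["openid", "profile", "email"]))
    # Placeholder client_id; the URL is only printed, never opened.
    url, _ = authorization_url("https://gitlab.com", "APPLICATION_ID", registered[0])
    print(url)


if __name__ == "__main__":
    main()
```

Run it with `python3 check_gitlab_oauth.py` (file name is yours to choose) after editing the domain; the diagnostic strings map directly onto the fields you compare on the GitLab Applications page.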

⏭️ Next Steps

Once you have the GitLab OAuth application configured:

  1. Record the credentials in your .env file
  2. Continue with Slack Webhook Setup
  3. Complete all prerequisites before proceeding to Phase 2

Related: Phase 1 Overview | Secrets Checklist

Document ID: setup/01-prerequisites/gitlab-oauth-setup