GitLab Integration and Shared Secrets

GitLab OAuth for SCM Integration

Connecting Dev Spaces to GitLab allows automatic Git credential injection into workspaces — developers can clone, push, and pull without manually configuring tokens.

Create a GitLab OAuth Application

  1. In GitLab, go to Admin Area  Applications (or your group settings for group-level OAuth)

  2. Create a new application with the following settings:

    Name

    devspaces

    Redirect URI

    https://devspaces.apps./api/oauth/callback

    Confidential

    Checked

    Scopes

    api, write_repository, openid

  3. Note the Application ID and Secret

Create the OAuth Secret

Create a Kubernetes secret that Dev Spaces will use to authenticate against GitLab. The labels and annotations are required — Dev Spaces discovers the secret automatically based on them.

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-oauth-config
  namespace: openshift-devspaces
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: oauth-scm-configuration
  annotations:
    che.eclipse.org/oauth-scm-server: gitlab
    che.eclipse.org/scm-server-endpoint: https://<gitlab_host> (1)
type: Opaque
stringData:
  id: <application_id>
  secret: <application_secret>
1 Replace with your GitLab instance URL (e.g. https://gitlab.apps.cluster.example.com).

Apply it:

oc apply -f gitlab-oauth-config.yaml

Register GitLab in the CheCluster

Add the gitServices section to your CheCluster CR:

oc patch checluster/devspaces -n openshift-devspaces \
  --type='merge' \
  -p '{"spec":{"gitServices":{"gitlab":[{"secretName":"gitlab-oauth-config","endpoint":"https://<gitlab_host>"}]}}}'

When a user opens a workspace that references a GitLab repository, they will be prompted to authenticate with GitLab via OAuth. This grants push/pull access using their personal GitLab credentials.

Mounting Shared Secrets into Workspaces

Dev Spaces can automatically mount Kubernetes Secrets (and ConfigMaps) into every workspace pod using labels and annotations. This is useful for providing API keys, service credentials, or shared configuration to all developers without them having to configure it manually.

How It Works

Any Secret or ConfigMap in the openshift-devspaces namespace with the label app.kubernetes.io/part-of: che.eclipse.org and the annotation controller.devfile.io/mount-as will be automatically mounted into workspace containers.

Mount options:

  • mount-as: env — Inject as environment variables

  • mount-as: file — Mount as files at a specified path

  • mount-as: subpath — Mount individual keys as separate files

Example: AI Code Assistant (Continue) Credentials

This example creates a secret that injects LLM API credentials as environment variables into every workspace. These can be provided to an extension such as Roo, Cline, or Continue to enable LLM-assisted coding.

First, obtain an API key from the Red Hat Demo Platform MaaS:

  1. Navigate to Models and find qwen3

  2. Click Subscribe to subscribe to the model

  3. Go to API Keys and click Create API Key

  4. Provide a name for the key and select the qwen3 subscription

  5. Save the generated key somewhere safe

Then create the secret:

apiVersion: v1
kind: Secret
metadata:
  name: continue-llm-credentials
  namespace: openshift-devspaces
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
  annotations:
    controller.devfile.io/mount-as: env
type: Opaque
stringData:
  LLM_API_KEY: <your_api_key>
  LLM_BASE_URL: https://litellm-prod.apps.maas.redhatworkshops.io

Apply it:

oc apply -f continue-llm-credentials.yaml

Every new workspace will now have LLM_API_KEY and LLM_BASE_URL available as environment variables. The devfile’s postStart command can use these to configure the Continue extension automatically (see Devfiles).

Example: Mounting a Shared .npmrc

You can also mount ConfigMaps as files. For example, to provide a shared .npmrc that points at a private registry for all workspaces:

apiVersion: v1
kind: ConfigMap
metadata:
  name: npmrc-config
  namespace: openshift-devspaces
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: workspaces-config
  annotations:
    controller.devfile.io/mount-as: subpath
    controller.devfile.io/mount-path: /home/user/
data:
  .npmrc: |
    registry=https://npm.registry.example.com/
    //npm.registry.example.com/:_authToken=${NPM_TOKEN}

Summary

You now have:

  • GitLab OAuth integration for seamless Git access from workspaces

  • A pattern for mounting shared secrets and configuration into all workspaces automatically

Next Steps

Proceed to Dev Spaces & IDE Setup to create your workspace.