
[Feature]: kubara bootstrap Argo CD Dex/OIDC starts before External Secrets are ready #100

Description

@Matthiator

Summary

kubara bootstrap can hit a startup race where Argo CD Dex/OIDC starts before External Secrets has created the referenced OAuth secret keys.

🧩 Type of Issue

🐛 Bug

🔍 Description

  • Expected: Argo CD starts cleanly during bootstrap when SSO/Dex is configured with secret refs.
  • Actual: Dex logs missing secret/key errors on first start (for refs like $<secret>:<key>), and Argo CD is only healthy after a manual server restart.

This happens because OAuth/OIDC secrets are delivered asynchronously via External Secrets, while argocd-server may start earlier.

Observed error message

Failed to query provider "": Get "/.well-known/openid-configuration": unsupported protocol scheme ""

Proposed fix

  • After Argo CD apply, read argocd-cm.
  • Parse dex.config / oidc.config for $<secretName>:<key> references.
  • If refs exist, wait with bounded timeout (e.g. 75s) for secret+key availability.
  • If refs become available after initial miss, perform one-time argocd-server restart.
  • On timeout, fail with explicit missing refs in error output.

🧪 Steps to Reproduce (for bugs)

  1. Configure control plane with SSO enabled (oauth2Proxy: enabled) and Dex/OIDC secret refs in Argo CD values.
  2. Use External Secrets to provide referenced OAuth credentials.
  3. Run kubara bootstrap <cluster-name> --with-es-crds ....
  4. Observe argocd-server / Dex logs on first startup.

💻 Environment

  • Kubara version: v0.6.1
  • Deployment mode: control plane bootstrap
  • External Secrets: enabled
  • Argo CD: Dex/OIDC configured via secret refs ($secret:key)

✅ Checklist

  • I have searched existing issues
  • I am using the latest version of Kubara
  • The issue is reproducible
  • This is not a duplicate

🔗 Related Issues / References

  • N/A

📎 Additional Context / Logs

Workaround (for users currently affected)

After External Secrets has synced, restart the Argo CD server once:

kubectl -n argocd rollout restart deploy/argocd-server
kubectl -n argocd rollout status deploy/argocd-server

Acceptance criteria

  • No manual restart needed after fresh bootstrap with SSO enabled.
  • No extra wait when no secret refs are configured.
  • Timeout remains bounded and errors are actionable.
  • Provider-agnostic behavior (GitHub, Forgejo, Google, generic OIDC).
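One way the proposed fix could be implemented, written here as an added example and not Kubara's own code: it scans the argocd-cm data for $<secretName>:<key> references in dex.config and oidc.config, then waits with a bounded timeout, reporting whether a one-time argocd-server restart is needed and naming the refs still missing on timeout. The KeyLookup type is an assumption (a real bootstrap would back it with a Kubernetes client), and only the two-part reference form named in this issue is matched.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// SecretRef is one $<secretName>:<key> reference found in argocd-cm.
type SecretRef struct{ Secret, Key string }
// KeyLookup reports whether key exists in the named Secret; assumed interface,
// backed by a cluster query in a real bootstrap and by a map in tests.
type KeyLookup func(secret, key string) bool
var refPattern = regexp.MustCompile(`\$([\w.-]+):([\w.-]+)`)

// ParseSecretRefs returns the unique $<secretName>:<key> references found in
// the dex.config and oidc.config entries of argocd-cm, in first-seen order.
func ParseSecretRefs(cmData map[string]string) (refs []SecretRef) {
	seen := map[SecretRef]bool{}
	for _, field := range []string{"dex.config", "oidc.config"} {
		for _, m := range refPattern.FindAllStringSubmatch(cmData[field], -1) {
			if r := (SecretRef{m[1], m[2]}); !seen[r] {
				seen[r] = true
				refs = append(refs, r)
			}
		}
	}
	return refs
}

// WaitForRefs polls until all refs resolve or timeout elapses; no refs means no
// wait. restartNeeded is true when refs were missing on the first check but
// appeared later (argocd-server may have started without them).
func WaitForRefs(refs []SecretRef, lookup KeyLookup, timeout, every time.Duration) (restartNeeded bool, err error) {
	deadline := time.Now().Add(timeout)
	for attempt := 0; ; attempt++ {
		var missing []SecretRef
		for _, r := range refs {
			if !lookup(r.Secret, r.Key) {
				missing = append(missing, r)
			}
		}
		if len(missing) == 0 {
			return attempt > 0, nil
		}
		if time.Now().After(deadline) {
			return false, fmt.Errorf("timed out after %s waiting for Argo CD secret refs: %v", timeout, missing)
		}
		time.Sleep(every)
	}
}
```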

Labels: bug (Something isn't working), helm (Helm chart, templates, and release config topics), intended