Summary
kubara bootstrap can hit a startup race where Argo CD Dex/OIDC starts before External Secrets has created the referenced OAuth secret keys.
🧩 Type of Issue
🐛 Bug
🔍 Description
- Expected: Argo CD starts cleanly during bootstrap when SSO/Dex is configured with secret refs.
- Actual: Dex logs missing secret/key errors on first start (for refs like $<secret>:<key>), and Argo CD is only healthy after a manual server restart.
This happens because OAuth/OIDC secrets are delivered asynchronously via External Secrets, while argocd-server may start earlier.
Observed error message
Failed to query provider "": Get "/.well-known/openid-configuration": unsupported protocol scheme ""
Proposed fix
- After Argo CD apply, read argocd-cm.
- Parse dex.config / oidc.config for $<secretName>:<key> references.
- If refs exist, wait with bounded timeout (e.g. 75s) for secret+key availability.
- If refs become available after initial miss, perform one-time argocd-server restart.
- On timeout, fail with explicit missing refs in error output.
🧪 Steps to Reproduce (for bugs)
- Configure control plane with SSO enabled (oauth2Proxy: enabled) and Dex/OIDC secret refs in Argo CD values.
- Use External Secrets to provide referenced OAuth credentials.
- Run kubara bootstrap <cluster-name> --with-es-crds ....
- Observe argocd-server / Dex logs on first startup.
💻 Environment
- Kubara version: v0.6.1
- Deployment mode: control plane bootstrap
- External Secrets: enabled
- Argo CD: Dex/OIDC configured via secret refs ($secret:key)
✅ Checklist
🔗 Related Issues / References
📎 Additional Context / Logs
Workaround (for users currently affected)
After External Secrets has synced, restart Argo CD server once:
kubectl -n argocd rollout restart deploy/argocd-server
kubectl -n argocd rollout status deploy/argocd-server
Acceptance criteria
- No manual restart needed after fresh bootstrap with SSO enabled.
- No extra wait when no secret refs are configured.
- Timeout remains bounded and errors are actionable.
- Provider-agnostic behavior (GitHub, Forgejo, Google, generic OIDC).
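The parse-and-wait logic of the proposed fix, as an added Go sketch that is not kubara's own code. The names Ref, ExtractRefs and WaitForRefs, the has lookup callback and the regex character classes are assumptions; the caller supplies a context carrying the bounded timeout (e.g. 75s) and restarts argocd-server only when restart is true.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"time"
)

// Ref is one $<secretName>:<key> reference from dex.config / oidc.config.
type Ref struct{ Secret, Key string }

// Assumed grammar: DNS-style Secret name, ':', then a Secret data key.
var refRe = regexp.MustCompile(`\$([a-z0-9][a-z0-9.-]*):([A-Za-z0-9._-]+)`)

// ExtractRefs returns the de-duplicated refs in config, in order of appearance.
func ExtractRefs(config string) []Ref {
	seen, out := map[Ref]bool{}, []Ref{}
	for _, m := range refRe.FindAllStringSubmatch(config, -1) {
		if r := (Ref{m[1], m[2]}); !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// WaitForRefs polls has (hypothetical lookup, e.g. a Secret read) until all refs exist or
// ctx expires. restart is true only if a ref was missing at first and appeared later.
func WaitForRefs(ctx context.Context, refs []Ref, every time.Duration, has func(Ref) bool) (restart bool, err error) {
	for first := true; ; first = false {
		var missing []string
		for _, r := range refs {
			if !has(r) {
				missing = append(missing, "$"+r.Secret+":"+r.Key)
			}
		}
		if len(missing) == 0 {
			return !first, nil
		}
		select {
		case <-ctx.Done():
			return false, fmt.Errorf("timed out, missing secret refs: %v", missing)
		case <-time.After(every):
		}
	}
}

func main() { fmt.Println(ExtractRefs("clientSecret: $oauth-creds:client-secret")) } // constructed sample
```

With an empty ref list WaitForRefs returns on the first check without sleeping, which matches the "no extra wait when no secret refs are configured" criterion.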