fix(argocd): point OIDC at the new Sentinel client_id #66

Merged
BK1031 merged 1 commit into main from bk1031/argocd-oidc-client-id
Jun 5, 2026

@BK1031 BK1031 commented Jun 5, 2026

The previous client (`XwwQhdCWZ9Cn`) lived in the sentinel Postgres database that got wiped during the gr-postgres recreate. Re-registering the ArgoCD app in Sentinel post-recovery produced a fresh auto-generated client_id (`b9OrCRXdo1VQ`).

After this merges

  1. terraform-apply re-renders `argocd-cm` with the new `clientID`:
    ```bash
    gh workflow run terraform-apply.yml -f env=prod -R Gaucho-Racing/infrastructure
    ```
  2. Rotate the matching clientSecret in the argocd namespace (the secret is deliberately out-of-Git, see the argocd module's header comment):
    ```bash
    kubectl -n argocd delete secret argocd-sentinel-oidc
    kubectl -n argocd create secret generic argocd-sentinel-oidc \
    --from-literal=oidc.clientSecret=''
    kubectl -n argocd label secret argocd-sentinel-oidc \
    app.kubernetes.io/part-of=argocd
    kubectl -n argocd rollout restart deploy argocd-server
    ```
  3. Try to log in via argocd.gauchoracing.com → Sentinel SSO → ArgoCD; admin-group users land on `role:admin`, everyone else `role:readonly`.

Test plan

  • `terraform validate` + `fmt -check`
  • After apply: `kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.oidc\.config}' | grep clientID` returns `b9OrCRXdo1VQ`
  • After secret rotation + rollout: ArgoCD login flow completes through Sentinel without `invalid_client` errors
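
An offline version of the `clientID` check from the test plan above, as an added example that is not part of this PR or the repository. The function name `check_oidc_config`, the sample configs and the issuer URL are constructed, and it assumes the module renders `clientSecret` as an Argo CD `$secret:key` reference to the `argocd-sentinel-oidc` Secret. Unlike a bare `grep clientID`, which also succeeds on the stale ID, it compares the value exactly and fails if the secret is inlined in the ConfigMap.

```shell
#!/usr/bin/env bash
# Added example: validate a rendered Argo CD oidc.config block offline.
# In a cluster, pipe in the output of:
#   kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.oidc\.config}'

# check_oidc_config EXPECTED_CLIENT_ID   (oidc.config YAML on stdin)
# Returns 0 if clientID matches exactly and clientSecret is a $secret:key
# reference, 1 on a clientID mismatch, 2 if the secret is missing or inline.
check_oidc_config() {
  expected="$1"
  cfg="$(cat)"
  # Pull the scalar value of each top-level key and strip optional quotes.
  client_id="$(printf '%s\n' "$cfg" | sed -n 's/^clientID:[[:space:]]*//p' | tr -d "\"'" | head -n 1)"
  client_secret="$(printf '%s\n' "$cfg" | sed -n 's/^clientSecret:[[:space:]]*//p' | tr -d "\"'" | head -n 1)"
  if [ "$client_id" != "$expected" ]; then
    echo "clientID mismatch: got '${client_id}', want '${expected}'" >&2
    return 1
  fi
  case "$client_secret" in
    '$'*:*) ;;  # e.g. $argocd-sentinel-oidc:oidc.clientSecret
    *) echo "clientSecret is missing or an inline literal" >&2; return 2 ;;
  esac
  return 0
}

# Constructed sample inputs (issuer is a placeholder, not the real endpoint).
SAMPLE_GOOD='name: Sentinel
issuer: https://sso.example.invalid
clientID: b9OrCRXdo1VQ
clientSecret: $argocd-sentinel-oidc:oidc.clientSecret'

# Same config still carrying the pre-wipe client ID.
SAMPLE_STALE='name: Sentinel
issuer: https://sso.example.invalid
clientID: XwwQhdCWZ9Cn
clientSecret: $argocd-sentinel-oidc:oidc.clientSecret'

# Correct client ID, but the secret value is committed inline.
SAMPLE_INLINE='name: Sentinel
issuer: https://sso.example.invalid
clientID: b9OrCRXdo1VQ
clientSecret: constructed-inline-value'

printf '%s\n' "$SAMPLE_GOOD" | check_oidc_config b9OrCRXdo1VQ && echo "oidc.config OK"
```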

The previous client (XwwQhdCWZ9Cn) lived in the sentinel Postgres
database that got wiped during the gr-postgres recreate. Re-registering
the ArgoCD app in Sentinel post-recovery produced a fresh
auto-generated client_id (b9OrCRXdo1VQ).

The matching clientSecret is rotated in the argocd-sentinel-oidc k8s
Secret out-of-band — see the module's main.tf header comment.
@BK1031 BK1031 merged commit d8e31f9 into main Jun 5, 2026
1 check failed
@BK1031 BK1031 deleted the bk1031/argocd-oidc-client-id branch June 5, 2026 08:58

github-actions Bot commented Jun 5, 2026

Terraform plan: prod

| step | result |
| --- | --- |
| fmt | success |
| init | success |
| validate | success |
| plan | failure |