feat(sentinel): wire INTERNAL_BOOTSTRAP_SECRET + Discord login env (#86)
Merged
Two related additions from recent Sentinel PRs:

1. INTERNAL_BOOTSTRAP_SECRET (PR #79: s2s auth). Each non-core service now exchanges this shared secret at startup for its pre-seeded bearer JWT, then uses the JWT on every outbound sentinel-client call. Wired to core/discord/oauth/saml from a new key on sentinel-secrets.
2. Discord OAuth client config (PR #76: Login with Discord). The "Continue with Discord" button was merged + deployed via image bumps, but the env vars to make it actually work were never added to the oauth deployment. Adds DISCORD_CLIENT_ID + DISCORD_CLIENT_SECRET from sentinel-secrets and a prod-URL DISCORD_REDIRECT_URI inline.

Operator todo before this rolls: add three new keys to the sentinel-secrets Secret. Same value across every service for INTERNAL_BOOTSTRAP_SECRET — generate with `openssl rand -hex 32`. Discord client id/secret come from the registered application at discord.com/developers.

```bash
kubectl -n sentinel edit secret sentinel-secrets
# Add (base64-encoded values):
# INTERNAL_BOOTSTRAP_SECRET
# DISCORD_CLIENT_ID
# DISCORD_CLIENT_SECRET
```

Then make sure the Discord application has https://sentinel-v5.gauchoracing.com/auth/login/discord registered as an authorized redirect URI.

After the secret is populated, the auto-image-bump PR for the next Sentinel release will roll this into prod cleanly. If the secret isn't populated when this lands, the new bootstrap call from non-core services will fail closed (each retries with backoff, then the pod restarts) — no silent data corruption, just CrashLoopBackOff until the operator catches up.
## Summary
Catches the prod env-var config up to two recent Sentinel changes that the image-bump deploy workflow didn't carry across (it only handles image tags).
## Operator todo before rolling
Three new keys need to land in `sentinel-secrets`:
```bash
# Pick a strong shared secret for s2s bootstrap
openssl rand -hex 32
# → use the same value across every service

kubectl -n sentinel edit secret sentinel-secrets
# Add base64-encoded:
#   INTERNAL_BOOTSTRAP_SECRET
#   DISCORD_CLIENT_ID
#   DISCORD_CLIENT_SECRET
```
Also register `https://sentinel-v5.gauchoracing.com/auth/login/discord` as an authorized redirect URI on the Discord application at discord.com/developers (if not already).
## Failure mode if secrets aren't populated when this rolls
The new bootstrap call at non-core service startup fails closed — each service retries with linear backoff (~10s), then pod restarts (compose/k8s `restart: always`). You'll see CrashLoopBackOff on discord/oauth/saml until the secret is in place. No silent data corruption.
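The startup exchange and its fail-closed behaviour, as an added example that is not Sentinel's own code (and not part of this PR): a core-side handler that checks the presented `INTERNAL_BOOTSTRAP_SECRET` in constant time and returns the service's pre-seeded bearer JWT, and a client that retries with linear backoff and exits non-zero when the exchange never succeeds, so the orchestrator restarts the pod. The bootstrap path `/internal/bootstrap`, the `X-Bootstrap-Secret` and `X-Service` headers, and the placeholder JWT values are assumptions for illustration; Sentinel's real route and payload are not described on the page. The stand-in core is an in-process `httptest` server so the example runs offline.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// bootstrapPath is a hypothetical route; the real Sentinel endpoint is not on the page.
const bootstrapPath = "/internal/bootstrap"

var errBootstrapFailed = errors.New("bootstrap failed after all attempts")

// newCoreHandler is the core-side half of the exchange. It compares the presented
// secret against the shared one in constant time and, on a match, returns the
// pre-seeded JWT for the calling service (tokens holds constructed placeholders).
func newCoreHandler(sharedSecret string, tokens map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != bootstrapPath {
			http.NotFound(w, r)
			return
		}
		presented := r.Header.Get("X-Bootstrap-Secret") // header name is an assumption
		if sharedSecret == "" || subtle.ConstantTimeCompare([]byte(presented), []byte(sharedSecret)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden) // no hint about which part failed
			return
		}
		jwt, ok := tokens[r.Header.Get("X-Service")]
		if !ok {
			http.Error(w, "unknown service", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		fmt.Fprint(w, jwt)
	})
}

// bootstrap is the non-core side: it exchanges the shared secret for the JWT,
// retrying with linear backoff (attempt n sleeps n*step). An empty secret fails
// immediately; exhausting maxAttempts returns errBootstrapFailed so the caller
// can exit non-zero rather than run unauthenticated.
func bootstrap(client *http.Client, coreURL, service, secret string, maxAttempts int, step time.Duration) (string, error) {
	if secret == "" {
		return "", errors.New("INTERNAL_BOOTSTRAP_SECRET is not set")
	}
	var lastErr error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		req, err := http.NewRequest(http.MethodPost, coreURL+bootstrapPath, nil)
		if err != nil {
			return "", err
		}
		req.Header.Set("X-Bootstrap-Secret", secret)
		req.Header.Set("X-Service", service)
		resp, err := client.Do(req)
		if err == nil {
			body, readErr := io.ReadAll(resp.Body)
			resp.Body.Close()
			if readErr == nil && resp.StatusCode == http.StatusOK {
				return string(body), nil
			}
			err = fmt.Errorf("bootstrap returned status %d", resp.StatusCode)
		}
		lastErr = err
		time.Sleep(time.Duration(attempt) * step) // linear backoff
	}
	return "", fmt.Errorf("%w: %v", errBootstrapFailed, lastErr)
}

// newAuthorizedRequest builds an outbound sentinel-client call that presents the
// JWT obtained from bootstrap as a bearer token.
func newAuthorizedRequest(method, url, jwt string) (*http.Request, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	return req, nil
}

func main() {
	secret := os.Getenv("INTERNAL_BOOTSTRAP_SECRET")
	// Stand-in core so the example runs offline; in the cluster this is the core service.
	core := httptest.NewServer(newCoreHandler(secret, map[string]string{"oauth": "jwt-placeholder"}))
	defer core.Close()
	jwt, err := bootstrap(core.Client(), core.URL, "oauth", secret, 3, 10*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, "fatal:", err)
		os.Exit(1) // fail closed: let the orchestrator restart the pod
	}
	fmt.Println("bootstrapped; bearer JWT length:", len(jwt))
}
```

Run with `INTERNAL_BOOTSTRAP_SECRET` unset to see the immediate fail-closed exit, and with it set to see the happy path. The server returns the same 403 for a wrong secret and an unknown service so a caller learns nothing from the response beyond "denied"; the client's retry loop is what turns a temporarily unavailable core into a restart rather than a silent degradation.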
## Test plan (post-deploy)