Sentinel v5 rollout: s2s bootstrap + mapache cutover #94
Merged
Point both deployments at https://sentinel-v5.gauchoracing.com, drop the standalone SENTINEL_JWKS_URL (v5 hosts JWKS at /api/core/keys, derived from SENTINEL_URL in code), and roll the new client_id TIvD6jCH3mGV. auth additionally renames its env+secret-key SENTINEL_TOKEN -> SENTINEL_SA_TOKEN to match config.go's switch from the v4 static API key to the v5 service-account JWT. Bootstrap comment in apps/mapache.yaml updated to match. Secret keys (SENTINEL_CLIENT_SECRET overwrite + new SENTINEL_SA_TOKEN) have already been patched into the in-cluster mapache-secrets so this rolls cleanly via ArgoCD autosync.
- INTERNAL_BOOTSTRAP_SECRET env to sentinel core/discord/oauth/saml so non-core services can exchange it for a bearer JWT at startup (Sentinel PR fix(clickhouse-ec2): disable text_log and lower log level in provisioning #79)
- DISCORD_CLIENT_ID / DISCORD_CLIENT_SECRET / DISCORD_REDIRECT_URI to sentinel oauth so "Continue with Discord" actually works in prod (Sentinel PR foreman: swap to standalone image (v2.0.0) #76)
- auth + query over to https://sentinel-v5.gauchoracing.com, drop SENTINEL_JWKS_URL (v5 hosts JWKS at /api/core/keys under SENTINEL_URL), roll new client_id TIvD6jCH3mGV
- auth env + secret key SENTINEL_TOKEN → SENTINEL_SA_TOKEN to match the v4-API-key → v5-SA-JWT switch in auth/config/config.go
- apps/mapache.yaml to reference the new key

Operator todo before merge

- sentinel-secrets: add INTERNAL_BOOTSTRAP_SECRET (openssl rand -hex 32), DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET
- https://sentinel-v5.gauchoracing.com/auth/login/discord as authorized redirect
- mapache-secrets: already patched with new SENTINEL_CLIENT_SECRET + SENTINEL_SA_TOKEN; orphan SENTINEL_TOKEN key removed
- TIvD6jCH3mGV: confirmed https://mapache.gauchoracing.com/auth/login registered as redirect_uri
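
A pre-flight check for the cutover described above, as an added example that is not part of this PR or the project's code: it inspects a rendered env map for the stale v4 keys, a JWT-shaped SENTINEL_SA_TOKEN and a 64-hex-character INTERNAL_BOOTSTRAP_SECRET. The names CheckV5Env and looksLikeJWT are hypothetical, the sample values are constructed, and it assumes the service-account token is a compact three-segment JWT; it checks shape only, not the signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Output shape of `openssl rand -hex 32`: 64 lowercase hex characters.
var hex64 = regexp.MustCompile(`^[0-9a-f]{64}$`)

// looksLikeJWT reports whether tok has three dot-separated segments and a
// base64url JSON header carrying "alg". No signature verification is done.
func looksLikeJWT(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return false
	}
	var hdr map[string]interface{}
	return json.Unmarshal(raw, &hdr) == nil && hdr["alg"] != nil
}

// CheckV5Env returns one finding per problem; an empty result means clean.
func CheckV5Env(env map[string]string) []string {
	var out []string
	for _, k := range []string{"SENTINEL_JWKS_URL", "SENTINEL_TOKEN"} {
		if _, ok := env[k]; ok {
			out = append(out, "stale v4 key still set: "+k)
		}
	}
	if !strings.HasPrefix(env["SENTINEL_URL"], "https://") {
		out = append(out, "SENTINEL_URL must be an https:// URL")
	}
	if !looksLikeJWT(env["SENTINEL_SA_TOKEN"]) {
		out = append(out, "SENTINEL_SA_TOKEN is not JWT-shaped (v4 static key?)")
	}
	if s, ok := env["INTERNAL_BOOTSTRAP_SECRET"]; ok && !hex64.MatchString(s) {
		out = append(out, "INTERNAL_BOOTSTRAP_SECRET is not 64 lowercase hex chars")
	}
	return out
}

func main() { // constructed sample values, not real secrets
	env := map[string]string{"SENTINEL_URL": "https://sentinel-v5.gauchoracing.com", "SENTINEL_TOKEN": "static-v4-key", "SENTINEL_SA_TOKEN": "static-v4-key"}
	fmt.Println(strings.Join(CheckV5Env(env), "\n"))
}
```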