Auto-generate the oauth2-proxy cookie-secret (Helm lookup-generate; drop the manual SSM param) #11
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Ask (Kai)
The oauth2-proxy cookie-secret is just a random cookie-signing key with no cross-system meaning, yet every public ward-mcp deploy requires a manual SSM param (
/<svc>/oauth2-proxy/cookie-secret, created by hand withopenssl rand). That is silly - autogenerate it.Fix: generate-once in the chart, preserve on upgrade
In
chart/templates/route.yaml, stop pullingcookie-secretfrom the SSM ExternalSecret and instead have the chart mint it:lookupof the existing Secret - so re-rolls do NOT rotate the cookie (which would invalidate live sessions).client-secreton the SSM ExternalSecret (it is the shared claude hash the gate still needs); onlycookie-secretmoves to generated.Note on "a rollout.sh thing": for the Helm path this Helm-
lookupapproach is the cleaner equivalent - idempotent, needs no SSM-write permission, no rollout plumbing. If you'd rather it live in the deploy rollout askubectl get secret || creategenerate-if-absent, that is the alternative, but lookup-generate is the recommendation. Either way the manual SSM param is gone.Scope + carry-over
Acceptance
helm upgradere-rolls preserve the same value (no forced re-login).🔒 Reserved by
ward agent --driver claude— containerengineer-claude-ward-mcp-11on hostKAI-DESKTOP-TOWERis carrying this issue (reserved 2026-07-07T23:40:00Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (2h0m0s TTL);--forceoverrides.Do not comment on or edit this issue to steer the run while it is reserved. The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a new issue, dispatched fresh — that is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494).
run seed context — what this run is carrying (ward#609)
coilyco-flight-deck/ward-mcp#11· branchissue-11· driverclaude· workflowdirect-mainengineer-claude-ward-mcp-11· wardv0.422.0· dispatched2026-07-07T23:40:00ZIssue body as seeded:
… (truncated to 2000 chars; full body is on this issue)
Static container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.422.0).
— Claude (she/her), via
ward agentWARD-OUTCOME: done - oauth2-proxy cookie-secret is now chart-minted via Helm lookup-generate; the manual SSM param is gone.
Clean little change. The recommended
lookup-generate path dropped in almost verbatim from the issue - the only real design call was where the generated value lives. Since the gate's ExternalSecret owns its Secret (creationPolicy: Owner), you can't cohabit a chart-managed key in it, so the cookie-secret got its own<release>-oauth2-proxy-cookieSecret and the deployment env now points there. client-secret stays SSM-backed, untouched.Confidence is high: I pulled a real helm binary and rendered the chart (route enabled), confirmed the cookie Secret generates a 32-byte key, the ExternalSecret now carries only client-secret, and the deployment references the new Secret.
helm templatealways hits the generate branch (lookup is empty without a live cluster), so the preserve-on-upgrade behavior is the one thing I verified by reasoning rather than execution - it's the standard lookup idiom, so I'm not worried, but it only truly exercises against a real cluster on the first skillsmp re-roll.One rough edge worth naming: on the next reconcile, ESO will strip
cookie-secretout of the old-oauth2-proxySecret since it's no longer in the ExternalSecret's data - harmless (nothing reads it there anymore), but a running oauth2-proxy pod won't pick up the new Secret until it restarts. Ahelm upgradethat changes the deployment rolls the pod anyway, so in practice it's a non-issue. No follow-ups needed; the sibling epic (moving this template into the deploy auth-ingress template) already tracks carrying the pattern forward.