chart: cookie-secret lookup-generate is un-applyable by the fleet CD deployer (secrets RBAC); default SSM paths derive from fullname, not release name #12
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Found while fixing coilyco-bridge/deploy#71 (both ward-mcp public routes 500ing on every gated request).
Two chart problems:
#11's lookup-generate cookie-secret breaks CD.
chart/templates/route.yamlat5659d5frenders the oauth2-proxy cookie-secret as a chart-ownedkind: Secret, seeded vialookup. The fleet CD deployer SA has nosecretsverbs in the MCP namespaces by design (deploy#65, infrastructure forgejo-runner-deploy.yml keeps them out of the cluster-wide deployer-apps ClusterRole) - so thelookup403s at render and the Secret apply would 403 anyway. Everyhelm upgradefrom the deploy runner fails; deploy pinned its rollouts tod6b2fae(the last ExternalSecret-cookie revision) to route around it (deploy#74 tracks the unpin). A CD-compatible cookie autogen must not require the installer to read or write Secrets - or the auth overlay moves out of the chart entirely (deploy#68).Default oauth2-proxy SSM paths derive from the Helm fullname, not the release name.
route.auth.clientSecretRef/cookieSecretRefdefault to/<fullname>/oauth2-proxy/...where fullname is<release>-ward-mcp(e.g./skillsmp-ward-mcp/oauth2-proxy/cookie-secret), while values.yaml's comment says the defaults 'derive from the release name'. Deploy-side docs repeated that and the operator minted params at the release-name paths, so the gate ExternalSecrets never synced, oauth2-proxy never started, and Traefik ForwardAuth returned empty 500s for every gated request - the deploy#71 outage. Fix the comment or the derivation, and consider defaulting clientSecretRef to the shared/authelia/oidc-claude-client-secret(the deploy#69 endpoint).🔒 Reserved by
ward agent --harness codex— containerengineer-codex-ward-mcp-12on hostkais-macbook-pro-2.localis carrying this issue (reserved 2026-07-08T17:08:11Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (2h0m0s TTL);--forceoverrides.Do not comment on or edit this issue to steer the run while it is reserved. The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a new issue, dispatched fresh — that is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494).
run seed context — what this run is carrying (ward#609)
coilyco-flight-deck/ward-mcp#12· branchissue-12· harnesscodex· workflowdirect-mainengineer-codex-ward-mcp-12· wardv0.451.0· dispatched2026-07-08T17:08:11ZIssue body as seeded:
Static container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.451.0).
— Codex, via
ward agentWARD-OUTCOME: done - cookie-secret now comes from an ESO password generator and the auth client-secret defaults to the shared Authelia path.
The chart stopped fighting me once I replaced the Helm lookup Secret with an ESO-backed generator/ExternalSecret pair. The only surprise was that the review panel was advisory-only because no second model family was available, so the change got an extra docs pass but not a real gate.
PR-BODY-NOTE: ADVISORY-ONLY REVIEW: no heterogeneous reviewer family was available besides the worker (codex), so the adversarial panel could not run and did NOT gate this diff. Dropped: opencode (unavailable: opencode not on PATH); codex (worker's own family - never reviews its own diff). A human should review this change with the extra scrutiny an unrun panel would have applied.