Checklist:
Describe the bug
When an extension is configured with a secret reference in a header (e.g. value: '$my-api-key'), rotating the underlying secret in argocd-secret has no effect on the running proxy. The proxy keeps forwarding the old (or unresolved literal) value until either the ExtensionConfig itself is modified or the server is restarted.
This is particularly painful when using something like External Secrets Operator, where secrets may be populated or rotated after initial startup — the proxy never picks up the resolved values at all, and requests to the backend fail with 401s indefinitely.
The root cause is in watchSettings() in server/server.go: it only calls UpdateExtensionRegistry() when ExtensionConfig (ConfigMap data) changes, and completely ignores changes to settings.Secrets. Since ReplaceMapSecrets() is called inside UpdateExtensionRegistry(), the secret substitution never runs unless something else triggers a rebuild.
To Reproduce
- Configure a proxy extension with a secret reference in a header:

      extensions:
      - name: my-api
        backend:
          services:
          - url: https://api.example.com
            headers:
            - name: Authorization
              value: '$my-api-key'

- Store the token in argocd-secret:

      stringData:
        my-api-key: Bearer old-token

- Send a request through the extension — it works, the backend receives Bearer old-token.
- Rotate the secret (update argocd-secret with Bearer new-token).
- Send another request — the backend still receives Bearer old-token.
- The only way to force an update is to either touch ExtensionConfig or restart the server.
Expected behavior
Updating a secret referenced by an extension config should cause the proxy registry to rebuild and start using the new value, the same way editing ExtensionConfig does.
Version
Logs
No errors logged — the proxy silently continues using the stale value.
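
A self-contained model of the rebuild decision described in the root cause above, added here as an illustration; it is not Argo CD's code. `Settings`, `secretsDigest` and `NeedsRebuild` are hypothetical names, and the config text and token values are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Settings is a hypothetical, simplified snapshot of what the watcher sees.
type Settings struct {
	ExtensionConfig string            // raw extension config text
	Secrets         map[string]string // secret key -> value
}

// secretsDigest hashes only secrets the config references as "$key", so
// unrelated secret changes do not force a rebuild. Substring matching can
// over-match (extra rebuilds), never under-match.
func secretsDigest(s Settings) [sha256.Size]byte {
	var keys []string
	for k := range s.Secrets {
		if strings.Contains(s.ExtensionConfig, "$"+k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // map order is random; sort for a stable digest
	var b strings.Builder
	for _, k := range keys {
		// Length prefixes keep key/value boundaries unambiguous.
		fmt.Fprintf(&b, "%d:%s=%d:%s;", len(k), k, len(s.Secrets[k]), s.Secrets[k])
	}
	return sha256.Sum256([]byte(b.String()))
}

// NeedsRebuild models the watcher's decision. watchSecrets=false is the
// behaviour reported above; true adds the referenced-secret comparison.
func NeedsRebuild(prev, next Settings, watchSecrets bool) bool {
	if prev.ExtensionConfig != next.ExtensionConfig {
		return true
	}
	return watchSecrets && secretsDigest(prev) != secretsDigest(next)
}

func main() {
	cfg := "headers:\n- name: Authorization\n  value: '$my-api-key'" // constructed
	old := Settings{cfg, map[string]string{"my-api-key": "Bearer old-token"}}
	rot := Settings{cfg, map[string]string{"my-api-key": "Bearer new-token"}}
	fmt.Println(NeedsRebuild(old, rot, false), NeedsRebuild(old, rot, true)) // false true
}
```

The same comparison also covers the case where the referenced key is absent at startup and populated later, since the digest of an empty reference set differs from the digest once the key exists.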