🐛 Fix OAuth2-Proxy sync wave to wait for Keycloak secrets

Ladas · Ladas · commit 029a383a0526 · 2025-11-18T18:19:02.000+01:00
PROBLEM:
- OAuth2-Proxy was sync-wave 0 (deploys FIRST)
- Keycloak was sync-wave 5 (deploys LATER)
- OAuth2-Proxy pods tried to start before secrets existed
- Resulted in CreateContainerConfigError + exponential backoff (5-10 min delays)

FIX:
- Move OAuth2-Proxy to sync-wave 10
- Now deploys AFTER Keycloak (wave 5) is healthy
- Secrets are created and reflected before OAuth2-Proxy starts
- Eliminates CreateContainerConfigError and backoff delays

IMPACT:
- CI: Reduces deployment time by ~5-10 minutes
- Local: No more manual pod restarts needed
- Prevents race condition between secret creation and pod startup
diff --git a/argocd/applications/base/00-infrastructure/oauth2-proxy.yaml b/argocd/applications/base/00-infrastructure/oauth2-proxy.yaml
@@ -4,7 +4,7 @@ metadata:
   name: oauth2-proxy
   namespace: argocd
   annotations:
-    argocd.argoproj.io/sync-wave: "0"
+    argocd.argoproj.io/sync-wave: "10"  # Deploy AFTER Keycloak (wave 5) + secrets extraction + reflection
   labels:
     kagenti.dev/layer: infrastructure
     kagenti.dev/component: oauth2-proxy
