fix(server): rebuild extension proxy registry when secrets change #1
Open
The watchSettings() loop only called UpdateExtensionRegistry() when ExtensionConfig (ConfigMap data) changed, but not when settings.Secrets changed. This meant that if secrets were populated after initial startup (e.g. by External Secrets Operator), the proxy registry was never rebuilt with resolved secret values. UpdateExtensionRegistry() runs parseAndValidateConfig() which calls ReplaceMapSecrets() to substitute $key references with actual secret values. Without rebuilding the registry on secret changes, proxies continued sending literal strings like $openai-api-key to backends, causing 401 errors. Add a check for settings.Secrets changes alongside ExtensionConfig changes, and update prevSecrets accordingly. Also add a test that verifies proxy headers are updated when secrets change. Signed-off-by: Said Sef <saidsef@gmail.com>
Summary

The `watchSettings()` loop in `server.go` only called `UpdateExtensionRegistry()` when `ExtensionConfig` (ConfigMap data) changed, but not when `settings.Secrets` changed. This meant that if the `argocd-secret` Secret was populated or updated after initial startup — for example by External Secrets Operator — the proxy extension registry was never rebuilt with resolved secret values. `UpdateExtensionRegistry()` internally calls `parseAndValidateConfig()`, which invokes `ReplaceMapSecrets()` to substitute `$key` references with actual secret values. Without rebuilding the registry on secret changes, proxies continued sending literal strings like `$openai-api-key` to backend services, causing 401 authentication errors.

This PR adds a `settings.Secrets` change check alongside the existing `ExtensionConfig` check, ensuring the proxy registry is rebuilt whenever either the config or secrets change.

Changes

- `server/server.go`: track `prevSecrets` and rebuild the registry when secrets change
- `server/extension/extension_test.go`: add `TestUpdateExtensionRegistryWithSecrets` to verify proxy headers update when secrets change

Test plan

- `TestUpdateExtensionRegistryWithSecrets` passes
- `settings.Secrets` changes

Checklist

Related

`$openai-api-key`) to work correctly when secrets are managed externally.
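As an added illustration of the behaviour described in this PR (not code from the PR or from Argo CD itself), the following Go model shows the corrected watch-loop check and the `$key` substitution it triggers. `Settings`, `Watcher` and the map-shaped `ExtensionConfig` are simplifying assumptions standing in for the real types; the secret value is constructed.

```go
package main

import (
	"reflect"
	"strings"
)

// Settings is a simplified stand-in for the Argo CD settings the watch loop compares
// (assumption: ExtensionConfig is reduced to the raw proxy headers it declares).
type Settings struct {
	ExtensionConfig map[string]string // header name -> value, possibly a "$key" reference
	Secrets         map[string]string // secret key -> value, as loaded from argocd-secret
}

// ReplaceMapSecrets resolves "$key" header values against the secrets map. A reference
// with no matching secret stays literal, which is what reached backends before the fix.
func ReplaceMapSecrets(headers, secrets map[string]string) map[string]string {
	out := make(map[string]string, len(headers))
	for name, v := range headers {
		if strings.HasPrefix(v, "$") {
			if secret, found := secrets[v[1:]]; found {
				out[name] = secret
				continue
			}
		}
		out[name] = v
	}
	return out
}

// Watcher keeps the previously seen config and secrets, as the fixed loop keeps prevSecrets.
type Watcher struct {
	prevConfig, prevSecrets map[string]string
	Headers                 map[string]string // the "registry": headers the proxy would send
	Rebuilds                int
}

// OnSettings mirrors the corrected check: rebuild when the config OR the secrets changed.
// Before the fix only the first operand was compared, so a secrets-only update was a no-op.
func (w *Watcher) OnSettings(s Settings) bool {
	if reflect.DeepEqual(s.ExtensionConfig, w.prevConfig) && reflect.DeepEqual(s.Secrets, w.prevSecrets) {
		return false
	}
	w.prevConfig, w.prevSecrets = s.ExtensionConfig, s.Secrets
	w.Headers = ReplaceMapSecrets(s.ExtensionConfig, s.Secrets)
	w.Rebuilds++
	return true
}
```

Feeding the watcher a config first and the secret only on a later update reproduces the scenario in the PR: the header stays `$openai-api-key` until the secrets-only change triggers a rebuild.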