Restart Server deployment if oidc secret changes

[ricardojdsilva87]

Hello everyone,

Asking here if anyone might have a solution to restart the argocd server deployment upon oidc secret change. It's a particular case and I have already tried to use the checksum annotation to template a secret.

In this case I'm using the following documentation:
https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets

Mentioning the secret on the argocd values.yaml as:

oidc.config: |
    name: oidc
    issuer: $$argocd-secret:issuer
    clientID: $$argocd-secret:clientID
    clientSecret: $$argocd-secret:clientSecret

Ideally if the secrets were hardcoded here the server deployment would restart due to a change on the configmap using the checksum/cm here.
But in that case the secrets would be printed in clear text in the configmap.

Those values are created on the helm chart:

              secret:
                # -- Create the argocd-secret
                createSecret: true

                # -- add additional secrets to be added to argocd-secret
                extra:
                  issuer: <path:secretpath#issuer>
                  clientID: <path:secretpath#clientID>
                  clientSecret: <path:secretpath#clientSecret>

To fill out the values of the secret we have integrated the ArgoCD Vault Plugin.

Everything is working and if there is an update on the OIDC configuration, the secret is updated.
The issue here is that even trying to use a checksum similar to the one here like:

checksum/secret: {{ include (print $.Template.BasePath "/argocd-configs/argocd-secret.yaml") . | sha256sum }}

Does not detect any drift, because the helm template is done before the secret replacement. In this case the argocd-secret.yaml will not change and will always have the following lines set in thevalues.yaml:

issuer: <path:secretpath#issuer>
clientID: <path:secretpath#clientID>
clientSecret: <path:secretpath#clientSecret>

Asking this because it seems that the Argocd server pods need to be restarted to reload the configuration otherwise the old clientID is used. Using Chart version 7.8.27 and argocd version 2.13.7.

The only way I can see this working would be setting the secrets in clear text directly on the extra: field. This way the configmap would be changed and the deployment restarted. Also it would imply that the secrets would be on clear text on the values.yaml

Thank you