fix(vault-seed): seed OIDC client/cookie secrets from the SOPS bootstrap source

k8s/bases/infrastructure/vault-seed/generators.yaml

@@ -6,42 +6,6 @@
 ---
 apiVersion: generators.external-secrets.io/v1alpha1
 kind: Password
-metadata:
-  name: dex-client-secret
-  namespace: openbao
-spec:
-  length: 32
-  digits: 8
-  symbols: 0
-  noUpper: false
-  allowRepeat: true
----
-apiVersion: generators.external-secrets.io/v1alpha1
-kind: Password
-metadata:
-  name: flux-web-client-secret
-  namespace: openbao
-spec:
-  length: 32
-  digits: 8
-  symbols: 0
-  noUpper: false
-  allowRepeat: true
----
-apiVersion: generators.external-secrets.io/v1alpha1
-kind: Password
-metadata:
-  name: oauth2-proxy-cookie-secret
-  namespace: openbao
-spec:
-  length: 32
-  digits: 8
-  symbols: 0
-  noUpper: false
-  allowRepeat: true
----
-apiVersion: generators.external-secrets.io/v1alpha1
-kind: Password
 metadata:
   name: fleetdm-mysql-root-password
   namespace: openbao

k8s/bases/infrastructure/vault-seed/push-generated-secrets.yaml

@@ -1,4 +1,9 @@
 # Randomly-generated secrets, seeded into OpenBao via a durable K8s cache.
+# Only values with NO external system of record belong here (umami / fleetdm
+# app passwords). OIDC client/cookie secrets do NOT: dex and oauth2-proxy
+# consume them from the SOPS bootstrap secret via Flux substitution, so the
+# vault copy must be seeded from that same source — see the seed-* OIDC
+# PushSecrets in push-secrets.yaml.
 #
 # Two-step per secret:
 #   1. An ExternalSecret with a generatorRef source (refreshInterval "0")
@@ -20,117 +25,6 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
-metadata:
-  name: generated-dex-client-secret
-  namespace: openbao
-spec:
-  refreshInterval: "0"
-  target:
-    name: generated-dex-client-secret
-    creationPolicy: Owner
-  dataFrom:
-    - sourceRef:
-        generatorRef:
-          apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Password
-          name: dex-client-secret
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
-  name: push-dex-client-secret
-  namespace: openbao
-spec:
-  refreshInterval: 1h
-  secretStoreRefs:
-    - name: openbao
-      kind: ClusterSecretStore
-  selector:
-    secret:
-      name: generated-dex-client-secret
-  data:
-    - match:
-        secretKey: password
-        remoteRef:
-          remoteKey: infrastructure/oidc/dex
-          property: client-secret
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: generated-flux-web-client-secret
-  namespace: openbao
-spec:
-  refreshInterval: "0"
-  target:
-    name: generated-flux-web-client-secret
-    creationPolicy: Owner
-  dataFrom:
-    - sourceRef:
-        generatorRef:
-          apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Password
-          name: flux-web-client-secret
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
-  name: push-flux-web-client-secret
-  namespace: openbao
-spec:
-  refreshInterval: 1h
-  secretStoreRefs:
-    - name: openbao
-      kind: ClusterSecretStore
-  selector:
-    secret:
-      name: generated-flux-web-client-secret
-  data:
-    - match:
-        secretKey: password
-        remoteRef:
-          remoteKey: infrastructure/oidc/flux-web
-          property: client-secret
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: generated-oauth2-proxy-cookie-secret
-  namespace: openbao
-spec:
-  refreshInterval: "0"
-  target:
-    name: generated-oauth2-proxy-cookie-secret
-    creationPolicy: Owner
-  dataFrom:
-    - sourceRef:
-        generatorRef:
-          apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Password
-          name: oauth2-proxy-cookie-secret
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
-  name: push-oauth2-proxy-cookie-secret
-  namespace: openbao
-spec:
-  refreshInterval: 1h
-  secretStoreRefs:
-    - name: openbao
-      kind: ClusterSecretStore
-  selector:
-    secret:
-      name: generated-oauth2-proxy-cookie-secret
-  data:
-    - match:
-        secretKey: password
-        remoteRef:
-          remoteKey: infrastructure/oidc/oauth2-proxy
-          property: cookie-secret
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
 metadata:
   name: generated-fleetdm-mysql-root-password
   namespace: openbao

k8s/bases/infrastructure/vault-seed/push-secrets.yaml

@@ -131,6 +131,75 @@ spec:
           remoteKey: infrastructure/ghcr/auth
           property: dockerconfigjson
 ---
+# OIDC client/cookie secrets — single source of truth is the SOPS bootstrap
+# secret (variables-cluster), NOT a generator. Dex's staticClients and
+# oauth2-proxy consume these very values via Flux post-build substitution
+# (${dex_client_secret} / ${flux_web_client_secret} /
+# ${oauth2_proxy_cookie_secret}), while headlamp / actual-budget / the
+# OpenBao OIDC auth method read them back from these vault paths. When the
+# vault copy was generated independently (the pre-2026-06-10 design), the
+# two copies could never match — dex rejected every vault-sourced client
+# secret. Seeding from the same SOPS key makes both sides identical.
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: seed-dex-client-secret
+  namespace: flux-system
+spec:
+  refreshInterval: 1h
+  secretStoreRefs:
+    - name: openbao
+      kind: ClusterSecretStore
+  selector:
+    secret:
+      name: variables-cluster
+  data:
+    - match:
+        secretKey: dex_client_secret
+        remoteRef:
+          remoteKey: infrastructure/oidc/dex
+          property: client-secret
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: seed-flux-web-client-secret
+  namespace: flux-system
+spec:
+  refreshInterval: 1h
+  secretStoreRefs:
+    - name: openbao
+      kind: ClusterSecretStore
+  selector:
+    secret:
+      name: variables-cluster
+  data:
+    - match:
+        secretKey: flux_web_client_secret
+        remoteRef:
+          remoteKey: infrastructure/oidc/flux-web
+          property: client-secret
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: seed-oauth2-proxy-cookie-secret
+  namespace: flux-system
+spec:
+  refreshInterval: 1h
+  secretStoreRefs:
+    - name: openbao
+      kind: ClusterSecretStore
+  selector:
+    secret:
+      name: variables-cluster
+  data:
+    - match:
+        secretKey: oauth2_proxy_cookie_secret
+        remoteRef:
+          remoteKey: infrastructure/oidc/oauth2-proxy
+          property: cookie-secret
+---
 # Velero kopia repository password
 # ---------------------------------
 # Velero auto-generates a random password in the `velero-repo-credentials`