Skip to content

Argo CD Break Glass

Recover Argo CD access when GitHub OAuth via Dex is unavailable.

Purpose

Emergency admin access when argocd.unipuka.app GitHub OAuth is broken (GitHub down, Dex misconfigured, OAuth app revoked).

When to use

  • GitHub OAuth flow fails for all team members
  • Dex pod is crashlooping
  • OAuth App credentials rotated without updating Argo CD

Steps

Retrieve the initial admin password

kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d && echo

Log in via CLI

argocd login argocd.unipuka.app \
  --username admin \
  --password <password-from-above> \
  --grpc-web

Or port-forward (if Gateway is also broken)

kubectl port-forward svc/argocd-server -n argocd 8080:443
# Then: https://localhost:8080

Fix the root cause

Common causes:

Symptom Fix
Dex pod crashlooping Check ESO - argocd-dex-github Secret may be stale. Run kubectl get externalsecret -n argocd.
OAuth callback mismatch Verify GitHub OAuth App callback URL = https://argocd.unipuka.app/api/dex/callback
Client secret rotated Update ARGOCD_DEX_GITHUB_CLIENT_SECRET in Doppler base config; ESO will sync within 60s

Rollback

N/A - this is the recovery procedure.

V&V

  • argocd app list returns successfully
  • Re-test GitHub OAuth login after fix
  • Confirm built-in admin re-disabled: admin.enabled: false in argocd-cm