From 36efafb2aa93668bae7bc94bcae2606b6a010e10 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Mon, 12 Jan 2026 19:38:18 +0000
Subject: [PATCH] enable oidc support for argocd

---
 apps/argocd-config-app.yaml | 18 +++++++++++++++++
 apps/argocd-config/external-secret.yaml | 27 +++++++++++++++++++++++++
 apps/argocd-config/kustomization.yaml | 24 ++++++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 apps/argocd-config-app.yaml
 create mode 100644 apps/argocd-config/external-secret.yaml
 create mode 100644 apps/argocd-config/kustomization.yaml

diff --git a/apps/argocd-config-app.yaml b/apps/argocd-config-app.yaml
new file mode 100644
index 0000000..92e2df5
--- /dev/null
+++ b/apps/argocd-config-app.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd-config
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+ targetRevision: HEAD
+ path: apps/argocd-config
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: false # Safety: Don't delete ArgoCD resources not managed by this app
+ selfHeal: true
diff --git a/apps/argocd-config/external-secret.yaml b/apps/argocd-config/external-secret.yaml
new file mode 100644
index 0000000..ace924e
--- /dev/null
+++ b/apps/argocd-config/external-secret.yaml
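Review bot: `project: default` places an Application that rewrites Argo CD's own SSO settings (it targets namespace `argocd` from path `apps/argocd-config`) under the built-in default AppProject, which in a stock install allows any source repository and any destination. A dedicated AppProject whose `sourceRepos` lists only this gitops repository and whose `destinations` is limited to `namespace: argocd` on `https://kubernetes.default.svc` bounds what this app can deploy if the repository or project settings are later changed, e.g. `project: argocd-config` pointing at such a project. `targetRevision: HEAD` follows whatever the remote's default branch currently is; naming the branch explicitly (e.g. `targetRevision: main`, adjusted to the repository's branch) makes the reviewed source unambiguous.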
@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: argocd-oidc-secret-source
+ namespace: argocd
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: argocd-oidc-secret
+ template:
+ engineVersion: v2
+ data:
+ # ArgoCD erwartet diese Keys für OIDC Config
+ oidc.authentik.clientId: "{{ .client_id }}"
+ oidc.authentik.clientSecret: "{{ .client_secret }}"
+ data:
+ - secretKey: client_id
+ remoteRef:
+ key: secret/apps/argocd
+ property: client_id
+ - secretKey: client_secret
+ remoteRef:
+ key: secret/apps/argocd
+ property: client_secret
diff --git a/apps/argocd-config/kustomization.yaml b/apps/argocd-config/kustomization.yaml
new file mode 100644
index 0000000..ede3aae
--- /dev/null
+++ b/apps/argocd-config/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - external-secret.yaml
+
+patches:
+ - target:
+ kind: ConfigMap
+ name: argocd-cm
+ patch: |-
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: argocd-cm
+ data:
+ url: "https://argocd.k3s.stabify.de"
+ oidc.config: |
+ name: Authentik
+ issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
+ clientID: $argocd-oidc-secret:oidc.authentik.clientId
+ clientSecret: $argocd-oidc-secret:oidc.authentik.clientSecret
+ requestedScopes: ["openid", "profile", "email", "groups"]
+ # Optional: Admin-Gruppe mappen
+ # requestedIDTokenClaims: {"groups": {"essential": true}}
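Review bot: The Secret rendered from `target.template` carries no labels, and Argo CD resolves `$<secret-name>:<key>` references (the form used for `clientID`/`clientSecret` in apps/argocd-config/kustomization.yaml) only against secrets labelled `app.kubernetes.io/part-of: argocd`, so the OIDC client credentials would stay unresolved at runtime. Add under `template`, next to `engineVersion`, the three lines `metadata:` / `  labels:` / `    app.kubernetes.io/part-of: argocd`. The comment `# ArgoCD erwartet diese Keys für OIDC Config` sits beside English comments elsewhere in this patch; for a consistent repository it could read `# Argo CD expects exactly these keys for its OIDC config`.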
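Review bot: The `patches` entry targets `ConfigMap/argocd-cm`, but `resources` holds only `external-secret.yaml`, so this kustomization contains nothing for the patch to apply to; kustomize patches only modify resources in its own build and never the cluster's live argocd-cm, so depending on the kustomize version the build either fails with a "no matches"-style error or silently emits no ConfigMap, and the OIDC settings are never applied either way. To make the intent real, add a ConfigMap manifest for argocd-cm to the build (`- argocd-cm.yaml` under `resources`, holding the `url` and `oidc.config` keys shown here) and drop the `patches` block, or keep the patch but give it that manifest as its target. Because the live argocd-cm also holds keys owned by the Argo CD install manifests, sync that ConfigMap with server-side apply (`syncOptions: [ServerSideApply=true]` on the Application in apps/argocd-config-app.yaml) so only the declared keys are claimed rather than the whole `data` map being replaced.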