modified: apps/argocd-config/argocd-cm.yaml

new file:   apps/argocd-config/argocd-rbac-cm.yaml
	modified:   apps/argocd-config/external-secret.yaml
	modified:   apps/argocd-config/kustomization.yaml

apps/argocd-config/argocd-cm.yaml

@@ -8,14 +8,24 @@ metadata:
     app.kubernetes.io/part-of: argocd
 data:
   url: "https://argocd.k3s.stabify.de"
-  oidc.config: |
-    name: Authentik
-    issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
-    clientID: $argocd-oidc-secret:oidc_client_id
-    clientSecret: $argocd-oidc-secret:oidc_client_secret
-    requestedScopes: ["openid", "profile", "email", "groups"]
   
-  # Existing Config (Standard Resource Customizations)
+  # DEX Config statt OIDC (für CLI Support)
+  dex.config: |
+    connectors:
+    - config:
+        issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
+        clientID: $argocd-oidc-secret:oidc.authentik.clientId
+        clientSecret: $argocd-oidc-secret:dex.authentik.clientSecret
+        insecureEnableGroups: true
+        scopes:
+          - openid
+          - profile
+          - email
+      name: authentik
+      type: oidc
+      id: authentik
+
+  # Resource Customizations (unverändert)
   resource.customizations.ignoreResourceUpdates.ConfigMap: |
     jqPathExpressions:
       - '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"'

apps/argocd-config/argocd-rbac-cm.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  policy.csv: |
+    g, ArgoCD Admins, role:admin
+    g, ArgoCD Viewers, role:readonly
+  scopes: "[groups, email]" # Optional, falls Dex Scopes braucht

apps/argocd-config/external-secret.yaml

@@ -13,9 +13,12 @@ spec:
     template:
       engineVersion: v2
       data:
-        # ArgoCD erwartet diese Keys für OIDC Config
+        # ArgoCD Dex Config Key
-        oidc.authentik.clientId: "{{ .client_id }}"
+        dex.authentik.clientSecret: "{{ .oidc_client_secret }}"
-        oidc.authentik.clientSecret: "{{ .client_secret }}"
+        # Dex braucht keine clientID im Secret, die steht in der ConfigMap.
+        # Aber wir können sie hier lassen oder entfernen.
+        oidc.authentik.clientId: "{{ .oidc_client_id }}" # Legacy / Optional
+
   data:
     - secretKey: client_id
       remoteRef:

apps/argocd-config/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - external-secret.yaml
   - argocd-cm.yaml
+  - argocd-rbac-cm.yaml