new file: apps/argocd-config/OIDC_SECRET_SETUP.md

modified:   apps/argocd-config/argocd-cm.yaml
	modified:   apps/argocd-config/external-secret.yaml

apps/argocd-config/argocd-cm.yaml

@@ -9,13 +9,22 @@ metadata:
 data:
   url: "https://argocd.k3s.stabify.de"
   
-  # OIDC Direct Config (Dex Bypass)
-  oidc.config: |
-    name: Authentik
-    issuer: https://auth.apps.k3s.stabify.de/application/o/argo-cd/
-    clientID: kfQ0L0Z4JSjlgFkciBisEtOMxDMc4ECA729nFujN
-    clientSecret: dRMFCvAVp8MaTIMjmg9ICYpL84nzpR6FPtvqMvULXyOq4nv4XO7CljScm8satk8kpUSAYxLB1taFuQxY0m0y7qfpxjZZcsbJGxgoCsLMqEEEJQTI6kgsaMsjD8Ak677q
-    requestedScopes: ["openid", "profile", "email", "groups"]
+  # Dex Config (Native ArgoCD SSO)
+  dex.config: |
+    connectors:
+    - type: oidc
+      id: authentik
+      name: Authentik
+      config:
+        issuer: https://auth.apps.k3s.stabify.de/application/o/argo-cd/
+        clientID: kfQ0L0Z4JSjlgFkciBisEtOMxDMc4ECA729nFujN
+        clientSecret: $dex.authentik.clientSecret
+        insecureEnableGroups: true
+        scopes:
+        - openid
+        - profile
+        - email
+        - groups
 
   # Resource Customizations (unverändert)
   resource.customizations.ignoreResourceUpdates.ConfigMap: |