apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: "https://argocd.k3s.stabify.de"
  
  # Dex Config (Native ArgoCD SSO)
  dex.config: |
    connectors:
    - type: oidc
      id: authentik
      name: Authentik
      config:
        issuer: https://auth.apps.k3s.stabify.de/application/o/argo-cd/
        clientID: kfQ0L0Z4JSjlgFkciBisEtOMxDMc4ECA729nFujN
        clientSecret: $dex.authentik.clientSecret
        insecureEnableGroups: true
        scopes:
        - openid
        - profile
        - email
        - groups

  # Resource Customizations (unverändert)
  resource.customizations.ignoreResourceUpdates.ConfigMap: |
    jqPathExpressions:
      - '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"'
      - '.metadata.annotations."control-plane.alpha.kubernetes.io/leader"'
  # Ignoriere ExternalSecret Status-Updates (wird von External Secrets Controller verwaltet)
  resource.customizations.ignoreResourceUpdates.external-secrets.io_ExternalSecret: |
    jsonPointers:
      - /status
      - /metadata/annotations
      - /metadata/labels
  resource.customizations.ignoreResourceUpdates.Endpoints: |
    jsonPointers:
      - /metadata
      - /subsets
  resource.customizations.ignoreResourceUpdates.all: |
    jsonPointers:
      - /status
  resource.customizations.ignoreResourceUpdates.apps_ReplicaSet: |
    jqPathExpressions:
      - '.metadata.annotations."deployment.kubernetes.io/desired-replicas"'
      - '.metadata.annotations."deployment.kubernetes.io/max-replicas"'
      - '.metadata.annotations."rollout.argoproj.io/desired-replicas"'
  resource.customizations.ignoreResourceUpdates.argoproj.io_Application: |
    jqPathExpressions:
      - '.metadata.annotations."notified.notifications.argoproj.io"'
      - '.metadata.annotations."argocd.argoproj.io/refresh"'
      - '.metadata.annotations."argocd.argoproj.io/hydrate"'
      - '.operation'
  resource.customizations.ignoreResourceUpdates.argoproj.io_Rollout: |
    jqPathExpressions:
      - '.metadata.annotations."notified.notifications.argoproj.io"'
  resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
    jqPathExpressions:
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/behavior"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/conditions"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/metrics"'
      - '.metadata.annotations."autoscaling.alpha.kubernetes.io/current-metrics"'
  resource.customizations.ignoreResourceUpdates.discovery.k8s.io_EndpointSlice: |
    jsonPointers:
      - /metadata
      - /endpoints
      - /ports
  resource.exclusions: |
    - apiGroups:
      - ''
      - discovery.k8s.io
      kinds:
      - Endpoints
      - EndpointSlice
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - authentication.k8s.io
      - authorization.k8s.io
      kinds:
      - SelfSubjectReview
      - TokenReview
      - LocalSubjectAccessReview
      - SelfSubjectAccessReview
      - SelfSubjectRulesReview
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - cert-manager.io
      kinds:
      - CertificateRequest
    - apiGroups:
      - cilium.io
      kinds:
      - CiliumIdentity
      - CiliumEndpoint
      - CiliumEndpointSlice
    - apiGroups:
      - kyverno.io
      - reports.kyverno.io
      - wgpolicyk8s.io
      kinds:
      - PolicyReport
      - ClusterPolicyReport
      - EphemeralReport
      - ClusterEphemeralReport
      - AdmissionReport
      - ClusterAdmissionReport
      - BackgroundScanReport
      - ClusterBackgroundScanReport
      - UpdateRequest