apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - external-secret.yaml

patches:
  - target:
      kind: ConfigMap
      name: argocd-cm
    patch: |-
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: argocd-cm
      data:
        url: "https://argocd.k3s.stabify.de"
        oidc.config: |
          name: Authentik
          issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
          clientID: $argocd-oidc-secret:oidc.authentik.clientId
          clientSecret: $argocd-oidc-secret:oidc.authentik.clientSecret
          requestedScopes: ["openid", "profile", "email", "groups"]
          # Optional: Admin-Gruppe mappen
          # requestedIDTokenClaims: {"groups": {"essential": true}}