C0: argocd OIDC — switch to public client for CLI SSO

Changes argocd's Authentik OAuth2 client from confidential to public and
drops the clientSecret from argocd-cm. Public + PKCE works for both the
web UI (argocd-server backend) and the argocd CLI (`argocd login --sso`)
without a shared secret, matching OAuth 2.1 guidance.

Confidential → public was needed because the CLI can't hold a client
secret; Authentik's per-app issuer model made the alternative
("cliClientID" pattern with separate public client) awkward since it
requires a shared issuer across apps which Authentik doesn't serve.

Follow-up: deadcode AUTHENTIK_ARGOCD_CLIENT_SECRET env wiring and the
argocd-oidc-authentik ExternalSecret once verified.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

argocd/manifests/argocd/argocd-cm-patch.yaml

@@ -16,7 +16,6 @@ data:
     name: Authentik
     issuer: https://authentik.ops.eblu.me/application/o/argocd/
     clientID: argocd
-    clientSecret: $argocd-oidc-authentik:client-secret
     requestedScopes:
       - openid
       - profile

argocd/manifests/authentik/configmap-blueprint.yaml

@@ -262,9 +262,8 @@ data:
           name: ArgoCD
           authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
           invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
-          client_type: confidential
+          client_type: public
           client_id: argocd
-          client_secret: !Env AUTHENTIK_ARGOCD_CLIENT_SECRET
           redirect_uris:
             - matching_mode: strict
               url: https://argocd.ops.eblu.me/auth/callback