C0: docs — default argocd login to --sso; drop extraneous --grpc-web

Now that argocd's Authentik OAuth2 client is public, `argocd login --sso`
works for day-to-day use. Promote it to the default in AGENTS.md,
argocd-cli reference, and troubleshooting; keep the admin/password flow
documented as a break-glass fallback for when Authentik is unavailable.

Also drops --grpc-web from every interactive login command — confirmed
extraneous (login succeeds without it). Left in CI workflows and
`argocd cluster add` untouched; those are different contexts that I
didn't re-test.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

AGENTS.md

@@ -86,7 +86,7 @@ Most services run in minikube on indri via ArgoCD (app-of-apps, manual sync). GP
 
 **Commands:** `argocd app list|get|diff|sync <app>`
 
-**Login:** `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"`
+**Login:** `argocd login argocd.ops.eblu.me --sso` (opens browser for Authentik SSO). Admin fallback for break-glass: `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"`
 
 ### Indri (Ansible)
 

argocd/manifests/argocd/README.md

@@ -25,7 +25,7 @@ kubectl wait --for=condition=available deployment/argocd-server -n argocd --time
 kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo
 
 # 5. Login and change password
-argocd login argocd.tail8d86e.ts.net --username admin --grpc-web
+argocd login argocd.tail8d86e.ts.net --username admin
 argocd account update-password
 
 # 6. Apply repo-creds-forge credential template for SSH access to all forge repos
@@ -114,4 +114,4 @@ spec:
   Future improvement: integrate with a secrets operator (e.g., External Secrets).
 - The credential template (`repo-creds`) uses a URL prefix to match all repos on forge.
 - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
-- The `--grpc-web` flag is required for CLI access through the Tailscale ingress.
+- After Authentik is up, prefer `argocd login argocd.ops.eblu.me --sso` over the admin password login above; admin is only needed during bootstrap or as break-glass.

docs/how-to/operations/rebuild-minikube-cluster.md

@@ -108,18 +108,13 @@ kubectl --context=minikube-indri apply -f argocd/apps/apps.yaml
 # 6. Login and sync apps
 argocd login argocd.tail8d86e.ts.net --username admin \
   --password "$(kubectl --context=minikube-indri -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d)" \
-  --grpc-web
-argocd app sync apps --grpc-web
-```
+ argocd app sync apps```
 
 ## Phase 4: Bootstrap 1Password Connect + External Secrets
 
 ```bash
 # 1. Sync foundation
-argocd app sync external-secrets-crds --grpc-web
-argocd app sync external-secrets --grpc-web
-argocd app sync 1password-connect --grpc-web
-
+argocd app sync external-secrets-crdsargocd app sync external-secretsargocd app sync 1password-connect
 # 2. Create 1Password Connect secrets manually
 CREDS_RAW=$(op read "op://blumeops/1Password Connect/credentials-file")
 echo "$CREDS_RAW" | kubectl --context=minikube-indri create secret generic op-credentials -n 1password \
@@ -140,25 +135,20 @@ kubectl --context=minikube-indri get clustersecretstores
 
 ```bash
 # Foundation (CRDs, operators)
-argocd app sync cloudnative-pg kube-state-metrics --grpc-web
-
+argocd app sync cloudnative-pg kube-state-metrics
 # Databases
-argocd app sync blumeops-pg --grpc-web
-
+argocd app sync blumeops-pg
 # Observability
-argocd app sync loki prometheus tempo grafana grafana-config --grpc-web
-
+argocd app sync loki prometheus tempo grafana grafana-config
 # Register ringtail cluster (for authentik, ntfy, ollama, frigate)
 ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \
   sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml
 KUBECONFIG=/tmp/k3s-ringtail.yaml argocd cluster add default --name k3s-ringtail --grpc-web -y
 
 # Authentik (critical — Zot OIDC depends on it, most image pulls depend on Zot)
-argocd app sync authentik --grpc-web
-
+argocd app sync authentik
 # Everything else
-argocd app sync tailscale-operator alloy-k8s --grpc-web
-# ... remaining apps
+argocd app sync tailscale-operator alloy-k8s# ... remaining apps
 ```
 
 ## Phase 6: Restore Databases from Borgmatic

docs/how-to/operations/troubleshooting.md

@@ -72,6 +72,11 @@ kubectl --context=minikube-indri -n <namespace> get pods --field-selector=status
 
 **ArgoCD login expired:**
 ```bash
+argocd login argocd.ops.eblu.me --sso
+```
+
+If Authentik itself is down, fall back to admin:
+```bash
 argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"
 ```
 

docs/reference/tools/argocd-cli.md

@@ -24,6 +24,14 @@ argocd app sync apps           # Sync the app-of-apps (picks up new Application
 
 ## Login
 
+Default (Authentik SSO, PKCE, opens browser):
+
+```bash
+argocd login argocd.ops.eblu.me --sso
+```
+
+Break-glass admin login (only if Authentik is down):
+
 ```bash
 argocd login argocd.ops.eblu.me \
   --username admin \