Switch Dex storage from Kubernetes CRD to sqlite3

The Kubernetes CRD storage backend crashes on k3s due to a Go URL
parsing bug with the in-cluster API address. sqlite3 with emptyDir
avoids the k8s API entirely and is sufficient for single-replica Dex.
Also removes now-unnecessary RBAC resources (ServiceAccount, ClusterRole,
ClusterRoleBinding).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

argocd/manifests/dex/clusterrole.yaml

@@ -1,12 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: dex
-rules:
-  - apiGroups: ["dex.coreos.com"]
-    resources: ["*"]
-    verbs: ["*"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["create"]

argocd/manifests/dex/clusterrolebinding.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: dex
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: dex
-subjects:
-  - kind: ServiceAccount
-    name: dex
-    namespace: dex

argocd/manifests/dex/deployment.yaml

@@ -14,7 +14,6 @@ spec:
       labels:
         app: dex
     spec:
-      serviceAccountName: dex
       containers:
         - name: dex
           image: registry.ops.eblu.me/blumeops/dex:v1.0.0-nix
@@ -25,6 +24,8 @@ spec:
             - name: config
               mountPath: /etc/dex/cfg
               readOnly: true
+            - name: data
+              mountPath: /var/dex
           livenessProbe:
             httpGet:
               path: /healthz
@@ -48,3 +49,5 @@ spec:
         - name: config
           secret:
             secretName: dex-config
+        - name: data
+          emptyDir: {}

argocd/manifests/dex/external-secret.yaml

@@ -17,9 +17,9 @@ spec:
         config.yaml: |
           issuer: https://dex.ops.eblu.me
           storage:
-            type: kubernetes
+            type: sqlite3
             config:
-              inCluster: true
+              file: /var/dex/dex.db
           web:
             http: 0.0.0.0:5556
           oauth2:

argocd/manifests/dex/kustomization.yaml

@@ -3,9 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: dex
 resources:
-  - serviceaccount.yaml
-  - clusterrole.yaml
-  - clusterrolebinding.yaml
   - external-secret.yaml
   - deployment.yaml
   - service.yaml

argocd/manifests/dex/serviceaccount.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dex
-  namespace: dex