C0: remove argocd OIDC client_secret wiring

Now that argocd's Authentik OAuth2 client is public (PKCE-only), the client_secret plumbing is dead code: - delete argocd-oidc-authentik ExternalSecret and drop it from kustomization - remove AUTHENTIK_ARGOCD_CLIENT_SECRET env from authentik-worker - remove argocd-client-secret mapping from authentik-config ExternalSecret The argocd-client-secret field in the 1Password "Authentik (blumeops)" item is now unreferenced and can be deleted there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 10:38:26 -07:00 · 2026-04-21 10:38:26 -07:00 · 86317315ed
commit 86317315ed
parent 0e62ad5596
4 changed files with 0 additions and 41 deletions
--- a/argocd/manifests/argocd/external-secret-oidc-authentik.yaml
+++ b/argocd/manifests/argocd/external-secret-oidc-authentik.yaml
@ -1,31 +0,0 @@
-# ExternalSecret for ArgoCD OIDC client secret (Authentik)
-#
-# Referenced from argocd-cm as $argocd-oidc-authentik:client-secret
-# Must have app.kubernetes.io/part-of: argocd label for ArgoCD to read it
-#
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argocd-oidc-authentik
-  namespace: argocd
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-blumeops
-  target:
-    name: argocd-oidc-authentik
-    creationPolicy: Owner
-    template:
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argocd
-  data:
-    - secretKey: client-secret
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: "Authentik (blumeops)"
-        metadataPolicy: None
-        property: argocd-client-secret
--- a/argocd/manifests/argocd/kustomization.yaml
+++ b/argocd/manifests/argocd/kustomization.yaml
@ -9,7 +9,6 @@ resources:
  - https://raw.githubusercontent.com/argoproj/argo-cd/998fb59dc355653c0657908a6ea2f87136e022d1/manifests/install.yaml
  - ingress-tailscale.yaml
  - external-secret-repo-forge.yaml
-  - external-secret-oidc-authentik.yaml

 patches:
  - path: argocd-cmd-params-cm.yaml
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@ -75,11 +75,6 @@ spec:
                secretKeyRef:
                  name: authentik-config
                  key: jellyfin-client-secret
-            - name: AUTHENTIK_ARGOCD_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-config
-                  key: argocd-client-secret
            - name: AUTHENTIK_MEALIE_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
--- a/argocd/manifests/authentik/external-secret.yaml
+++ b/argocd/manifests/authentik/external-secret.yaml
@ -53,10 +53,6 @@ spec:
      remoteRef:
        key: "Authentik (blumeops)"
        property: jellyfin-client-secret
-    - secretKey: argocd-client-secret
-      remoteRef:
-        key: "Authentik (blumeops)"
-        property: argocd-client-secret
    - secretKey: mealie-client-secret
      remoteRef:
        key: "Authentik (blumeops)"