From 86317315edbb17a4013b1de9a8bf77325db7658f Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 21 Apr 2026 10:38:26 -0700
Subject: [PATCH] C0: remove argocd OIDC client_secret wiring

Now that argocd's Authentik OAuth2 client is public (PKCE-only), the client_secret plumbing is dead code:
- delete argocd-oidc-authentik ExternalSecret and drop it from kustomization
- remove AUTHENTIK_ARGOCD_CLIENT_SECRET env from authentik-worker
- remove argocd-client-secret mapping from authentik-config ExternalSecret

The argocd-client-secret field in the 1Password "Authentik (blumeops)" item is now unreferenced and can be deleted there.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
.../external-secret-oidc-authentik.yaml | 31 -------------------
argocd/manifests/argocd/kustomization.yaml | 1 -
.../authentik/deployment-worker.yaml | 5 ---
.../manifests/authentik/external-secret.yaml | 4 ---
4 files changed, 41 deletions(-)
delete mode 100644 argocd/manifests/argocd/external-secret-oidc-authentik.yaml
diff --git a/argocd/manifests/argocd/external-secret-oidc-authentik.yaml b/argocd/manifests/argocd/external-secret-oidc-authentik.yaml
deleted file mode 100644
index 475a713..0000000
--- a/argocd/manifests/argocd/external-secret-oidc-authentik.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# ExternalSecret for ArgoCD OIDC client secret (Authentik)
-#
-# Referenced from argocd-cm as $argocd-oidc-authentik:client-secret
-# Must have app.kubernetes.io/part-of: argocd label for ArgoCD to read it
-#
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: argocd-oidc-authentik
- namespace: argocd
-spec:
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-blumeops
- target:
- name: argocd-oidc-authentik
- creationPolicy: Owner
- template:
- metadata:
- labels:
- app.kubernetes.io/part-of: argocd
- data:
- - secretKey: client-secret
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: "Authentik (blumeops)"
- metadataPolicy: None
- property: argocd-client-secret
diff --git a/argocd/manifests/argocd/kustomization.yaml b/argocd/manifests/argocd/kustomization.yaml
index 9bdac10..6deb7ec 100644
--- a/argocd/manifests/argocd/kustomization.yaml
+++ b/argocd/manifests/argocd/kustomization.yaml
@@ -9,7 +9,6 @@ resources: - https://raw.githubusercontent.com/argoproj/argo-cd/998fb59dc355653c0657908a6ea2f87136e022d1/manifests/install.yaml - ingress-tailscale.yaml - external-secret-repo-forge.yaml - - external-secret-oidc-authentik.yaml patches: - path: argocd-cmd-params-cm.yaml
diff --git a/argocd/manifests/authentik/deployment-worker.yaml b/argocd/manifests/authentik/deployment-worker.yaml
index b81ec32..053fa3d 100644
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@@ -75,11 +75,6 @@ spec: secretKeyRef: name: authentik-config key: jellyfin-client-secret - - name: AUTHENTIK_ARGOCD_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: authentik-config - key: argocd-client-secret - name: AUTHENTIK_MEALIE_CLIENT_SECRET valueFrom: secretKeyRef:
diff --git a/argocd/manifests/authentik/external-secret.yaml b/argocd/manifests/authentik/external-secret.yaml
index 9abf699..93de499 100644
--- a/argocd/manifests/authentik/external-secret.yaml
+++ b/argocd/manifests/authentik/external-secret.yaml
@@ -53,10 +53,6 @@ spec: remoteRef: key: "Authentik (blumeops)" property: jellyfin-client-secret - - secretKey: argocd-client-secret - remoteRef: - key: "Authentik (blumeops)" - property: argocd-client-secret - secretKey: mealie-client-secret remoteRef: key: "Authentik (blumeops)"