C0: remove argocd OIDC client_secret wiring

Now that argocd's Authentik OAuth2 client is public (PKCE-only), the client_secret plumbing is dead code: - delete argocd-oidc-authentik ExternalSecret and drop it from kustomization - remove AUTHENTIK_ARGOCD_CLIENT_SECRET env from authentik-worker - remove argocd-client-secret mapping from authentik-config ExternalSecret The argocd-client-secret field in the 1Password "Authentik (blumeops)" item is now unreferenced and can be deleted there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 10:38:26 -07:00 · 2026-04-21 10:38:26 -07:00 · 86317315ed
commit 86317315ed
parent 0e62ad5596
4 changed files with 0 additions and 41 deletions
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@ -75,11 +75,6 @@ spec:
                secretKeyRef:
                  name: authentik-config
                  key: jellyfin-client-secret
-            - name: AUTHENTIK_ARGOCD_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-config
-                  key: argocd-client-secret
            - name: AUTHENTIK_MEALIE_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
--- a/argocd/manifests/authentik/external-secret.yaml
+++ b/argocd/manifests/authentik/external-secret.yaml
@ -53,10 +53,6 @@ spec:
      remoteRef:
        key: "Authentik (blumeops)"
        property: jellyfin-client-secret
-    - secretKey: argocd-client-secret
-      remoteRef:
-        key: "Authentik (blumeops)"
-        property: argocd-client-secret
    - secretKey: mealie-client-secret
      remoteRef:
        key: "Authentik (blumeops)"