C0: remove argocd OIDC client_secret wiring

Now that argocd's Authentik OAuth2 client is public (PKCE-only), the
client_secret plumbing is dead code:

- delete argocd-oidc-authentik ExternalSecret and drop it from kustomization
- remove AUTHENTIK_ARGOCD_CLIENT_SECRET env from authentik-worker
- remove argocd-client-secret mapping from authentik-config ExternalSecret

The argocd-client-secret field in the 1Password "Authentik (blumeops)"
item is now unreferenced and can be deleted there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

argocd/manifests/argocd/external-secret-oidc-authentik.yaml

@@ -1,31 +0,0 @@
-# ExternalSecret for ArgoCD OIDC client secret (Authentik)
-#
-# Referenced from argocd-cm as $argocd-oidc-authentik:client-secret
-# Must have app.kubernetes.io/part-of: argocd label for ArgoCD to read it
-#
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argocd-oidc-authentik
-  namespace: argocd
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-blumeops
-  target:
-    name: argocd-oidc-authentik
-    creationPolicy: Owner
-    template:
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argocd
-  data:
-    - secretKey: client-secret
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: "Authentik (blumeops)"
-        metadataPolicy: None
-        property: argocd-client-secret

argocd/manifests/argocd/kustomization.yaml

@@ -9,7 +9,6 @@ resources:
   - https://raw.githubusercontent.com/argoproj/argo-cd/998fb59dc355653c0657908a6ea2f87136e022d1/manifests/install.yaml
   - ingress-tailscale.yaml
   - external-secret-repo-forge.yaml
-  - external-secret-oidc-authentik.yaml
 
 patches:
   - path: argocd-cmd-params-cm.yaml

argocd/manifests/authentik/deployment-worker.yaml

@@ -75,11 +75,6 @@ spec:
                 secretKeyRef:
                   name: authentik-config
                   key: jellyfin-client-secret
-            - name: AUTHENTIK_ARGOCD_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: authentik-config
-                  key: argocd-client-secret
             - name: AUTHENTIK_MEALIE_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:

argocd/manifests/authentik/external-secret.yaml

@@ -53,10 +53,6 @@ spec:
       remoteRef:
         key: "Authentik (blumeops)"
         property: jellyfin-client-secret
-    - secretKey: argocd-client-secret
-      remoteRef:
-        key: "Authentik (blumeops)"
-        property: argocd-client-secret
     - secretKey: mealie-client-secret
       remoteRef:
         key: "Authentik (blumeops)"