Erich Blume
0e62ad5596
Changes argocd's Authentik OAuth2 client from confidential to public and
drops the clientSecret from argocd-cm. Public + PKCE works for both the
web UI (argocd-server backend) and the argocd CLI (`argocd login --sso`)
without a shared secret, matching OAuth 2.1 guidance.
Confidential → public was needed because the CLI can't hold a client
secret; Authentik's per-app issuer model made the alternative
("cliClientID" pattern with separate public client) awkward since it
requires a shared issuer across apps which Authentik doesn't serve.
Follow-up: deadcode AUTHENTIK_ARGOCD_CLIENT_SECRET env wiring and the
argocd-oidc-authentik ExternalSecret once verified.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| configmap-blueprint.yaml | ||
| deployment-redis.yaml | ||
| deployment-server.yaml | ||
| deployment-worker.yaml | ||
| external-secret.yaml | ||
| ingress-tailscale.yaml | ||
| kustomization.yaml | ||
| service-redis.yaml | ||
| service.yaml | ||