home-server/clusters/noble/bootstrap/argocd/values-authentik-oidc.yaml

# OIDC with Authentik (merged on `helm upgrade` after **noble_authentik** provisions providers + Secret **authentik-oidc**).
# Issuer path uses provider slug **argocd** (see noble_authentik/configure_authentik.py).

configs:
  cm:
    oidc.config: |
      name: Authentik
      issuer: https://auth.apps.noble.lab.pcenicni.dev/application/o/argocd/
      clientID: argocd
      clientSecret: $authentik-oidc:clientSecret
      requestedScopes:
        - openid
        - profile
        - email
        - groups
  rbac:
    policy.default: role:readonly
    policy.csv: |
      g, admin, role:admin
      g, noble-admins, role:admin