# ------------------------------------------------------------------------------ # ExternalSecret — ArgoCD Secrets # # Pulls two secrets from 1Password: # 1. Authentik OIDC client ID + secret (for Dex connector) # 2. Gitea personal access token (for repo access) # # In 1Password (mk-labs vault), create: # Item: "argocd-oidc" # Field: client-id → Authentik OAuth2 client ID # Field: client-secret → Authentik OAuth2 client secret # # Item: "gitea-argocd-token" # Field: token → Gitea personal access token with repo read permissions # (Create in Gitea: Settings → Applications → Generate Token) # # These materialize into argocd-secret, which ArgoCD reads natively. # The $dex.authentik.clientID / $dex.authentik.clientSecret references # in argocd-cm.yaml are resolved by ArgoCD from this secret automatically. # ------------------------------------------------------------------------------ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: argocd-secrets namespace: argocd spec: secretStoreRef: kind: ClusterSecretStore name: onepassword-connect refreshInterval: "1h" target: # Must be named argocd-secret — ArgoCD reads this specific secret name name: argocd-secret creationPolicy: Merge # Merge into existing argocd-secret, don't replace it data: # Authentik OIDC credentials — referenced as $dex.authentik.* in argocd-cm - secretKey: dex.authentik.clientID remoteRef: key: argocd-oidc property: client-id - secretKey: dex.authentik.clientSecret remoteRef: key: argocd-oidc property: client-secret # Gitea token — used by the Repository credential below - secretKey: sshPrivateKey remoteRef: key: gitea-argocd-ssh property: private-key