# OAuth2/OIDC provider + application for the in-cluster ArgoCD # (argocd.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed. name: ArgoCD authorization_flow: default-provider-authorization-implicit-consent invalidation_flow: default-provider-invalidation-flow client_type: confidential client_id: argocd client_secret_vault: mount: kv path: kubernetes/namespace/argocd/default/oauth-credentials scope_mappings: - goauthentik.io/providers/oauth2/scope-openid - goauthentik.io/providers/oauth2/scope-email - goauthentik.io/providers/oauth2/scope-profile redirect_uris: # Web UI SSO callback. - matching_mode: strict url: https://argocd.k8s.syd1.au.unkin.net/auth/callback # `argocd login --sso` CLI callback (local listener). - matching_mode: strict url: http://localhost:8085/auth/callback