fix: configure OIDC after bootstrap

When the OIDC issuer runs on the devops-stack, it cannot be configured
at bootstrap time.

bootstrap/local.tf

@@ -18,14 +18,6 @@ locals {
 
   argocd_server_secretkey = var.argocd_server_secretkey == null ? random_password.argocd_server_secretkey.result : var.argocd_server_secretkey
 
-  oidc_default = {
-    client_id     = "alive"
-    client_secret = "alive"
-    issuer_url    = "http://z"
-  }
-
-  oidc = merge(local.oidc_default, var.oidc)
-
   argocd_default = {
     namespace                = "argocd"
     domain                   = "argocd.apps.${var.cluster_name}.${var.base_domain}"

bootstrap/values.tf

@@ -9,9 +9,8 @@ locals {
           argocdServerAdminPassword      = "${htpasswd_password.argocd_server_admin.bcrypt}"
           argocdServerAdminPasswordMtime = "2020-07-23T11:31:23Z"
           extra = {
-            "oidc.default.clientSecret" = "${replace(local.oidc.client_secret, "\\\"", "\"")}"
-            "accounts.pipeline.tokens"  = "${replace(local.argocd.accounts_pipeline_tokens, "\\\"", "\"")}"
-            "server.secretkey"          = "${replace(local.argocd.server_secretkey, "\\\"", "\"")}"
+            "accounts.pipeline.tokens" = "${replace(local.argocd.accounts_pipeline_tokens, "\\\"", "\"")}"
+            "server.secretkey"         = "${replace(local.argocd.server_secretkey, "\\\"", "\"")}"
           }
         }
       })
@@ -66,20 +65,6 @@ locals {
                     args: ["echo \"$HELM_VALUES\" | helm template . --name-template $ARGOCD_APP_NAME --namespace $ARGOCD_APP_NAMESPACE $HELM_ARGS -f - --include-crds > all.yaml && kustomize build"]
                         EOT
           url                       = "https://${local.argocd.domain}"
-          # TODO check and potentially change the following var references
-          "oidc.config" = <<-EOT
-                name: OIDC
-                issuer: "${replace(local.oidc.issuer_url, "\"", "\\\"")}"
-                clientID: "${replace(local.oidc.client_id, "\"", "\\\"")}"
-                clientSecret: "${local.oidc.client_secret}"
-                requestedIDTokenClaims:
-                  groups:
-                    essential: true
-                requestedScopes:
-                  - openid
-                  - profile
-                  - email
-                EOT
         }
         ingress = {
           enabled = true

main.tf

@@ -2,6 +2,16 @@ resource "null_resource" "dependencies" {
   triggers = var.dependency_ids
 }
 
+locals {
+  oidc_default = {
+    client_id     = "alive"
+    client_secret = "alive"
+    issuer_url    = "http://z"
+  }
+
+  oidc = merge(local.oidc_default, var.oidc)
+}
+
 resource "argocd_project" "this" {
   metadata {
     name      = "argocd"
@@ -32,7 +42,7 @@ resource "argocd_project" "this" {
 }
 
 data "utils_deep_merge_yaml" "values" {
-  input = [for i in concat(var.bootstrap_values, var.helm_values) : yamlencode(i)]
+  input = [for i in concat(var.bootstrap_values, local.helm_values, var.helm_values) : yamlencode(i)]
 }
 
 resource "argocd_application" "this" {

values.tf

@@ -0,0 +1,31 @@
+locals {
+  helm_values = [{
+    argo-cd = {
+      configs = {
+        secret = {
+          extra = {
+            "oidc.default.clientSecret" = "${replace(local.oidc.client_secret, "\\\"", "\"")}"
+          }
+        }
+      }
+      server = {
+        config = {
+          # TODO check and potentially change the following var references
+          "oidc.config" = <<-EOT
+            name: OIDC
+            issuer: "${replace(local.oidc.issuer_url, "\"", "\\\"")}"
+            clientID: "${replace(local.oidc.client_id, "\"", "\\\"")}"
+            clientSecret: "${local.oidc.client_secret}"
+            requestedIDTokenClaims:
+              groups:
+                essential: true
+            requestedScopes:
+              - openid
+              - profile
+              - email
+          EOT
+        }
+      }
+    }
+  }]
+}