fix(argo-cd): add allowed audiences parameter to values.yaml (argoproj#3299)

* fix(argo-cd): add allowed audiences parameter to values.yaml

Signed-off-by: Brynn Crowley <[email protected]>

* fix(argo-cd): remove previous version change annotation

Signed-off-by: Brynn Crowley <[email protected]>

* fix(argo-cd): add comments to align with upstream)

Signed-off-by: Brynn Crowley <[email protected]>

* fix(argo-cd): add missing keys from upstream docs

Signed-off-by: Brynn Crowley <[email protected]>

* chore: Summarize changelog in one line

Signed-off-by: Marco Maurer (-Kilchhofer) <[email protected]>

---------

Signed-off-by: Brynn Crowley <[email protected]>
Signed-off-by: Marco Maurer (-Kilchhofer) <[email protected]>
Co-authored-by: Marco Maurer (-Kilchhofer) <[email protected]>

Author: Crowley723

charts/argo-cd/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v3.1.5
 kubeVersion: ">=1.25.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 8.4.0
+version: 8.4.1
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -26,5 +26,5 @@ annotations:
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
-    - kind: added
-      description: support VerticalPodAutoscaler for application controller
+    - kind: changed
+      description: Added more example code regarding `oidc.config` from upstream docs to align better

charts/argo-cd/values.yaml

@@ -222,20 +222,45 @@ configs:
     # oidc.config: |
     #   name: AzureAD
     #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
-    #   clientID: CLIENT_ID
+    #   clientID: aaaabbbbccccddddeee
     #   clientSecret: $oidc.azuread.clientSecret
+
+    # Some OIDC providers require a separate clientID for different callback URLs.
+    # For example, if configuring Argo CD with self-hosted Dex, you will need a separate client ID
+    # for the 'localhost' (CLI) client to Dex. This field is optional. If omitted, the CLI will
+    # use the same clientID as the Argo CD server
+    #   cliClientID: vvvvwwwwxxxxyyyyzzzz
+
     #   rootCA: |
     #     -----BEGIN CERTIFICATE-----
     #     ... encoded certificate data here ...
     #     -----END CERTIFICATE-----
+
+    # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above (and the
+    # cliClientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must
+    # explicitly include it in the list.
+    # Token verification will pass if any of the token's audiences matches any of the audiences in this list.
+    #   allowedAudiences:
+    #     - aaaabbbbccccddddeee
+    #     - qqqqwwwweeeerrrrttt
+
+    # Optional set of OIDC claims to request on the ID token.
     #   requestedIDTokenClaims:
     #     groups:
     #       essential: true
+
+    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     #   requestedScopes:
     #     - openid
     #     - profile
     #     - email
 
+    # PKCE authentication flow processes authorization flow from browser only - default false
+    # uses the clientID
+    # make sure the Identity Provider (IdP) is public and doesn't need clientSecret
+    # make sure the Identity Provider (IdP) has this redirect URI registered: https://argocd.example.com/pkce/verify
+    #   enablePKCEAuthentication: true
+
     # Extension Configuration
     ## Ref: https://argo-cd.readthedocs.io/en/latest/developer-guide/extensions/proxy-extensions/
     # extension.config: |