feat(headlamp): OIDC mobile login via ArgoCD Dex (JDWLABS-15)

[jdwillmsen]

Summary

• Configure ArgoCD's bundled Dex with a static password user and Headlamp OIDC client — no new services required
• Add argocd-dex Vault seed spec to platformctl for seeding bcrypt hash + client secret
• Wire ExternalSecrets in argocd and headlamp namespaces; add app.kubernetes.io/part-of: argocd label so ArgoCD resolves $dex-secrets:* substitution in dex.config
• Update OPERATIONS.md: Headlamp in day-2 table, §1.2 mobile login + password rotation guide, CI env var table

Mobile login flow (after seeding Vault)

1. Open https://dashboard.jdwlabs.com → redirects to Dex login at argocd.jdwlabs.com
2. 1Password autofills credentials
3. Redirected back → dashboard

≤3 taps, works off home network. No Google/GitHub dependency.

Bootstrap (operator, one-time)

# Generate bcrypt hash
htpasswd -bnBC 10 "" <password> | tr -d ':\n'

# Seed Vault
platformctl bootstrap seed argocd-dex

Test Plan

• Seed Vault: platformctl bootstrap seed argocd-dex
• Verify dex-secrets ExternalSecret syncs in argocd namespace with app.kubernetes.io/part-of: argocd label
• Verify headlamp-oidc-secret ExternalSecret syncs in headlamp namespace
• ArgoCD syncs → Dex pod restarts with new config
• curl https://argocd.jdwlabs.com/api/dex/.well-known/openid-configuration returns valid issuer
• Mobile: open dashboard.jdwlabs.com → Dex login → authenticated in ≤3 taps

Closes JDWLABS-15

🤖 Generated with Claude Code