diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index d8d6d7a..8d9462d 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -655,7 +655,58 @@ retry:
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
 | `admin.enabled` | `true` | Enable admin account |
-| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
+| `url` | `https://argocd.forteapps.net` | External URL for ArgoCD UI |
+
+**Git Submodule Disable**: Set via `repoServer.env` (not `configs.cm`):
+```yaml
+repoServer:
+ env:
+ - name: ARGOCD_GIT_MODULES_ENABLED
+ value: "false"
+```
+Submodules (e.g., `shared-prompts`) are not needed for K8s manifest generation.
+
+**OIDC Authentication** (Keycloak):
+```yaml
+configs:
+ cm:
+ oidc.config: |
+ name: Forte SSO
+ issuer: https://id.forteapps.net/realms/forte
+ clientID: argocd
+ clientSecret: $oidc.clientSecret
+ requestedScopes: ["openid", "email", "profile"]
+ rbacConfig:
+ policy.csv: |
+ g, ArgoCD Admins, role:admin
+ g, ArgoCD Viewers, role:readonly
+ policy.default: role:readonly
+ scopes: '[groups]'
+```
+
+- ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
+- Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless
+- `$oidc.clientSecret` references the `oidc.clientSecret` key in `argocd-secret`
+- OIDC secret is synced by CronJob `argocd-oidc-sync` (see `cluster-resources/argocd-oidc-secret-sync.yaml`)
+- The CronJob bridges `argocd-oidc-credentials` (from KC registrar) → `argocd-secret` every 2 min
+- Safe for fresh deploys: no-ops if source secret doesn't exist yet
+
+**Ingress** (Traefik + TLS):
+```yaml
+server:
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ tls: true
+ extraArgs:
+ - --insecure
+configs:
+ params:
+ "server.insecure": true
+```
+TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
 ---
@@ -776,6 +827,15 @@ kubeStateMetrics:
 - Loki
 - Tempo
+**Ingress**: Exposed via Traefik at `https://grafana.forteapps.net` with cert-manager TLS.
+
+**OIDC Authentication** (Keycloak):
+- Uses `grafana.ini.auth.generic_oauth` with KC `grafana` client
+- Secret `grafana-oidc-credentials` synced by KC registrar, loaded via `envFromSecrets`
+- SSO-only mode: `auth.disable_login_form: true` + `auth.generic_oauth.auto_login: true`
+- Role mapping via JMESPath on `resource_access.grafana.roles` claim (requires KC client role mapper)
+- Roles: KC client roles `Admin`/`Editor` map to Grafana roles; default is `Viewer`
+
 ### Loki
 **Chart**: `grafana/loki-stack`
diff --git a/infra/values/base/argocd-values.yaml b/infra/values/base/argocd-values.yaml
index 09c6166..f591d5a 100644
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -29,7 +29,7 @@ configs:
 repoServer:
 # Disable git submodule checkout - submodules (e.g. shared-prompts)
 # are not needed for K8s manifest generation
- extraEnv:
+ env:
 - name: ARGOCD_GIT_MODULES_ENABLED
 value: "false"
 server:
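Review bot: The comment above the changed key in argocd-values.yaml still explains why submodules are disabled but not why the key moved, so a later reader cannot tell that `extraEnv` was presumably a key the chart never read and that ARGOCD_GIT_MODULES_ENABLED was therefore never applied to the running repo-server; a one-line comment such as `# NOTE: the chart reads repoServer.env — an unrecognized key (e.g. extraEnv) is dropped without error` would record that. Because a values key that the chart ignores fails silently, it is worth confirming after rollout that the repo-server container actually carries ARGOCD_GIT_MODULES_ENABLED=false instead of trusting the values file, and any other hardening set the same way deserves the same check. The REFERENCE.md hunk earlier in this commit already documents the `repoServer.env` placement, so the two now agree. The repoServer block continues outside the hunk.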