From 6d19c01bf1dc7cc63b6638a588b63cad1b677276 Mon Sep 17 00:00:00 2001
From: Mayne0213 <bluemayne0213@icloud.com>
Date: Fri, 2 Jan 2026 19:33:01 +0900
Subject: [PATCH] FIX(headlamp): use ExternalSecret for OIDC config

- Use externalSecret.enabled instead of env
- Add template to ExternalSecret with all OIDC fields
---
 headlamp/external-secret.yaml |  7 +++++++
 headlamp/helm-values.yaml     | 17 +++++------------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/headlamp/external-secret.yaml b/headlamp/external-secret.yaml
index f35d0c7..d541998 100644
--- a/headlamp/external-secret.yaml
+++ b/headlamp/external-secret.yaml
@@ -11,6 +11,13 @@ spec:
   target:
     name: headlamp-oidc
     creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        clientID: headlamp
+        clientSecret: "{{ .clientSecret }}"
+        issuerURL: https://auth0213.kro.kr
+        scopes: "openid profile email groups"
   data:
     - secretKey: clientSecret
       remoteRef:
diff --git a/headlamp/helm-values.yaml b/headlamp/helm-values.yaml
index 093917b..88a1eda 100644
--- a/headlamp/helm-values.yaml
+++ b/headlamp/helm-values.yaml
@@ -34,15 +34,8 @@ ingress:
 config:
   baseURL: "https://kubernetes0213.kro.kr"
   oidc:
-    clientID: "headlamp"
-    clientSecret: ""
-    issuerURL: "https://auth0213.kro.kr"
-    scopes: "openid profile email groups"
-
-# OIDC client secret from ExternalSecret
-env:
-  - name: HEADLAMP_CONFIG_OIDC_clientSecret
-    valueFrom:
-      secretKeyRef:
-        name: headlamp-oidc
-        key: clientSecret
+    secret:
+      create: false
+    externalSecret:
+      enabled: true
+      name: headlamp-oidc