FEAT(authelia): configure immich oidc

- Add ExternalSecret for OIDC client secret
- Add OAuth environment variables
- Remove Authelia middleware (using direct OIDC)

immich/helm-values.yaml

@@ -18,6 +18,19 @@ controllers:
               secretKeyRef:
                 name: immich-postgres-password
                 key: password
+          # OAuth/OIDC configuration
+          OAUTH_ENABLED: "true"
+          OAUTH_ISSUER_URL: https://auth0213.kro.kr
+          OAUTH_CLIENT_ID: immich
+          OAUTH_CLIENT_SECRET:
+            valueFrom:
+              secretKeyRef:
+                name: immich-oidc
+                key: OAUTH_CLIENT_SECRET
+          OAUTH_SCOPE: "openid profile email"
+          OAUTH_AUTO_REGISTER: "true"
+          OAUTH_BUTTON_TEXT: "Login with Authelia"
+          OAUTH_AUTO_LAUNCH: "true"
 
 # Immich configuration
 immich:
@@ -55,7 +68,6 @@ server:
       className: traefik
       annotations:
         cert-manager.io/cluster-issuer: letsencrypt-prod
-        traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
       hosts:
         - host: immich0213.kro.kr
           paths:

immich/kustomization.yaml

@@ -3,4 +3,5 @@ kind: Kustomization
 resources:
 - pvc.yaml
 - vault/immich-postgres-password.yaml
+- vault/immich-oidc.yaml
 namespace: immich

immich/vault/immich-oidc.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: immich-oidc
+  namespace: immich
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: immich-oidc
+    creationPolicy: Owner
+  data:
+    - secretKey: OAUTH_CLIENT_SECRET
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: IMMICH_CLIENT_SECRET