diff --git a/headlamp/external-secret.yaml b/headlamp/external-secret.yaml
new file mode 100644
index 0000000..cc9c89d
--- /dev/null
+++ b/headlamp/external-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: headlamp-oidc
+ namespace: headlamp
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: headlamp-oidc
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ OIDC_CLIENT_ID: headlamp
+ OIDC_CLIENT_SECRET: "{{ .clientSecret }}"
+ OIDC_ISSUER_URL: https://auth0213.kro.kr
+ OIDC_SCOPES: "openid profile email groups"
+ OIDC_VALIDATOR_CLIENT_ID: headlamp
+ OIDC_VALIDATOR_ISSUER_URL: https://auth0213.kro.kr
+ data:
+ - secretKey: clientSecret
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: HEADLAMP_CLIENT_SECRET
diff --git a/headlamp/helm-values.yaml b/headlamp/helm-values.yaml
index 2eadb1d..e6f8a05 100644
--- a/headlamp/helm-values.yaml
+++ b/headlamp/helm-values.yaml
@@ -33,3 +33,9 @@ ingress:
 # Config
 config:
 baseURL: ""
+ oidc:
+ secret:
+ create: false
+ externalSecret:
+ enabled: true
+ name: headlamp-oidc
diff --git a/headlamp/ingress.yaml b/headlamp/ingress.yaml
index d111c7e..e052d71 100644
--- a/headlamp/ingress.yaml
+++ b/headlamp/ingress.yaml
@@ -5,7 +5,6 @@ metadata:
 namespace: headlamp
 annotations:
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
- traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/headlamp/kustomization.yaml b/headlamp/kustomization.yaml
index bd43e8a..6c563b1 100644
--- a/headlamp/kustomization.yaml
+++ b/headlamp/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ingress.yaml
+- external-secret.yaml
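Review bot: With `refreshInterval: 1h` a rotated `HEADLAMP_CLIENT_SECRET` in Vault can take up to an hour to reach the `headlamp-oidc` Secret, and if the chart injects these `OIDC_*` keys as environment variables (which the key names suggest, but the chart is not visible here) the running pod keeps the old value until it is restarted; record that with a comment above `refreshInterval`, e.g. `# client-secret rotation is live only after refreshInterval elapses and the pod restarts`, or shorten the interval. The issuer is hard-coded twice, in `OIDC_ISSUER_URL` and `OIDC_VALIDATOR_ISSUER_URL`, so a future issuer change must be made in both places; a comment stating that the two are expected to match would prevent a half-edit. Headlamp's `-oidc-scopes` flag takes a comma-separated list as far as I recall, so `OIDC_SCOPES: "openid profile email groups"` should be checked against the deployed version rather than assumed to expand to four scopes. Because the same commit drops the Authelia forward-auth middleware from ingress.yaml, this Secret is now the only source of authentication configuration for the UI, so it is worth confirming that the chart fails closed (pod does not start) rather than running unauthenticated when the ExternalSecret has not synced.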
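Review bot: `name: headlamp-oidc` under `externalSecret` must equal `spec.target.name` in external-secret.yaml, and nothing in this file records that cross-file coupling; add `# must match spec.target.name in headlamp/external-secret.yaml` above the `name:` line. A one-line comment above `secret:` noting that `create: false` exists precisely so the chart does not generate a second Secret with the same name would also help the next reader.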