FEAT(vault): add OIDC auth for Authelia SSO

- Add ExternalSecret for VAULT_CLIENT_SECRET
- Configure default and admin roles for OIDC login
- Fix claim settings (use sub instead of preferred_username)
- Remove oidc-setup-job (already configured)

vault/manifests/oidc-setup-job.yaml

@@ -0,0 +1,89 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-oidc-setup
+  namespace: vault
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      serviceAccountName: vault
+      restartPolicy: OnFailure
+      containers:
+        - name: vault-oidc-setup
+          image: hashicorp/vault:1.17.2
+          env:
+            - name: VAULT_ADDR
+              value: "http://vault.vault.svc.cluster.local:8200"
+            - name: VAULT_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: vault-oidc-secret
+                  key: VAULT_CLIENT_SECRET
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+
+              # Login with Kubernetes auth
+              echo "Logging in with Kubernetes auth..."
+              VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
+                role=vault-setup \
+                jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
+              export VAULT_TOKEN
+
+              # Check if OIDC is already enabled
+              if vault auth list | grep -q "oidc/"; then
+                echo "OIDC auth method already enabled"
+              else
+                echo "Enabling OIDC auth method..."
+                vault auth enable oidc
+              fi
+
+              # Configure OIDC with Authelia
+              echo "Configuring OIDC..."
+              vault write auth/oidc/config \
+                oidc_discovery_url="https://auth0213.kro.kr" \
+                oidc_client_id="vault" \
+                oidc_client_secret="${VAULT_CLIENT_SECRET}" \
+                default_role="default"
+
+              # Create default role
+              echo "Creating default role..."
+              vault write auth/oidc/role/default \
+                user_claim="sub" \
+                groups_claim="" \
+                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
+                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
+                token_policies="admin" \
+                token_ttl="1h" \
+                token_max_ttl="24h"
+
+              # Create admin policy
+              echo "Creating admin policy..."
+              vault policy write admin - <<POLICY
+              path "*" {
+                capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+              }
+              POLICY
+
+              # Create admin role
+              echo "Creating admin role..."
+              vault write auth/oidc/role/admin \
+                user_claim="sub" \
+                groups_claim="" \
+                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
+                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
+                token_policies="admin" \
+                token_ttl="1h" \
+                token_max_ttl="24h"
+
+              echo "OIDC setup complete!"
+      tolerations:
+        - key: "node-role.kubernetes.io/control-plane"
+          operator: "Exists"
+          effect: "NoSchedule"