K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FEAT(vault): add OIDC auth for Authelia SSO

Browse Source 
- Add ExternalSecret for VAULT_CLIENT_SECRET
- Configure default and admin roles for OIDC login
- Fix claim settings (use sub instead of preferred_username)
- Remove oidc-setup-job (already configured)
This commit is contained in:
Mayne0213
2026-01-09 19:41:38 +09:00
parent bb4af2638e
commit 507cb61ec4
3 changed files with 109 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
vault/kustomization.yaml
View File

@@ -4,3 +4,5 @@ resources:
- manifests/cluster-secret-store.yaml - manifests/cluster-secret-store.yaml
- manifests/external-secret.yaml - manifests/external-secret.yaml
- manifests/rbac.yaml - manifests/rbac.yaml
- manifests/oidc-secret.yaml
- manifests/oidc-setup-job.yaml

18
vault/manifests/oidc-secret.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-oidc-secret
namespace: vault
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
name: vault-oidc-secret
creationPolicy: Owner
data:
- secretKey: VAULT_CLIENT_SECRET
remoteRef:
key: authelia
property: VAULT_CLIENT_SECRET

89
vault/manifests/oidc-setup-job.yaml Normal file
View File

@@ -0,0 +1,89 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-oidc-setup
namespace: vault
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: vault
restartPolicy: OnFailure
containers:
- name: vault-oidc-setup
image: hashicorp/vault:1.17.2
env:
- name: VAULT_ADDR
value: "http://vault.vault.svc.cluster.local:8200"
- name: VAULT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vault-oidc-secret
key: VAULT_CLIENT_SECRET
command:
- /bin/sh
- -c
- |
set -e
# Login with Kubernetes auth
echo "Logging in with Kubernetes auth..."
VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
role=vault-setup \
jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
export VAULT_TOKEN
# Check if OIDC is already enabled
if vault auth list | grep -q "oidc/"; then
echo "OIDC auth method already enabled"
else
echo "Enabling OIDC auth method..."
vault auth enable oidc
fi
# Configure OIDC with Authelia
echo "Configuring OIDC..."
vault write auth/oidc/config \
oidc_discovery_url="https://auth0213.kro.kr" \
oidc_client_id="vault" \
oidc_client_secret="${VAULT_CLIENT_SECRET}" \
default_role="default"
# Create default role
echo "Creating default role..."
vault write auth/oidc/role/default \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
# Create admin policy
echo "Creating admin policy..."
vault policy write admin - <<POLICY
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
POLICY
# Create admin role
echo "Creating admin role..."
vault write auth/oidc/role/admin \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
echo "OIDC setup complete!"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"