From 520261d36eb0a0c649c21c277f2d3e90d286407f Mon Sep 17 00:00:00 2001 From: Mayne0213 Date: Fri, 2 Jan 2026 00:00:39 +0900 Subject: [PATCH] FEAT(authelia): enable Authelia OIDC provider with MinIO client - Enable OIDC identity provider - Add MinIO as OIDC client - Configure secrets from Vault --- authelia/helm-values.yaml | 31 ++++++++++++++- authelia/kustomization.yaml | 1 + authelia/vault/authelia-secrets.yaml | 58 ++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 authelia/vault/authelia-secrets.yaml
diff --git a/authelia/helm-values.yaml b/authelia/helm-values.yaml
index 0b5f159..81f9609 100644
--- a/authelia/helm-values.yaml
+++ b/authelia/helm-values.yaml
@@ -18,11 +18,17 @@ pod:
 - name: users-database
 configMap:
 name: authelia-config
+ - name: oidc-clients
+ secret:
+ secretName: authelia-oidc-clients
 extraVolumeMounts:
 - name: users-database
 mountPath: /config/users_database.yml
 subPath: users_database.yml
 readOnly: true
+ - name: oidc-clients
+ mountPath: /secrets/oidc
+ readOnly: true
 
 # ConfigMap configuration
 configMap:
@@ -71,10 +77,31 @@ configMap:
 enabled: true
 issuer: mayne.kro.kr
 
- # Identity providers (OIDC) - can be enabled later
+ # Identity providers (OIDC)
 identity_providers:
 oidc:
- enabled: false
+ enabled: true
+ cors:
+ endpoints:
+ - authorization
+ - token
+ - revocation
+ - introspection
+ - userinfo
+ allowed_origins_from_client_redirect_uris: true
+ clients:
+ - client_id: minio
+ client_name: MinIO Console
+ client_secret: '{{ secret "/secrets/oidc/MINIO_CLIENT_SECRET" }}'
+ authorization_policy: one_factor
+ redirect_uris:
+ - https://minio.minio0213.kro.kr/oauth_callback
+ - https://minio0213.kro.kr/oauth_callback
+ scopes:
+ - openid
+ - profile
+ - email
+ token_endpoint_auth_method: client_secret_post
 
 # Secret configuration - use existing secret from Vault
 secret:
diff --git a/authelia/kustomization.yaml b/authelia/kustomization.yaml
index b852651..ba12a71 100644
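Review bot: In the second hunk the MinIO client's `client_secret` is the value of `/secrets/oidc/MINIO_CLIENT_SECRET` used as-is, which only works if the Vault property holds the form Authelia expects — Authelia recommends storing client secrets as a pbkdf2 or argon2id digest (the plaintext stays only with the relying party), and depending on the Authelia version an unhashed value may need the `$plaintext$` prefix or be rejected at config validation, so the Vault value should be a digest or be explicitly prefixed, and `client_secret_post` works against a hashed secret. The `secret` template function is only expanded when Authelia's template config filter is active; the chart values that enable it are outside this hunk, so the rendered config should be checked for a literal `{{ secret ... }}` string. `authorization_policy: one_factor` admits console users with a password alone; for a storage admin console `two_factor` is worth considering where second factors are enrolled. Because the template is read at config load, a rotated `MINIO_CLIENT_SECRET` only takes effect after a pod restart.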
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- vault/authelia-secrets.yaml
 - ingress.yaml
 - middleware.yaml
 - config.yaml
diff --git a/authelia/vault/authelia-secrets.yaml b/authelia/vault/authelia-secrets.yaml
new file mode 100644
index 0000000..70e8eb1
--- /dev/null
+++ b/authelia/vault/authelia-secrets.yaml
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: authelia-secrets
+ namespace: authelia
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: authelia-secrets
+ creationPolicy: Owner
+ data:
+ # Storage password (PostgreSQL)
+ - secretKey: STORAGE_PASSWORD
+ remoteRef:
+ key: databases/postgresql
+ property: PASSWORD
+ # Session secret
+ - secretKey: SESSION_SECRET
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: SESSION_SECRET
+ # Storage encryption key
+ - secretKey: STORAGE_ENCRYPTION_KEY
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: STORAGE_ENCRYPTION_KEY
+ # OIDC HMAC secret
+ - secretKey: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: OIDC_HMAC_SECRET
+ # OIDC JWKS private key (base64 encoded)
+ - secretKey: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: OIDC_JWKS_PRIVATE_KEY
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: authelia-oidc-clients
+ namespace: authelia
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: authelia-oidc-clients
+ creationPolicy: Owner
+ data:
+ - secretKey: MINIO_CLIENT_SECRET
+ remoteRef:
+ key: databases/minio
+ property: OIDC_CLIENT_SECRET
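Review bot: The `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` entry in the new-file hunk is commented as base64 encoded, but the ExternalSecret copies the Vault property verbatim, so if the comment is accurate the file Authelia loads would contain base64 text rather than the PEM key; either store the raw PEM in Vault or add `decodingStrategy: Base64` to that `remoteRef`, and make the comment match whichever is chosen. Authelia loads these secret files and the templated client secret at startup, so the hourly `refreshInterval` updates the Kubernetes Secrets but a rotated value only takes effect after the pod restarts — worth stating in a comment next to `refreshInterval: 1h` so the rotation procedure includes that step. `STORAGE_PASSWORD` is drawn from the `PASSWORD` property of `databases/postgresql`, which reads like a shared database credential rather than a per-application role; if that is the case, a dedicated role limited to Authelia's database would keep the impact of an Authelia compromise smaller.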