FEAT(authelia): enable Authelia OIDC provider with MinIO client

- Enable OIDC identity provider
- Add MinIO as OIDC client
- Configure secrets from Vault

authelia/helm-values.yaml

@@ -18,11 +18,17 @@ pod:
     - name: users-database
       configMap:
         name: authelia-config
+    - name: oidc-clients
+      secret:
+        secretName: authelia-oidc-clients
   extraVolumeMounts:
     - name: users-database
       mountPath: /config/users_database.yml
       subPath: users_database.yml
       readOnly: true
+    - name: oidc-clients
+      mountPath: /secrets/oidc
+      readOnly: true
 
 # ConfigMap configuration
 configMap:
@@ -71,10 +77,31 @@ configMap:
     enabled: true
     issuer: mayne.kro.kr
 
-  # Identity providers (OIDC) - can be enabled later
+  # Identity providers (OIDC)
   identity_providers:
     oidc:
-      enabled: false
+      enabled: true
+      cors:
+        endpoints:
+          - authorization
+          - token
+          - revocation
+          - introspection
+          - userinfo
+        allowed_origins_from_client_redirect_uris: true
+      clients:
+        - client_id: minio
+          client_name: MinIO Console
+          client_secret: '{{ secret "/secrets/oidc/MINIO_CLIENT_SECRET" }}'
+          authorization_policy: one_factor
+          redirect_uris:
+            - https://minio.minio0213.kro.kr/oauth_callback
+            - https://minio0213.kro.kr/oauth_callback
+          scopes:
+            - openid
+            - profile
+            - email
+          token_endpoint_auth_method: client_secret_post
 
 # Secret configuration - use existing secret from Vault
 secret:

authelia/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- vault/authelia-secrets.yaml
 - ingress.yaml
 - middleware.yaml
 - config.yaml

authelia/vault/authelia-secrets.yaml

@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authelia-secrets
+  namespace: authelia
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: authelia-secrets
+    creationPolicy: Owner
+  data:
+    # Storage password (PostgreSQL)
+    - secretKey: STORAGE_PASSWORD
+      remoteRef:
+        key: databases/postgresql
+        property: PASSWORD
+    # Session secret
+    - secretKey: SESSION_SECRET
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: SESSION_SECRET
+    # Storage encryption key
+    - secretKey: STORAGE_ENCRYPTION_KEY
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: STORAGE_ENCRYPTION_KEY
+    # OIDC HMAC secret
+    - secretKey: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: OIDC_HMAC_SECRET
+    # OIDC JWKS private key (base64 encoded)
+    - secretKey: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: OIDC_JWKS_PRIVATE_KEY
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authelia-oidc-clients
+  namespace: authelia
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: authelia-oidc-clients
+    creationPolicy: Owner
+  data:
+    - secretKey: MINIO_CLIENT_SECRET
+      remoteRef:
+        key: databases/minio
+        property: OIDC_CLIENT_SECRET