FEAT(authelia): enable Authelia OIDC provider with MinIO client

- Enable OIDC identity provider
- Add MinIO as OIDC client
- Configure secrets from Vault
2026-01-02 00:00:39 +09:00
parent 7de57fc936
commit 520261d36e
3 changed files with 88 additions and 2 deletions


@@ -18,11 +18,17 @@ pod:
- name: users-database - name: users-database
configMap: configMap:
name: authelia-config name: authelia-config
- name: oidc-clients
secret:
secretName: authelia-oidc-clients
extraVolumeMounts: extraVolumeMounts:
- name: users-database - name: users-database
mountPath: /config/users_database.yml mountPath: /config/users_database.yml
subPath: users_database.yml subPath: users_database.yml
readOnly: true readOnly: true
- name: oidc-clients
mountPath: /secrets/oidc
readOnly: true
# ConfigMap configuration # ConfigMap configuration
configMap: configMap:
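Review bot: The new `oidc-clients` secret volume at the top of the hunk sets no `defaultMode`, so the MinIO client secret is projected with the Kubernetes default file mode of 0644 and is readable by every process in the container regardless of uid; the `readOnly: true` on the mount only prevents writes. Suggest `defaultMode: 288  # 0440, decimal to avoid the YAML 1.1 octal trap` on the `secret:` entry, which keeps the file readable through the pod's fsGroup while dropping world-read. Whether 0440 (or 0400) works depends on the pod's `runAsUser`/`fsGroup`, which are outside this hunk, so verify against the chart's securityContext. The enclosing `pod:` mapping starts before this hunk, and the rendered view has dropped the original indentation, so the nesting of the added entries could not be checked here.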
@@ -71,10 +77,31 @@ configMap:
enabled: true enabled: true
issuer: mayne.kro.kr issuer: mayne.kro.kr
# Identity providers (OIDC) - can be enabled later # Identity providers (OIDC)
identity_providers: identity_providers:
oidc: oidc:
enabled: false enabled: true
cors:
endpoints:
- authorization
- token
- revocation
- introspection
- userinfo
allowed_origins_from_client_redirect_uris: true
clients:
- client_id: minio
client_name: MinIO Console
client_secret: '{{ secret "/secrets/oidc/MINIO_CLIENT_SECRET" }}'
authorization_policy: one_factor
redirect_uris:
- https://minio.minio0213.kro.kr/oauth_callback
- https://minio0213.kro.kr/oauth_callback
scopes:
- openid
- profile
- email
token_endpoint_auth_method: client_secret_post
# Secret configuration - use existing secret from Vault # Secret configuration - use existing secret from Vault
secret: secret:
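Review bot: `client_secret` for the `minio` client is templated from `/secrets/oidc/MINIO_CLIENT_SECRET` as a plaintext value, whereas Authelia expects the client secret in its own configuration as a password hash (for example a pbkdf2 digest from `authelia crypto hash generate pbkdf2`) and only the relying party needs the plaintext; `token_endpoint_auth_method: client_secret_post` works with a hashed value. Storing the digest in Vault as a property separate from the plaintext MinIO consumes keeps the plaintext out of Authelia's rendered config and config dumps. Separately, the `{{ secret "..." }}` function is only expanded when Authelia's template config filter is enabled (`X_AUTHELIA_CONFIG_FILTERS=template`); if the chart does not already set that, the literal template string becomes the client secret, and that setting is not visible in this diff. The `oidc:` mapping continues past the end of the hunk and the rendered view has dropped indentation, so the placement of `clients:` relative to `cors:` could not be verified here.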


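--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- vault/authelia-secrets.yaml
 - ingress.yaml
 - middleware.yaml
 - config.yaml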


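--- /dev/null
+++ b/vault/authelia-secrets.yaml
@@ -0,0 +1,58 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+name: authelia-secrets
+namespace: authelia
+spec:
+refreshInterval: 1h
+secretStoreRef:
+kind: ClusterSecretStore
+name: vault-backend
+target:
+name: authelia-secrets
+creationPolicy: Owner
+data:
+# Storage password (PostgreSQL)
+- secretKey: STORAGE_PASSWORD
+remoteRef:
+key: databases/postgresql
+property: PASSWORD
+# Session secret
+- secretKey: SESSION_SECRET
+remoteRef:
+key: cluster-infrastructure/authelia
+property: SESSION_SECRET
+# Storage encryption key
+- secretKey: STORAGE_ENCRYPTION_KEY
+remoteRef:
+key: cluster-infrastructure/authelia
+property: STORAGE_ENCRYPTION_KEY
+# OIDC HMAC secret
+- secretKey: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
+remoteRef:
+key: cluster-infrastructure/authelia
+property: OIDC_HMAC_SECRET
+# OIDC JWKS private key (base64 encoded)
+- secretKey: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
+remoteRef:
+key: cluster-infrastructure/authelia
+property: OIDC_JWKS_PRIVATE_KEY
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+name: authelia-oidc-clients
+namespace: authelia
+spec:
+refreshInterval: 1h
+secretStoreRef:
+kind: ClusterSecretStore
+name: vault-backend
+target:
+name: authelia-oidc-clients
+creationPolicy: Owner
+data:
+- secretKey: MINIO_CLIENT_SECRET
+remoteRef:
+key: databases/minio
+property: OIDC_CLIENT_SECRET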
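Review bot: The `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` entry is commented as "base64 encoded", but its `remoteRef` carries no `decodingStrategy`, so External Secrets copies the base64 text verbatim into the Secret and Authelia would be handed a base64 string rather than the PEM key. If the Vault property really is base64, add `decodingStrategy: Base64` under that `remoteRef`; if it is already PEM, the comment is misleading and should be dropped. The MinIO client secret is read from `databases/minio` / `OIDC_CLIENT_SECRET`, presumably the same plaintext MinIO itself consumes; should Authelia's `client_secret` be switched to a hashed value, this entry needs to point at a separate digest property so the two sides do not share one plaintext. The file path is not shown on the rendered page and was taken from the `vault/authelia-secrets.yaml` resource added in the kustomization.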