FIX(authelia): configure OIDC claims and scopes

- Remove groups scope (not provided by Authelia) - Add claims_policy for preferred_username - Remove sub from claims_policy (standard claim)
2026-01-09 20:10:36 +09:00
parent fa4521e946
commit 5f9573133e
4 changed files with 11 additions and 96 deletions
--- a/authelia/helm-values.yaml
+++ b/authelia/helm-values.yaml
@@ -122,6 +122,12 @@ configMap:
          use: 'sig'
          key:
            path: /secrets/jwks.pem
+      claims_policies:
+        default:
+          id_token:
+            - name
+            - preferred_username
+            - email
      cors:
        endpoints:
          - authorization
@@ -137,13 +143,13 @@ configMap:
            path: /secrets/HEADLAMP_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
+          claims_policy: default
          redirect_uris:
            - https://kubernetes0213.kro.kr/oidc-callback
          scopes:
            - openid
            - profile
            - email
-            - groups
          token_endpoint_auth_method: client_secret_basic
        - client_id: vault
          client_name: Vault
@@ -158,7 +164,6 @@ configMap:
            - openid
            - profile
            - email
-            - groups
          token_endpoint_auth_method: client_secret_post

 # Secret configuration - use existing secret from Vault
--- a/external-secrets/helm-values.yaml
+++ b/external-secrets/helm-values.yaml
@@ -8,10 +8,10 @@ replicaCount: 2
 resources:
  requests:
    cpu: 5m  # Reduced from 20m based on actual usage (1m)
-    memory: 64Mi
+    memory: 128Mi
  limits:
    # cpu: removed to prevent throttling
-    memory: 64Mi
+    memory: 128Mi

 # 동시 실행 제한
 concurrent: 3
@@ -29,10 +29,10 @@ webhook:
  resources:
    requests:
      cpu: 2m  # Reduced from 10m based on actual usage (1m)
-      memory: 64Mi
+      memory: 128Mi
    limits:
      # cpu: removed to prevent throttling
-      memory: 64Mi
+      memory: 128Mi
  # Affinity - Soft Anti-Affinity to spread pods across nodes
  affinity:
    podAntiAffinity:
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
@@ -5,4 +5,3 @@ resources:
 - manifests/external-secret.yaml
 - manifests/rbac.yaml
 - manifests/oidc-secret.yaml
- manifests/oidc-setup-job.yaml
--- a/vault/manifests/oidc-setup-job.yaml
+++ b/vault/manifests/oidc-setup-job.yaml
@@ -1,89 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: vault-oidc-setup
-  namespace: vault
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
-spec:
-  ttlSecondsAfterFinished: 300
-  template:
-    spec:
-      serviceAccountName: vault
-      restartPolicy: OnFailure
-      containers:
-        - name: vault-oidc-setup
-          image: hashicorp/vault:1.17.2
-          env:
-            - name: VAULT_ADDR
-              value: "http://vault.vault.svc.cluster.local:8200"
-            - name: VAULT_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: vault-oidc-secret
-                  key: VAULT_CLIENT_SECRET
-          command:
-            - /bin/sh
-            - -c
-            - |
-              set -e
-
-              # Login with Kubernetes auth
-              echo "Logging in with Kubernetes auth..."
-              VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
-                role=vault-setup \
-                jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
-              export VAULT_TOKEN
-
-              # Check if OIDC is already enabled
-              if vault auth list | grep -q "oidc/"; then
-                echo "OIDC auth method already enabled"
-              else
-                echo "Enabling OIDC auth method..."
-                vault auth enable oidc
-              fi
-
-              # Configure OIDC with Authelia
-              echo "Configuring OIDC..."
-              vault write auth/oidc/config \
-                oidc_discovery_url="https://auth0213.kro.kr" \
-                oidc_client_id="vault" \
-                oidc_client_secret="${VAULT_CLIENT_SECRET}" \
-                default_role="default"
-
-              # Create default role
-              echo "Creating default role..."
-              vault write auth/oidc/role/default \
-                user_claim="sub" \
-                groups_claim="" \
-                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
-                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
-                token_policies="admin" \
-                token_ttl="1h" \
-                token_max_ttl="24h"
-
-              # Create admin policy
-              echo "Creating admin policy..."
-              vault policy write admin - <<POLICY
-              path "*" {
-                capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-              }
-              POLICY
-
-              # Create admin role
-              echo "Creating admin role..."
-              vault write auth/oidc/role/admin \
-                user_claim="sub" \
-                groups_claim="" \
-                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
-                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
-                token_policies="admin" \
-                token_ttl="1h" \
-                token_max_ttl="24h"
-
-              echo "OIDC setup complete!"
-      tolerations:
-        - key: "node-role.kubernetes.io/control-plane"
-          operator: "Exists"
-          effect: "NoSchedule"