From 5f9573133ee4ed76b3707fbf942260a15d2ae40f Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Fri, 9 Jan 2026 20:10:36 +0900
Subject: [PATCH] FIX(authelia): configure OIDC claims and scopes

- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
---
 authelia/helm-values.yaml | 9 ++-
 external-secrets/helm-values.yaml | 8 +-
 vault/kustomization.yaml | 1 -
 vault/manifests/oidc-setup-job.yaml | 89 -----------------------------
 4 files changed, 11 insertions(+), 96 deletions(-)
 delete mode 100644 vault/manifests/oidc-setup-job.yaml

diff --git a/authelia/helm-values.yaml b/authelia/helm-values.yaml
index 9ed7a8a..56b67aa 100644
--- a/authelia/helm-values.yaml
+++ b/authelia/helm-values.yaml
@@ -122,6 +122,12 @@ configMap:
 use: 'sig'
 key:
 path: /secrets/jwks.pem
+ claims_policies:
+ default:
+ id_token:
+ - name
+ - preferred_username
+ - email
 cors:
 endpoints:
 - authorization
@@ -137,13 +143,13 @@ configMap:
 path: /secrets/HEADLAMP_CLIENT_SECRET
 public: false
 authorization_policy: one_factor
+ claims_policy: default
 redirect_uris:
 - https://kubernetes0213.kro.kr/oidc-callback
 scopes:
 - openid
 - profile
 - email
- - groups
 token_endpoint_auth_method: client_secret_basic
 - client_id: vault
 client_name: Vault
@@ -158,7 +164,6 @@ configMap:
 - openid
 - profile
 - email
- - groups
 token_endpoint_auth_method: client_secret_post

 # Secret configuration - use existing secret from Vault
diff --git a/external-secrets/helm-values.yaml b/external-secrets/helm-values.yaml
index 0dfcab9..0b28a09 100644
--- a/external-secrets/helm-values.yaml
+++ b/external-secrets/helm-values.yaml
@@ -8,10 +8,10 @@ replicaCount: 2
 resources:
 requests:
 cpu: 5m # Reduced from 20m based on actual usage (1m)
- memory: 64Mi
+ memory: 128Mi
 limits:
 # cpu: removed to prevent throttling
- memory: 64Mi
+ memory: 128Mi

 # 동시 실행 제한
 concurrent: 3
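Review bot: Dropping `- groups` from the headlamp client's scopes (and from the vault client in the third hunk) removes the claim that Kubernetes RBAC bindings keyed on OIDC groups depend on, so any ClusterRoleBinding whose subject is a group stops matching and authorization silently falls back to per-user bindings. The stated reason "not provided by Authelia" looks doubtful: Authelia documents a `groups` scope, and the more likely cause is that the `groups` claim is not placed in the ID token unless the claims policy lists it. If group-based access is wanted, keep the scope and add `- groups` under `claims_policies.default.id_token` in the first hunk; if it is deliberately not wanted, record that beside the scopes list, e.g. `# groups intentionally omitted: RBAC is bound per user`. `claims_policy: default` is attached only to the headlamp client while the vault client gets none, which may be intended but deserves a comment. The enclosing mapping under `configMap:` starts outside these hunks.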
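Review bot: The memory increase from `64Mi` to `128Mi` in both `requests` and `limits` records no reason, while the `cpu` line directly above keeps an inline note of the observed usage that justified its value; the same applies to the webhook hunk. If the bump followed OOMKills or a measured peak, note it inline in the same form, e.g. `memory: 128Mi # raised from 64Mi: <observed peak or OOMKill — placeholder>`. This hunk also has no connection to the commit's `FIX(authelia)` subject and is not mentioned in its body, so it would be cleaner as a separate commit.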
@@ -29,10 +29,10 @@ webhook:
 resources:
 requests:
 cpu: 2m # Reduced from 10m based on actual usage (1m)
- memory: 64Mi
+ memory: 128Mi
 limits:
 # cpu: removed to prevent throttling
- memory: 64Mi
+ memory: 128Mi
 # Affinity - Soft Anti-Affinity to spread pods across nodes
 affinity:
 podAntiAffinity:
diff --git a/vault/kustomization.yaml b/vault/kustomization.yaml
index 397a4cc..ba15028 100644
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
@@ -5,4 +5,3 @@ resources:
 - manifests/external-secret.yaml
 - manifests/rbac.yaml
 - manifests/oidc-secret.yaml
-- manifests/oidc-setup-job.yaml
diff --git a/vault/manifests/oidc-setup-job.yaml b/vault/manifests/oidc-setup-job.yaml
deleted file mode 100644
index cfa602f..0000000
--- a/vault/manifests/oidc-setup-job.yaml
+++ /dev/null
@@ -1,89 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: vault-oidc-setup - namespace: vault - annotations: - argocd.argoproj.io/hook: PostSync - argocd.argoproj.io/hook-delete-policy: BeforeHookCreation -spec: - ttlSecondsAfterFinished: 300 - template: - spec: - serviceAccountName: vault - restartPolicy: OnFailure - containers: - - name: vault-oidc-setup - image: hashicorp/vault:1.17.2 - env: - - name: VAULT_ADDR - value: "http://vault.vault.svc.cluster.local:8200" - - name: VAULT_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: vault-oidc-secret - key: VAULT_CLIENT_SECRET - command: - - /bin/sh - - -c - - | - set -e - - # Login with Kubernetes auth - echo "Logging in with Kubernetes auth..." - VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \ - role=vault-setup \ - jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)) - export VAULT_TOKEN - - # Check if OIDC is already enabled - if vault auth list | grep -q "oidc/"; then - echo "OIDC auth method already enabled" - else - echo "Enabling OIDC auth method..." - vault auth enable oidc - fi - - # Configure OIDC with Authelia - echo "Configuring OIDC..." - vault write auth/oidc/config \ - oidc_discovery_url="https://auth0213.kro.kr" \ - oidc_client_id="vault" \ - oidc_client_secret="${VAULT_CLIENT_SECRET}" \ - default_role="default" - - # Create default role - echo "Creating default role..." - vault write auth/oidc/role/default \ - user_claim="sub" \ - groups_claim="" \ - allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \ - allowed_redirect_uris="http://localhost:8250/oidc/callback" \ - token_policies="admin" \ - token_ttl="1h" \ - token_max_ttl="24h" - - # Create admin policy - echo "Creating admin policy..." - vault policy write admin - <