FIX(authelia): configure OIDC claims and scopes

- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)

authelia/helm-values.yaml

@@ -122,6 +122,12 @@ configMap:
           use: 'sig'
           key:
             path: /secrets/jwks.pem
+      claims_policies:
+        default:
+          id_token:
+            - name
+            - preferred_username
+            - email
       cors:
         endpoints:
           - authorization
@@ -137,13 +143,13 @@ configMap:
             path: /secrets/HEADLAMP_CLIENT_SECRET
           public: false
           authorization_policy: one_factor
+          claims_policy: default
           redirect_uris:
             - https://kubernetes0213.kro.kr/oidc-callback
           scopes:
             - openid
             - profile
             - email
-            - groups
           token_endpoint_auth_method: client_secret_basic
         - client_id: vault
           client_name: Vault
@@ -158,7 +164,6 @@ configMap:
             - openid
             - profile
             - email
-            - groups
           token_endpoint_auth_method: client_secret_post
 
 # Secret configuration - use existing secret from Vault

external-secrets/helm-values.yaml

@@ -8,10 +8,10 @@ replicaCount: 2
 resources:
   requests:
     cpu: 5m  # Reduced from 20m based on actual usage (1m)
-    memory: 64Mi
+    memory: 128Mi
   limits:
     # cpu: removed to prevent throttling
-    memory: 64Mi
+    memory: 128Mi
 
 # 동시 실행 제한
 concurrent: 3
@@ -29,10 +29,10 @@ webhook:
   resources:
     requests:
       cpu: 2m  # Reduced from 10m based on actual usage (1m)
-      memory: 64Mi
+      memory: 128Mi
     limits:
       # cpu: removed to prevent throttling
-      memory: 64Mi
+      memory: 128Mi
   # Affinity - Soft Anti-Affinity to spread pods across nodes
   affinity:
     podAntiAffinity:

vault/kustomization.yaml

@@ -5,4 +5,3 @@ resources:
 - manifests/external-secret.yaml
 - manifests/rbac.yaml
 - manifests/oidc-secret.yaml
-- manifests/oidc-setup-job.yaml

vault/manifests/oidc-setup-job.yaml

@@ -1,89 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: vault-oidc-setup
-  namespace: vault
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
-spec:
-  ttlSecondsAfterFinished: 300
-  template:
-    spec:
-      serviceAccountName: vault
-      restartPolicy: OnFailure
-      containers:
-        - name: vault-oidc-setup
-          image: hashicorp/vault:1.17.2
-          env:
-            - name: VAULT_ADDR
-              value: "http://vault.vault.svc.cluster.local:8200"
-            - name: VAULT_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: vault-oidc-secret
-                  key: VAULT_CLIENT_SECRET
-          command:
-            - /bin/sh
-            - -c
-            - |
-              set -e
-
-              # Login with Kubernetes auth
-              echo "Logging in with Kubernetes auth..."
-              VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
-                role=vault-setup \
-                jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
-              export VAULT_TOKEN
-
-              # Check if OIDC is already enabled
-              if vault auth list | grep -q "oidc/"; then
-                echo "OIDC auth method already enabled"
-              else
-                echo "Enabling OIDC auth method..."
-                vault auth enable oidc
-              fi
-
-              # Configure OIDC with Authelia
-              echo "Configuring OIDC..."
-              vault write auth/oidc/config \
-                oidc_discovery_url="https://auth0213.kro.kr" \
-                oidc_client_id="vault" \
-                oidc_client_secret="${VAULT_CLIENT_SECRET}" \
-                default_role="default"
-
-              # Create default role
-              echo "Creating default role..."
-              vault write auth/oidc/role/default \
-                user_claim="sub" \
-                groups_claim="" \
-                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
-                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
-                token_policies="admin" \
-                token_ttl="1h" \
-                token_max_ttl="24h"
-
-              # Create admin policy
-              echo "Creating admin policy..."
-              vault policy write admin - <<POLICY
-              path "*" {
-                capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-              }
-              POLICY
-
-              # Create admin role
-              echo "Creating admin role..."
-              vault write auth/oidc/role/admin \
-                user_claim="sub" \
-                groups_claim="" \
-                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
-                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
-                token_policies="admin" \
-                token_ttl="1h" \
-                token_max_ttl="24h"
-
-              echo "OIDC setup complete!"
-      tolerations:
-        - key: "node-role.kubernetes.io/control-plane"
-          operator: "Exists"
-          effect: "NoSchedule"