FEAT(authelia): add Vault as OIDC client in Authelia

- Add Vault OIDC client configuration
- Add VAULT_CLIENT_SECRET to ExternalSecret
- Mount VAULT_CLIENT_SECRET in pod

authelia/helm-values.yaml

@@ -24,6 +24,8 @@ pod:
         items:
           - key: HEADLAMP_CLIENT_SECRET
             path: HEADLAMP_CLIENT_SECRET
+          - key: VAULT_CLIENT_SECRET
+            path: VAULT_CLIENT_SECRET
           - key: identity_providers.oidc.jwks.key
             path: jwks.pem
   extraVolumeMounts:
@@ -35,6 +37,10 @@ pod:
       mountPath: /secrets/HEADLAMP_CLIENT_SECRET
       subPath: HEADLAMP_CLIENT_SECRET
       readOnly: true
+    - name: oidc-secrets
+      mountPath: /secrets/VAULT_CLIENT_SECRET
+      subPath: VAULT_CLIENT_SECRET
+      readOnly: true
     - name: oidc-secrets
       mountPath: /secrets/jwks.pem
       subPath: jwks.pem
@@ -120,6 +126,21 @@ configMap:
             - email
             - groups
           token_endpoint_auth_method: client_secret_post
+        - client_id: vault
+          client_name: Vault
+          client_secret:
+            path: /secrets/VAULT_CLIENT_SECRET
+          public: false
+          authorization_policy: one_factor
+          redirect_uris:
+            - https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback
+            - http://localhost:8250/oidc/callback
+          scopes:
+            - openid
+            - profile
+            - email
+            - groups
+          token_endpoint_auth_method: client_secret_post
 
 # Secret configuration - use existing secret from Vault
 secret:

authelia/vault/authelia-secrets.yaml

@@ -47,3 +47,8 @@ spec:
       remoteRef:
         key: cluster-infrastructure/authelia
         property: HEADLAMP_CLIENT_SECRET
+    # Vault OIDC client secret
+    - secretKey: VAULT_CLIENT_SECRET
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: VAULT_CLIENT_SECRET