From e4fb804b3d6f2388276d284c77385deeb954c827 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Fri, 2 Jan 2026 19:30:02 +0900
Subject: [PATCH] FEAT(headlamp): enable authelia oidc provider - with headlamp client

- Add OIDC identity provider configuration
- Add Headlamp as OIDC client
- Update ExternalSecret for OIDC secrets (HMAC, JWKS, Headlamp client secret)
---
 authelia/helm-values.yaml | 27 +++++++++++++++++++++++++++
 authelia/vault/authelia-secrets.yaml | 15 +++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/authelia/helm-values.yaml b/authelia/helm-values.yaml
index 677f3fa..3a92b6c 100644
--- a/authelia/helm-values.yaml
+++ b/authelia/helm-values.yaml
@@ -71,6 +71,33 @@ configMap:
 enabled: true
 issuer: mayne.kro.kr
+ # OIDC Identity Provider
+ identity_providers:
+ oidc:
+ enabled: true
+ cors:
+ endpoints:
+ - authorization
+ - token
+ - revocation
+ - introspection
+ - userinfo
+ allowed_origins_from_client_redirect_uris: true
+ clients:
+ - client_id: headlamp
+ client_name: Headlamp
+ client_secret: '$plaintext${{ secret "HEADLAMP_CLIENT_SECRET" }}'
+ public: false
+ authorization_policy: one_factor
+ redirect_uris:
+ - https://kubernetes0213.kro.kr/oidc-callback
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ token_endpoint_auth_method: client_secret_post
+
 # Secret configuration - use existing secret from Vault
 secret:
 existingSecret: authelia-secrets
diff --git a/authelia/vault/authelia-secrets.yaml b/authelia/vault/authelia-secrets.yaml
index fc08b1e..78fcbb9 100644
--- a/authelia/vault/authelia-secrets.yaml
+++ b/authelia/vault/authelia-secrets.yaml
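Review bot: The Headlamp entry under `clients` stores its credential as a `$plaintext$` secret, yet with `token_endpoint_auth_method: client_secret_post` Authelia can verify a hashed client secret, and the plaintext form is only needed for `client_secret_jwt`. Keep the pbkdf2/argon2 digest in Vault instead (Authelia's `authelia crypto hash generate` produces it) and reference it as `client_secret: '{{ secret "HEADLAMP_CLIENT_SECRET" }}'` without the prefix, so neither the Vault entry nor the rendered configuration yields the credential Headlamp presents. The `{{ secret ... }}` expansion also presumably depends on the chart enabling Authelia's template configuration filter; if it is not enabled, the literal string would be accepted as the secret, which is worth verifying once after deployment. Because Headlamp brokers access to the cluster, it is also worth deciding whether `authorization_policy: one_factor` is adequate for this client or whether `two_factor` should be required.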
@@ -32,3 +32,18 @@ spec:
 remoteRef:
 key: cluster-infrastructure/authelia
 property: JWT_HMAC_KEY
+ # OIDC HMAC secret
+ - secretKey: identity_providers.oidc.hmac.secret
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: OIDC_HMAC_SECRET
+ # OIDC JWKS private key
+ - secretKey: identity_providers.oidc.jwks.key
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: OIDC_JWKS_PRIVATE_KEY
+ # Headlamp OIDC client secret
+ - secretKey: HEADLAMP_CLIENT_SECRET
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: HEADLAMP_CLIENT_SECRET
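Review bot: The three new entries do not tell a maintainer what has to be provisioned in Vault, in particular that `identity_providers.oidc.jwks.key` must be an RSA private key in PEM form of at least 2048 bits, which Authelia requires for OIDC token signing, and that `OIDC_HMAC_SECRET` should be a long random string. Extend the comments to `# OIDC JWKS private key (RSA, PEM, >= 2048 bits)` and `# OIDC HMAC secret (long random string)` so the properties are populated correctly the first time; the dotted key names are presumably mapped to configuration settings by the chart, so confirm them against the chart version in use. The key names mix that dotted style with `HEADLAMP_CLIENT_SECRET`; if the latter is intentionally consumed by Authelia's `{{ secret "HEADLAMP_CLIENT_SECRET" }}` template function rather than by the chart's secret-to-config mapping, say so, e.g. `# Headlamp OIDC client secret (read via the secret template function, not mapped by the chart)`. The `data` list this hunk extends begins outside the hunk.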