FEAT(headlamp): enable authelia oidc provider

- with headlamp client
- Add OIDC identity provider configuration
- Add Headlamp as OIDC client
- Update ExternalSecret for OIDC secrets (HMAC, JWKS, Headlamp client
  secret)

authelia/helm-values.yaml

@@ -71,6 +71,33 @@ configMap:
     enabled: true
     issuer: mayne.kro.kr
 
+  # OIDC Identity Provider
+  identity_providers:
+    oidc:
+      enabled: true
+      cors:
+        endpoints:
+          - authorization
+          - token
+          - revocation
+          - introspection
+          - userinfo
+        allowed_origins_from_client_redirect_uris: true
+      clients:
+        - client_id: headlamp
+          client_name: Headlamp
+          client_secret: '$plaintext${{ secret "HEADLAMP_CLIENT_SECRET" }}'
+          public: false
+          authorization_policy: one_factor
+          redirect_uris:
+            - https://kubernetes0213.kro.kr/oidc-callback
+          scopes:
+            - openid
+            - profile
+            - email
+            - groups
+          token_endpoint_auth_method: client_secret_post
+
 # Secret configuration - use existing secret from Vault
 secret:
   existingSecret: authelia-secrets

authelia/vault/authelia-secrets.yaml

@@ -32,3 +32,18 @@ spec:
       remoteRef:
         key: cluster-infrastructure/authelia
         property: JWT_HMAC_KEY
+    # OIDC HMAC secret
+    - secretKey: identity_providers.oidc.hmac.secret
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: OIDC_HMAC_SECRET
+    # OIDC JWKS private key
+    - secretKey: identity_providers.oidc.jwks.key
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: OIDC_JWKS_PRIVATE_KEY
+    # Headlamp OIDC client secret
+    - secretKey: HEADLAMP_CLIENT_SECRET
+      remoteRef:
+        key: cluster-infrastructure/authelia
+        property: HEADLAMP_CLIENT_SECRET