authelia: Enable OIDC provider

Authelia can act as an Open ID Connect identity provider.  This allows
it to provide authentication/authorization for other applications
besides those inside the Kubernetes cluster using it for Ingress
authentication.

To start with, we'll configure an OIDC client for Jenkins.

authelia/authelia.yaml

@@ -81,6 +81,10 @@ spec:
           value: /run/authelia/secrets/session.secret
         - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
           value: /run/authelia/secrets/storage.encryption_key
+        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+          value: /run/authelia/secrets/oidc.hmac_secret
+        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
+          value: /run/authelia/secrets/oidc.issuer_private_key
         startupProbe:
           httpGet:
             port: 9091

authelia/configuration.yml

@@ -10,6 +10,23 @@ authentication_backend:
     url: ldaps://pyrocufflink.blue
     user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 
+identity_providers:
+  oidc:
+    clients:
+    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+      description: Jenkins
+      secret: >-
+        $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
+      redirect_uris:
+      - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
+      scopes:
+      - openid
+      - groups
+      - profile
+      - email
+      - offline_access
+      authorization_policy: one_factor
+
 log:
   level: trace
 

authelia/kustomization.yaml

@@ -20,5 +20,7 @@ secretGenerator:
   - ldap.password
   - session.secret
   - storage.encryption_key
+  - oidc.hmac_secret
+  - oidc.issuer_private_key
   options:
     disableNameSuffixHash: true