oidc support for openprject login

apps/openproject/templates/external-secret.yaml

@@ -12,6 +12,7 @@ spec:
     name: openproject-db-credentials
     creationPolicy: Owner
   data:
+
     - secretKey: postgres-password
       remoteRef:
         key: secret/apps/openproject
@@ -20,4 +21,14 @@ spec:
     - secretKey: password
       remoteRef:
         key: secret/apps/openproject
-        property: password
+        property: password
+
+    - secretKey: clientId
+      remoteRef:
+        key: secret/apps/openproject
+        property: oidc_client_id
+
+    - secretKey: clientSecret
+      remoteRef:
+        key: secret/apps/openproject
+        property: oidc_client_secret

apps/openproject/values.yaml

@@ -46,3 +46,26 @@ openproject:
   # 5. Memcached
   memcached:
     enabled: true
+
+  # OIDC Authentik Provider
+  oidc:
+    enabled: true
+    provider: "openproject"
+    displayName: "Authentik"
+    host: "https://auth.apps.k3s.stabify.de"
+    authorizationEndpoint: "https://auth.apps.k3s.stabify.de/application/o/authorize/"
+    tokenEndpoint: "https://auth.apps.k3s.stabify.de/application/o/token/"
+    userinfoEndpoint: "https://auth.apps.k3s.stabify.de/application/o/userinfo/"
+    endSessionEndpoint: "https://auth.apps.k3s.stabify.de/application/o/openproject/end-session/"
+    scope: "[openid]"
+
+    # Optional attribute mappings from the id token
+    attribute_map: {}
+
+    ## To avoid having sensitive credentials in your values.yaml, the preferred way is to
+    ## use an existing secret containing the OIDC compatible access credentials.
+    ## Specify the name of this existing secret here.
+    existingSecret:
+    secretKeys:
+      identifier: "clientId"
+      secret: "clientSecret"