NetBox with SSO
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: netbox
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: netbox
  namespace: netbox
spec:
  repo: https://charts.boo.tc
  chart: netbox
  version: 4.1.0
  targetNamespace: netbox
  valuesContent: |-
    image:
      tag: v3.2.7
    # ...
    remoteAuth:
      enabled: true
      backend: social_core.backends.gitlab.GitLabOAuth2
      autoCreateUser: true
    extraConfig:
      - secret:
          secretName: gitlab-client
      - values:
          SOCIAL_AUTH_PIPELINE:
            [
              "social_core.pipeline.social_auth.social_details",
              "social_core.pipeline.social_auth.social_uid",
              "social_core.pipeline.social_auth.social_user",
              "social_core.pipeline.user.get_username",
              "social_core.pipeline.social_auth.associate_by_email",
              "social_core.pipeline.user.create_user",
              "social_core.pipeline.social_auth.associate_user",
              "netbox.authentication.user_default_groups_handler",
              "social_core.pipeline.social_auth.load_extra_data",
              "social_core.pipeline.user.user_details",
              "netbox.sso_pipeline_roles.set_role",
            ]
    extraVolumes:
      - name: sso-pipeline-roles
        configMap:
          name: sso-pipeline-roles
    extraVolumeMounts:
      - name: sso-pipeline-roles
        mountPath: /opt/netbox/netbox/netbox/sso_pipeline_roles.py
        subPath: sso_pipeline_roles.py
        readOnly: true
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-client
  namespace: netbox
type: Opaque
stringData:
  oidc-gitlab.yaml: |
    SOCIAL_AUTH_GITLAB_API_URL: https://git.example.com
    SOCIAL_AUTH_GITLAB_AUTHORIZATION_URL: https://git.example.com/oauth/authorize
    SOCIAL_AUTH_GITLAB_ACCESS_TOKEN_URL: https://git.example.com/oauth/token
    SOCIAL_AUTH_GITLAB_KEY: <OAUTH_CLIENT_ID>
    SOCIAL_AUTH_GITLAB_SECRET: <OAUTH_CLIENT_SECRET>
    SOCIAL_AUTH_GITLAB_SCOPE: ['read_user', 'openid']
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sso-pipeline-roles
  namespace: netbox
data:
  sso_pipeline_roles.py: |
    from django.contrib.auth.models import Group
    import jwt
    from jwt import PyJWKClient


    def set_role(response, user, backend, *args, **kwargs):
        # Fetch GitLab's signing key and verify the ID token's signature and
        # audience before any claim in it is used for authorization decisions.
        jwks_client = PyJWKClient("https://git.example.com/oauth/discovery/keys")
        signing_key = jwks_client.get_signing_key_from_jwt(response['id_token'])
        decoded = jwt.decode(
            response['id_token'],
            signing_key.key,
            algorithms=["RS256"],
            audience="<OAUTH_CLIENT_ID>",
        )
        # dict.get() never raises KeyError; default to [] so that a missing
        # claim revokes every privilege instead of failing on `'x' in None`.
        roles = decoded.get('groups_direct') or []
        # Direct membership in the GitLab group "network" grants staff and
        # superuser rights; anything else gets neither.
        user.is_staff = ('network' in roles)
        user.is_superuser = ('network' in roles)
        user.save()
        # Mirror the IdP groups onto NetBox groups on every login: add the user
        # to each group named in the token and remove them from all others.
        for group in Group.objects.all():
            if group.name in roles:
                group.user_set.add(user)
            else:
                group.user_set.remove(user)
```
```yaml
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: netbox
  namespace: flux-system
spec:
  interval: 10m0s
  url: https://charts.boo.tc
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: netbox
  namespace: flux-system
spec:
  releaseName: netbox
  interval: 10m0s
  chart:
    spec:
      chart: netbox
      sourceRef:
        kind: HelmRepository
        name: netbox
        namespace: flux-system
      version: 4.1.0
  targetNamespace: netbox
  values:
    image:
      repository: netboxcommunity/netbox
      tag: v3.2.7-2.1.0
    # ...
    remoteAuth:
      enabled: true
      backend: social_core.backends.keycloak.KeycloakOAuth2
      autoCreateUser: true
    extraConfig:
      - secret:
          secretName: keycloak-client
      - values:
          SOCIAL_AUTH_PIPELINE:
            [
              "social_core.pipeline.social_auth.social_details",
              "social_core.pipeline.social_auth.social_uid",
              "social_core.pipeline.social_auth.social_user",
              "social_core.pipeline.user.get_username",
              "social_core.pipeline.social_auth.associate_by_email",
              "social_core.pipeline.user.create_user",
              "social_core.pipeline.social_auth.associate_user",
              "netbox.authentication.user_default_groups_handler",
              "social_core.pipeline.social_auth.load_extra_data",
              "social_core.pipeline.user.user_details",
              "netbox.sso_pipeline_roles.set_role",
            ]
    extraVolumes:
      - name: sso-pipeline-roles
        configMap:
          name: sso-pipeline-roles
    extraVolumeMounts:
      - name: sso-pipeline-roles
        mountPath: /opt/netbox/netbox/netbox/sso_pipeline_roles.py
        subPath: sso_pipeline_roles.py
        readOnly: true
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sso-pipeline-roles
  namespace: netbox
data:
  sso_pipeline_roles.py: |
    from django.contrib.auth.models import Group


    def set_role(response, user, backend, *args, **kwargs):
        # With the social_core Keycloak backend, `response` carries the decoded
        # access-token claims; client roles sit under resource_access.<client>.roles.
        client_id = 'netbox'
        roles = []
        try:
            roles = response['resource_access'][client_id]['roles']
        except KeyError:
            # No roles for this client: keep [] so every privilege and group
            # membership is revoked rather than left as it was.
            pass
        user.is_staff = ('admin' in roles)
        user.is_superuser = ('superuser' in roles)
        user.save()
        # Mirror Keycloak client roles onto NetBox groups on every login.
        for group in Group.objects.all():
            if group.name in roles:
                group.user_set.add(user)
            else:
                group.user_set.remove(user)
```
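As an added example, not part of the gist: the role-mapping logic shared by both `sso_pipeline_roles.py` variants (GitLab `groups_direct` and Keycloak `resource_access.<client>.roles`), factored out of Django so it runs offline and shows the fail-closed behaviour when the claim is missing. The function names and the sample claims are constructed here.

```python
# Added example (not the gist's code): the claim-to-role mapping of both
# sso_pipeline_roles.py variants, without Django, so it can be run and tested.

def extract_roles(claims, backend, client_id="netbox"):
    """Return the IdP role list for the backend, or [] if the claim is absent.

    GitLab: ID-token claim 'groups_direct' lists the user's direct groups.
    Keycloak: access-token claim resource_access.<client_id>.roles lists
    client roles. A missing or malformed claim yields [] so that every
    privilege is revoked (fail closed) rather than left unchanged.
    """
    try:
        if backend == "gitlab":
            roles = claims["groups_direct"]
        elif backend == "keycloak":
            roles = claims["resource_access"][client_id]["roles"]
        else:
            return []
    except (KeyError, TypeError):
        return []
    return list(roles) if isinstance(roles, (list, tuple)) else []


def plan_user_update(roles, existing_groups, staff_role, superuser_role):
    """Compute what set_role() would apply to a Django user.

    existing_groups: names of all Group objects in NetBox. A group is added
    when its name appears in roles and removed otherwise, so membership
    mirrors the IdP on every login and a revoked role is dropped promptly.
    """
    roles = set(roles)
    return {
        "is_staff": staff_role in roles,
        "is_superuser": superuser_role in roles,
        "add": sorted(g for g in existing_groups if g in roles),
        "remove": sorted(g for g in existing_groups if g not in roles),
    }


# Constructed sample claims: a Keycloak access token and a GitLab ID token.
KEYCLOAK_CLAIMS = {"resource_access": {"netbox": {"roles": ["admin", "ops"]}}}
GITLAB_CLAIMS = {"groups_direct": ["network", "dev"]}
NETBOX_GROUPS = ["ops", "dev", "readonly"]  # constructed NetBox group names

if __name__ == "__main__":
    roles = extract_roles(KEYCLOAK_CLAIMS, "keycloak")
    print(plan_user_update(roles, NETBOX_GROUPS, "admin", "superuser"))
```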