NetBox with SSO

with-sso-gitlab.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  name: netbox
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: netbox
  namespace: netbox
spec:
  repo: https://charts.boo.tc
  chart: netbox
  version: 4.1.0
  targetNamespace: netbox
  valuesContent: |-
    image:
      tag: v3.2.7

    # ...
    
    remoteAuth:
      enabled: true
      backend: social_core.backends.gitlab.GitLabOAuth2
      autoCreateUser: true

    extraConfig:
      - secret:
          secretName: gitlab-client
      - values:
          SOCIAL_AUTH_PIPELINE:
            [
              "social_core.pipeline.social_auth.social_details",
              "social_core.pipeline.social_auth.social_uid",
              "social_core.pipeline.social_auth.social_user",
              "social_core.pipeline.user.get_username",
              "social_core.pipeline.social_auth.associate_by_email",
              "social_core.pipeline.user.create_user",
              "social_core.pipeline.social_auth.associate_user",
              "netbox.authentication.user_default_groups_handler",
              "social_core.pipeline.social_auth.load_extra_data",
              "social_core.pipeline.user.user_details",
              "netbox.sso_pipeline_roles.set_role",
            ]

    extraVolumes:
      - name: sso-pipeline-roles
        configMap:
          name: sso-pipeline-roles
    extraVolumeMounts:
      - name: sso-pipeline-roles
        mountPath: /opt/netbox/netbox/netbox/sso_pipeline_roles.py
        subPath: sso_pipeline_roles.py
        readOnly: true

---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-client
  namespace: netbox
type: Opaque
stringData:
  oidc-gitlab.yaml: |
    SOCIAL_AUTH_GITLAB_API_URL: https://git.example.com
    SOCIAL_AUTH_GITLAB_AUTHORIZATION_URL: https://git.example.com/oauth/authorize
    SOCIAL_AUTH_GITLAB_ACCESS_TOKEN_URL: https://git.example.com/oauth/token
    SOCIAL_AUTH_GITLAB_KEY: <OAUTH_CLIENT_ID>
    SOCIAL_AUTH_GITLAB_SECRET: <OAUTH_CLIENT_SECRET>
    SOCIAL_AUTH_GITLAB_SCOPE: ['read_user', 'openid']

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sso-pipeline-roles
  namespace: netbox
data:
  sso_pipeline_roles.py: |
    from django.contrib.auth.models import Group

    import jwt
    from jwt import PyJWKClient

    def set_role(response, user, backend, *args, **kwargs):
      jwks_client = PyJWKClient("https://git.example.com/oauth/discovery/keys")
      signing_key = jwks_client.get_signing_key_from_jwt(response['id_token'])

      decoded = jwt.decode(
          response['id_token'],
          signing_key.key,
          algorithms=["RS256"],
          audience="<OAUTH_CLIENT_ID>",
      )

      roles = []
      try:
        roles = decoded.get('groups_direct')
      except KeyError:
        pass

      user.is_staff = ('network' in roles)
      user.is_superuser = ('network' in roles)
      user.save()

      groups = Group.objects.all()

      for group in groups:
        try:
          if group.name in roles:
            group.user_set.add(user)
          else:
            group.user_set.remove(user)
        except Group.DoesNotExist:
          continue

with-sso-keycloak.yaml

apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: netbox
  namespace: flux-system
spec:
  interval: 10m0s
  url: https://charts.boo.tc

---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: netbox
  namespace: flux-system
spec:
  releaseName: netbox
  interval: 10m0s
  chart:
    spec:
      chart: netbox
      sourceRef:
        kind: HelmRepository
        name: netbox
        namespace: flux-system
      version: 4.1.0
  targetNamespace: netbox
  values:
    image:
      repository: netboxcommunity/netbox
      tag: v3.2.7-2.1.0

    # ...

    remoteAuth:
      enabled: true
      backend: social_core.backends.keycloak.KeycloakOAuth2
      autoCreateUser: true

    extraConfig:
      - secret:
          secretName: keycloak-client
      - values:
          SOCIAL_AUTH_PIPELINE:
            [
              "social_core.pipeline.social_auth.social_details",
              "social_core.pipeline.social_auth.social_uid",
              "social_core.pipeline.social_auth.social_user",
              "social_core.pipeline.user.get_username",
              "social_core.pipeline.social_auth.associate_by_email",
              "social_core.pipeline.user.create_user",
              "social_core.pipeline.social_auth.associate_user",
              "netbox.authentication.user_default_groups_handler",
              "social_core.pipeline.social_auth.load_extra_data",
              "social_core.pipeline.user.user_details",
              "netbox.sso_pipeline_roles.set_role",
            ]

    extraVolumes:
      - name: sso-pipeline-roles
        configMap:
          name: sso-pipeline-roles
    extraVolumeMounts:
      - name: sso-pipeline-roles
        mountPath: /opt/netbox/netbox/netbox/sso_pipeline_roles.py
        subPath: sso_pipeline_roles.py
        readOnly: true

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sso-pipeline-roles
  namespace: netbox
data:
  sso_pipeline_roles.py: |
    from django.contrib.auth.models import Group

    def set_role(response, user, backend, *args, **kwargs):
      client_id = 'netbox'
      roles = []

      try:
        roles = response['resource_access'][client_id]['roles']
      except KeyError:
        pass

      user.is_staff = ('admin' in roles)
      user.is_superuser = ('superuser' in roles)
      user.save()

      groups = Group.objects.all()

      for group in groups:
        try:
          if group.name in roles:
            group.user_set.add(user)
          else:
            group.user_set.remove(user)
        except Group.DoesNotExist:
          continue