Add example overlay for netbox-lars namespace
Deploy netbox behind an oauth2 proxy configured to authenticate
against the MOC keycloak instance.

Deploys into the netbox-lars namespace. The changes in
overlays/lars-devel-2 should ultimately be moved over to the ocp-prod
overlay (if we think they make sense), and this commit should probably
just be discarded.

This uses a patched netbox image that includes a solution for
netbox-community/netbox#7671.
larsks committed Oct 28, 2021
1 parent aec61fd commit 2e1766f
Showing 9 changed files with 149 additions and 0 deletions.
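--- a/netbox/overlays/lars-devel-2/config/extra.py
+++ b/netbox/overlays/lars-devel-2/config/extra.py
@@ -0,0 +1,12 @@
+CORS_ORIGIN_ALLOW_ALL = True
+LOGIN_REQUIRED = True
+REMOTE_AUTH_AUTO_CREATE_GROUPS = True
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_ENABLED = True
+REMOTE_AUTH_GROUP_HEADER = 'HTTP_X_FORWARDED_GROUPS'
+REMOTE_AUTH_GROUP_SEPARATOR = ','
+REMOTE_AUTH_GROUP_SYNC_ENABLED = True
+REMOTE_AUTH_HEADER = 'HTTP_X_FORWARDED_PREFERRED_USERNAME'
+REMOTE_AUTH_STAFF_GROUPS = ['netbox-admin']
+REMOTE_AUTH_SUPERUSER_GROUPS = ['netbox-admin']
+SKIP_SUPERUSER = True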
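Review bot: With `REMOTE_AUTH_ENABLED`, NetBox logs in whoever is named in `HTTP_X_FORWARDED_PREFERRED_USERNAME`, and `REMOTE_AUTH_AUTO_CREATE_USER` together with `REMOTE_AUTH_SUPERUSER_GROUPS = ['netbox-admin']` turns a forwarded groups header naming `netbox-admin` into a freshly created superuser, so every path to the netbox container's port 8080 has to pass through the sidecar. deployments/netbox_oauth_patch.yaml only points the proxy at `http://localhost:8080` and services/netbox_patch.yaml re-targets the Service at 8081; nothing in this commit prevents other pods from reaching the pod IP on 8080 directly (unless a NetworkPolicy outside this overlay already does), and whether oauth2-proxy v7.2.0 replaces rather than appends client-supplied `X-Forwarded-*` headers should be confirmed as well. A NetworkPolicy for the namespace belongs in this overlay, and the trust assumption should be recorded at the top of this file: `# Headers below are trusted unconditionally: port 8080 must only be reachable through the oauth2-proxy sidecar.`. `CORS_ORIGIN_ALLOW_ALL = True` is broader than a single-host deployment needs; `CORS_ORIGIN_WHITELIST = ['https://netbox-netbox-lars.apps.ocp-prod.massopen.cloud']` would do. `SKIP_SUPERUSER` is read by the netbox-docker entrypoint from the container environment, not from Django settings, so as a line in extra.py it is probably inert — confirm against the image's entrypoint and, if so, set it as an env var on the netbox container instead.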
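--- a/netbox/overlays/lars-devel-2/deployments/netbox_config_patch.yaml
+++ b/netbox/overlays/lars-devel-2/deployments/netbox_config_patch.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: netbox
+spec:
+template:
+spec:
+containers:
+- name: netbox
+envFrom: &envFrom
+- secretRef:
+name: netbox-secret
+volumeMounts: &volumeMounts
+- name: netbox-config
+mountPath: /etc/netbox/config/extra.py
+subPath: extra.py
+- name: netbox-worker
+envFrom: *envFrom
+volumeMounts: *volumeMounts
+- name: netbox-housekeeping
+envFrom: *envFrom
+volumeMounts: *volumeMounts
+volumes:
+- name: netbox-config
+configMap:
+name: netbox-config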
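Review bot: `envFrom: secretRef: netbox-secret` puts every key of that secret — `DB_PASSWORD`, `SECRET_KEY`, `SUPERUSER_API_TOKEN`, `SUPERUSER_PASSWORD` — into the environment of the worker and housekeeping containers as well as the main one, although the superuser values are only needed (if at all) by the netbox container's entrypoint; explicit `env`/`valueFrom.secretKeyRef` entries per container, as deployments/postgres_config_patch.yaml already does for `POSTGRES_PASSWORD`, would keep the superuser credentials out of processes that never read them. The `&envFrom`/`&volumeMounts` anchors save repetition, but YAML anchors are not honoured by all Kubernetes tooling; confirm that `kustomize build` with the version in use expands them inside a strategic-merge patch, since the rendered output rather than this file is what the API server receives. The `subPath` mount of extra.py does not pick up in-place ConfigMap updates; that is acceptable here only because configMapGenerator's name hash rolls the Deployment on change, and a comment would spare the next reader the investigation: `# subPath mounts do not track ConfigMap updates; the generator's name hash forces a rollout instead`.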
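--- a/netbox/overlays/lars-devel-2/deployments/netbox_oauth_patch.yaml
+++ b/netbox/overlays/lars-devel-2/deployments/netbox_oauth_patch.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: netbox
+spec:
+template:
+spec:
+containers:
+- name: oauth2-proxy
+image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
+ports:
+- containerPort: 8081
+name: netbox-auth
+envFrom:
+- configMapRef:
+name: oauth2-config
+- secretRef:
+name: oauth2-secret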
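Review bot: The sidecar image `quay.io/oauth2-proxy/oauth2-proxy:v7.2.0` is pinned by tag only; since this container is the authentication boundary for the whole pod, pin it by digest as well (`image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0@sha256:<digest-of-the-reviewed-build>`) so a re-pushed tag cannot silently change what runs. The container also declares no `readinessProbe`, `resources` or `securityContext`; because services/netbox_patch.yaml now targets this port, a proxy that is not yet listening makes netbox appear down, and a readiness probe on oauth2-proxy's `/ping` endpoint keeps the pod out of the Service until the proxy is up. The rest of the Deployment (the netbox containers and volumes) lives in the base and in netbox_config_patch.yaml, so only the sidecar is shown below.
```yaml
- name: oauth2-proxy
  image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0@sha256:<digest-of-the-reviewed-build>
  # … unchanged: ports, envFrom …
  readinessProbe:
    httpGet:
      path: /ping
      port: netbox-auth
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
```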
@@ -0,0 +1,15 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres
spec:
template:
spec:
containers:
- name: postgres
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: netbox-secret
key: DB_PASSWORD
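Review bot: `POSTGRES_PASSWORD` taken from `netbox-secret`/`DB_PASSWORD` is, for the common postgres images, only honoured when the data directory is initialised; if the PVC in this namespace already holds a cluster, rotating the key in Secrets Manager changes what netbox sends but not what postgres accepts. The base postgres Deployment and its image are not part of this change, so whether it behaves this way is not visible here and should be confirmed. Either way a comment on this patch would save the next debugging session: `# POSTGRES_PASSWORD is applied only on first initdb of an empty data directory`.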
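--- a/netbox/overlays/lars-devel-2/externalsecrets/netbox-secret.yaml
+++ b/netbox/overlays/lars-devel-2/externalsecrets/netbox-secret.yaml
@@ -0,0 +1,15 @@
+apiVersion: "kubernetes-client.io/v1"
+kind: ExternalSecret
+metadata:
+name: netbox-secret
+spec:
+backendType: secretsManager
+data:
+- key: cluster/ocp-prod/netbox/postgres_password
+name: DB_PASSWORD
+- key: cluster/ocp-prod/netbox/secret_key
+name: SECRET_KEY
+- key: cluster/ocp-prod/netbox/superuser_api_token
+name: SUPERUSER_API_TOKEN
+- key: cluster/ocp-prod/netbox/superuser_password
+name: SUPERUSER_PASSWORD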
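Review bot: This overlay deploys to the `netbox-lars` namespace, yet every `key` is under `cluster/ocp-prod/netbox/`, so the throwaway instance the commit message describes runs its own postgres initialised with production's database password, signs its sessions with production's Django `SECRET_KEY`, and carries the production superuser credentials; a compromise of the test namespace then exposes the production values. Give it its own Secrets Manager paths (for example `cluster/ocp-prod/netbox-lars/...` — a placeholder, pick the team's convention), or if reuse is deliberate, say so where the next reader will look: `# Intentionally reuses the ocp-prod netbox secrets; remove before this overlay outlives the experiment`.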
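--- a/netbox/overlays/lars-devel-2/externalsecrets/oauth2-secret.yaml
+++ b/netbox/overlays/lars-devel-2/externalsecrets/oauth2-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: "kubernetes-client.io/v1"
+kind: ExternalSecret
+metadata:
+name: oauth2-secret
+spec:
+backendType: secretsManager
+data:
+- key: cluster/ocp-prod/netbox/sso-clientsecret-moc-testing
+name: OAUTH2_PROXY_CLIENT_SECRET
+- key: cluster/ocp-prod/netbox/oauth2-cookie-secret
+name: OAUTH2_PROXY_COOKIE_SECRET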
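--- a/netbox/overlays/lars-devel-2/kustomization.yaml
+++ b/netbox/overlays/lars-devel-2/kustomization.yaml
@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: netbox-lars
+commonLabels:
+app: netbox
+
+resources:
+- ../../base
+- externalsecrets/netbox-secret.yaml
+- externalsecrets/oauth2-secret.yaml
+
+configMapGenerator:
+- name: netbox-config
+files:
+- config/extra.py
+- name: oauth2-config
+envs:
+- oauth2.env
+
+patches:
+- path: deployments/netbox_oauth_patch.yaml
+- path: deployments/netbox_config_patch.yaml
+- path: services/netbox_patch.yaml
+- path: deployments/postgres_config_patch.yaml
+
+images:
+- name: quay.io/netboxcommunity/netbox
+newName: quay.io/larsks/netbox
+newTag: remote-group-autocreate-1.4.1-4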
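Review bot: The `images` override replaces `quay.io/netboxcommunity/netbox` with `quay.io/larsks/netbox:remote-group-autocreate-1.4.1-4`, a personal registry namespace referenced by a mutable tag, so whoever can push to that namespace decides which NetBox code runs in the cluster. Pin the replacement by content as well — `digest: sha256:<digest-of-the-reviewed-build>` on the same entry, which kustomize's images transformer honours — and record the build source in a comment so the fork can be rebuilt or retired when upstream ships the fix, e.g. `# patched netboxcommunity/netbox carrying a fix for netbox-community/netbox#7671; Dockerfile/branch: <repo url>`.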
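--- a/netbox/overlays/lars-devel-2/oauth2.env
+++ b/netbox/overlays/lars-devel-2/oauth2.env
@@ -0,0 +1,12 @@
+OAUTH2_PROXY_CLIENT_ID=netbox
+OAUTH2_PROXY_EMAIL_DOMAINS=*
+OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:8081
+OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=1
+OAUTH2_PROXY_OIDC_ISSUER_URL=https://sso.massopen.cloud/auth/realms/moc-testing
+OAUTH2_PROXY_PASS_USER_HEADERS=1
+OAUTH2_PROXY_PROVIDER=keycloak-oidc
+OAUTH2_PROXY_REDIRECT_URL=https://netbox-netbox-lars.apps.ocp-prod.massopen.cloud/oauth2/callback
+OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://redis
+OAUTH2_PROXY_SCOPE=openid
+OAUTH2_PROXY_SESSION_STORE_TYPE=redis
+OAUTH2_PROXY_UPSTREAMS=http://localhost:8080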
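Review bot: `OAUTH2_PROXY_EMAIL_DOMAINS=*` combined with `REMOTE_AUTH_AUTO_CREATE_USER = True` in config/extra.py means any account in the `moc-testing` realm gets a NetBox account on first visit; if access is meant to be limited, `OAUTH2_PROXY_ALLOWED_GROUPS=<group-list>` enforces that at the proxy instead of relying on NetBox's default empty permissions. `OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=1` deserves a comment stating why it is acceptable here, e.g. `# e-mail is not used for authorization (username/groups headers are); realm accounts may lack a verified e-mail`. The session store `redis://redis` is reached without a password or TLS (nothing here sets `OAUTH2_PROXY_REDIS_PASSWORD`), so anything on the pod network that can open that redis can read or forge proxy sessions; if that is NetBox's own redis from the base, a dedicated instance or at least a password is worth considering, and the choice should be noted next to the URL.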
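--- a/netbox/overlays/lars-devel-2/services/netbox_patch.yaml
+++ b/netbox/overlays/lars-devel-2/services/netbox_patch.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: netbox
+spec:
+selector:
+component: netbox
+ports:
+- protocol: TCP
+port: 8080
+targetPort: netbox-auth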
