---
# Secret containing the OIDC client secret referenced by the NetBoxEnterprise
# resource below (spec.netbox.config.auth.oidc.clientSecret).
apiVersion: v1
kind: Secret
metadata:
  name: netbox-oidc-azuread-secret
  namespace: default
type: Opaque
stringData:
  # Client secret from Azure AD app registration.
  # The value below is a placeholder, not a real secret. Supply the real value
  # out-of-band (e.g. `kubectl create secret generic` or a secrets operator)
  # rather than committing it to version control, and keep it quoted so a
  # number- or boolean-looking secret is not retyped by YAML tooling.
  clientSecret: "YourClientSecretHere"

---
# NetBoxEnterprise with Microsoft Entra ID (Azure AD) OIDC authentication.
# Depends on the Secret "netbox-oidc-azuread-secret" defined above, which is
# in the same namespace (default) as this resource.
apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox-oidc-azuread
  namespace: default
spec:
  imagePullPolicy: IfNotPresent
  netbox:
    replicas: 1
    image:
      pullPolicy: IfNotPresent
    config:
      auth:
        # Auto-create users on first login (default: true).
        # With this enabled, every identity that completes the OIDC flow gets a
        # NetBox account, so who may log in is decided on the Azure AD side
        # (the app registration's supported account types, and user/group
        # assignment on the enterprise application if you need to narrow it).
        autoCreateUser: true

        # OIDC authentication configuration for Microsoft Entra ID (Azure AD)
        oidc:
          # Provider type - must be "azureAd" for Microsoft Entra ID
          provider: azureAd

          # Application (client) ID from Azure AD app registration
          # Found in: Azure Portal > App registrations > [Your App] > Overview > Application (client) ID
          # The GUID below is a sample placeholder; replace it with your own.
          applicationId: "12345678-1234-1234-1234-123456789012"

          # Azure AD tenant ID
          # Found in: Azure Portal > App registrations > [Your App] > Overview > Directory (tenant) ID
          # The GUID below is a sample placeholder; replace it with your own.
          tenantId: "87654321-4321-4321-4321-210987654321"

          # Reference to secret containing client secret
          # Client secret created in: Azure Portal > App registrations > [Your App] > Certificates & secrets
          # The reference is by Secret name and data key; the Secret above uses
          # the same name and key. Azure AD client secrets expire, so record the
          # expiry date and rotate the Secret before then, or logins will fail.
          clientSecret:
            name: netbox-oidc-azuread-secret
            key: clientSecret

          # Group mapping configuration (optional)
          # Requires Azure AD app to have Group.Read.All permission
          # Groups are matched by object ID (stable and unique), not by display
          # name, which is not unique in Azure AD.
          # NOTE(review): when a user belongs to more groups than fit in the
          # token, Azure AD omits the groups claim and emits an overage
          # indicator instead, so such users would get no mapped groups or
          # flags — confirm how the operator handles that case before relying
          # on this for access control.
          # Uncomment to enable group-based permissions
          # groupMapping:
          #   # Maps Azure AD groups to NetBox user flags
          #   userFlagsByGroup:
          #     # Users in these groups get staff (admin interface) access
          #     isStaff:
          #       - "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # NetBox-Staff group ID
          #     # Users in these groups get superuser status (use with caution!)
          #     # Keep this group small and audited: superuser bypasses all
          #     # NetBox object permissions.
          #     isSuperuser:
          #       - "ffffffff-1111-2222-3333-444444444444"  # NetBox-Superusers group ID
          #   # Maps Azure AD groups to NetBox groups
          #   groupMap:
          #     "11111111-2222-3333-4444-555555555555": "Network-Engineers"
          #     "66666666-7777-8888-9999-000000000000": "Security-Team"

    worker:
      replicas: 1

  # Diode configuration (optional)
  diode:
    enabled: false

  # PostgreSQL configuration (operator-managed)
  postgresql:
    external: false

  # Redis configuration (operator-managed)
  redis:
    external: false

---
# Azure AD App Registration Configuration Notes:
#
# To configure Azure AD authentication, you need to create an app registration in the Azure Portal:
#
# 1. Create App Registration:
#    - Navigate to: Azure Portal > Azure Active Directory > App registrations > New registration
#    - Name: "NetBox"
#    - Supported account types: "Accounts in this organizational directory only"
#    - Redirect URI: Web - https://netbox.example.com/oauth/complete/azuread-oauth2/
#
# 2. Generate Client Secret:
#    - Go to: Certificates & secrets > New client secret
#    - Description: "NetBox client secret"
#    - Expires: Choose an expiration appropriate to your rotation policy (180 days, 1 year, etc.); logins fail once it expires, so record the date and rotate before then
#    - Copy the secret value immediately (it won't be shown again)
#
# 3. Configure API Permissions:
#    - Go to: API permissions
#    - Add: Microsoft Graph > Delegated permissions
#    - Select: User.Read (to read user profile)
#    - For group mapping, also add: Group.Read.All (to read group memberships)
#    - Grant admin consent if required by your organization
#
# 3a. Configure Groups Claim (required for group mapping):
#    - Go to: Token configuration > Add groups claim
#    - Select: Security groups (or All groups)
#    - For ID token, select: Group ID
#    - Click Add
#
# 4. Note the IDs:
#    - Application (client) ID: Found on the Overview page
#    - Directory (tenant) ID: Found on the Overview page
#    - Client secret value: Copied when created
#
# 5. Update this manifest:
#    - Set applicationId to your Application (client) ID
#    - Set tenantId to your Directory (tenant) ID
#    - Update the clientSecret in the Secret resource
#    - Update the redirect URI in the app registration so it exactly matches your NetBox instance URL (scheme, host and path, including the trailing slash)
