---
# Secret holding the OIDC client secret that the NetBoxEnterprise resource
# below references via spec.netbox.config.auth.oidc.clientSecret (same
# namespace, matching name and key).
# The value here is a placeholder for illustration only: for a real
# deployment supply it from a secret manager rather than committing the
# real value to version control, and keep it a quoted string so tooling
# does not re-type or reformat it.
apiVersion: v1
kind: Secret
metadata:
  name: netbox-oidc-generic-secret
  namespace: default
type: Opaque
stringData:
  # Client secret issued by the OIDC provider, given in plain text via
  # stringData. The key name ("clientSecret") is what the NetBoxEnterprise
  # resource's clientSecret.key points at.
  clientSecret: "YourClientSecretHere"

---
# NetBoxEnterprise custom resource (netboxlabs.com/v1alpha1) configured for
# single sign-on against a generic OpenID Connect provider. The client
# secret is not inlined; it is read from the Secret named under
# spec.netbox.config.auth.oidc.clientSecret.
apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox-oidc-generic
  namespace: default
spec:
  # Pull policy at the spec level; netbox.image.pullPolicy below sets the
  # same value again. NOTE(review): which one takes precedence if they
  # differ is not visible here — keep them equal or confirm with the operator.
  imagePullPolicy: IfNotPresent
  netbox:
    # Replica count for the netbox component
    replicas: 1
    image:
      pullPolicy: IfNotPresent
    config:
      auth:
        # Auto-create users on first login (default: true).
        # NOTE(review): with this enabled, every identity the provider lets
        # complete a login presumably ends up with a NetBox account — if that
        # is not intended, restrict which accounts or groups may use this
        # OIDC client on the provider side.
        autoCreateUser: true

        # OIDC authentication configuration for Generic OIDC Provider
        oidc:
          # Provider type - must be "generic" for generic OIDC providers
          provider: generic

          # Client ID from your OIDC provider (placeholder; replace with the
          # value the provider issued for the NetBox client)
          clientId: "netbox-client-id"

          # OIDC discovery endpoint URL (must be HTTPS).
          # This is typically the provider's issuer (base) URL + "/.well-known/openid-configuration"
          # and has to be reachable from the NetBox pods.
          # Examples:
          #   - Keycloak: "https://keycloak.example.com/realms/master/.well-known/openid-configuration"
          #   - Auth0: "https://example.auth0.com/.well-known/openid-configuration"
          #   - Authentik: "https://authentik.example.com/application/o/netbox/.well-known/openid-configuration"
          #   - GitLab: "https://gitlab.example.com/.well-known/openid-configuration"
          oidcEndpoint: "https://oidc.example.com/.well-known/openid-configuration"

          # Reference to the Secret holding the client secret: `name` must
          # match the Secret's metadata.name and `key` the entry under its
          # stringData. NOTE(review): the reference carries no namespace, so
          # the Secret is presumably resolved in this resource's namespace
          # (default) — both objects in this file use it.
          clientSecret:
            name: netbox-oidc-generic-secret
            key: clientSecret

    worker:
      # Replica count for the worker component
      replicas: 1

  # Diode configuration (optional)
  diode:
    enabled: false

  # PostgreSQL configuration (operator-managed when external is false)
  postgresql:
    external: false

  # Redis configuration (operator-managed when external is false)
  redis:
    external: false

---
# Generic OIDC Provider Configuration Notes:
#
# This example works with any OpenID Connect compliant provider including:
# - Keycloak
# - Auth0
# - Authentik
# - GitLab
# - Google Identity
# - GitHub (via OIDC)
# - Dex
# - And many others
#
# To configure generic OIDC authentication:
#
# 1. Create OIDC Client/Application in your provider:
#    - Application name: "NetBox"
#    - Client type: Confidential or Web Application
#    - Redirect URI: https://netbox.example.com/oauth/complete/oidc/
#    - Grant types: Authorization Code
#
# 2. Note the credentials:
#    - Client ID: Provided by your OIDC provider
#    - Client Secret: Provided by your OIDC provider
#    - OIDC Discovery Endpoint: Your provider's .well-known/openid-configuration URL
#
# 3. Verify the discovery endpoint:
#    - The endpoint must be accessible via HTTPS
#    - It should return a JSON document with endpoints like:
#      - authorization_endpoint
#      - token_endpoint
#      - userinfo_endpoint
#      - jwks_uri
#
# 4. Update this manifest:
#    - Set clientId to your Client ID
#    - Set oidcEndpoint to your provider's discovery endpoint
#    - Update the clientSecret in the Secret resource
#    - Update the redirect URI in your OIDC provider to match your NetBox instance URL
#
# 5. Test the configuration:
#    - Access your NetBox instance
#    - You should see an OIDC login option
#    - Click it to be redirected to your OIDC provider
#    - After successful authentication, you'll be redirected back to NetBox
#
# Troubleshooting:
# - Ensure the oidcEndpoint is accessible from the NetBox pods
# - Check that the redirect URI registered with your OIDC provider exactly matches the NetBox callback URL (scheme, host, path and trailing slash included)
# - Verify the client secret is correct
# - Check NetBox logs for authentication errors: kubectl logs -n default deployment/netbox-oidc-generic-netbox
