---
# Secret containing OIDC client secret
#
# The value under stringData is a placeholder. Replace it at deploy time and
# keep the real client secret out of version control (for example, create this
# Secret from a secret manager or a sealed/encrypted manifest instead).
apiVersion: v1
kind: Secret
metadata:
  # Referenced by name from spec.netbox.config.auth.oidc.clientSecret.name
  # in the NetBoxEnterprise resource in this file; the two must stay in sync.
  name: netbox-oidc-okta-secret
  # Same namespace as the NetBoxEnterprise resource in this file. The reference
  # there carries no namespace field, so the lookup is presumably
  # namespace-local - confirm against the operator documentation.
  namespace: default
type: Opaque
# stringData accepts the plain-text value; Kubernetes stores it base64-encoded
# under data. That is an encoding, not encryption: anyone with read access to
# Secrets in this namespace can recover it, so scope RBAC accordingly.
stringData:
  # Client secret from Okta application
  # The key name must match spec.netbox.config.auth.oidc.clientSecret.key.
  clientSecret: "YourClientSecretHere"

---
# NetBoxEnterprise with Okta OIDC authentication
#
# Sign-in is delegated to the Okta org named in oktaDomain. The OIDC client
# secret is not inlined here; it is read from the Secret referenced under
# spec.netbox.config.auth.oidc.clientSecret.
apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox-oidc-okta
  namespace: default
spec:
  # IfNotPresent reuses an image already cached on the node. No image name or
  # tag is set in this manifest, so which image runs is decided elsewhere.
  imagePullPolicy: IfNotPresent
  netbox:
    replicas: 1
    image:
      pullPolicy: IfNotPresent
    config:
      auth:
        # Auto-create users on first login (default: true)
        # With this enabled, every identity that completes the Okta login gets
        # a NetBox account, so who can sign in is decided on the Okta side
        # ("Controlled access" and the Assignments tab of the application).
        # NOTE(review): the permissions a newly created user receives are not
        # shown in this manifest - confirm before enabling in production.
        autoCreateUser: true

        # OIDC authentication configuration for Okta
        oidc:
          # Provider type - must be "okta" for Okta
          provider: okta

          # Client ID from Okta application
          # Found in: Okta Admin Console > Applications > [Your App] > General > Client Credentials
          # The client ID is an identifier, not a secret; the value below is a
          # sample and must be replaced with your application's client ID.
          clientId: "0oa1234567890abcdef"

          # Okta domain (without https://)
          # Example: "dev-123456.okta.com" or "example.okta.com"
          # Found in: Okta Admin Console > Settings > Account (top right)
          # The operator builds the OAuth2 URL https://{oktaDomain}/oauth2/ from
          # this value, so it determines which Okta org NetBox trusts for login.
          # Set it to the exact domain of your own org.
          oktaDomain: "dev-123456.okta.com"

          # Reference to secret containing client secret
          # Client secret found in: Okta Admin Console > Applications > [Your App] > General > Client Credentials
          # name/key must match the Secret's metadata.name and the key under its
          # stringData. No namespace is given; presumably the Secret is resolved
          # in this resource's namespace - confirm against the operator docs.
          clientSecret:
            name: netbox-oidc-okta-secret
            key: clientSecret

    worker:
      replicas: 1

  # Diode configuration (optional)
  diode:
    enabled: false

  # PostgreSQL configuration (operator-managed)
  postgresql:
    external: false

  # Redis configuration (operator-managed)
  redis:
    external: false

---
# Okta Application Configuration Notes:
#
# To configure Okta authentication, you need to create an OIDC application in Okta:
#
# 1. Create OIDC Application:
#    - Navigate to: Okta Admin Console > Applications > Create App Integration
#    - Sign-in method: "OIDC - OpenID Connect"
#    - Application type: "Web Application"
#    - Click Next
#
# 2. Configure Application Settings:
#    - App integration name: "NetBox"
#    - Grant type: Check "Authorization Code"
#    - Sign-in redirect URIs: https://netbox.example.com/oauth/complete/okta-openidconnect/
#    - Sign-out redirect URIs: https://netbox.example.com/ (optional)
#    - Controlled access: Choose who can access this application
#    - Click Save
#
# 3. Note the Credentials:
#    - Client ID: Found in General tab > Client Credentials
#    - Client secret: Found in General tab > Client Credentials
#    - Okta domain: Your Okta domain (e.g., dev-123456.okta.com)
#
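# 4. Configure User Assignments (optional):
#    - Go to: Assignments tab
#    - Assign: Assign users or groups who should have access to NetBox
#    - With autoCreateUser: true, every user who can sign in through this
#      application gets a NetBox account on first login, so the assignments
#      (together with "Controlled access" in step 2) decide who gets access.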
#
# 5. Update this manifest:
#    - Set clientId to your Client ID
#    - Set oktaDomain to your Okta domain (without https://)
#    - Update the clientSecret in the Secret resource
#    - In the Okta application (step 2), update the sign-in redirect URI to match
#      your NetBox instance URL; the redirect URI is not a field in this manifest
#
# Note: The operator will automatically construct the Okta OAuth2 API URL:
#       https://{oktaDomain}/oauth2/
