From 5839c1d7063bd06ac4858f29743a9c428e636c13 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Tue, 26 Mar 2024 11:17:44 +0000
Subject: [PATCH 1/4] add support for AAD roles

---
 components/13-dexidp/values.yaml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/components/13-dexidp/values.yaml b/components/13-dexidp/values.yaml
index fd999474b..27a2151f3 100644
--- a/components/13-dexidp/values.yaml
+++ b/components/13-dexidp/values.yaml
@@ -42,13 +42,10 @@ config:
           - openid
           - email
         insecureSkipEmailVerified: true
-        # enabling insecureEnableGroups adds the list of group UUIDs to the
-        # access token, which in turn results in a HTTP headers for requests to
-        # https://dexidp.local/userinfo being way too large for Ingress
-        # controller and python requests library. Even after adjusting ingress
-        # controlloer, the Nautobot still cannot handle token that large.
-        insecureEnableGroups: false
+        insecureEnableGroups: true
         getUserInfo: true
+        claimMapping:
+          groups: "roles"
 
   logger:
     level: info

From de8d3b2ff0218d112ddb5d84c167c2ab920ee619 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Tue, 26 Mar 2024 20:14:35 +0000
Subject: [PATCH 2/4] nautobot: configure staff and admin groups

This allows dev instance of nautobot to recognize groups from AD
---
 components/09-nautobot/base/nautobot/templates/configmap.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/components/09-nautobot/base/nautobot/templates/configmap.yaml b/components/09-nautobot/base/nautobot/templates/configmap.yaml
index 2f7fd3c61..0889c595e 100644
--- a/components/09-nautobot/base/nautobot/templates/configmap.yaml
+++ b/components/09-nautobot/base/nautobot/templates/configmap.yaml
@@ -29,6 +29,8 @@ data:
   NAUTOBOT_REDIS_SSL: "False"
   NAUTOBOT_SUPERUSER_EMAIL: "admin@example.com"
   NAUTOBOT_SUPERUSER_NAME: "admin"
+  RAX_SUPERUSER_GROUPS: undercloud-dev
+  RAX_STAFF_GROUPS: undercloud-dev
 ---
 # Source: nautobot/templates/configmap.yaml
 apiVersion: v1
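Review bot: The six removed comment lines were the only record of why `insecureEnableGroups` had been left off (the group-UUID list made the userinfo request headers too large for the ingress controller and Nautobot), and the re-enabled setting plus `claimMapping: groups: "roles"` say nothing about why that no longer applies — presumably because dex now reads the AAD app-role claim, a short list of role names, instead of the full group membership. Keep that reasoning in the file, above `claimMapping:`: `# groups come from the AAD app-role "roles" claim, not the group-UUID list that previously overflowed the userinfo headers`. Whoever can assign app roles in the AAD app registration now decides what dex reports as groups, so downstream group-to-permission mappings should treat those role values as the trust boundary. The azure connector entry this hunk edits begins above the hunk.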
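Review bot: `RAX_SUPERUSER_GROUPS: undercloud-dev` and `RAX_STAFF_GROUPS: undercloud-dev` are the only unquoted values in this ConfigMap data block — the neighbouring entries are all quoted strings such as `"False"` and `"admin"` — so write them as `RAX_SUPERUSER_GROUPS: "undercloud-dev"` and `RAX_STAFF_GROUPS: "undercloud-dev"`; the current value is harmless as a plain scalar, but a later edit to something like `on` or an all-digit ID would silently change type. The same group is granted both superuser and staff rights, which presumably makes every member of `undercloud-dev` a full superuser; the commit message says this is for the dev instance, so a short comment above the two lines stating that, and whether the value is a comma-separated list as the plural names suggest, would stop the next reader from guessing. The value has to match exactly what dex emits in its `groups` claim, which after patch 1 in this series is the AAD app-role value rather than a group display name.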
From d12cd95b69736ffb9c94f77fac8a383689e67596 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Tue, 26 Mar 2024 20:38:05 +0000
Subject: [PATCH 3/4] azure: add offline_access claim

This makes Dex request refresh token to be provided by Azure when the user is authenticated.
---
 components/13-dexidp/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/components/13-dexidp/values.yaml b/components/13-dexidp/values.yaml
index 27a2151f3..a16aafb0f 100644
--- a/components/13-dexidp/values.yaml
+++ b/components/13-dexidp/values.yaml
@@ -31,7 +31,7 @@ config:
         keystoneUsername: demo
         keystonePassword: DEMO_PASS
     - type: oidc
-      name: azure
+      name: Azure
       id: azure
       config:
         issuer: $AZURE_ISSUER
@@ -41,6 +41,7 @@ config:
         scopes:
           - openid
           - email
+          - offline_access
         insecureSkipEmailVerified: true
         insecureEnableGroups: true
         getUserInfo: true

From 87671ff42821066e377270ceee6ebb81ee0769f1 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Tue, 26 Mar 2024 20:41:37 +0000
Subject: [PATCH 4/4] dex: skip unnecessary approval screen

---
 components/13-dexidp/values.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/components/13-dexidp/values.yaml b/components/13-dexidp/values.yaml
index a16aafb0f..4717c80f1 100644
--- a/components/13-dexidp/values.yaml
+++ b/components/13-dexidp/values.yaml
@@ -14,8 +14,9 @@ config:
     config:
       inCluster: true
-  # Enable at least one connector
-  # See https://dexidp.io/docs/connectors/ for more options
+  oauth2:
+    skipApprovalScreen: true
+  enablePasswordDB: false
   connectors:
     - type: keystone
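Review bot: Adding `offline_access` makes Azure hand dex a refresh token, which dex — as I read its OIDC connector — keeps in its storage backend alongside its own offline session, and neither the hunk nor the commit message bounds how long that session may be renewed. Dex's `expiry.refreshTokens` options (`absoluteLifetime`, `validIfNotUsedFor`, `reuseInterval`) exist for this and live in the same top-level `config:` mapping outside the hunk, so check whether they are set and record the intent on the new line: `- offline_access  # Azure refresh token; lifetime bounded by config.expiry.refreshTokens`. Worth confirming too that the AAD app registration grants `offline_access` to this client, otherwise sign-in still succeeds but without the refresh token. The azure connector's `config:` block this scope list belongs to begins above the hunk.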