feat: opencloud group provisioning via oidc

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>

roles/opencloud/templates/docker-compose.yml.j2

@@ -35,6 +35,12 @@ services:
       PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/opencloud/csp-override.yaml"
 {% endif %}
       IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
+{% if opencloud_role_assignment_driver == "oidc" %}
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "{{ opencloud_role_assignment_oidc_claim }}"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+{% endif %}
 {% if opencloud_oidc_issuer %}
       OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
       OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"

roles/opencloud/templates/proxy.yaml.j2

@@ -0,0 +1,9 @@
+role_assignment:
+  driver: oidc
+  oidc_role_mapper:
+    role_claim: {{ opencloud_role_assignment_oidc_claim }}
+    role_mapping:
+{% for mapping in opencloud_role_mapping %}
+      - role_name: {{ mapping.role_name }}
+        claim_value: "{{ mapping.claim_value }}"
+{% endfor %}