chore(oidc): collect all oidc-clients under keycloak

2025-10-30 01:22:31 +00:00 · 2024-08-17 12:54:40 +02:00
parent d79f57efd3
commit 0048da7ffa
27 changed files with 78 additions and 38 deletions
--- a/k8s/infra/auth/keycloak-realms/homelab/builtin-objects.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/builtin-objects.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/client.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/client.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/credentials.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/credentials.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - client.yaml
+  - credentials.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cloudflare
+  - netbird
+  - netbird-backend
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - client.yaml
+  - credentials.yaml
+  - sa-role-view-users.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml
@@ -14,7 +14,6 @@ spec:
    baseUrl: "https://netbird.stonegarden.dev"
    validRedirectUris:
      - "http://localhost:53000"
-      - "http://localhost:8080/*"
      - "https://netbird.stonegarden.dev/*"
    validPostLogoutRedirectUris:
      - "https://netbird.stonegarden.dev/*"
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - client.yaml
+  - scopes.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml
@@ -1,4 +1,22 @@
 apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientDefaultScopes
+metadata:
+  name: netbird-default-scopes
+spec:
+  forProvider:
+    defaultScopes:
+      - acr
+      - email
+      - profile
+      - roles
+      - web-origins
+      - netbird-api
+    clientIdRef:
+      name: netbird
+    realmIdRef:
+      name: homelab
+---
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
 kind: ClientScope
 metadata:
  name: netbird-api
--- a/k8s/infra/auth/keycloak-realms/homelab/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/kustomization.yaml
@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - realms.yaml
-  - users.yaml
-  - client-cloudflare.yaml
-  - cloudflare-oidc-credentials.yaml
+  - realm.yaml
  - builtin-objects.yaml
+  - clients
+  - users
--- a/k8s/infra/auth/keycloak-realms/homelab/realm.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/realm.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/users/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/users/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - veh.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/users/veh.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/users/veh.yaml
--- a/k8s/infra/auth/keycloak-realms/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - homelab
--- a/k8s/infra/auth/keycloak/kustomization.yaml
+++ b/k8s/infra/auth/keycloak/kustomization.yaml
@@ -7,12 +7,12 @@ resources:
  - secret-keycloak-admin.yaml
  - secret-keycloak-db-credentials.yaml
  - http-route.yaml
-  - config

 helmCharts:
  - name: keycloak
    repo: oci://registry-1.docker.io/bitnamicharts
    releaseName: keycloak
    namespace: keycloak
-    version: 22.1.1
+#    version: 22.1.1
+    version: 21.5.0
    valuesFile: values.yaml
--- a/k8s/infra/auth/keycloak/values.yaml
+++ b/k8s/infra/auth/keycloak/values.yaml
@@ -14,6 +14,13 @@ proxy: edge
 ingress:
  enabled: false

+resources:
+  requests:
+    cpu: 200m
+    memory: 640Mi
+  limits:
+    memory: 3Gi
+
 postgresql:
  enabled: true
  auth:
@@ -27,3 +34,4 @@ postgresql:
    persistence:
      enabled: true
      existingClaim: keycloak-db
+
--- a/k8s/infra/auth/project.yaml
+++ b/k8s/infra/auth/project.yaml
@@ -11,6 +11,8 @@ spec:
      server: '*'
    - namespace: 'keycloak'
      server: '*'
+    - namespace: 'netbird'
+      server: '*'
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
--- a/k8s/infra/crossplane-crds/config/keycloak/functions.yaml
+++ b/k8s/infra/crossplane-crds/config/keycloak/functions.yaml
@@ -3,19 +3,19 @@ kind: Function
 metadata:
  name: function-extra-resources
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.0.3
+  package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.0.3 # renovate: github-releases=crossplane-contrib/function-extra-resources
 ---
 apiVersion: pkg.crossplane.io/v1beta1
 kind: Function
 metadata:
  name: function-auto-ready
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
+  package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1 # renovate: github-releases=crossplane-contrib/function-auto-ready
 ---
 apiVersion: pkg.crossplane.io/v1beta1
 kind: Function
 metadata:
  name: function-keycloak-builtin-objects
 spec:
-  package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0
+  package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0 # renovate: gitlab-releases=corewire/images/crossplane/function-keycloak-builtin-objects
  packagePullPolicy: Always
--- a/k8s/infra/vpn/netbird/backend/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/backend/kustomization.yaml
@@ -3,10 +3,7 @@ kind: Kustomization
 namespace: netbird

 resources:
-  - oidc-client.yaml
-  - oidc-sa-role.yaml
  - secret-coturn-credentials.yaml
-  - secret-oidc-credentials.yaml

 helmCharts:
  - name: netbird
--- a/k8s/infra/vpn/netbird/backend/values.yaml
+++ b/k8s/infra/vpn/netbird/backend/values.yaml
@@ -23,7 +23,7 @@ idp:

 management:
  image:
-    tag: 0.28.4
+    tag: 0.28.7 # renovate: docker=netbirdio/management
  nodeSelector:
    topology.kubernetes.io/zone: abel
  ingress:
@@ -31,7 +31,7 @@ management:

 signal:
  image:
-    tag: 0.28.4
+    tag: 0.28.7 # renovate: docker=netbirdio/signal
  nodeSelector:
    topology.kubernetes.io/zone: abel
  uri: netbird.stonegarden.dev:443
--- a/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
@@ -2,11 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: netbird

-resources:
-  - oidc-scopes.yaml
-  - oidc-client.yaml
-  - oidc-client-scopes.yaml
-
 helmCharts:
  - name: netbird-dashboard
    repo: https://charts.jaconi.io
--- a/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml
+++ b/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml
@@ -1,17 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientDefaultScopes
-metadata:
-  name: netbird-default-scopes
-spec:
-  forProvider:
-    defaultScopes:
-      - acr
-      - email
-      - profile
-      - roles
-      - web-origins
-      - netbird-api
-    clientIdRef:
-      name: netbird
-    realmIdRef:
-      name: homelab
--- a/k8s/infra/vpn/netbird/dashboard/values.yaml
+++ b/k8s/infra/vpn/netbird/dashboard/values.yaml
@@ -1,5 +1,5 @@
 image:
-  tag: v2.4.1
+  tag: v2.5.0 # renovate: docker=netbirdio/dashboard

 auth:
  authority: https://keycloak.stonegarden.dev/realms/homelab
--- a/tofu/kubernetes/bootstrap/volumes/README.md
+++ b/tofu/kubernetes/bootstrap/volumes/README.md
@@ -26,6 +26,9 @@ tofu state rm "module.volumes.module.proxmox-volume[\"pv-sonarr-config\"].restap
 tofu state rm "module.volumes.module.proxmox-volume[\"pv-plex-config\"].restapi_object.proxmox-volume" 
 tofu state rm "module.volumes.module.proxmox-volume[\"pv-jellyfin-config\"].restapi_object.proxmox-volume" 
 tofu state rm "module.volumes.module.proxmox-volume[\"pv-qbittorrent-config\"].restapi_object.proxmox-volume" 
+tofu state rm 'module.volumes.module.proxmox-volume["pv-keycloak"].restapi_object.proxmox-volume'
+tofu state rm 'module.volumes.module.proxmox-volume["pv-netbird-management"].restapi_object.proxmox-volume'
+tofu state rm 'module.volumes.module.proxmox-volume["pv-netbird-signal"].restapi_object.proxmox-volume'
 ```

 ## import proxmox volume