From 0048da7ffa0de7a5ee8e70b411476916dc7251f5 Mon Sep 17 00:00:00 2001 
From: Vegard Hagen Date: Sat, 17 Aug 2024 12:54:40 +0200 Subject: [PATCH] chore(oidc): collect all oidc-clients under keycloak --- .../homelab}/builtin-objects.yaml | 0 .../homelab/clients/cloudflare/client.yaml} | 0 .../clients/cloudflare/credentials.yaml} | 0 .../clients/cloudflare/kustomization.yaml | 6 ++++++ .../homelab/clients/kustomization.yaml | 7 +++++++ .../clients/netbird-backend/client.yaml} | 0 .../clients/netbird-backend/credentials.yaml} | 0 .../clients/netbird-backend/kustomization.yaml | 7 +++++++ .../netbird-backend/sa-role-view-users.yaml} | 0 .../homelab/clients/netbird/client.yaml} | 1 - .../homelab/clients/netbird/kustomization.yaml | 6 ++++++ .../homelab/clients/netbird/scopes.yaml} | 18 ++++++++++++++++++ .../homelab}/kustomization.yaml | 7 +++---- .../homelab/realm.yaml} | 0 .../homelab/users/kustomization.yaml | 5 +++++ .../homelab/users/veh.yaml} | 0 .../auth/keycloak-realms/kustomization.yaml | 5 +++++ k8s/infra/auth/keycloak/kustomization.yaml | 4 ++-- k8s/infra/auth/keycloak/values.yaml | 8 ++++++++ k8s/infra/auth/project.yaml | 2 ++ .../config/keycloak/functions.yaml | 6 +++--- .../vpn/netbird/backend/kustomization.yaml | 3 --- k8s/infra/vpn/netbird/backend/values.yaml | 4 ++-- .../vpn/netbird/dashboard/kustomization.yaml | 5 ----- .../netbird/dashboard/oidc-client-scopes.yaml | 17 ----------------- k8s/infra/vpn/netbird/dashboard/values.yaml | 2 +- tofu/kubernetes/bootstrap/volumes/README.md | 3 +++ 27 files changed, 78 insertions(+), 38 deletions(-) rename k8s/infra/auth/{keycloak/config => keycloak-realms/homelab}/builtin-objects.yaml (100%) rename k8s/infra/auth/{keycloak/config/client-cloudflare.yaml => keycloak-realms/homelab/clients/cloudflare/client.yaml} (100%) rename k8s/infra/auth/{keycloak/config/cloudflare-oidc-credentials.yaml => keycloak-realms/homelab/clients/cloudflare/credentials.yaml} (100%) create mode 100644 k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/kustomization.yaml create mode 100644 
k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml rename k8s/infra/{vpn/netbird/backend/oidc-client.yaml => auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml} (100%) rename k8s/infra/{vpn/netbird/backend/secret-oidc-credentials.yaml => auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml} (100%) create mode 100644 k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml rename k8s/infra/{vpn/netbird/backend/oidc-sa-role.yaml => auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml} (100%) rename k8s/infra/{vpn/netbird/dashboard/oidc-client.yaml => auth/keycloak-realms/homelab/clients/netbird/client.yaml} (94%) create mode 100644 k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml rename k8s/infra/{vpn/netbird/dashboard/oidc-scopes.yaml => auth/keycloak-realms/homelab/clients/netbird/scopes.yaml} (70%) rename k8s/infra/auth/{keycloak/config => keycloak-realms/homelab}/kustomization.yaml (51%) rename k8s/infra/auth/{keycloak/config/realms.yaml => keycloak-realms/homelab/realm.yaml} (100%) create mode 100644 k8s/infra/auth/keycloak-realms/homelab/users/kustomization.yaml rename k8s/infra/auth/{keycloak/config/users.yaml => keycloak-realms/homelab/users/veh.yaml} (100%) create mode 100644 k8s/infra/auth/keycloak-realms/kustomization.yaml delete mode 100644 k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml diff --git a/k8s/infra/auth/keycloak/config/builtin-objects.yaml b/k8s/infra/auth/keycloak-realms/homelab/builtin-objects.yaml similarity index 100% rename from k8s/infra/auth/keycloak/config/builtin-objects.yaml rename to k8s/infra/auth/keycloak-realms/homelab/builtin-objects.yaml 
diff --git a/k8s/infra/auth/keycloak/config/client-cloudflare.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/client.yaml
similarity index 100%
rename from k8s/infra/auth/keycloak/config/client-cloudflare.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/client.yaml
diff --git a/k8s/infra/auth/keycloak/config/cloudflare-oidc-credentials.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/credentials.yaml
similarity index 100%
rename from k8s/infra/auth/keycloak/config/cloudflare-oidc-credentials.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/credentials.yaml
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/kustomization.yaml
new file mode 100644
index 0000000..cf883b1
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/cloudflare/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - client.yaml
+ - credentials.yaml
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
new file mode 100644
index 0000000..c64c8c2
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - cloudflare
+ - netbird
+ - netbird-backend
diff --git a/k8s/infra/vpn/netbird/backend/oidc-client.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
similarity index 100%
rename from k8s/infra/vpn/netbird/backend/oidc-client.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
diff --git a/k8s/infra/vpn/netbird/backend/secret-oidc-credentials.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml
similarity index 100%
rename from k8s/infra/vpn/netbird/backend/secret-oidc-credentials.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
new file mode 100644
index 0000000..9a68b72
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - client.yaml
+ - credentials.yaml
+ - sa-role-view-users.yaml
diff --git a/k8s/infra/vpn/netbird/backend/oidc-sa-role.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml
similarity index 100%
rename from k8s/infra/vpn/netbird/backend/oidc-sa-role.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml
diff --git a/k8s/infra/vpn/netbird/dashboard/oidc-client.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml
similarity index 94%
rename from k8s/infra/vpn/netbird/dashboard/oidc-client.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml
index db5d99c..a484c87 100644
--- a/k8s/infra/vpn/netbird/dashboard/oidc-client.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml
@@ -14,7 +14,6 @@ spec:
 baseUrl: "https://netbird.stonegarden.dev"
 validRedirectUris:
 - "http://localhost:53000"
- - "http://localhost:8080/*"
 - "https://netbird.stonegarden.dev/*"
 validPostLogoutRedirectUris:
 - "https://netbird.stonegarden.dev/*"
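Review bot: The `http://localhost:53000` entry left in validRedirectUris is a plain-HTTP loopback redirect in an otherwise HTTPS-only list, and nothing in the hunk says why it stays while `http://localhost:8080/*` is dropped. If it is the loopback callback for a native-client login flow, a comment beside it such as `# loopback callback for local client login; keep exact, no wildcard, no external host` would stop a later cleanup from removing it or a later "fix" from widening it. The `spec:` block of this client resource starts outside the hunk.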
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml
new file mode 100644
index 0000000..c4e5a05
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - client.yaml
+ - scopes.yaml
diff --git a/k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml
similarity index 70%
rename from k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml
index 03af8d8..8ddbd13 100644
--- a/k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml
@@ -1,4 +1,22 @@
 apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientDefaultScopes
+metadata:
+ name: netbird-default-scopes
+spec:
+ forProvider:
+ defaultScopes:
+ - acr
+ - email
+ - profile
+ - roles
+ - web-origins
+ - netbird-api
+ clientIdRef:
+ name: netbird
+ realmIdRef:
+ name: homelab
+---
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
 kind: ClientScope
 metadata:
 name: netbird-api
diff --git a/k8s/infra/auth/keycloak/config/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/kustomization.yaml
similarity index 51%
rename from k8s/infra/auth/keycloak/config/kustomization.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/kustomization.yaml
index 0843f06..a6d03c8 100644
--- a/k8s/infra/auth/keycloak/config/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/kustomization.yaml
@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
- - realms.yaml
- - users.yaml
- - client-cloudflare.yaml
- - cloudflare-oidc-credentials.yaml
+ - realm.yaml
 - builtin-objects.yaml
+ - clients
+ - users
diff --git a/k8s/infra/auth/keycloak/config/realms.yaml b/k8s/infra/auth/keycloak-realms/homelab/realm.yaml
similarity index 100%
rename from k8s/infra/auth/keycloak/config/realms.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/realm.yaml
diff --git a/k8s/infra/auth/keycloak-realms/homelab/users/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/users/kustomization.yaml
new file mode 100644
index 0000000..efc255a
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/homelab/users/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - veh.yaml
diff --git a/k8s/infra/auth/keycloak/config/users.yaml b/k8s/infra/auth/keycloak-realms/homelab/users/veh.yaml
similarity index 100%
rename from k8s/infra/auth/keycloak/config/users.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/users/veh.yaml
diff --git a/k8s/infra/auth/keycloak-realms/kustomization.yaml b/k8s/infra/auth/keycloak-realms/kustomization.yaml
new file mode 100644
index 0000000..fd67ad6
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - homelab
diff --git a/k8s/infra/auth/keycloak/kustomization.yaml b/k8s/infra/auth/keycloak/kustomization.yaml
index a508f85..7aaa620 100644
--- a/k8s/infra/auth/keycloak/kustomization.yaml
+++ b/k8s/infra/auth/keycloak/kustomization.yaml
@@ -7,12 +7,12 @@ resources:
 - secret-keycloak-admin.yaml
 - secret-keycloak-db-credentials.yaml
 - http-route.yaml
- - config
 
 helmCharts:
 - name: keycloak
 repo: oci://registry-1.docker.io/bitnamicharts
 releaseName: keycloak
 namespace: keycloak
- version: 22.1.1
+# version: 22.1.1
+ version: 21.5.0
 valuesFile: values.yaml
diff --git a/k8s/infra/auth/keycloak/values.yaml b/k8s/infra/auth/keycloak/values.yaml
index 41bdd5c..c0a450c 100644
--- a/k8s/infra/auth/keycloak/values.yaml
+++ b/k8s/infra/auth/keycloak/values.yaml
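Review bot: The chart version goes from 22.1.1 back to 21.5.0 with the old value kept as a dead `# version: 22.1.1` line, and neither the hunk nor the commit message ("collect all oidc-clients under keycloak") says why; a downgrade of the Keycloak chart is exactly the change a reader will want justified, since it can reintroduce whatever the newer chart fixed. Replace the commented-out line with the reason, e.g. `version: 21.5.0 # pinned back from 22.1.1: <reason>`, and consider the same `# renovate: …` annotation this commit adds to the image tags elsewhere so the pin is tracked rather than silently aging. The removed `- config` entry also means this kustomization no longer renders the realm, clients and users; what reconciles the new `k8s/infra/auth/keycloak-realms` tree is not visible in this patch (presumably an application or directory generator in the auth project), so confirm it is picked up, otherwise the OIDC clients and their Keycloak-side credentials stop being managed without any error surfacing.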
@@ -14,6 +14,13 @@ proxy: edge
 ingress:
 enabled: false
 
+resources:
+ requests:
+ cpu: 200m
+ memory: 640Mi
+ limits:
+ memory: 3Gi
+
 postgresql:
 enabled: true
 auth:
@@ -27,3 +34,4 @@ postgresql:
 persistence:
 enabled: true
 existingClaim: keycloak-db
+
diff --git a/k8s/infra/auth/project.yaml b/k8s/infra/auth/project.yaml
index 2b26a1f..b84749a 100644
--- a/k8s/infra/auth/project.yaml
+++ b/k8s/infra/auth/project.yaml
@@ -11,6 +11,8 @@ spec:
 server: '*'
 - namespace: 'keycloak'
 server: '*'
+ - namespace: 'netbird'
+ server: '*'
 clusterResourceWhitelist:
 - group: '*'
 kind: '*'
diff --git a/k8s/infra/crossplane-crds/config/keycloak/functions.yaml b/k8s/infra/crossplane-crds/config/keycloak/functions.yaml
index 1889a9c..104df18 100644
--- a/k8s/infra/crossplane-crds/config/keycloak/functions.yaml
+++ b/k8s/infra/crossplane-crds/config/keycloak/functions.yaml
@@ -3,19 +3,19 @@ kind: Function
 metadata:
 name: function-extra-resources
 spec:
- package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.0.3
+ package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.0.3 # renovate: github-releases=crossplane-contrib/function-extra-resources
 ---
 apiVersion: pkg.crossplane.io/v1beta1
 kind: Function
 metadata:
 name: function-auto-ready
 spec:
- package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
+ package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1 # renovate: github-releases=crossplane-contrib/function-auto-ready
 ---
 apiVersion: pkg.crossplane.io/v1beta1
 kind: Function
 metadata:
 name: function-keycloak-builtin-objects
 spec:
- package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0
+ package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0 # renovate: gitlab-releases=corewire/images/crossplane/function-keycloak-builtin-objects
 packagePullPolicy: Always
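Review bot: The new `netbird` destination lets the auth project deploy into a second namespace on `server: '*'`, and nothing in the hunk records which resource needs that; presumably it is the netbird-backend client credentials Secret that this commit moves under the Keycloak realm tree and that still has to land in the netbird namespace, but that is an inference from the file moves, not from this file. A comment on the new entry, e.g. `# netbird-backend OIDC client credentials are written into this namespace`, would record the cross-project dependency, and if that Secret is the only consumer the entry is also where to reconsider whether a wildcard server is wider than needed. The destinations list this hunk extends starts outside the hunk.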
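Review bot: The three `package:` references in this hunk stay pinned by mutable tag only (`:v0.0.3`, `:v0.2.1`, `:v1.0.0`), so the `# renovate:` annotations being added hand trust for the Crossplane control plane to whatever the registry serves under those tags, and `packagePullPolicy: Always` on the last document re-evaluates that on every pull. If the package manager accepts digest references, pin the tag together with `@sha256:<digest>` and let Renovate keep the digest current; if digest pinning is deliberately not used, a one-line comment above the first `package:` saying so keeps the next reader from assuming it was overlooked. The three Function documents start outside the hunk.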
diff --git a/k8s/infra/vpn/netbird/backend/kustomization.yaml b/k8s/infra/vpn/netbird/backend/kustomization.yaml
index ced305d..40329f8 100644
--- a/k8s/infra/vpn/netbird/backend/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/backend/kustomization.yaml
@@ -3,10 +3,7 @@ kind: Kustomization
 namespace: netbird
 
 resources:
- - oidc-client.yaml
- - oidc-sa-role.yaml
 - secret-coturn-credentials.yaml
- - secret-oidc-credentials.yaml
 
 helmCharts:
 - name: netbird
diff --git a/k8s/infra/vpn/netbird/backend/values.yaml b/k8s/infra/vpn/netbird/backend/values.yaml
index ffb59ea..41feb3d 100644
--- a/k8s/infra/vpn/netbird/backend/values.yaml
+++ b/k8s/infra/vpn/netbird/backend/values.yaml
@@ -23,7 +23,7 @@ idp:
 
 management:
 image:
- tag: 0.28.4
+ tag: 0.28.7 # renovate: docker=netbirdio/management
 nodeSelector:
 topology.kubernetes.io/zone: abel
 ingress:
@@ -31,7 +31,7 @@ management:
 
 signal:
 image:
- tag: 0.28.4
+ tag: 0.28.7 # renovate: docker=netbirdio/signal
 nodeSelector:
 topology.kubernetes.io/zone: abel
 uri: netbird.stonegarden.dev:443
diff --git a/k8s/infra/vpn/netbird/dashboard/kustomization.yaml b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
index ed09298..76fbb0a 100644
--- a/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
@@ -2,11 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: netbird
 
-resources:
- - oidc-scopes.yaml
- - oidc-client.yaml
- - oidc-client-scopes.yaml
-
 helmCharts:
 - name: netbird-dashboard
 repo: https://charts.jaconi.io
diff --git a/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml b/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml
deleted file mode 100644
index f4b5708..0000000
--- a/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml
+++ /dev/null
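Review bot: This kustomization stamps `namespace: netbird` onto everything it renders, and the three entries removed here (`oidc-client.yaml`, `oidc-sa-role.yaml`, `secret-oidc-credentials.yaml`) now live under a new kustomization in `keycloak-realms/homelab/clients/netbird-backend` that sets no namespace at all. If the credentials manifest relied on this transform to place its Secret where the netbird backend reads it, it will now go wherever its own `metadata.namespace` or the deploying application's default sends it; the `netbird` destination added to the auth project in the same commit suggests this was anticipated, but the moved file is not in the diff, so confirm it names the namespace explicitly, or add `namespace: netbird` to the new netbird-backend kustomization if every object in it belongs there. The document this hunk edits starts outside the hunk.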
@@ -1,17 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientDefaultScopes
-metadata:
- name: netbird-default-scopes
-spec:
- forProvider:
- defaultScopes:
- - acr
- - email
- - profile
- - roles
- - web-origins
- - netbird-api
- clientIdRef:
- name: netbird
- realmIdRef:
- name: homelab
diff --git a/k8s/infra/vpn/netbird/dashboard/values.yaml b/k8s/infra/vpn/netbird/dashboard/values.yaml
index 873c147..c0f6ec5 100644
--- a/k8s/infra/vpn/netbird/dashboard/values.yaml
+++ b/k8s/infra/vpn/netbird/dashboard/values.yaml
@@ -1,5 +1,5 @@
 image:
- tag: v2.4.1
+ tag: v2.5.0 # renovate: docker=netbirdio/dashboard
 
 auth:
 authority: https://keycloak.stonegarden.dev/realms/homelab
diff --git a/tofu/kubernetes/bootstrap/volumes/README.md b/tofu/kubernetes/bootstrap/volumes/README.md
index 2694acd..95f567f 100644
--- a/tofu/kubernetes/bootstrap/volumes/README.md
+++ b/tofu/kubernetes/bootstrap/volumes/README.md
@@ -26,6 +26,9 @@ tofu state rm "module.volumes.module.proxmox-volume[\"pv-sonarr-config\"].restapi_object.proxmox-volume"
 tofu state rm "module.volumes.module.proxmox-volume[\"pv-plex-config\"].restapi_object.proxmox-volume"
 tofu state rm "module.volumes.module.proxmox-volume[\"pv-jellyfin-config\"].restapi_object.proxmox-volume"
 tofu state rm "module.volumes.module.proxmox-volume[\"pv-qbittorrent-config\"].restapi_object.proxmox-volume"
+tofu state rm 'module.volumes.module.proxmox-volume["pv-keycloak"].restapi_object.proxmox-volume'
+tofu state rm 'module.volumes.module.proxmox-volume["pv-netbird-management"].restapi_object.proxmox-volume'
+tofu state rm 'module.volumes.module.proxmox-volume["pv-netbird-signal"].restapi_object.proxmox-volume'
 ```
 
 ## import proxmox volume