feat(netbird): use built-in mechanism for jwk sign key refresh

https://github.com/netbirdio/netbird/pull/808
2025-10-29 09:02:28 +00:00 · 2025-01-08 20:23:54 +01:00
parent 037fc29129
commit 0195f99252
3 changed files with 1 additions and 80 deletions
--- a/k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh
+++ b/k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh
@@ -1,40 +0,0 @@
-#!/bin/bash
-OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json)
-KEY_CHECK_INTERVAL_SECONDS="${KEY_CHECK_INTERVAL_SECONDS:-3600}"
-KEYS_FILE="/data/oidc_keys.json"
-
-fetch_keys() {
-  config=$(curl -s "$OIDC_ENDPOINT")
-  jwks_uri=$(echo "$config" | jq -r '.jwks_uri')
-  curl -s "$jwks_uri"
-}
-
-keys_changed() {
-  local new_keys="$1"
-  if [ ! -f "$KEYS_FILE" ]; then
-    return 0
-  fi
-  local old_keys=$(cat "$KEYS_FILE")
-  [ "$new_keys" != "$old_keys" ]
-}
-
-restart_pod() {
-  echo "Restarting pod..."
-  kill 1
-}
-
-while true; do
-  echo "Fetching OIDC keys..."
-  new_keys=$(fetch_keys)
-
-  if keys_changed "$new_keys"; then
-    echo "Keys have changed. Updating stored keys..."
-    echo "$new_keys" > "$KEYS_FILE"
-    restart_pod
-  else
-    echo "Keys have not changed. No action required."
-  fi
-
-  echo "Sleeping for $KEY_CHECK_INTERVAL_SECONDS seconds..."
-  sleep "$KEY_CHECK_INTERVAL_SECONDS"
-done
--- a/k8s/infra/vpn/netbird/management/deployment.yaml
+++ b/k8s/infra/vpn/netbird/management/deployment.yaml
@@ -55,38 +55,9 @@ spec:
            - name: config-template
              mountPath: /tmp/netbird
      containers:
-        - name: oidc-key-checker
-          image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.1.0 # renovate: docker=registry.gitlab.com/gitlab-ci-utils/curl-jq
-          command: [ /bin/bash, -c ]
-          args: [ /opt/bin/check-oidc-keys.sh ]
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            runAsNonRoot: false
-            capabilities:
-              drop: [ ALL ]
-          envFrom:
-            - configMapRef:
-                name: management-oidc-key-check-config
-                optional: true
-          volumeMounts:
-            - name: check-oidc-keys
-              mountPath: /opt/bin/check-oidc-keys.sh
-              subPath: check-oidc-keys.sh
-            - name: config
-              mountPath: /etc/netbird
-            - name: data
-              mountPath: /data
-          resources:
-            requests:
-              memory: 16Mi
-              cpu: 10m
-            limits:
-              memory: 64Mi
-              cpu: 200m
        - name: management
          image: docker.io/netbirdio/management:0.35.2 # renovate: docker=docker.io/netbirdio/management
-          args: [ --dns-domain, $(DNS_DOMAIN), --log-level, $(LOG_LEVEL), --log-file, console ]
+          args: [ --dns-domain, $(DNS_DOMAIN), --log-level, $(LOG_LEVEL), --log-file, console, --idp-sign-key-refresh-enabled ]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
@@ -113,8 +84,6 @@ spec:
              memory: 512Mi
              cpu: 4000m
      volumes:
-        - name: data
-          emptyDir: { }
        - name: config
          emptyDir:
            medium: Memory
@@ -122,10 +91,6 @@ spec:
          configMap:
            defaultMode: 0644
            name: management-config-template
-        - name: check-oidc-keys
-          configMap:
-            defaultMode: 0744
-            name: check-oidc-keys
        - name: management
          persistentVolumeClaim:
            claimName: management
--- a/k8s/infra/vpn/netbird/management/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/management/kustomization.yaml
@@ -2,10 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 configMapGenerator:
-  - name: check-oidc-keys
-    namespace: netbird
-    files:
-      - config/check-oidc-keys.sh
  - name: management-config-template
    namespace: netbird
    files: