feat(netbird): use built-in mechanism for jwk sign key refresh

https://github.com/netbirdio/netbird/pull/808
2025-10-30 17:37:59 +00:00 · 2025-01-08 20:23:54 +01:00
parent 037fc29129
commit 0195f99252
3 changed files with 1 additions and 80 deletions
--- a/k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh
+++ b/k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh
@@ -1,40 +0,0 @@
 #!/bin/bash
 OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json)
 KEY_CHECK_INTERVAL_SECONDS="${KEY_CHECK_INTERVAL_SECONDS:-3600}"
 KEYS_FILE="/data/oidc_keys.json"
 fetch_keys() {
  config=$(curl -s "$OIDC_ENDPOINT")
  jwks_uri=$(echo "$config" | jq -r '.jwks_uri')
  curl -s "$jwks_uri"
 }
 keys_changed() {
  local new_keys="$1"
  if [ ! -f "$KEYS_FILE" ]; then
    return 0
  fi
  local old_keys=$(cat "$KEYS_FILE")
  [ "$new_keys" != "$old_keys" ]
 }
 restart_pod() {
  echo "Restarting pod..."
  kill 1
 }
 while true; do
  echo "Fetching OIDC keys..."
  new_keys=$(fetch_keys)
  if keys_changed "$new_keys"; then
    echo "Keys have changed. Updating stored keys..."
    echo "$new_keys" > "$KEYS_FILE"
    restart_pod
  else
    echo "Keys have not changed. No action required."
  fi
  echo "Sleeping for $KEY_CHECK_INTERVAL_SECONDS seconds..."
  sleep "$KEY_CHECK_INTERVAL_SECONDS"
 done
--- a/k8s/infra/vpn/netbird/management/deployment.yaml
+++ b/k8s/infra/vpn/netbird/management/deployment.yaml
@@ -55,38 +55,9 @@ spec:
            - name: config-template
              mountPath: /tmp/netbird
      containers:
        - name: oidc-key-checker
          image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.1.0 # renovate: docker=registry.gitlab.com/gitlab-ci-utils/curl-jq
          command: [ /bin/bash, -c ]
          args: [ /opt/bin/check-oidc-keys.sh ]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: false
            capabilities:
              drop: [ ALL ]
          envFrom:
            - configMapRef:
                name: management-oidc-key-check-config
                optional: true
          volumeMounts:
            - name: check-oidc-keys
              mountPath: /opt/bin/check-oidc-keys.sh
              subPath: check-oidc-keys.sh
            - name: config
              mountPath: /etc/netbird
            - name: data
              mountPath: /data
          resources:
            requests:
              memory: 16Mi
              cpu: 10m
            limits:
              memory: 64Mi
              cpu: 200m
        - name: management
          image: docker.io/netbirdio/management:0.35.2 # renovate: docker=docker.io/netbirdio/management
-          args: [ --dns-domain, $(DNS_DOMAIN), --log-level, $(LOG_LEVEL), --log-file, console ]
+          args: [ --dns-domain, $(DNS_DOMAIN), --log-level, $(LOG_LEVEL), --log-file, console, --idp-sign-key-refresh-enabled ]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
@@ -113,8 +84,6 @@ spec:
              memory: 512Mi
              cpu: 4000m
      volumes:
        - name: data
          emptyDir: { }
        - name: config
          emptyDir:
            medium: Memory
@@ -122,10 +91,6 @@ spec:
          configMap:
            defaultMode: 0644
            name: management-config-template
        - name: check-oidc-keys
          configMap:
            defaultMode: 0744
            name: check-oidc-keys
        - name: management
          persistentVolumeClaim:
            claimName: management
--- a/k8s/infra/vpn/netbird/management/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/management/kustomization.yaml
@@ -2,10 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 configMapGenerator:
  - name: check-oidc-keys
    namespace: netbird
    files:
      - config/check-oidc-keys.sh
  - name: management-config-template
    namespace: netbird
    files: