feat(netbird): remove idp-integration

IDP integration is not needed. Removing it might allow Authelia integration.
This commit is contained in:
Vegard Hagen
2025-01-08 19:41:17 +01:00
parent 2ec6244fca
commit 037fc29129
5 changed files with 36 additions and 71 deletions


@@ -20,6 +20,11 @@
"Secret": "secret", "Secret": "secret",
"TimeBasedCredentials": false "TimeBasedCredentials": false
}, },
"Relay": {
"Addresses": ["${NETBIRD_RELAY_URI}"],
"CredentialsTTL": "24h",
"Secret": "${NB_AUTH_SECRET}"
},
"Signal": { "Signal": {
"Proto": "${NETBIRD_SIGNAL_PROTOCOL}", "Proto": "${NETBIRD_SIGNAL_PROTOCOL}",
"URI": "${NETBIRD_SIGNAL_URI}", "URI": "${NETBIRD_SIGNAL_URI}",
@@ -36,32 +41,40 @@
"OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}"
}, },
"IdpManagerConfig": { "IdpManagerConfig": {
"ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}", "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE:-none}",
"${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": { "ClientConfig": {
"ClientID": "${NETBIRD_IDP_CLIENT_ID}", "Issuer": "${NETBIRD_AUTH_AUTHORITY}",
"ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}", "TokenEndpoint": "${NETBIRD_AUTH_TOKEN_ENDPOINT}",
"GrantType": "${NETBIRD_IDP_GRANT_TYPE}", "ClientID": "${NETBIRD_IDP_MGMT_CLIENT_ID}",
"Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}", "ClientSecret": "${NETBIRD_IDP_MGMT_CLIENT_SECRET}",
"AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}", "GrantType": "client_credentials"
"AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}", },
"TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}" "ExtraConfig": ${NETBIRD_IDP_MGMT_EXTRA_CONFIG:-null}
}
}, },
"DeviceAuthorizationFlow": { "DeviceAuthorizationFlow": {
"Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}", "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}",
"ProviderConfig": { "ProviderConfig": {
"Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}", "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}",
"AuthorizationEndpoint": "",
"Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
"ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}", "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}",
"DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}", "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}",
"Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
"TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}", "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}",
"Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}", "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}",
"UseIDToken": ${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false} "UseIDToken": ${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
} }
}, },
"Relay": { "PKCEAuthorizationFlow": {
"Addresses": ["${NETBIRD_RELAY_URI}"], "ProviderConfig": {
"CredentialsTTL": "24h", "Audience": "${NETBIRD_AUTH_PKCE_AUDIENCE}",
"Secret": "${NB_AUTH_SECRET}" "ClientID": "${NETBIRD_AUTH_CLIENT_ID}",
"ClientSecret": "${NETBIRD_AUTH_CLIENT_SECRET}",
"Domain": "",
"AuthorizationEndpoint": "${NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT}",
"TokenEndpoint": "${NETBIRD_AUTH_TOKEN_ENDPOINT}",
"Scope": "${NETBIRD_AUTH_SUPPORTED_SCOPES}",
"RedirectURLs": ${NETBIRD_AUTH_PKCE_REDIRECT_URLS},
"UseIDToken": ${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
}
} }
} }
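Review bot: `"RedirectURLs": ${NETBIRD_AUTH_PKCE_REDIRECT_URLS},` in the new PKCEAuthorizationFlow block is the only unquoted substitution in this hunk without a `:-` default; the sibling `ExtraConfig` and `UseIDToken` lines have one. If that variable is ever dropped from the config map, envsubst leaves `"RedirectURLs": ,` behind and the rendered management.json is no longer valid JSON, which only surfaces at the next pod start rather than at apply time; `"RedirectURLs": ${NETBIRD_AUTH_PKCE_REDIRECT_URLS:-[]},` would keep the file parseable. The same block reads `NETBIRD_AUTH_CLIENT_SECRET`, which, as far as this diff shows, no generator or secret provides, so `ClientSecret` renders as an empty string; that is plausible for a public PKCE client, but it deserves a note in the kustomization because the secret that used to hold a client secret is deleted in this commit. The enclosing top-level object starts before the first hunk.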


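--- a/<deployment-file-not-named-on-page>
+++ b/<deployment-file-not-named-on-page>
@@ -33,7 +33,7 @@ spec:
 args:
 - >
 go install github.com/drone/envsubst/cmd/envsubst@latest &&
-envsubst < /tmp/netbird/management.tmpl.json > /etc/netbird/management.json
+envsubst < /tmp/netbird/management.json.tmpl > /etc/netbird/management.json
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: false
@@ -45,14 +45,10 @@ spec:
 name: management-auth-config
 - configMapRef:
 name: management-connection-config
-- configMapRef:
-name: management-idp-config
 - secretRef:
 name: relay-secret
 - secretRef:
 name: coturn-credentials
-- secretRef:
-name: management-oidc-credentials
 volumeMounts:
 - name: config
 mountPath: /etc/netbird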
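Review bot: The command in the edited args scalar still runs `go install github.com/drone/envsubst/cmd/envsubst@latest` on every pod start, so rendering the management config depends on network access and on whatever the module proxy serves as latest at that moment, with no pinned version or checksum. Since this scalar is being touched for the path rename anyway, pin it, e.g. `go install github.com/drone/envsubst/cmd/envsubst@<pinned version>`, or build the binary into the image so the init step is reproducible offline. Note that the `:-` defaults the template relies on are a drone/envsubst feature, not gettext envsubst, which is worth a one-line comment above the scalar for whoever next swaps the tool. The container spec starts before the first hunk and the second hunk only drops the idp/oidc references.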


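--- a/<kustomization-file-not-named-on-page>
+++ b/<kustomization-file-not-named-on-page>
@@ -9,7 +9,8 @@ configMapGenerator:
 - name: management-config-template
 namespace: netbird
 files:
-- config/management.tmpl.json
+# https://github.com/netbirdio/netbird/blob/main/infrastructure_files/management.json.tmpl
+- config/management.json.tmpl
 - name: management-auth-config
 namespace: netbird
 literals:
@@ -22,6 +23,11 @@ configMapGenerator:
 - NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token"
 - NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
 - NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN="false"
+- NETBIRD_AUTH_AUDIENCE="netbird-dashboard"
+- NETBIRD_AUTH_PKCE_AUDIENCE="netbird-dashboard"
+- NETBIRD_AUTH_CLIENT_ID="netbird-dashboard"
+- NETBIRD_AUTH_PKCE_REDIRECT_URLS='[ "http://localhost:53000" ]'
+- NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access netbird-api"
 - name: management-connection-config
 namespace: netbird
 literals:
@@ -30,13 +36,6 @@ configMapGenerator:
 - NETBIRD_SIGNAL_PROTOCOL="https"
 - NETBIRD_STUN_URI="stun:coturn.stonegarden.dev:5349"
 - NETBIRD_TURN_URI="turn:coturn.stonegarden.dev:5349"
-- name: management-idp-config
-namespace: netbird
-literals:
-- NETBIRD_IDP_MANAGER_TYPE="keycloak"
-- NETBIRD_IDP_GRANT_TYPE="client_credentials"
-- NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT="https://keycloak.stonegarden.dev/admin/realms/homelab"
-- NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token"
 - name: management-runtime-config
 namespace: netbird
 literals:
@@ -52,5 +51,3 @@ resources:
 - svc.yaml
 - pvc.yaml
 - coturn-credentials.yaml
-- oidc-credentials.yaml
-- x-oidc-client.yaml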
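Review bot: The new management-auth-config literals add `NETBIRD_AUTH_CLIENT_ID` but no `NETBIRD_AUTH_CLIENT_SECRET`, which the PKCE block of the management template reads, so the rendered ClientSecret is empty and a reader will go looking for the oidc-credentials SealedSecret that this same commit deletes. If the netbird-dashboard client is intentionally public, say so next to the literals, e.g. `# netbird-dashboard is a public PKCE client; no NETBIRD_AUTH_CLIENT_SECRET by design`; if it is confidential, the secret needs a new secretRef in the deployment. `NETBIRD_AUTH_PKCE_REDIRECT_URLS='[ "http://localhost:53000" ]'` is the one literal here whose value is substituted unquoted into the template's JSON, so it must itself be a JSON array after whatever quoting kustomize keeps; a comment stating that would protect the next edit. The other hunks only drop the keycloak IdP generator and the two removed resource files and raise nothing further.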


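--- a/oidc-credentials.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-name: management-oidc-credentials
-namespace: netbird
-spec:
-encryptedData:
-NETBIRD_IDP_CLIENT_ID: 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
-NETBIRD_IDP_CLIENT_SECRET: AgC/4CORCns8DP1LECSTBvWrQn9M55ub+AWOutdQfn/8enikyc8Mhy2nvZa/anf56Gq3Xq899fxSnx7NgTyRRfkjkHf+uVWFtyusjzBD6RVIlYbFS+AG/7idQU05/+/wVI+fpZebmR/lTA3pm+vW/PeqGR41jMTVyRHjQw3/04ts1muk3ZCg2oXsrIRZtXTzq3PCsOuNug0jeZu0hohvFhp8sKTb6ltL4Y4bVQVFC7nwnSRtjvkVkG+PYUYYXGmkcwNEeZ5kOwQ1s5mRa3JtBwlZXyFOMe4QXcQQIaZmYL7aTTGUmxhlhnXs4qAnZA4bXzS4s30GeU2dNeGE2GSOLGtzaiXoJ/kCXzTsb0iqr1NMNQ8dfw2Y0GrYfDW6wP7+ymJjzUrYGvcidzslZlq1x9kBBXC5kvghCe5Q+TVCVrk3z7MNpGy98fYll3cnFnv2ljo+4gQO0N3oVa5SrjNn1VsN/yYdJsaGPz/goPQr6y4dT7nsG6c0uSl3VY0bOpkFJDPoSZaMWHVBvi/+3v8NPpo+ufJsBoWOayBCQ98cvxkyQwGe/feV55auooFPXtEW5mwmTtucWolng0+c+99GvYnpe5ffqmCJE0yCr2dxXbxCyV+lw9aP5ONt1S3R+5x/42kPW2CxR1Daymnz5+R9ypA8W0jHXcGcUOoAyTl675JG2B/O8FI6dIGU8dNFplvX2uI9rIrc6xSsfugJ3sZatHPrJz+/UhpFDQ6f6q30n+phv5CwjukhvqPK
-template:
-metadata:
-name: management-oidc-credentials
-namespace: netbird
-type: Opaque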


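--- a/x-oidc-client.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: oidc.homelab.olav.ninja/v1alpha1
-kind: XOidcClient
-metadata:
-name: netbird-backend
-spec:
-realm: homelab
-clientId: netbird-backend
-displayName: Netbird Backend
-description: Netbird Backend Client
-clientSecretSecretRef:
-name: management-oidc-credentials
-namespace: netbird
-key: NETBIRD_IDP_CLIENT_SECRET
-type: CONFIDENTIAL
-grantTypes:
-- client_credentials
-- code
-- device_code
-- password
-redirectUris:
-- "/*"
-webOrigins:
-- "+"
-serviceAccountRoles:
-- realm: homelab
-client: builtin-homelab-realm-management
-role: view-users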