scottk/homelab
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/homelab.git synced 2025-11-04 03:47:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(netbird): remove idp-integration

Browse Source 
IDP integration is not needed. Removing it might allow Authelia-integration
This commit is contained in:
Vegard Hagen
2025-01-08 19:41:17 +01:00
parent 2ec6244fca
commit 037fc29129
5 changed files with 36 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
k8s/infra/vpn/netbird/management/config/management.tmpl.json → k8s/infra/vpn/netbird/management/config/management.json.tmpl
View File

@@ -20,6 +20,11 @@
"Secret": "secret",
"TimeBasedCredentials": false
},
"Relay": {
"Addresses": ["${NETBIRD_RELAY_URI}"],
"CredentialsTTL": "24h",
"Secret": "${NB_AUTH_SECRET}"
},
"Signal": {
"Proto": "${NETBIRD_SIGNAL_PROTOCOL}",
"URI": "${NETBIRD_SIGNAL_URI}",
@@ -36,32 +41,40 @@
"OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}"
},
"IdpManagerConfig": {
"ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}",
"${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": {
"ClientID": "${NETBIRD_IDP_CLIENT_ID}",
"ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}",
"GrantType": "${NETBIRD_IDP_GRANT_TYPE}",
"Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}",
"AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}",
"AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}",
"TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}"
}
"ManagerType": "${NETBIRD_IDP_MANAGER_TYPE:-none}",
"ClientConfig": {
"Issuer": "${NETBIRD_AUTH_AUTHORITY}",
"TokenEndpoint": "${NETBIRD_AUTH_TOKEN_ENDPOINT}",
"ClientID": "${NETBIRD_IDP_MGMT_CLIENT_ID}",
"ClientSecret": "${NETBIRD_IDP_MGMT_CLIENT_SECRET}",
"GrantType": "client_credentials"
},
"ExtraConfig": ${NETBIRD_IDP_MGMT_EXTRA_CONFIG:-null}
},
"DeviceAuthorizationFlow": {
"Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}",
"ProviderConfig": {
"Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}",
"AuthorizationEndpoint": "",
"Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
"ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}",
"DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}",
"Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
"TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}",
"Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}",
"UseIDToken": ${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
}
},
"Relay": {
"Addresses": ["${NETBIRD_RELAY_URI}"],
"CredentialsTTL": "24h",
"Secret": "${NB_AUTH_SECRET}"
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"Audience": "${NETBIRD_AUTH_PKCE_AUDIENCE}",
"ClientID": "${NETBIRD_AUTH_CLIENT_ID}",
"ClientSecret": "${NETBIRD_AUTH_CLIENT_SECRET}",
"Domain": "",
"AuthorizationEndpoint": "${NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT}",
"TokenEndpoint": "${NETBIRD_AUTH_TOKEN_ENDPOINT}",
"Scope": "${NETBIRD_AUTH_SUPPORTED_SCOPES}",
"RedirectURLs": ${NETBIRD_AUTH_PKCE_REDIRECT_URLS},
"UseIDToken": ${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
}
}
}

6
k8s/infra/vpn/netbird/management/deployment.yaml
View File

@@ -33,7 +33,7 @@ spec:
args:
- >
go install github.com/drone/envsubst/cmd/envsubst@latest &&
envsubst < /tmp/netbird/management.tmpl.json > /etc/netbird/management.json
envsubst < /tmp/netbird/management.json.tmpl > /etc/netbird/management.json
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
@@ -45,14 +45,10 @@ spec:
name: management-auth-config
- configMapRef:
name: management-connection-config
- configMapRef:
name: management-idp-config
- secretRef:
name: relay-secret
- secretRef:
name: coturn-credentials
- secretRef:
name: management-oidc-credentials
volumeMounts:
- name: config
mountPath: /etc/netbird

17
k8s/infra/vpn/netbird/management/kustomization.yaml
View File

@@ -9,7 +9,8 @@ configMapGenerator:
- name: management-config-template
namespace: netbird
files:
- config/management.tmpl.json
# https://github.com/netbirdio/netbird/blob/main/infrastructure_files/management.json.tmpl
- config/management.json.tmpl
- name: management-auth-config
namespace: netbird
literals:
@@ -22,6 +23,11 @@ configMapGenerator:
- NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token"
- NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
- NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN="false"
- NETBIRD_AUTH_AUDIENCE="netbird-dashboard"
- NETBIRD_AUTH_PKCE_AUDIENCE="netbird-dashboard"
- NETBIRD_AUTH_CLIENT_ID="netbird-dashboard"
- NETBIRD_AUTH_PKCE_REDIRECT_URLS='[ "http://localhost:53000" ]'
- NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access netbird-api"
- name: management-connection-config
namespace: netbird
literals:
@@ -30,13 +36,6 @@ configMapGenerator:
- NETBIRD_SIGNAL_PROTOCOL="https"
- NETBIRD_STUN_URI="stun:coturn.stonegarden.dev:5349"
- NETBIRD_TURN_URI="turn:coturn.stonegarden.dev:5349"
- name: management-idp-config
namespace: netbird
literals:
- NETBIRD_IDP_MANAGER_TYPE="keycloak"
- NETBIRD_IDP_GRANT_TYPE="client_credentials"
- NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT="https://keycloak.stonegarden.dev/admin/realms/homelab"
- NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token"
- name: management-runtime-config
namespace: netbird
literals:
@@ -52,5 +51,3 @@ resources:
- svc.yaml
- pvc.yaml
- coturn-credentials.yaml
- oidc-credentials.yaml
- x-oidc-client.yaml

14
k8s/infra/vpn/netbird/management/oidc-credentials.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: management-oidc-credentials
namespace: netbird
spec:
encryptedData:
NETBIRD_IDP_CLIENT_ID: AgAkra1TkcaYxb/u9w5HSla/HqJWNeQCFVGPf5R358fl/MtSJQbmPOzJahWw3l+Ewm3ndJcXmK2e786+p8oCTogNdCg9ybo0gXNbcCkZ2DfKfowCKqHEkAvNDNY9ht9sTr8u+zJwmv3ntsifVpfpqx4uAb3lfGMm83Kinan6iMBA7k50TGjcTlTHdBew62TYn4+0D2QzMXhq+ZXA4vWv+Igc8riJcVjo+j3wEmGoAGFNnW/MgJA9OGBsfsr7BAfv6sFskyu8mloAB6FkhSvjv+hlNWNnsc24eNPRSHyO0mdoAcRG/2u/5yCHWbFklansPVT3txwgVE7sE5gjOcYbNMVIsoCL5qBz4LV06NlG2mAjRYL+FzGYptRczXfwZ1oUoyh+yVu6/gfy5Xm5ikuOaRzBDYuUWzjVyaW2CkqjyS8cSkRs+GXn1oXff4sH+l+G4lAAc619AY2AcE7Hx3ojkEywg9hLjs5egCITF6ZWYyqOslNfCkNtHE1240SXQvzgM+48rwX+vf7RB3Mx2rPJtdLzS6/nLGhOARulbnqRXwroP03Lc2ixJMsuB06gXYZSyzMrotz6fHUuVlkTAu0pog287OslP5p37F+NSmGr3hwg68hwFLUbsux343WnVsfvoE+5UUoPpZytivUpC+ftS77xC8luhvffCl/5sJfxv+nZkoz4SmAVsoL5vwr0Dzd4el4QC5eFW3h10OS1A+YmtNg=
NETBIRD_IDP_CLIENT_SECRET: AgC/4CORCns8DP1LECSTBvWrQn9M55ub+AWOutdQfn/8enikyc8Mhy2nvZa/anf56Gq3Xq899fxSnx7NgTyRRfkjkHf+uVWFtyusjzBD6RVIlYbFS+AG/7idQU05/+/wVI+fpZebmR/lTA3pm+vW/PeqGR41jMTVyRHjQw3/04ts1muk3ZCg2oXsrIRZtXTzq3PCsOuNug0jeZu0hohvFhp8sKTb6ltL4Y4bVQVFC7nwnSRtjvkVkG+PYUYYXGmkcwNEeZ5kOwQ1s5mRa3JtBwlZXyFOMe4QXcQQIaZmYL7aTTGUmxhlhnXs4qAnZA4bXzS4s30GeU2dNeGE2GSOLGtzaiXoJ/kCXzTsb0iqr1NMNQ8dfw2Y0GrYfDW6wP7+ymJjzUrYGvcidzslZlq1x9kBBXC5kvghCe5Q+TVCVrk3z7MNpGy98fYll3cnFnv2ljo+4gQO0N3oVa5SrjNn1VsN/yYdJsaGPz/goPQr6y4dT7nsG6c0uSl3VY0bOpkFJDPoSZaMWHVBvi/+3v8NPpo+ufJsBoWOayBCQ98cvxkyQwGe/feV55auooFPXtEW5mwmTtucWolng0+c+99GvYnpe5ffqmCJE0yCr2dxXbxCyV+lw9aP5ONt1S3R+5x/42kPW2CxR1Daymnz5+R9ypA8W0jHXcGcUOoAyTl675JG2B/O8FI6dIGU8dNFplvX2uI9rIrc6xSsfugJ3sZatHPrJz+/UhpFDQ6f6q30n+phv5CwjukhvqPK
template:
metadata:
name: management-oidc-credentials
namespace: netbird
type: Opaque

27
k8s/infra/vpn/netbird/management/x-oidc-client.yaml
View File

@@ -1,27 +0,0 @@
apiVersion: oidc.homelab.olav.ninja/v1alpha1
kind: XOidcClient
metadata:
name: netbird-backend
spec:
realm: homelab
clientId: netbird-backend
displayName: Netbird Backend
description: Netbird Backend Client
clientSecretSecretRef:
name: management-oidc-credentials
namespace: netbird
key: NETBIRD_IDP_CLIENT_SECRET
type: CONFIDENTIAL
grantTypes:
- client_credentials
- code
- device_code
- password
redirectUris:
- "/*"
webOrigins:
- "+"
serviceAccountRoles:
- realm: homelab
client: builtin-homelab-realm-management
role: view-users