diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
index c64c8c2..8fce45b 100644
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
@@ -3,5 +3,5 @@ kind: Kustomization
 resources:
 - cloudflare
- - netbird
+ - netbird-dashboard
 - netbird-backend
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
index f5e6167..6a6e683 100644
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
@@ -1,25 +1,27 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: Client
+apiVersion: oidc.homelab.olav.ninja/v1alpha1
+kind: XOidcClient
 metadata:
 name: netbird-backend
 spec:
- deletionPolicy: Delete
- forProvider:
- name: Netbird Backend
- accessType: CONFIDENTIAL
- clientId: netbird-backend
- clientSecretSecretRef:
- namespace: netbird
- name: netbird-backend-oidc-credentials
- key: clientSecret
- description: Netbird Backend Client
- standardFlowEnabled: true
- directAccessGrantsEnabled: true
- serviceAccountsEnabled: true
- oauth2DeviceAuthorizationGrantEnabled: true
- validRedirectUris:
- - "/*"
- webOrigins:
- - "+"
- realmIdRef:
- name: homelab
+ clientId: netbird-backend
+ clientSecretSecretRef:
+ name: netbird-backend-oidc-credentials
+ namespace: netbird
+ key: clientSecret
+ description: Netbird Backend Client
+ displayName: Netbird Backend
+ type: CONFIDENTIAL
+ grantTypes:
+ - client_credentials
+ - code
+ - device_code
+ - password
+ redirectUris:
+ - "/*"
+ webOrigins:
+ - "+"
+ serviceAccountRoles:
+ - realm: homelab
+ client: builtin-homelab-realm-management
+ role: view-users
+ realm: homelab
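Review bot: The new `spec.grantTypes` for this CONFIDENTIAL client keeps `code` and `password` next to `client_credentials` and `device_code`, while its only redirect URI is the relative wildcard `"/*"` and `webOrigins` is `"+"`; the `view-users` entry under `serviceAccountRoles` suggests the backend mainly authenticates as its own service account, in which case the interactive grants and the wildcard redirect widen the client's exposure without a use. If no browser or ROPC login goes through this client, trim to `grantTypes: [client_credentials, device_code]` and either drop `redirectUris`/`webOrigins` or pin them to concrete URLs. The previous `deletionPolicy: Delete` does not appear in the XOidcClient spec; confirm whether the composition applies a deletion policy and record the intended lifecycle in a comment above `spec:` such as `# lifecycle of the underlying Keycloak client: <confirm composition default>`.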
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
index 9a68b72..cf883b1 100644
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
@@ -4,4 +4,3 @@ kind: Kustomization
 resources:
 - client.yaml
 - credentials.yaml
- - sa-role-view-users.yaml
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml
deleted file mode 100644
index 193397c..0000000
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientServiceAccountRole
-metadata:
- name: netbird-backend-view-users
-spec:
- forProvider:
- clientIdRef:
- name: builtin-homelab-realm-management
- realmIdRef:
- name: homelab
- role: view-users
- serviceAccountUserClientIdRef:
- name: netbird-backend
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml
new file mode 100644
index 0000000..f64e715
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml
@@ -0,0 +1,30 @@
+apiVersion: oidc.homelab.olav.ninja/v1alpha1
+kind: XOidcClient
+metadata:
+ name: netbird
+spec:
+ displayName: Netbird
+ type: PUBLIC
+ clientId: netbird
+ description: Netbird Client
+ defaultScopes:
+ - acr
+ - basic
+ - email
+ - profile
+ - roles
+ - web-origins
+ - netbird-api
+ grantTypes:
+ - code
+ - device_code
+ - password
+ baseUrl: "https://netbird.stonegarden.dev"
+ postLogoutRedirectUris:
+ - "https://netbird.stonegarden.dev/*"
+ redirectUris:
+ - "http://localhost:53000"
+ - "https://netbird.stonegarden.dev/*"
+ webOrigins:
+ - "+"
+ realm: homelab
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/kustomization.yaml
similarity index 100%
rename from k8s/infra/auth/keycloak-realms/homelab/clients/netbird/kustomization.yaml
rename to k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/kustomization.yaml
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml
new file mode 100644
index 0000000..7ef1385
--- /dev/null
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml
@@ -0,0 +1,11 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientScope
+metadata:
+ name: netbird-api
+spec:
+ forProvider:
+ name: netbird-api
+ consentScreenText: Netbird Management API
+ includeInTokenScope: true
+ realmIdRef:
+ name: homelab
\ No newline at end of file
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml
deleted file mode 100644
index 33f15ff..0000000
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml
+++ /dev/null
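Review bot: `grantTypes` on this `type: PUBLIC` client includes `password`, which lets a holder of a user's realm credentials obtain `netbird` tokens outside the browser authentication flow (and outside any step-up or MFA configured there); the old Client carried the same `directAccessGrantsEnabled: true`, but this rewrite is the point to drop it if nothing still depends on it, since `code` with the loopback `"http://localhost:53000"` redirect plus `device_code` already covers the dashboard and CLI login paths. The deleted `netbird/client.yaml` also held the `netbird-sub-mapper` ProtocolMapper (username as the `sub` claim), and nothing in this file recreates it; unless the XOidcClient composition adds such a mapper, `sub` reverts to Keycloak's internal user id, which changes the identity NetBird sees for every user. Confirm that is intended or re-add the mapper as a second document next to this client, and note the decision in a comment above `grantTypes:`.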
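Review bot: This `scopes.yaml` recreates the `netbird-api` ClientScope but not the `netbird-api-audience-mapper` ProtocolMapper that the deleted `netbird/scopes.yaml` attached to it (`oidc-audience-mapper`, `included.client.audience: "netbird"`, access and introspection tokens only); without it, tokens issued with this scope carry no `netbird` audience, so a resource server that validates `aud` rejects them and one that skips the check accepts tokens not bound to it. Unless the XOidcClient composition provides the mapper, re-add the removed ProtocolMapper document to this file with `clientScopeIdRef` pointing at `netbird-api`. The file also ends with `\ No newline at end of file`; add the trailing newline to match the rest of the tree.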
@@ -1,43 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: Client
-metadata:
- name: netbird
-spec:
- forProvider:
- name: Netbird
- accessType: PUBLIC
- clientId: netbird
- description: Netbird Client
- standardFlowEnabled: true
- directAccessGrantsEnabled: true
- oauth2DeviceAuthorizationGrantEnabled: true
- baseUrl: "https://netbird.stonegarden.dev"
- validRedirectUris:
- - "http://localhost:53000"
- - "https://netbird.stonegarden.dev/*"
- validPostLogoutRedirectUris:
- - "https://netbird.stonegarden.dev/*"
- webOrigins:
- - "+"
- realmIdRef:
- name: homelab
----
-apiVersion: client.keycloak.crossplane.io/v1alpha1
-kind: ProtocolMapper
-metadata:
- name: netbird-sub-mapper
-spec:
- forProvider:
- name: Username as sub claim
- protocol: openid-connect
- protocolMapper: oidc-usermodel-property-mapper
- config:
- user.attribute: username
- claim.name: sub
- id.token.claim: "true"
- access.token.claim: "true"
- userinfo.token.claim: "true"
- clientIdRef:
- name: netbird
- realmIdRef:
- name: homelab
diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml
deleted file mode 100644
index aea2e7b..0000000
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientDefaultScopes
-metadata:
- name: netbird-default-scopes
-spec:
- forProvider:
- defaultScopes:
- - acr
- - basic
- - email
- - profile
- - roles
- - web-origins
- - netbird-api
- clientIdRef:
- name: netbird
- realmIdRef:
- name: homelab
----
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientScope
-metadata:
- name: netbird-api
-spec:
- forProvider:
- name: netbird-api
- consentScreenText: Netbird Management API
- includeInTokenScope: true
- realmIdRef:
- name: homelab
----
-apiVersion: client.keycloak.crossplane.io/v1alpha1
-kind: ProtocolMapper
-metadata:
- name: netbird-api-audience-mapper
-spec:
- forProvider:
- name: Audience for NetBird Management API
- protocol: openid-connect
- protocolMapper: oidc-audience-mapper
- config:
- included.client.audience: "netbird"
- id.token.claim: "false"
- access.token.claim: "true"
- introspection.token.claim: "true"
- userinfo.token.claim: "false"
- clientScopeIdRef:
- name: netbird-api
- realmIdRef:
- name: homelab