feat(netbird): configuring oidc-clients using new XOidcClient composition

k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml

@@ -3,5 +3,5 @@ kind: Kustomization
 
 resources:
   - cloudflare
-  - netbird
+  - netbird-dashboard
   - netbird-backend

k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml

@@ -1,25 +1,27 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: Client
+apiVersion: oidc.homelab.olav.ninja/v1alpha1
+kind: XOidcClient
 metadata:
   name: netbird-backend
 spec:
-  deletionPolicy: Delete
-  forProvider:
-    name: Netbird Backend
-    accessType: CONFIDENTIAL
   clientId: netbird-backend
   clientSecretSecretRef:
-      namespace: netbird
     name: netbird-backend-oidc-credentials
+    namespace: netbird
     key: clientSecret
   description: Netbird Backend Client
-    standardFlowEnabled: true
-    directAccessGrantsEnabled: true
-    serviceAccountsEnabled: true
-    oauth2DeviceAuthorizationGrantEnabled: true
-    validRedirectUris:
+  displayName: Netbird Backend
+  type: CONFIDENTIAL
+  grantTypes:
+    - client_credentials
+    - code
+    - device_code
+    - password
+  redirectUris:
     - "/*"
   webOrigins:
     - "+"
-    realmIdRef:
-      name: homelab
+  serviceAccountRoles:
+    - realm: homelab
+      client: builtin-homelab-realm-management
+      role: view-users
+  realm: homelab

k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml

@@ -4,4 +4,3 @@ kind: Kustomization
 resources:
   - client.yaml
   - credentials.yaml
-  - sa-role-view-users.yaml

k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/sa-role-view-users.yaml

@@ -1,13 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientServiceAccountRole
-metadata:
-  name: netbird-backend-view-users
-spec:
-  forProvider:
-    clientIdRef:
-      name: builtin-homelab-realm-management
-    realmIdRef:
-      name: homelab
-    role: view-users
-    serviceAccountUserClientIdRef:
-      name: netbird-backend

k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml

@@ -0,0 +1,30 @@
+apiVersion: oidc.homelab.olav.ninja/v1alpha1
+kind: XOidcClient
+metadata:
+  name: netbird
+spec:
+  displayName: Netbird
+  type: PUBLIC
+  clientId: netbird
+  description: Netbird Client
+  defaultScopes:
+    - acr
+    - basic
+    - email
+    - profile
+    - roles
+    - web-origins
+    - netbird-api
+  grantTypes:
+    - code
+    - device_code
+    - password
+  baseUrl: "https://netbird.stonegarden.dev"
+  postLogoutRedirectUris:
+    - "https://netbird.stonegarden.dev/*"
+  redirectUris:
+    - "http://localhost:53000"
+    - "https://netbird.stonegarden.dev/*"
+  webOrigins:
+    - "+"
+  realm: homelab

k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml

@@ -0,0 +1,11 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientScope
+metadata:
+  name: netbird-api
+spec:
+  forProvider:
+    name: netbird-api
+    consentScreenText: Netbird Management API
+    includeInTokenScope: true
+    realmIdRef:
+      name: homelab

k8s/infra/auth/keycloak-realms/homelab/clients/netbird/client.yaml

@@ -1,43 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: Client
-metadata:
-  name: netbird
-spec:
-  forProvider:
-    name: Netbird
-    accessType: PUBLIC
-    clientId: netbird
-    description: Netbird Client
-    standardFlowEnabled: true
-    directAccessGrantsEnabled: true
-    oauth2DeviceAuthorizationGrantEnabled: true
-    baseUrl: "https://netbird.stonegarden.dev"
-    validRedirectUris:
-      - "http://localhost:53000"
-      - "https://netbird.stonegarden.dev/*"
-    validPostLogoutRedirectUris:
-      - "https://netbird.stonegarden.dev/*"
-    webOrigins:
-      - "+"
-    realmIdRef:
-      name: homelab
----
-apiVersion: client.keycloak.crossplane.io/v1alpha1
-kind: ProtocolMapper
-metadata:
-  name: netbird-sub-mapper
-spec:
-  forProvider:
-    name: Username as sub claim
-    protocol: openid-connect
-    protocolMapper: oidc-usermodel-property-mapper
-    config:
-      user.attribute: username
-      claim.name: sub
-      id.token.claim: "true"
-      access.token.claim: "true"
-      userinfo.token.claim: "true"
-    clientIdRef:
-      name: netbird
-    realmIdRef:
-      name: homelab

k8s/infra/auth/keycloak-realms/homelab/clients/netbird/scopes.yaml

@@ -1,50 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientDefaultScopes
-metadata:
-  name: netbird-default-scopes
-spec:
-  forProvider:
-    defaultScopes:
-      - acr
-      - basic
-      - email
-      - profile
-      - roles
-      - web-origins
-      - netbird-api
-    clientIdRef:
-      name: netbird
-    realmIdRef:
-      name: homelab
----
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientScope
-metadata:
-  name: netbird-api
-spec:
-  forProvider:
-    name: netbird-api
-    consentScreenText: Netbird Management API
-    includeInTokenScope: true
-    realmIdRef:
-      name: homelab
----
-apiVersion: client.keycloak.crossplane.io/v1alpha1
-kind: ProtocolMapper
-metadata:
-  name: netbird-api-audience-mapper
-spec:
-  forProvider:
-    name: Audience for NetBird Management API
-    protocol: openid-connect
-    protocolMapper: oidc-audience-mapper
-    config:
-      included.client.audience: "netbird"
-      id.token.claim: "false"
-      access.token.claim: "true"
-      introspection.token.claim: "true"
-      userinfo.token.claim: "false"
-    clientScopeIdRef:
-      name: netbird-api
-    realmIdRef:
-      name: homelab