feat(netbird): add relay service

This is a required step for solving #81 Netbird 0.29.0 added its own relay service based on websockets
2025-10-29 09:02:28 +00:00 · 2025-01-03 17:37:12 +01:00
parent 132df0aeda
commit aa1a078294
18 changed files with 254 additions and 15 deletions
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml
@@ -3,5 +3,3 @@ kind: Kustomization

 resources:
  - cloudflare
-  - netbird-dashboard
-  - netbird-backend
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - client.yaml
-  - credentials.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/kustomization.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - client.yaml
-  - scopes.yaml
--- a/k8s/infra/auth/keycloak/values.yaml
+++ b/k8s/infra/auth/keycloak/values.yaml
@@ -34,4 +34,3 @@ postgresql:
    persistence:
      enabled: true
      existingClaim: keycloak-postgres
-
--- a/k8s/infra/vpn/netbird/backend/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/backend/kustomization.yaml
@@ -4,6 +4,8 @@ namespace: netbird

 resources:
  - secret-coturn-credentials.yaml
+  - oidc-client.yaml
+  - oidc-credentials.yaml

 helmCharts:
  - name: netbird
@@ -14,6 +16,8 @@ helmCharts:
    valuesFile: values.yaml

 patches:
+  - path: patches/add-oidc-key-checker-sidecar.yaml
+  - path: patches/add-relay-config.yaml
  - path: patches/dns-management.yaml # resolve auth admin-endpoint to internal gateway
  - path: patches/deployment-strategy-management.yaml
  - path: patches/deployment-strategy-signal.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml
--- a/k8s/infra/vpn/netbird/backend/patches/add-oidc-key-checker-sidecar.yaml
+++ b/k8s/infra/vpn/netbird/backend/patches/add-oidc-key-checker-sidecar.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: netbird-backend-management
+spec:
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: netbird-management
+    spec:
+      containers:
+        - name: oidc-key-checker
+          image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.1.0 # renovate: docker=registry.gitlab.com/gitlab-ci-utils/curl-jq
+          command: ["/bin/bash"]
+          args:
+            - -c
+            - |
+              #!/bin/bash
+              OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json)
+              CHECK_INTERVAL="${CHECK_INTERVAL:-3600}"
+              KEYS_FILE="/data/oidc_keys.json"
+
+              fetch_keys() {
+                config=$(curl -s "$OIDC_ENDPOINT")
+                jwks_uri=$(echo "$config" | jq -r '.jwks_uri')
+                curl -s "$jwks_uri"
+              }
+
+              keys_changed() {
+                local new_keys="$1"
+                if [ ! -f "$KEYS_FILE" ]; then
+                  return 0
+                fi
+                local old_keys=$(cat "$KEYS_FILE")
+                [ "$new_keys" != "$old_keys" ]
+              }
+
+              restart_pod() {
+                echo "Restarting pod..."
+                kill 1
+              }
+
+              while true; do
+                echo "Fetching OIDC keys..."
+                new_keys=$(fetch_keys)
+
+                if keys_changed "$new_keys"; then
+                  echo "Keys have changed. Updating stored keys..."
+                  echo "$new_keys" > "$KEYS_FILE"
+                  restart_pod
+                else
+                  echo "Keys have not changed. No action required."
+                fi
+
+                echo "Sleeping for $CHECK_INTERVAL seconds..."
+                sleep "$CHECK_INTERVAL"
+              done
+          env:
+            - name: CHECK_INTERVAL
+              value: "900"
+          volumeMounts:
+            - name: config
+              mountPath: /etc/netbird
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: data
+          emptyDir: {}
--- a/k8s/infra/vpn/netbird/backend/patches/add-relay-config.yaml
+++ b/k8s/infra/vpn/netbird/backend/patches/add-relay-config.yaml
@@ -0,0 +1,92 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: netbird-backend-management
+data:
+  management.tmpl.json: |-
+    {
+        "Stuns": [
+            {
+                "Proto": "udp",
+                "URI": "${NETBIRD_STUN_URI}",
+                "Username": "",
+                "Password": null
+            }
+        ],
+        "TURNConfig": {
+            "Turns": [
+                {
+                    "Proto": "udp",
+                    "URI": "${NETBIRD_TURN_URI}",
+                    "Username": "${NETBIRD_TURN_USER}",
+                    "Password": "${NETBIRD_TURN_PASSWORD}"
+                }
+            ],
+            "CredentialsTTL": "12h",
+            "Secret": "secret",
+            "TimeBasedCredentials": false
+        },
+        "Signal": {
+            "Proto": "${NETBIRD_SIGNAL_PROTOCOL}",
+            "URI": "${NETBIRD_SIGNAL_URI}",
+            "Username": "",
+            "Password": null
+        },
+        "Datadir": "",
+        "HttpConfig": {
+            "Address": "0.0.0.0:80",
+            "AuthAudience": "${NETBIRD_AUTH_AUDIENCE}",
+            "AuthUserIDClaim": "${NETBIRD_AUTH_USER_ID_CLAIM:-sub}",
+            "CertFile": "${NETBIRD_MGMT_API_CERT_FILE}",
+            "CertKey": "${NETBIRD_MGMT_API_CERT_KEY_FILE}",
+            "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}"
+        },
+        "IdpManagerConfig": {
+            "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}",
+            "${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": {
+                "ClientID": "${NETBIRD_IDP_CLIENT_ID}",
+                "ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}",
+                "GrantType": "${NETBIRD_IDP_GRANT_TYPE}",
+                "Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}",
+                "AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}",
+                "AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}",
+                "TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}"
+            }
+        },
+        "DeviceAuthorizationFlow": {
+            "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}",
+            "ProviderConfig": {
+                "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}",
+                "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}",
+                "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}",
+                "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
+                "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}",
+                "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}",
+                "UseIDToken": ${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
+            }
+        },
+        "Relay": {
+            "Addresses": ["${NETBIRD_RELAY_URI}"],
+            "CredentialsTTL": "24h",
+            "Secret": "${NETBIRD_RELAY_SECRET}"
+        }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: netbird-backend-management
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: configure
+        env:
+        - name: NETBIRD_RELAY_URI
+          value: "rels://netbird.stonegarden.dev:443"
+        - name: NETBIRD_RELAY_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: authSecret
+              name: netbird-relay-credentials
--- a/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
@@ -2,6 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: netbird

+resources:
+  - oidc-client.yaml
+  - oidc-scopes.yaml
+
 helmCharts:
  - name: netbird-dashboard
    repo: https://charts.jaconi.io
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml
--- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml
+++ b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml
--- a/k8s/infra/vpn/netbird/http-route.yaml
+++ b/k8s/infra/vpn/netbird/http-route.yaml
@@ -19,6 +19,13 @@ spec:
        - path:
            type: PathPrefix
            value: /
+    - backendRefs:
+        - name: netbird-relay
+          port: 80
+      matches:
+          - path:
+              type: PathPrefix
+              value: /relay
    - backendRefs:
        - name: netbird-backend-management
          port: 80
--- a/k8s/infra/vpn/netbird/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/kustomization.yaml
@@ -8,3 +8,4 @@ resources:
  - backend
  - dashboard
  - agent
+  - relay
--- a/k8s/infra/vpn/netbird/relay/deployment.yaml
+++ b/k8s/infra/vpn/netbird/relay/deployment.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: netbird-relay
+  name: netbird-relay
+  namespace: netbird
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: netbird-relay
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: netbird-relay
+        app.kubernetes.io/name: netbird-relay
+    spec:
+      containers:
+        - image: netbirdio/relay:0.35.2 # renovate: docker=netbirdio/relay
+          imagePullPolicy: IfNotPresent
+          name: netbird-relay
+          envFrom:
+            - configMapRef:
+                name: relay-config
+          env:
+            - name: NB_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: authSecret
+                  name: netbird-relay-credentials
+          ports:
+            - containerPort: 80
+              name: relay
+              protocol: TCP
--- a/k8s/infra/vpn/netbird/relay/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/relay/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+  - name: relay-config
+    namespace: netbird
+    literals:
+      - NB_LOG_LEVEL="info"
+      - NB_LISTEN_ADDRESS=":80"
+      - NB_EXPOSED_ADDRESS="rels://netbird.stonegarden.dev:443"
+
+resources:
+  - deployment.yaml
+  - relay-secret.yaml
+  - svc.yaml
--- a/k8s/infra/vpn/netbird/relay/relay-secret.yaml
+++ b/k8s/infra/vpn/netbird/relay/relay-secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: netbird-relay-credentials
+  namespace: netbird
+spec:
+  encryptedData:
+    authSecret: AgDlKC3gbhSFPW3tiVh4ahfx0BH1g+K4yObYYaX0FHBcGH113Bbc4ZVawPS373mlTbnEgIEbWTo6iWBe/yZWVrdcbkBuDd4J6NvN9x6oCRIs+2KSLcyF8EReKxpFYsdBCufD6DpDKBej1gjrbLZeM0n068KphuKJ7BApC8sW2DJZyV/SK+K2P1AigzNr7xEWpf1e8l8hBBYLy2EJFYZ1Zc6mLSFfYEHjfNQC3G89ko+khiBfn8uhDP5mR+FkffRv/hBUgJypwFBZ+vBmS8G8RaisLA4rBGB8urE1oaLq6+AEkvBdw/4RoeVtE+WWWCX2Ejt+Cam25qxk35h4oMoayoftNEk+LP90PjDht9oMg7zop2wCLIXXv9b/5hB8s3zrsZ4v1RHUISJ7TIATquwPeaNFe1BnYqhf23MGj0By9rUYynJGHoKW/ram7Dk1uLZL0u5/mh/FtmS7SWzxxtUL/HStFPDEN4RgzDlcPtsEEmczzzcrF7lACMMBslZEB6GiOiqe0zpyN8ktSNZtR1cLJCc8KFYmbUYFlMLwzAJS7Ci+4KQTkADzUR50SPxxaz+LZjiNB1rKDp6HzE3DZR8mEGqv9OG4ntDcyynM7WN8Ub5WeMuJllpenBNsgvHtMxwk/O3HpBG0YA5oEIFJsJMxq8sKjSjbuqUv6Sm2vvWQPvEidsLnjB6TGyjkIIHsRWI8AlAAXD/bYkpvbXrSoOpTjKwwG4JFryuJYnimqEBUmk6hH8znyeQ=
+  template:
+    metadata:
+      name: netbird-relay-credentials
+      namespace: netbird
+    type: Opaque
--- a/k8s/infra/vpn/netbird/relay/svc.yaml
+++ b/k8s/infra/vpn/netbird/relay/svc.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: netbird-relay
+  namespace: netbird
+  labels:
+    app.kubernetes.io/name: netbird-relay
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: netbird-relay
+  ports:
+  - name: relay
+    port: 80
+    protocol: TCP
+    targetPort: 80