diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml index 8fce45b..b30b0cb 100644 --- a/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml +++ b/k8s/infra/auth/keycloak-realms/homelab/clients/kustomization.yaml @@ -3,5 +3,3 @@ kind: Kustomization resources: - cloudflare - - netbird-dashboard - - netbird-backend diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml deleted file mode 100644 index cf883b1..0000000 --- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - client.yaml - - credentials.yaml diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/kustomization.yaml b/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/kustomization.yaml deleted file mode 100644 index c4e5a05..0000000 --- a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - client.yaml - - scopes.yaml diff --git a/k8s/infra/auth/keycloak/values.yaml b/k8s/infra/auth/keycloak/values.yaml index eb6c035..a66d476 100644 --- a/k8s/infra/auth/keycloak/values.yaml +++ b/k8s/infra/auth/keycloak/values.yaml @@ -34,4 +34,3 @@ postgresql: persistence: enabled: true existingClaim: keycloak-postgres - diff --git a/k8s/infra/vpn/netbird/backend/kustomization.yaml b/k8s/infra/vpn/netbird/backend/kustomization.yaml index 1c95899..2ed0e19 100644 --- a/k8s/infra/vpn/netbird/backend/kustomization.yaml +++ b/k8s/infra/vpn/netbird/backend/kustomization.yaml 
@@ -4,6 +4,8 @@ namespace: netbird resources: - secret-coturn-credentials.yaml + - oidc-client.yaml + - oidc-credentials.yaml helmCharts: - name: netbird @@ -14,6 +16,8 @@ helmCharts: valuesFile: values.yaml patches: + - path: patches/add-oidc-key-checker-sidecar.yaml + - path: patches/add-relay-config.yaml - path: patches/dns-management.yaml # resolve auth admin-endpoint to internal gateway - path: patches/deployment-strategy-management.yaml - path: patches/deployment-strategy-signal.yaml diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml b/k8s/infra/vpn/netbird/backend/oidc-client.yaml similarity index 100% rename from k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/client.yaml rename to k8s/infra/vpn/netbird/backend/oidc-client.yaml diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml b/k8s/infra/vpn/netbird/backend/oidc-credentials.yaml similarity index 100% rename from k8s/infra/auth/keycloak-realms/homelab/clients/netbird-backend/credentials.yaml rename to k8s/infra/vpn/netbird/backend/oidc-credentials.yaml diff --git a/k8s/infra/vpn/netbird/backend/patches/add-oidc-key-checker-sidecar.yaml b/k8s/infra/vpn/netbird/backend/patches/add-oidc-key-checker-sidecar.yaml new file mode 100644 index 0000000..35466f8 --- /dev/null +++ b/k8s/infra/vpn/netbird/backend/patches/add-oidc-key-checker-sidecar.yaml 
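Review bot: `oidc-client.yaml` and `oidc-credentials.yaml` are now built under a kustomization that sets `namespace: netbird`, so kustomize's namespace transformer stamps both Keycloak resources into `netbird` regardless of any namespace they carry in the file. If the operator reconciling the client CR is namespace-scoped to the auth tree it will stop seeing it, and the credentials file (presumably a Secret or SealedSecret) now lands next to the management deployment rather than with the realm; that may well be the intent, since the renamed files are unchanged and the management container consumes the client secret, but it is not stated anywhere. I'd add `# moved from keycloak-realms/homelab/clients; the namespace transformer places these in netbird` above the two entries. The dashboard/kustomization.yaml hunk adding `oidc-client.yaml` and `oidc-scopes.yaml` has the same question.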
@@ -0,0 +1,68 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbird-backend-management +spec: + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: netbird-management + spec: + containers: + - name: oidc-key-checker + image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.1.0 # renovate: docker=registry.gitlab.com/gitlab-ci-utils/curl-jq + command: ["/bin/bash"] + args: + - -c + - | + #!/bin/bash + OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json) + CHECK_INTERVAL="${CHECK_INTERVAL:-3600}" + KEYS_FILE="/data/oidc_keys.json" + + fetch_keys() { + config=$(curl -s "$OIDC_ENDPOINT") + jwks_uri=$(echo "$config" | jq -r '.jwks_uri') + curl -s "$jwks_uri" + } + + keys_changed() { + local new_keys="$1" + if [ ! -f "$KEYS_FILE" ]; then + return 0 + fi + local old_keys=$(cat "$KEYS_FILE") + [ "$new_keys" != "$old_keys" ] + } + + restart_pod() { + echo "Restarting pod..." + kill 1 + } + + while true; do + echo "Fetching OIDC keys..." + new_keys=$(fetch_keys) + + if keys_changed "$new_keys"; then + echo "Keys have changed. Updating stored keys..." + echo "$new_keys" > "$KEYS_FILE" + restart_pod + else + echo "Keys have not changed. No action required." + fi + + echo "Sleeping for $CHECK_INTERVAL seconds..." + sleep "$CHECK_INTERVAL" + done + env: + - name: CHECK_INTERVAL + value: "900" + volumeMounts: + - name: config + mountPath: /etc/netbird + - name: data + mountPath: /data + volumes: + - name: data + emptyDir: {} diff --git a/k8s/infra/vpn/netbird/backend/patches/add-relay-config.yaml b/k8s/infra/vpn/netbird/backend/patches/add-relay-config.yaml new file mode 100644 index 0000000..68f6a34 --- /dev/null +++ b/k8s/infra/vpn/netbird/backend/patches/add-relay-config.yaml 
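Review bot: `kill 1` in `restart_pod` cannot restart netbird-management as written: without `shareProcessNamespace: true` (not set by this patch; it may come from the chart, which I can't see) PID 1 is the sidecar's own bash, whose default-disposition SIGTERM is ignored by the kernel for PID 1, and with a shared PID namespace PID 1 is the pause container, so the signal would have to target the management process by name instead. `fetch_keys` also calls `curl -s` without `-f`, so an unreachable IdP or a non-2xx response yields an empty or error-body `new_keys`, `keys_changed` reports a change, and the management container gets restarted on every `CHECK_INTERVAL` until the IdP recovers — an IdP outage turns into a VPN control-plane outage. Since `KEYS_FILE` sits on an emptyDir it never exists on a freshly scheduled pod, so the first iteration restarts unconditionally rather than just seeding the file. I'd fail closed on fetch errors, seed without restarting, and make the restart target explicit, roughly:
```yaml
spec:
  template:
    spec:
      shareProcessNamespace: true  # lets the sidecar signal the management process
      containers:
        - name: oidc-key-checker
          # … unchanged: image, command, env, volumeMounts …
          args:
            - -c
            - |
              #!/bin/bash
              # … unchanged: OIDC_ENDPOINT, CHECK_INTERVAL, KEYS_FILE …

              fetch_keys() {
                config=$(curl -fsS "$OIDC_ENDPOINT") || return 1
                jwks_uri=$(printf '%s' "$config" | jq -er '.jwks_uri') || return 1
                curl -fsS "$jwks_uri"
              }

              # … unchanged: keys_changed …

              restart_pod() {
                echo "Restarting management process..."
                # With shareProcessNamespace PID 1 is the pause container, so signal
                # the management binary by name (confirm the name against the image).
                pkill -TERM -f '<MANAGEMENT_PROCESS_NAME placeholder>'
              }

              while true; do
                echo "Fetching OIDC keys..."
                if ! new_keys=$(fetch_keys) || [ -z "$new_keys" ]; then
                  echo "Could not fetch OIDC keys; keeping current state."
                elif [ ! -f "$KEYS_FILE" ]; then
                  echo "Seeding stored keys without restart..."
                  echo "$new_keys" > "$KEYS_FILE"
                elif keys_changed "$new_keys"; then
                  echo "Keys have changed. Updating stored keys..."
                  echo "$new_keys" > "$KEYS_FILE"
                  restart_pod
                else
                  echo "Keys have not changed. No action required."
                fi

                echo "Sleeping for $CHECK_INTERVAL seconds..."
                sleep "$CHECK_INTERVAL"
              done
```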
@@ -0,0 +1,92 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: netbird-backend-management +data: + management.tmpl.json: |- + { + "Stuns": [ + { + "Proto": "udp", + "URI": "${NETBIRD_STUN_URI}", + "Username": "", + "Password": null + } + ], + "TURNConfig": { + "Turns": [ + { + "Proto": "udp", + "URI": "${NETBIRD_TURN_URI}", + "Username": "${NETBIRD_TURN_USER}", + "Password": "${NETBIRD_TURN_PASSWORD}" + } + ], + "CredentialsTTL": "12h", + "Secret": "secret", + "TimeBasedCredentials": false + }, + "Signal": { + "Proto": "${NETBIRD_SIGNAL_PROTOCOL}", + "URI": "${NETBIRD_SIGNAL_URI}", + "Username": "", + "Password": null + }, + "Datadir": "", + "HttpConfig": { + "Address": "0.0.0.0:80", + "AuthAudience": "${NETBIRD_AUTH_AUDIENCE}", + "AuthUserIDClaim": "${NETBIRD_AUTH_USER_ID_CLAIM:-sub}", + "CertFile": "${NETBIRD_MGMT_API_CERT_FILE}", + "CertKey": "${NETBIRD_MGMT_API_CERT_KEY_FILE}", + "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" + }, + "IdpManagerConfig": { + "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}", + "${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": { + "ClientID": "${NETBIRD_IDP_CLIENT_ID}", + "ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}", + "GrantType": "${NETBIRD_IDP_GRANT_TYPE}", + "Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}", + "AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}", + "AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}", + "TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}" + } + }, + "DeviceAuthorizationFlow": { + "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}", + "ProviderConfig": { + "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}", + "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}", + "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}", + "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}", + "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}", + "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}", + "UseIDToken": 
${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false} + } + }, + "Relay": { + "Addresses": ["${NETBIRD_RELAY_URI}"], + "CredentialsTTL": "24h", + "Secret": "${NETBIRD_RELAY_SECRET}" + } + } +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbird-backend-management +spec: + template: + spec: + initContainers: + - name: configure + env: + - name: NETBIRD_RELAY_URI + value: "rels://netbird.stonegarden.dev:443" + - name: NETBIRD_RELAY_SECRET + valueFrom: + secretKeyRef: + key: authSecret + name: netbird-relay-credentials diff --git a/k8s/infra/vpn/netbird/dashboard/kustomization.yaml b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml index 76fbb0a..ac34e96 100644 --- a/k8s/infra/vpn/netbird/dashboard/kustomization.yaml +++ b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml @@ -2,6 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: netbird +resources: + - oidc-client.yaml + - oidc-scopes.yaml + helmCharts: - name: netbird-dashboard repo: https://charts.jaconi.io diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml b/k8s/infra/vpn/netbird/dashboard/oidc-client.yaml similarity index 100% rename from k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/client.yaml rename to k8s/infra/vpn/netbird/dashboard/oidc-client.yaml diff --git a/k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml b/k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml similarity index 100% rename from k8s/infra/auth/keycloak-realms/homelab/clients/netbird-dashboard/scopes.yaml rename to k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml diff --git a/k8s/infra/vpn/netbird/http-route.yaml b/k8s/infra/vpn/netbird/http-route.yaml index 4ae1499..fe9bd25 100644 --- a/k8s/infra/vpn/netbird/http-route.yaml +++ b/k8s/infra/vpn/netbird/http-route.yaml 
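Review bot: The relay address `rels://netbird.stonegarden.dev:443` is now a literal in two places — `NETBIRD_RELAY_URI` on the `configure` init container here and `NB_EXPOSED_ADDRESS` in relay/kustomization.yaml's configMapGenerator — so the address the management server advertises to peers and the address the relay believes it is exposed on can drift apart silently. A single source (one literal plus a kustomize `replacements` entry in the parent kustomization, or a shared ConfigMap read via `configMapKeyRef`) would keep them aligned. This ConfigMap also appears to replace the chart's whole `management.tmpl.json` rather than adding only the `Relay` stanza, so upstream template changes will be masked until someone re-copies it; a header comment `# full copy of the chart's management.tmpl.json plus the Relay block — re-sync on chart upgrades` would make that explicit. The patch assumes the chart's init container is named `configure` and performs the `${VAR}` substitution, which I can't verify from this diff.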
@@ -19,6 +19,13 @@ spec: - path: type: PathPrefix value: / + - backendRefs: + - name: netbird-relay + port: 80 + matches: + - path: + type: PathPrefix + value: /relay - backendRefs: - name: netbird-backend-management port: 80 diff --git a/k8s/infra/vpn/netbird/kustomization.yaml b/k8s/infra/vpn/netbird/kustomization.yaml index 2496003..6ce285b 100644 --- a/k8s/infra/vpn/netbird/kustomization.yaml +++ b/k8s/infra/vpn/netbird/kustomization.yaml @@ -8,3 +8,4 @@ resources: - backend - dashboard - agent + - relay diff --git a/k8s/infra/vpn/netbird/relay/deployment.yaml b/k8s/infra/vpn/netbird/relay/deployment.yaml new file mode 100644 index 0000000..e7a2b00 --- /dev/null +++ b/k8s/infra/vpn/netbird/relay/deployment.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: netbird-relay + name: netbird-relay + namespace: netbird +spec: + selector: + matchLabels: + app.kubernetes.io/name: netbird-relay + template: + metadata: + labels: + app.kubernetes.io/instance: netbird-relay + app.kubernetes.io/name: netbird-relay + spec: + containers: + - image: netbirdio/relay:0.35.2 # renovate: docker=netbirdio/relay + imagePullPolicy: IfNotPresent + name: netbird-relay + envFrom: + - configMapRef: + name: relay-config + env: + - name: NB_AUTH_SECRET + valueFrom: + secretKeyRef: + key: authSecret + name: netbird-relay-credentials + ports: + - containerPort: 80 + name: relay + protocol: TCP diff --git a/k8s/infra/vpn/netbird/relay/kustomization.yaml b/k8s/infra/vpn/netbird/relay/kustomization.yaml new file mode 100644 index 0000000..9f9967f --- /dev/null +++ b/k8s/infra/vpn/netbird/relay/kustomization.yaml 
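Review bot: The relay container has no `securityContext`, no `resources` and no probes, although it is the one new component reachable from outside through the `/relay` HTTPRoute and it holds `NB_AUTH_SECRET`. I'd at least add `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and `runAsNonRoot: true` (the last only if the image or a `runAsUser` provides a non-root UID — not visible here), and because `NB_LISTEN_ADDRESS` is `:80`, either add back `NET_BIND_SERVICE` or move the listen port above 1024 and adjust `containerPort`/`targetPort`. A readiness probe on the relay port would also stop the Service from routing to a pod that has not bound yet.
```yaml
      containers:
        - image: netbirdio/relay:0.35.2 # renovate: docker=netbirdio/relay
          # … unchanged: imagePullPolicy, name, envFrom, env, ports …
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true  # requires a non-root UID from the image or runAsUser
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]  # only because NB_LISTEN_ADDRESS is ":80"
          readinessProbe:
            tcpSocket:
              port: relay
          resources:
            requests:
              cpu: "<cpu-request placeholder>"
              memory: "<memory-request placeholder>"
```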
@@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +configMapGenerator: + - name: relay-config + namespace: netbird + literals: + - NB_LOG_LEVEL="info" + - NB_LISTEN_ADDRESS=":80" + - NB_EXPOSED_ADDRESS="rels://netbird.stonegarden.dev:443" + +resources: + - deployment.yaml + - relay-secret.yaml + - svc.yaml diff --git a/k8s/infra/vpn/netbird/relay/relay-secret.yaml b/k8s/infra/vpn/netbird/relay/relay-secret.yaml new file mode 100644 index 0000000..2c05688 --- /dev/null +++ b/k8s/infra/vpn/netbird/relay/relay-secret.yaml @@ -0,0 +1,13 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: netbird-relay-credentials + namespace: netbird +spec: + encryptedData: + authSecret: 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 + template: + metadata: + name: netbird-relay-credentials + namespace: netbird + type: Opaque diff --git a/k8s/infra/vpn/netbird/relay/svc.yaml b/k8s/infra/vpn/netbird/relay/svc.yaml new file mode 100644 index 0000000..72bece6 --- /dev/null +++ b/k8s/infra/vpn/netbird/relay/svc.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: netbird-relay + namespace: netbird + labels: + app.kubernetes.io/name: netbird-relay +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: netbird-relay + ports: + - name: relay + port: 80 + protocol: TCP + targetPort: 80
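Review bot: The configMapGenerator literals carry quotes inside a plain YAML scalar (`NB_LOG_LEVEL="info"`), so as far as YAML is concerned the double quotes are characters of the value; kustomize's literal parser trims surrounding quotes as far as I know, which makes them harmless but misleading, and the unquoted form `- NB_LOG_LEVEL=info`, `- NB_LISTEN_ADDRESS=:80`, `- NB_EXPOSED_ADDRESS=rels://netbird.stonegarden.dev:443` states the intent without relying on that trimming. Worth checking the rendered ConfigMap once with `kustomize build` to confirm the values reach the relay without stray quotes.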