fix(netbird): clean up configuration
12
k8s/infra/auth/authelia/clients/argocd.yaml
Normal file
12
k8s/infra/auth/authelia/clients/argocd.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: client-argocd
|
||||
namespace: authelia
|
||||
spec:
|
||||
encryptedData:
|
||||
clientSecret: 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
|
||||
template:
|
||||
metadata:
|
||||
name: client-argocd
|
||||
namespace: authelia
|
||||
12
k8s/infra/auth/authelia/clients/netbird.yaml
Normal file
12
k8s/infra/auth/authelia/clients/netbird.yaml
Normal file
@@ -0,0 +1,12 @@
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: client-netbird
|
||||
namespace: authelia
|
||||
spec:
|
||||
encryptedData:
|
||||
clientSecret: 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
|
||||
template:
|
||||
metadata:
|
||||
name: client-netbird
|
||||
namespace: authelia
|
||||
@@ -8,9 +8,10 @@ resources:
|
||||
- lldap-credentials.yaml
|
||||
- cert-rsa-jwk.yaml
|
||||
- cert-ecdsa-jwk.yaml
|
||||
- oidc-argocd.yaml
|
||||
- http-route.yaml
|
||||
- cnpg-db.yaml
|
||||
- clients/argocd.yaml
|
||||
- clients/netbird.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: authelia
|
||||
|
||||
@@ -1,12 +0,0 @@
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: oidc-argocd
|
||||
namespace: authelia
|
||||
spec:
|
||||
encryptedData:
|
||||
clientSecret: AgAyU25VXv6Y6HgrSAkRMrTakB5/GmNNJj8ii16UPriiua3aiJYSTeWVPSMdvCFVVp3qN9Dr8W6Z1t7tnhbgVSWzibgE4WmbGI8ZUisrzs+pCdazBW2Bz6v90jQhdvptMZlD/gp60DhJ6jGNJAgG6VftZe1oedJCgiA7agKaTilT9mM5TAaL7YFUiot3mgaJGba3PAh5b39Jw2PQoHksLf1r0xBRm0g4QhwL0f1XQMqr4zhqQ0UvrV5YK0CEpU+mg986/CcxK4Llw/FIgY47bbsfknB49Jhlj3QgSvUK9zmPG88qcdJ6oMCt0CmYbNtSnswhtwE9hlL75bDfbLTvXDXOGPPHpKx4Xfn02IWWkvdfV737Ha0b+iqGebQWGaBeIwVm+KeRHyTmLsOmHwa/aXaYbRyRdEnpqa1J9x7NRCmbgkUFa33PoSM/50hvoemf3GTZXz/X5BIYtQ/pcmNKhqVHX+TYHfkdoJBUr1opluBhdEsgPyLX8y4RVDLTDnB95J8mvLfJKQn+F2k8sUIUCErOfcVlmXidMXPRvRrd6o14wauKGQngHcRK5IJSu37LbbTVpN4xHRhaLdPB5M2ybsHMoW3K3bzIqm16yfR9w9wUIay8mt6AqakRPK+D9Bk2o0VMFGk3nstBZISJ0OuNIXh6hNL0Lua86klM4nlyg8PCUct2LALSyBCbkfyU9xJOL1uTtKtF+W2dsYcINVOagcOZMwx+RMM3N5v6BhZ2AL0bF4P9Vh0LNYHjr2jymOQ4ZHEwve8D8oB1YIcEOkSmNDjuUrmotfJutNSGfXa3MFhsAVcbrHrcqI81tr/J1ziLNk5cRVur2MCAPMIZvYDp7KEODxPvKZi9Q2cuZtOIqJ/tzsctLw==
|
||||
template:
|
||||
metadata:
|
||||
name: oidc-argocd
|
||||
namespace: authelia
|
||||
@@ -17,7 +17,7 @@ configMap:
|
||||
secret: { secret_name: crypto }
|
||||
|
||||
access_control:
|
||||
default_policy: two_factor
|
||||
default_policy: deny
|
||||
rules:
|
||||
- domain_regex: ^.*\.stonegarden.dev$
|
||||
policy: two_factor
|
||||
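Review bot: `default_policy: deny` closes the gap where any host not matched by a rule was let through with only the 2FA default, but the one rule visible here, `domain_regex: ^.*\.stonegarden.dev$`, escapes only its first dot; the second is an unescaped wildcard, and the mandatory leading `\.` means the apex `stonegarden.dev` itself never matches and now falls to deny. Suggest `domain_regex: ^(.*\.)?stonegarden\.dev$` if anything is served at the apex, or at least `^.*\.stonegarden\.dev$`. The regex line predates this commit and the rest of the `rules` list lies outside the hunk, so other rules may already cover the apex.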
@@ -76,8 +76,7 @@ configMap:
|
||||
endpoints: [ userinfo, authorization, token, revocation, introspection ]
|
||||
clients:
|
||||
- client_id: argocd
|
||||
client_secret:
|
||||
path: /secrets/oidc-argocd/clientSecret
|
||||
client_secret: { path: /secrets/client-argocd/client_secret.txt }
|
||||
client_name: Argo CD
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
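Review bot: `client_secret: { path: /secrets/client-argocd/client_secret.txt }` hands Authelia whatever the mounted file contains, and for a confidential client Authelia expects that stored value to be a password hash (pbkdf2 or argon2id in PHC string form), not the plaintext the relying party presents; as far as I recall a plaintext value is still accepted with a deprecation warning, but it means reading the Authelia pod's secret volume yields a directly usable credential rather than a hash. Worth confirming what the sealed `clientSecret` in `clients/argocd.yaml` decrypts to, and likewise for `clients/netbird.yaml` behind `/secrets/client-netbird/client_secret.txt` in the next hunk. A comment above the `client_secret:` line, `# file must hold the PHC-formatted hash of the secret, not the plaintext`, would record the expectation for whoever rotates it. The `clients` list continues past the end of this hunk.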
@@ -102,15 +101,17 @@ configMap:
|
||||
scopes: [ openid, groups, email, profile, offline_access ]
|
||||
userinfo_signed_response_alg: none
|
||||
- client_id: netbird
|
||||
client_secret: { path: /secrets/client-netbird/client_secret.txt }
|
||||
client_name: NetBird
|
||||
public: true
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
audience: [ netbird ]
|
||||
redirect_uris:
|
||||
redirect_uris:
|
||||
- http://localhost:53000
|
||||
- https://netbird.stonegarden.dev/callback
|
||||
- https://netbird.stonegarden.dev/silent-callback
|
||||
scopes: [ openid, profile, email, offline_access, netbird-api ]
|
||||
scopes: [ openid, profile, email ]
|
||||
token_endpoint_auth_method: client_secret_post
|
||||
|
||||
secret:
|
||||
additionalSecrets:
|
||||
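Review bot: Switching `netbird` to `public: false` with `token_endpoint_auth_method: client_secret_post` appears to add little real protection, because the same `client_id` serves the NetBird agents' PKCE login, and the management server looks like it distributes `"ClientSecret": "${AUTH_CLIENT_SECRET}"` (under `PKCEAuthorizationFlow` in the management.json hunk further down) to every agent that fetches the PKCE flow configuration, so the secret is shared with all enrolled machines rather than confidential. The security of this client therefore rests on PKCE plus the exact-match `redirect_uris`, not on the secret; `http://localhost:53000` is expected for the agent's loopback flow but should remain the only non-HTTPS entry. If a genuinely confidential client is wanted for the dashboard, give it its own `client_id` and leave the agent client public. The `clients` list continues outside this hunk.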
@@ -144,7 +145,11 @@ secret:
|
||||
path: tls.key
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
oidc-argocd:
|
||||
client-argocd:
|
||||
items:
|
||||
- key: clientSecret
|
||||
path: clientSecret
|
||||
path: client_secret.txt
|
||||
client-netbird:
|
||||
items:
|
||||
- key: clientSecret
|
||||
path: client_secret.txt
|
||||
|
||||
14
k8s/infra/vpn/netbird/authelia-oidc-credentials.yaml
Normal file
14
k8s/infra/vpn/netbird/authelia-oidc-credentials.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: authelia-oidc-credentials
|
||||
namespace: netbird
|
||||
spec:
|
||||
encryptedData:
|
||||
AUTH_CLIENT_ID: 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
|
||||
AUTH_CLIENT_SECRET: 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
|
||||
template:
|
||||
metadata:
|
||||
name: authelia-oidc-credentials
|
||||
namespace: netbird
|
||||
type: Opaque
|
||||
@@ -27,6 +27,8 @@ spec:
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: dashboard-config
|
||||
- secretRef:
|
||||
name: authelia-oidc-credentials
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
|
||||
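Review bot: Adding `secretRef: authelia-oidc-credentials` to the dashboard pod's `envFrom` imports `AUTH_CLIENT_SECRET` into a container whose job is to serve a browser SPA; if the dashboard copies that variable into the config it ships to the browser (its settings are driven by `dashboard/config.json`, per the comment in the kustomization hunk below), the OIDC client secret becomes visible to every dashboard user. Confirm which keys the dashboard actually needs and, if it is only `AUTH_CLIENT_ID`, reference that single key with an `env:` entry using `secretKeyRef` rather than importing the whole Secret — or keep it in the ConfigMap, since a client id is not secret. Note that `AUTH_CLIENT_ID="netbird"` also remains in the dashboard ConfigMap, and with both sources listed under `envFrom` the later one, the Secret, silently wins if the two values ever diverge. The container spec continues outside this hunk.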
@@ -8,10 +8,9 @@ configMapGenerator:
|
||||
# variables: https://github.com/netbirdio/dashboard/blob/main/config.json
|
||||
- AUTH_AUDIENCE="netbird"
|
||||
- AUTH_AUTHORITY="https://authelia.stonegarden.dev"
|
||||
- AUTH_CLIENT_ID="netbird"
|
||||
- AUTH_REDIRECT_URI="/callback"
|
||||
- AUTH_SILENT_REDIRECT_URI="/silent-callback"
|
||||
- AUTH_SUPPORTED_SCOPES="openid profile email offline_access netbird-api"
|
||||
- AUTH_SUPPORTED_SCOPES="openid profile email"
|
||||
- USE_AUTH0="false"
|
||||
- NETBIRD_MGMT_API_ENDPOINT="https://netbird.stonegarden.dev"
|
||||
- NETBIRD_MGMT_GRPC_API_ENDPOINT="https://netbird.stonegarden.dev"
|
||||
@@ -20,5 +19,3 @@ configMapGenerator:
|
||||
resources:
|
||||
- deployment.yaml
|
||||
- svc.yaml
|
||||
- x-oidc-client.yaml
|
||||
- oidc-scopes.yaml
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
|
||||
kind: ClientScope
|
||||
metadata:
|
||||
name: netbird-api
|
||||
spec:
|
||||
forProvider:
|
||||
name: netbird-api
|
||||
consentScreenText: Netbird Management API
|
||||
includeInTokenScope: true
|
||||
realmIdRef:
|
||||
name: homelab
|
||||
@@ -1,30 +0,0 @@
|
||||
apiVersion: oidc.homelab.olav.ninja/v1alpha1
|
||||
kind: XOidcClient
|
||||
metadata:
|
||||
name: netbird
|
||||
spec:
|
||||
realm: homelab
|
||||
clientId: netbird
|
||||
displayName: Netbird
|
||||
description: Netbird OIDC client
|
||||
type: PUBLIC
|
||||
defaultScopes:
|
||||
- acr
|
||||
- basic
|
||||
- email
|
||||
- profile
|
||||
- roles
|
||||
- web-origins
|
||||
- netbird-api
|
||||
grantTypes:
|
||||
- code
|
||||
- device_code
|
||||
- password
|
||||
baseUrl: "https://netbird.stonegarden.dev"
|
||||
postLogoutRedirectUris:
|
||||
- "https://netbird.stonegarden.dev/*"
|
||||
redirectUris:
|
||||
- "http://localhost:53000"
|
||||
- "https://netbird.stonegarden.dev/*"
|
||||
webOrigins:
|
||||
- "+"
|
||||
@@ -4,6 +4,9 @@ kind: Kustomization
|
||||
resources:
|
||||
- ns.yaml
|
||||
- http-route.yaml
|
||||
- relay-secret.yaml
|
||||
- coturn-credentials.yaml
|
||||
- authelia-oidc-credentials.yaml
|
||||
- agent
|
||||
- dashboard
|
||||
- management
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
"TimeBasedCredentials": false
|
||||
},
|
||||
"Relay": {
|
||||
"Addresses": ["${RELAY_URI}"],
|
||||
"Addresses": [ "${RELAY_URI}" ],
|
||||
"CredentialsTTL": "24h",
|
||||
"Secret": "${NB_AUTH_SECRET}"
|
||||
},
|
||||
@@ -34,44 +34,22 @@
|
||||
"Datadir": "",
|
||||
"HttpConfig": {
|
||||
"Address": "0.0.0.0:80",
|
||||
"AuthAudience": "${AUTH_AUDIENCE}",
|
||||
"AuthAudience": "${AUTH_AUDIENCE:-${AUTH_CLIENT_ID}}",
|
||||
"AuthUserIDClaim": "${AUTH_USER_ID_CLAIM:-sub}",
|
||||
"CertFile": "${MGMT_API_CERT_FILE}",
|
||||
"CertKey": "${MGMT_API_CERT_KEY_FILE}",
|
||||
"OIDCConfigEndpoint": "${AUTH_OIDC_CONFIGURATION_ENDPOINT:-${AUTH_AUTHORITY}/.well-known/openid-configuration}"
|
||||
},
|
||||
"IdpManagerConfig": {
|
||||
"ManagerType": "${IDP_MANAGER_TYPE:-none}",
|
||||
"ClientConfig": {
|
||||
"Issuer": "${AUTH_AUTHORITY}",
|
||||
"TokenEndpoint": "${AUTH_TOKEN_ENDPOINT}",
|
||||
"ClientID": "${IDP_MGMT_CLIENT_ID}",
|
||||
"ClientSecret": "${IDP_MGMT_CLIENT_SECRET}",
|
||||
"GrantType": "client_credentials"
|
||||
},
|
||||
"ExtraConfig": ${IDP_MGMT_EXTRA_CONFIG:-null}
|
||||
},
|
||||
"DeviceAuthorizationFlow": {
|
||||
"Provider": "${AUTH_DEVICE_AUTH_PROVIDER}",
|
||||
"ProviderConfig": {
|
||||
"Audience": "${AUTH_DEVICE_AUTH_AUDIENCE:-${AUTH_AUDIENCE}}",
|
||||
"AuthorizationEndpoint": "",
|
||||
"Domain": "${AUTH_DEVICE_AUTH_AUTHORITY:-${AUTH_AUTHORITY}}",
|
||||
"ClientID": "${AUTH_DEVICE_AUTH_CLIENT_ID:-${AUTH_CLIENT_ID}}",
|
||||
"DeviceAuthEndpoint": "${AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT:-${AUTH_DEVICE_AUTH_AUTHORITY:-${AUTH_AUTHORITY}}/protocol/openid-connect/auth}",
|
||||
"TokenEndpoint": "${AUTH_DEVICE_AUTH_TOKEN_ENDPOINT:-${AUTH_DEVICE_AUTH_AUTHORITY:-${AUTH_AUTHORITY}}/protocol/openid-connect/token}",
|
||||
"Scope": "${AUTH_DEVICE_AUTH_SCOPE}",
|
||||
"UseIDToken": ${AUTH_DEVICE_AUTH_USE_ID_TOKEN:-true}
|
||||
}
|
||||
},
|
||||
"IdpManagerConfig": { },
|
||||
"DeviceAuthorizationFlow": { },
|
||||
"PKCEAuthorizationFlow": {
|
||||
"ProviderConfig": {
|
||||
"Audience": "${AUTH_AUDIENCE}",
|
||||
"Audience": "${AUTH_AUDIENCE:-${AUTH_CLIENT_ID}}",
|
||||
"ClientID": "${AUTH_CLIENT_ID}",
|
||||
"ClientSecret": "${AUTH_CLIENT_SECRET}",
|
||||
"Domain": "",
|
||||
"AuthorizationEndpoint": "${AUTH_PKCE_AUTHORIZATION_ENDPOINT:-${AUTH_AUTHORITY}/api/oidc/authorization}",
|
||||
"TokenEndpoint": "${AUTH_TOKEN_ENDPOINT:-${AUTH_AUTHORITY}/api/oidc/token}",
|
||||
"TokenEndpoint": "${AUTH_PKCE_TOKEN_ENDPOINT:-${AUTH_AUTHORITY}/api/oidc/token}",
|
||||
"Scope": "${AUTH_SUPPORTED_SCOPES}",
|
||||
"RedirectURLs": ${AUTH_PKCE_REDIRECT_URLS:-[ "http://localhost:53000" ]},
|
||||
"UseIDToken": ${AUTH_PKCE_USE_ID_TOKEN:-true}
|
||||
|
||||
@@ -45,6 +45,8 @@ spec:
|
||||
name: management-auth-config
|
||||
- configMapRef:
|
||||
name: management-connection-config
|
||||
- secretRef:
|
||||
name: authelia-oidc-credentials
|
||||
- secretRef:
|
||||
name: relay-secret
|
||||
- secretRef:
|
||||
|
||||
@@ -11,10 +11,8 @@ configMapGenerator:
|
||||
namespace: netbird
|
||||
literals:
|
||||
- AUTH_AUTHORITY="https://authelia.stonegarden.dev"
|
||||
- AUTH_CLIENT_ID="netbird"
|
||||
- AUTH_AUDIENCE="netbird"
|
||||
- AUTH_USER_ID_CLAIM="preferred_username"
|
||||
- AUTH_SUPPORTED_SCOPES="openid profile email offline_access netbird-api"
|
||||
- AUTH_SUPPORTED_SCOPES="openid profile email"
|
||||
- name: management-connection-config
|
||||
namespace: netbird
|
||||
literals:
|
||||
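Review bot: `AUTH_USER_ID_CLAIM="preferred_username"` (a context line, unchanged by this commit) keys NetBird accounts and peers on a claim that OIDC Core explicitly says relying parties must not rely on being unique or stable; if a username is renamed or later reused for a different person in the directory behind Authelia, the new holder inherits the old NetBird identity and its peers, whereas `sub` is the claim defined to be stable per user. Consider dropping the literal so `"AuthUserIDClaim": "${AUTH_USER_ID_CLAIM:-sub}"` in management.json falls back to `sub`, or document the trade-off next to it with `# preferred_username is not guaranteed unique/stable by OIDC; usernames must never be reused`. The `literals` list for this generator continues outside the hunk.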
@@ -33,4 +31,3 @@ resources:
|
||||
- deployment.yaml
|
||||
- svc.yaml
|
||||
- pvc.yaml
|
||||
- coturn-credentials.yaml
|
||||
|
||||
@@ -11,5 +11,4 @@ configMapGenerator:
|
||||
|
||||
resources:
|
||||
- deployment.yaml
|
||||
- relay-secret.yaml
|
||||
- svc.yaml
|
||||
|
||||