feat(netbird): replace backend helm chart with plain manifests

no need for all the patching anymore

k8s/infra/vpn/netbird/backend/kustomization.yaml

@@ -7,19 +7,19 @@ resources:
   - oidc-credentials.yaml
   - x-oidc-client.yaml
 
-helmCharts:
-  - name: netbird
-    repo: https://charts.jaconi.io
-    releaseName: netbird-backend
-    namespace: netbird
-    version: 0.14.2
-    valuesFile: values.yaml
-
-patches:
-  - path: patches/add-oidc-key-checker-sidecar.yaml
-  - path: patches/add-relay-config.yaml
-  - path: patches/dns-management.yaml # resolve auth admin-endpoint to internal gateway
-  - path: patches/deployment-strategy-management.yaml
-  - path: patches/deployment-strategy-signal.yaml
-  - path: patches/pvc-backend-management.yaml
-  - path: patches/pvc-backend-signal.yaml
+#helmCharts:
+#  - name: netbird
+#    repo: https://charts.jaconi.io
+#    releaseName: netbird-backend
+#    namespace: netbird
+#    version: 0.14.2
+#    valuesFile: values.yaml
+#
+#patches:
+#  - path: patches/add-oidc-key-checker-sidecar.yaml
+#  - path: patches/add-relay-config.yaml
+#  - path: patches/dns-management.yaml # resolve auth admin-endpoint to internal gateway
+#  - path: patches/deployment-strategy-management.yaml
+#  - path: patches/deployment-strategy-signal.yaml
+#  - path: patches/pvc-backend-management.yaml
+#  - path: patches/pvc-backend-signal.yaml

k8s/infra/vpn/netbird/dashboard/deployment.yaml

@@ -22,7 +22,6 @@ spec:
         - name: http
           containerPort: 80
         readinessProbe:
-          failureThreshold: 3
           httpGet:
             path: /
             port: http
@@ -32,4 +31,4 @@ spec:
             cpu: 10m
           limits:
             memory: 128Mi
-            cpu: 2000m
+            cpu: 2000m

k8s/infra/vpn/netbird/kustomization.yaml

@@ -6,7 +6,9 @@ kind: Kustomization
 resources:
   - ns.yaml
   - http-route.yaml
-  - backend
-  - dashboard
   - agent
+#  - backend
+  - dashboard
+  - management
   - relay
+  - signal

k8s/infra/vpn/netbird/management/cm-management-template.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: netbird-backend-management
+data:
+  management.tmpl.json: |-
+    {
+      "Stuns": [
+        {
+          "Proto": "udp",
+          "URI": "${NETBIRD_STUN_URI}",
+          "Username": "",
+          "Password": null
+        }
+      ],
+      "TURNConfig": {
+        "Turns": [
+          {
+            "Proto": "udp",
+            "URI": "${NETBIRD_TURN_URI}",
+            "Username": "${NETBIRD_TURN_USER}",
+            "Password": "${NETBIRD_TURN_PASSWORD}"
+          }
+        ],
+        "CredentialsTTL": "12h",
+        "Secret": "secret",
+        "TimeBasedCredentials": false
+      },
+      "Signal": {
+        "Proto": "${NETBIRD_SIGNAL_PROTOCOL}",
+        "URI": "${NETBIRD_SIGNAL_URI}",
+        "Username": "",
+        "Password": null
+      },
+      "Datadir": "",
+      "HttpConfig": {
+        "Address": "0.0.0.0:80",
+        "AuthAudience": "${NETBIRD_AUTH_AUDIENCE}",
+        "AuthUserIDClaim": "${NETBIRD_AUTH_USER_ID_CLAIM:-sub}",
+        "CertFile": "${NETBIRD_MGMT_API_CERT_FILE}",
+        "CertKey": "${NETBIRD_MGMT_API_CERT_KEY_FILE}",
+        "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}"
+      },
+      "IdpManagerConfig": {
+        "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}",
+        "${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": {
+          "ClientID": "${NETBIRD_IDP_CLIENT_ID}",
+          "ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}",
+          "GrantType": "${NETBIRD_IDP_GRANT_TYPE}",
+          "Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}",
+          "AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}",
+          "AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}",
+          "TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}"
+        }
+      },
+      "DeviceAuthorizationFlow": {
+        "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}",
+        "ProviderConfig": {
+          "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}",
+          "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}",
+          "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}",
+          "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
+          "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}",
+          "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}",
+          "UseIDToken": "${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}"
+        }
+      },
+      "Relay": {
+        "Addresses": ["${NETBIRD_RELAY_URI}"],
+        "CredentialsTTL": "24h",
+        "Secret": "${NETBIRD_RELAY_SECRET}"
+      }
+    }

k8s/infra/vpn/netbird/management/cm-oidc-key-check.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: check-oidc-keys
+data:
+  check-oidc-keys.sh: |-
+    #!/bin/bash
+    OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json)
+    CHECK_INTERVAL="${CHECK_INTERVAL:-3600}"
+    KEYS_FILE="/data/oidc_keys.json"
+    
+    fetch_keys() {
+      config=$(curl -s "$OIDC_ENDPOINT")
+      jwks_uri=$(echo "$config" | jq -r '.jwks_uri')
+      curl -s "$jwks_uri"
+    }
+    
+    keys_changed() {
+      local new_keys="$1"
+      if [ ! -f "$KEYS_FILE" ]; then
+        return 0
+      fi
+      local old_keys=$(cat "$KEYS_FILE")
+      [ "$new_keys" != "$old_keys" ]
+    }
+    
+    restart_pod() {
+      echo "Restarting pod..."
+      kill 1
+    }
+    
+    while true; do
+      echo "Fetching OIDC keys..."
+      new_keys=$(fetch_keys)
+    
+      if keys_changed "$new_keys"; then
+        echo "Keys have changed. Updating stored keys..."
+        echo "$new_keys" > "$KEYS_FILE"
+        restart_pod
+      else
+        echo "Keys have not changed. No action required."
+      fi
+    
+      echo "Sleeping for $CHECK_INTERVAL seconds..."
+      sleep "$CHECK_INTERVAL"
+    done

k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json)
+CHECK_INTERVAL="${CHECK_INTERVAL:-3600}"
+KEYS_FILE="/data/oidc_keys.json"
+
+fetch_keys() {
+  config=$(curl -s "$OIDC_ENDPOINT")
+  jwks_uri=$(echo "$config" | jq -r '.jwks_uri')
+  curl -s "$jwks_uri"
+}
+
+keys_changed() {
+  local new_keys="$1"
+  if [ ! -f "$KEYS_FILE" ]; then
+    return 0
+  fi
+  local old_keys=$(cat "$KEYS_FILE")
+  [ "$new_keys" != "$old_keys" ]
+}
+
+restart_pod() {
+  echo "Restarting pod..."
+  kill 1
+}
+
+while true; do
+  echo "Fetching OIDC keys..."
+  new_keys=$(fetch_keys)
+
+  if keys_changed "$new_keys"; then
+    echo "Keys have changed. Updating stored keys..."
+    echo "$new_keys" > "$KEYS_FILE"
+    restart_pod
+  else
+    echo "Keys have not changed. No action required."
+  fi
+
+  echo "Sleeping for $CHECK_INTERVAL seconds..."
+  sleep "$CHECK_INTERVAL"
+done

k8s/infra/vpn/netbird/management/config/management.tmpl.json

@@ -0,0 +1,67 @@
+{
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "${NETBIRD_STUN_URI}",
+      "Username": "",
+      "Password": null
+    }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "${NETBIRD_TURN_URI}",
+        "Username": "${NETBIRD_TURN_USER}",
+        "Password": "${NETBIRD_TURN_PASSWORD}"
+      }
+    ],
+    "CredentialsTTL": "12h",
+    "Secret": "secret",
+    "TimeBasedCredentials": false
+  },
+  "Signal": {
+    "Proto": "${NETBIRD_SIGNAL_PROTOCOL}",
+    "URI": "${NETBIRD_SIGNAL_URI}",
+    "Username": "",
+    "Password": null
+  },
+  "Datadir": "",
+  "HttpConfig": {
+    "Address": "0.0.0.0:80",
+    "AuthAudience": "${NETBIRD_AUTH_AUDIENCE}",
+    "AuthUserIDClaim": "${NETBIRD_AUTH_USER_ID_CLAIM:-sub}",
+    "CertFile": "${NETBIRD_MGMT_API_CERT_FILE}",
+    "CertKey": "${NETBIRD_MGMT_API_CERT_KEY_FILE}",
+    "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}"
+  },
+  "IdpManagerConfig": {
+    "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}",
+    "${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": {
+      "ClientID": "${NETBIRD_IDP_CLIENT_ID}",
+      "ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}",
+      "GrantType": "${NETBIRD_IDP_GRANT_TYPE}",
+      "Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}",
+      "AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}",
+      "AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}",
+      "TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}"
+    }
+  },
+  "DeviceAuthorizationFlow": {
+    "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}",
+    "ProviderConfig": {
+      "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}",
+      "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}",
+      "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}",
+      "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}",
+      "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}",
+      "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}",
+      "UseIDToken": "${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}"
+    }
+  },
+  "Relay": {
+    "Addresses": ["${NETBIRD_RELAY_URI}"],
+    "CredentialsTTL": "24h",
+    "Secret": "${NETBIRD_RELAY_SECRET}"
+  }
+}