fix(keycloak): move crossplane-keycloak-credentials to keycloak from …

…crossplane namespace

k8s/infra/auth/keycloak-realms/homelab/builtin-objects.yaml

@@ -4,7 +4,7 @@ metadata:
   name: builtin-objects-homelab
 spec:
   providerConfigName: default
-  providerSecretName: keycloak-credentials
+  providerSecretName: crossplane-keycloak-credentials
   realm: homelab
   builtinAuthenticationFlows:
     - browser

k8s/infra/crossplane-crds/config/keycloak/provider-config.yaml → k8s/infra/auth/keycloak/crossplane-provider-config.yaml

@@ -6,6 +6,6 @@ spec:
   credentials:
     source: Secret
     secretRef:
-      name: keycloak-credentials
-      namespace: crossplane
+      name: crossplane-keycloak-credentials
+      namespace: keycloak
       key: credentials

k8s/infra/auth/keycloak/kustomization.yaml

@@ -6,7 +6,9 @@ resources:
   - pvc.yaml
   - secret-keycloak-admin.yaml
   - secret-keycloak-db-credentials.yaml
+  - secret-crossplane-keycloak-credentials.yaml
   - http-route.yaml
+  - crossplane-provider-config.yaml
 
 helmCharts:
   - name: keycloak

k8s/infra/auth/keycloak/secret-crossplane-keycloak-credentials.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: crossplane-keycloak-credentials
+  namespace: keycloak
+spec:
+  encryptedData:
+    credentials: AgBtGpqs2a48qY0VVkAKvSGsbPXf5lnwBMyu55raqU1OkpBN9LdpkGxiDe49WRn7MAT6An9myVoFDZOxwYk/U2wmNao7EFgz+L27zCR3xHjKeO/XepOgpAY3ZHI+ae0Xe855MpzFYRO1y1R3p/pvZJaFh9AwY+RWwiXSXU/kQfsQw0S2HSJB+el+TgbNHBQsgODbC0TMYPn17plt/xMX/RVmCcssQTaDmMCnedr05IpZJ3+qIdTUJ+pvGBYsDovms3pO3b1UFf+YBiU67RoElQTWEczLbg142+oxJOJAZlzhmX9YtaY6K7qTCTZUvHSbDGXA8S3jKU5TCn4K/qfHxmnoh7apjSI9ISB2mw24fzbwZO/skgvWicqt/KepceAPLL799Vy8CA/c0YgpErNSOVgt8sZsGiIIubf6J/HgKHn4Ubwu8u7YATLJAqFpdku7YrRX7ic6kwvJru+xGvOmriu5WzGcak931yyKLiTR8526+cMwyrEk6f72OIezM1U+t4uMSSUbRqRtOZ1Y1vggmGOtiuFzdRBpIXb4baTpSYaZNBoC4O2W8STCbZw+iOcEu4A/z1D0umVvEHb3WNRBrhsx8yg+D/isUtiluvLecNdoUwesOa84w+gWfKA1LQhAMlnN4SSDDuP3ZUXp3lftkHrX0y6I3qUw50yIGJZlImKWjLw4f2fW1crvw9pGY7wWF4bKd4XxwB4/kZSU4luysdfTqj+jLvza45eUycmGSEjMPo371XGPehqSS0GsBDwQPj7K//JDU1VArVIvWqzfpS2K6f+zuqmmF+9yF7MKqSmW+yMPJHi9qDLajCbYghfrSS2p7ZTthyW1Kv2Ee28cx+qVLyCc/E4JywbP0R1x0xxl+GYjTDNk4ApWGt9vLlTR5Jt2dP61b+1YdiNzyAEuNEY=
+  template:
+    metadata:
+      labels:
+        type: provider-credentials
+      name: crossplane-keycloak-credentials
+      namespace: keycloak
+    type: Opaque

k8s/infra/vpn/kustomization.yaml

@@ -1,8 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-commonLabels:
-  dev.stonegarden: vpn
-  app.kubernetes.io/managed-by: argocd
+metadata:
+  labels:
+    dev.stonegarden: vpn
+    app.kubernetes.io/managed-by: argocd
 
 resources:
   - project.yaml

k8s/infra/vpn/netbird/backend/kustomization.yaml

@@ -4,8 +4,8 @@ namespace: netbird
 
 resources:
   - secret-coturn-credentials.yaml
-  - oidc-client.yaml
   - oidc-credentials.yaml
+  - x-oidc-client.yaml
 
 helmCharts:
   - name: netbird

k8s/infra/vpn/netbird/backend/values.yaml

@@ -1,11 +1,11 @@
 auth:
   authority: https://keycloak.stonegarden.dev/realms/homelab
-  audience: netbird
+  audience: netbird-dashboard
   device:
     provider: hosted
-    audience: netbird
+    audience: netbird-dashboard
     authority: https://keycloak.stonegarden.dev/realms/homelab
-    clientID: netbird
+    clientID: netbird-dashboard
     deviceAuthorizationEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/auth
     tokenEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token
     scope: openid

k8s/infra/vpn/netbird/backend/oidc-client.yaml → k8s/infra/vpn/netbird/backend/x-oidc-client.yaml

@@ -3,13 +3,14 @@ kind: XOidcClient
 metadata:
   name: netbird-backend
 spec:
+  realm: homelab
   clientId: netbird-backend
+  displayName: Netbird Backend
+  description: Netbird Backend Client
   clientSecretSecretRef:
     name: netbird-backend-oidc-credentials
     namespace: netbird
     key: clientSecret
-  description: Netbird Backend Client
-  displayName: Netbird Backend
   type: CONFIDENTIAL
   grantTypes:
     - client_credentials
@@ -24,4 +25,3 @@ spec:
     - realm: homelab
       client: builtin-homelab-realm-management
       role: view-users
-  realm: homelab

k8s/infra/vpn/netbird/dashboard/kustomization.yaml

@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: netbird
 
 resources:
-  - oidc-client.yaml
+  - x-oidc-client.yaml
   - oidc-scopes.yaml
 
 helmCharts:

k8s/infra/vpn/netbird/dashboard/values.yaml

@@ -3,9 +3,10 @@ image:
 
 auth:
   authority: https://keycloak.stonegarden.dev/realms/homelab
-  audience: netbird
-  clientID: netbird
+  audience: netbird-dashboard
+  clientID: netbird-dashboard
   supportedScopes: openid profile email offline_access netbird-api
+  userIDClaim: sub
 
 netbird:
   managementApiEndpoint: https://netbird.stonegarden.dev

k8s/infra/vpn/netbird/dashboard/oidc-client.yaml → k8s/infra/vpn/netbird/dashboard/x-oidc-client.yaml

@@ -1,12 +1,13 @@
 apiVersion: oidc.homelab.olav.ninja/v1alpha1
 kind: XOidcClient
 metadata:
-  name: netbird
+  name: netbird-dashboard
 spec:
-  displayName: Netbird
+  realm: homelab
+  clientId: netbird-dashboard
+  displayName: Netbird Dashboard
+  description: Netbird Dashboard Client
   type: PUBLIC
-  clientId: netbird
-  description: Netbird Client
   defaultScopes:
     - acr
     - basic
@@ -27,4 +28,3 @@ spec:
     - "https://netbird.stonegarden.dev/*"
   webOrigins:
     - "+"
-  realm: homelab

tofu/kubernetes/main.tf

@@ -138,11 +138,11 @@ module "volumes" {
     }
     pv-netbird-signal = {
       node = "abel"
-      size = "1G"
+      size = "512M"
     }
     pv-netbird-management = {
       node = "abel"
-      size = "1G"
+      size = "512M"
     }
     pv-plex = {
       node = "abel"