diff --git a/k8s/infra/vpn/netbird/backend/kustomization.yaml b/k8s/infra/vpn/netbird/backend/kustomization.yaml index 55f0d83e..79648f83 100644 --- a/k8s/infra/vpn/netbird/backend/kustomization.yaml +++ b/k8s/infra/vpn/netbird/backend/kustomization.yaml @@ -7,19 +7,19 @@ resources: - oidc-credentials.yaml - x-oidc-client.yaml -helmCharts: - - name: netbird - repo: https://charts.jaconi.io - releaseName: netbird-backend - namespace: netbird - version: 0.14.2 - valuesFile: values.yaml - -patches: - - path: patches/add-oidc-key-checker-sidecar.yaml - - path: patches/add-relay-config.yaml - - path: patches/dns-management.yaml # resolve auth admin-endpoint to internal gateway - - path: patches/deployment-strategy-management.yaml - - path: patches/deployment-strategy-signal.yaml - - path: patches/pvc-backend-management.yaml - - path: patches/pvc-backend-signal.yaml +#helmCharts: +# - name: netbird +# repo: https://charts.jaconi.io +# releaseName: netbird-backend +# namespace: netbird +# version: 0.14.2 +# valuesFile: values.yaml +# +#patches: +# - path: patches/add-oidc-key-checker-sidecar.yaml +# - path: patches/add-relay-config.yaml +# - path: patches/dns-management.yaml # resolve auth admin-endpoint to internal gateway +# - path: patches/deployment-strategy-management.yaml +# - path: patches/deployment-strategy-signal.yaml +# - path: patches/pvc-backend-management.yaml +# - path: patches/pvc-backend-signal.yaml diff --git a/k8s/infra/vpn/netbird/dashboard/deployment.yaml b/k8s/infra/vpn/netbird/dashboard/deployment.yaml index a80afc3d..1ba00d38 100644 --- a/k8s/infra/vpn/netbird/dashboard/deployment.yaml +++ b/k8s/infra/vpn/netbird/dashboard/deployment.yaml @@ -22,7 +22,6 @@ spec: - name: http containerPort: 80 readinessProbe: - failureThreshold: 3 httpGet: path: / port: http @@ -32,4 +31,4 @@ spec: cpu: 10m limits: memory: 128Mi - cpu: 2000m \ No newline at end of file + cpu: 2000m 
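Review bot: The helmCharts and patches stanzas are commented out rather than deleted, which leaves 17 lines of dead configuration that git history already preserves; delete them, or leave a one-line `# backend chart replaced by ../management and ../signal` comment if the pointer is wanted. The kustomization still lists `oidc-credentials.yaml` and `x-oidc-client.yaml`, and the new management/ files define resources with the same names (`netbird-backend-oidc-credentials`, XOidcClient `netbird-backend`) in the same namespace, so re-enabling `backend` in the parent kustomization would likely produce duplicate resource IDs — I cannot see the backend copies here, so confirm before relying on it.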
diff --git a/k8s/infra/vpn/netbird/kustomization.yaml b/k8s/infra/vpn/netbird/kustomization.yaml index fdbbdcbd..40599eac 100644 --- a/k8s/infra/vpn/netbird/kustomization.yaml +++ b/k8s/infra/vpn/netbird/kustomization.yaml @@ -6,7 +6,9 @@ kind: Kustomization resources: - ns.yaml - http-route.yaml - - backend - - dashboard - agent +# - backend + - dashboard + - management - relay +# - signal diff --git a/k8s/infra/vpn/netbird/management/cm-management-template.yaml b/k8s/infra/vpn/netbird/management/cm-management-template.yaml new file mode 100644 index 00000000..3a22e0a8 --- /dev/null +++ b/k8s/infra/vpn/netbird/management/cm-management-template.yaml 
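Review bot: `# - backend` and `# - signal` stay in the resources list as comments, so it is unclear from the file whether signal is meant to follow later or has been retired in favour of the external `netbird.stonegarden.dev:443` endpoint that management-config points at; state that in a comment (e.g. `# signal is served externally for now; see management/kustomization.yaml`) or drop the lines. `http-route.yaml` is not in this diff, so if it still targets a Service created by the removed backend chart it now has no backend — worth checking in the same change.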
@@ -0,0 +1,73 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: netbird-backend-management +data: + management.tmpl.json: |- + { + "Stuns": [ + { + "Proto": "udp", + "URI": "${NETBIRD_STUN_URI}", + "Username": "", + "Password": null + } + ], + "TURNConfig": { + "Turns": [ + { + "Proto": "udp", + "URI": "${NETBIRD_TURN_URI}", + "Username": "${NETBIRD_TURN_USER}", + "Password": "${NETBIRD_TURN_PASSWORD}" + } + ], + "CredentialsTTL": "12h", + "Secret": "secret", + "TimeBasedCredentials": false + }, + "Signal": { + "Proto": "${NETBIRD_SIGNAL_PROTOCOL}", + "URI": "${NETBIRD_SIGNAL_URI}", + "Username": "", + "Password": null + }, + "Datadir": "", + "HttpConfig": { + "Address": "0.0.0.0:80", + "AuthAudience": "${NETBIRD_AUTH_AUDIENCE}", + "AuthUserIDClaim": "${NETBIRD_AUTH_USER_ID_CLAIM:-sub}", + "CertFile": "${NETBIRD_MGMT_API_CERT_FILE}", + "CertKey": "${NETBIRD_MGMT_API_CERT_KEY_FILE}", + "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" + }, + "IdpManagerConfig": { + "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}", + "${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": { + "ClientID": "${NETBIRD_IDP_CLIENT_ID}", + "ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}", + "GrantType": "${NETBIRD_IDP_GRANT_TYPE}", + "Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}", + "AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}", + "AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}", + "TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}" + } + }, + "DeviceAuthorizationFlow": { + "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}", + "ProviderConfig": { + "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}", + "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}", + "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}", + "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}", + "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}", + "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}", + "UseIDToken": "${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}" 
+ } + }, + "Relay": { + "Addresses": ["${NETBIRD_RELAY_URI}"], + "CredentialsTTL": "24h", + "Secret": "${NETBIRD_RELAY_SECRET}" + } + } diff --git a/k8s/infra/vpn/netbird/management/cm-oidc-key-check.yaml b/k8s/infra/vpn/netbird/management/cm-oidc-key-check.yaml new file mode 100644 index 00000000..bb5be30e --- /dev/null +++ b/k8s/infra/vpn/netbird/management/cm-oidc-key-check.yaml @@ -0,0 +1,46 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: check-oidc-keys +data: + check-oidc-keys.sh: |- + #!/bin/bash + OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json) + CHECK_INTERVAL="${CHECK_INTERVAL:-3600}" + KEYS_FILE="/data/oidc_keys.json" + + fetch_keys() { + config=$(curl -s "$OIDC_ENDPOINT") + jwks_uri=$(echo "$config" | jq -r '.jwks_uri') + curl -s "$jwks_uri" + } + + keys_changed() { + local new_keys="$1" + if [ ! -f "$KEYS_FILE" ]; then + return 0 + fi + local old_keys=$(cat "$KEYS_FILE") + [ "$new_keys" != "$old_keys" ] + } + + restart_pod() { + echo "Restarting pod..." + kill 1 + } + + while true; do + echo "Fetching OIDC keys..." + new_keys=$(fetch_keys) + + if keys_changed "$new_keys"; then + echo "Keys have changed. Updating stored keys..." + echo "$new_keys" > "$KEYS_FILE" + restart_pod + else + echo "Keys have not changed. No action required." + fi + + echo "Sleeping for $CHECK_INTERVAL seconds..." + sleep "$CHECK_INTERVAL" + done diff --git a/k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh b/k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh new file mode 100644 index 00000000..043cb7cb --- /dev/null +++ b/k8s/infra/vpn/netbird/management/config/check-oidc-keys.sh 
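Review bot: Neither `management/cm-management-template.yaml` nor `management/cm-oidc-key-check.yaml` is listed in `management/kustomization.yaml`, which instead generates the same content from `config/management.tmpl.json` and `config/check-oidc-keys.sh` via configMapGenerator; the two hand-written ConfigMaps are therefore unused duplicates that will drift from the generated ones. Drop them, or, if they are intentional for a non-kustomize consumer, say so in a header comment on each. Note that `cm-oidc-key-check.yaml` also reuses the generated ConfigMap's name `check-oidc-keys`, so adding it to resources later would collide.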
@@ -0,0 +1,40 @@ +#!/bin/bash +OIDC_ENDPOINT=$(jq -r '.HttpConfig.OIDCConfigEndpoint' /etc/netbird/management.json) +CHECK_INTERVAL="${CHECK_INTERVAL:-3600}" +KEYS_FILE="/data/oidc_keys.json" + +fetch_keys() { + config=$(curl -s "$OIDC_ENDPOINT") + jwks_uri=$(echo "$config" | jq -r '.jwks_uri') + curl -s "$jwks_uri" +} + +keys_changed() { + local new_keys="$1" + if [ ! -f "$KEYS_FILE" ]; then + return 0 + fi + local old_keys=$(cat "$KEYS_FILE") + [ "$new_keys" != "$old_keys" ] +} + +restart_pod() { + echo "Restarting pod..." + kill 1 +} + +while true; do + echo "Fetching OIDC keys..." + new_keys=$(fetch_keys) + + if keys_changed "$new_keys"; then + echo "Keys have changed. Updating stored keys..." + echo "$new_keys" > "$KEYS_FILE" + restart_pod + else + echo "Keys have not changed. No action required." + fi + + echo "Sleeping for $CHECK_INTERVAL seconds..." + sleep "$CHECK_INTERVAL" +done diff --git a/k8s/infra/vpn/netbird/management/config/management.tmpl.json b/k8s/infra/vpn/netbird/management/config/management.tmpl.json new file mode 100644 index 00000000..552bfdb7 --- /dev/null +++ b/k8s/infra/vpn/netbird/management/config/management.tmpl.json 
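Review bot: `curl -s` without `-f` in fetch_keys treats any HTTP error body, and an empty body when `jq` yields `null`, as a valid key set, so one IdP hiccup writes garbage to `$KEYS_FILE` and triggers `restart_pod`, and the next successful fetch "changes" the keys again and restarts a second time. Fail closed instead: use `curl -fsS`, `jq -er`, and skip the comparison when the fetch fails or returns nothing, as sketched below. Separately, `kill 1` runs inside the sidecar's own PID namespace — deployment.yaml does not set `shareProcessNamespace: true` — so it targets the sidecar's own shell rather than the management container, and the "Restarting pod..." message overstates what happens; confirm the intended restart path. The same script is duplicated verbatim in `cm-oidc-key-check.yaml`.
```shell
fetch_keys() {
  local config jwks_uri
  config=$(curl -fsS "$OIDC_ENDPOINT") || return 1
  jwks_uri=$(printf '%s' "$config" | jq -er '.jwks_uri') || return 1
  curl -fsS "$jwks_uri"
}

# … unchanged: keys_changed, restart_pod …

while true; do
  echo "Fetching OIDC keys..."
  if ! new_keys=$(fetch_keys) || [ -z "$new_keys" ]; then
    echo "Failed to fetch OIDC keys; keeping stored keys."
  elif keys_changed "$new_keys"; then
    # … unchanged: store keys and restart_pod …
  else
    echo "Keys have not changed. No action required."
  fi
  # … unchanged: sleep …
done
```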
@@ -0,0 +1,67 @@ +{ + "Stuns": [ + { + "Proto": "udp", + "URI": "${NETBIRD_STUN_URI}", + "Username": "", + "Password": null + } + ], + "TURNConfig": { + "Turns": [ + { + "Proto": "udp", + "URI": "${NETBIRD_TURN_URI}", + "Username": "${NETBIRD_TURN_USER}", + "Password": "${NETBIRD_TURN_PASSWORD}" + } + ], + "CredentialsTTL": "12h", + "Secret": "secret", + "TimeBasedCredentials": false + }, + "Signal": { + "Proto": "${NETBIRD_SIGNAL_PROTOCOL}", + "URI": "${NETBIRD_SIGNAL_URI}", + "Username": "", + "Password": null + }, + "Datadir": "", + "HttpConfig": { + "Address": "0.0.0.0:80", + "AuthAudience": "${NETBIRD_AUTH_AUDIENCE}", + "AuthUserIDClaim": "${NETBIRD_AUTH_USER_ID_CLAIM:-sub}", + "CertFile": "${NETBIRD_MGMT_API_CERT_FILE}", + "CertKey": "${NETBIRD_MGMT_API_CERT_KEY_FILE}", + "OIDCConfigEndpoint": "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" + }, + "IdpManagerConfig": { + "ManagerType": "${NETBIRD_IDP_MANAGER_TYPE}", + "${NETBIRD_IDP_MANAGER_TYPE^}ClientCredentials": { + "ClientID": "${NETBIRD_IDP_CLIENT_ID}", + "ClientSecret": "${NETBIRD_IDP_CLIENT_SECRET}", + "GrantType": "${NETBIRD_IDP_GRANT_TYPE}", + "Audience": "${NETBIRD_IDP_AUTH0_AUDIENCE}", + "AuthIssuer": "${NETBIRD_IDP_AUTH0_AUTH_ISSUER}", + "AdminEndpoint": "${NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT}", + "TokenEndpoint": "${NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT}" + } + }, + "DeviceAuthorizationFlow": { + "Provider": "${NETBIRD_AUTH_DEVICE_AUTH_PROVIDER}", + "ProviderConfig": { + "Audience": "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE}", + "ClientID": "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}", + "DeviceAuthEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT}", + "Domain": "${NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY}", + "TokenEndpoint": "${NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT}", + "Scope": "${NETBIRD_AUTH_DEVICE_AUTH_SCOPE}", + "UseIDToken": "${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}" + } + }, + "Relay": { + "Addresses": ["${NETBIRD_RELAY_URI}"], + "CredentialsTTL": "24h", + "Secret": 
"${NETBIRD_RELAY_SECRET}" + } +} diff --git a/k8s/infra/vpn/netbird/management/deployment.yaml b/k8s/infra/vpn/netbird/management/deployment.yaml new file mode 100644 index 00000000..a332c985 --- /dev/null +++ b/k8s/infra/vpn/netbird/management/deployment.yaml 
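Review bot: `"Secret": "secret"` in TURNConfig is a hard-coded literal in a file whose other credentials all come from Secrets; with `"TimeBasedCredentials": false` it may be unused, but then it should be templated like the rest (`"Secret": "${NETBIRD_TURN_SECRET}"`) or carry a comment-equivalent note in the kustomization explaining why it is inert, so nobody enables time-based credentials against a known value. `"UseIDToken": "${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}"` renders as the JSON string `"false"`; if netbird decodes that field into a Go bool, as its upstream template (which leaves the value unquoted) suggests, the management server will fail to parse the config — verify and drop the quotes if so. Both points apply equally to the copy in `cm-management-template.yaml`.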
@@ -0,0 +1,113 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: management + namespace: netbird +spec: + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: management + template: + metadata: + labels: + app.kubernetes.io/name: management + spec: + nodeSelector: + topology.kubernetes.io/zone: abel + dnsConfig: + nameservers: + - 192.168.1.253 + dnsPolicy: None + initContainers: + - name: configure + image: golang:latest + command: [ /bin/sh, -c ] + args: + - > + go install github.com/drone/envsubst/cmd/envsubst@latest && + envsubst < /tmp/netbird/management.tmpl.json > /etc/netbird/management.json && + cat /etc/netbird/management.json + envFrom: + - configMapRef: + name: management-config + env: + - name: NETBIRD_RELAY_SECRET + valueFrom: + secretKeyRef: + key: authSecret + name: netbird-relay-credentials + - name: NETBIRD_TURN_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: netbird-turn-credentials + - name: NETBIRD_IDP_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: clientSecret + name: netbird-backend-oidc-credentials + volumeMounts: + - name: config + mountPath: /etc/netbird + - name: config-template + mountPath: /tmp/netbird + containers: + - name: oidc-key-checker + image: registry.gitlab.com/gitlab-ci-utils/curl-jq:3.1.0 # renovate: docker=registry.gitlab.com/gitlab-ci-utils/curl-jq + command: [ "/bin/bash", "-c" ] + args: [ "/opt/bin/check-oidc-keys.sh" ] + env: + - name: CHECK_INTERVAL + value: "900" + volumeMounts: + - name: check-oidc-keys + mountPath: /opt/bin/check-oidc-keys.sh + subPath: check-oidc-keys.sh + - name: config + mountPath: /etc/netbird + - name: data + mountPath: /data + resources: + requests: + memory: 16Mi + cpu: 10m + limits: + memory: 64Mi + cpu: 200m + - name: management + image: docker.io/netbirdio/management:v0.35.2 # renovate: docker=docker.io/netbirdio/management + args: [ "--log-level", "${LOG_LEVEL}", "--log-file", "console", "--dns-domain", "netbird.selfhosted" ] + 
volumeMounts: + - name: config + mountPath: /etc/netbird + - name: management + mountPath: /var/lib/netbird + ports: + - name: http + containerPort: 80 + resources: + requests: + memory: 256Mi + cpu: 200m + limits: + memory: 512Mi + cpu: 4000m + volumes: + - name: data + emptyDir: { } + - name: config + emptyDir: + medium: Memory + - name: config-template + configMap: + defaultMode: 420 + name: management-config-template + - name: check-oidc-keys + configMap: + defaultMode: 420 + name: check-oidc-keys + - name: management + persistentVolumeClaim: + claimName: management \ No newline at end of file diff --git a/k8s/infra/vpn/netbird/management/kustomization.yaml b/k8s/infra/vpn/netbird/management/kustomization.yaml new file mode 100644 index 00000000..4ca55ca0 --- /dev/null +++ b/k8s/infra/vpn/netbird/management/kustomization.yaml 
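Review bot: The `configure` init container ends with `cat /etc/netbird/management.json`, which prints the rendered file — including the relay secret, TURN password and IdP client secret that were just substituted in — to the pod log, where any log aggregation or `kubectl logs` reader can see them; remove the `cat` (or print only `jq 'del(.Relay.Secret, .TURNConfig, .IdpManagerConfig)'`-style redacted output). The management container's args use `${LOG_LEVEL}`, but Kubernetes only expands `$(VAR)` and this container defines no env at all, so the literal string `${LOG_LEVEL}` reaches the binary; change it to `"--log-level", "$(LOG_LEVEL)"` and add `envFrom: - configMapRef: name: management-config` to that container — the same `${PORT}`/`${LOG_LEVEL}` issue is in `signal/deployment.yaml`. The init container also runs `golang:latest` and `go install ...@latest` on every pod start, so the rendered config depends on an unpinned image and whatever the module proxy serves that day; pin the image by digest and vendor a fixed envsubst release (or a small image that ships it). Unlike signal, this container has no readiness or liveness probe.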
@@ -0,0 +1,43 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +configMapGenerator: + - name: check-oidc-keys + namespace: netbird + files: + - config/check-oidc-keys.sh + - name: management-config-template + namespace: netbird + files: + - config/management.tmpl.json + - name: management-config + namespace: netbird + literals: + - NETBIRD_RELAY_URI="rels://netbird.stonegarden.dev:443" + - NETBIRD_SIGNAL_URI="netbird.stonegarden.dev:443" + - NETBIRD_SIGNAL_PROTOCOL="https" + - NETBIRD_STUN_URI="stun:coturn.stonegarden.dev:3478" + - NETBIRD_TURN_URI="turn:coturn.stonegarden.dev:3478" + - NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/.well-known/openid-configuration" + - NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted" + - NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="netbird-dashboard" + - NETBIRD_AUTH_DEVICE_AUTH_AUTHORITY="https://keycloak.stonegarden.dev/realms/homelab" + - NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="netbird-dashboard" + - NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/auth" + - NETBIRD_AUTH_DEVICE_AUTH_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token" + - NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid" + - NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN="false" + - NETBIRD_IDP_MANAGER_TYPE="keycloak" + - NETBIRD_IDP_CLIENT_ID="netbird-backend" + - NETBIRD_IDP_GRANT_TYPE="client_credentials" + - NETBIRD_IDP_KEYCLOAK_ADMIN_ENDPOINT="https://keycloak.stonegarden.dev/admin/realms/homelab" + - NETBIRD_IDP_KEYCLOAK_TOKEN_ENDPOINT="https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token" + - LOG_LEVEL="warn" + +resources: + - deployment.yaml + - svc.yaml + - pvc.yaml + - secret-coturn-credentials.yaml + - oidc-credentials.yaml + - x-oidc-client.yaml 
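Review bot: `NETBIRD_AUTH_DEVICE_AUTH_DEVICE_AUTHORIZATION_ENDPOINT` points at `.../protocol/openid-connect/auth`, which is Keycloak's authorization endpoint; the device-authorization endpoint is normally `.../protocol/openid-connect/auth/device`, so the device flow is likely to fail — check `device_authorization_endpoint` in the realm's `.well-known/openid-configuration` and use that value. A short comment above the device-auth literals naming that discovery document as the source of truth would help future edits. The generated ConfigMap names get kustomize hash suffixes; the references in deployment.yaml (`management-config`, `management-config-template`, `check-oidc-keys`) are in fields kustomize rewrites, so that is fine, but the unreferenced `cm-*.yaml` files in this directory are not and should be removed or listed.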
diff --git a/k8s/infra/vpn/netbird/management/oidc-credentials.yaml b/k8s/infra/vpn/netbird/management/oidc-credentials.yaml new file mode 100644 index 00000000..04624c5e --- /dev/null +++ b/k8s/infra/vpn/netbird/management/oidc-credentials.yaml @@ -0,0 +1,14 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: netbird-backend-oidc-credentials + namespace: netbird +spec: + encryptedData: + clientId: 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 + clientSecret: AgAeRHLhUWMCc+xaoCHx5TXOo/LnVadRYcBtXRXZ1LBdHeVPidwKajMw5RIFbX12gYH6XLAY4AqevGZd4iQkzNDZmG3L7zGgzy67rFQ7iyMKSXbuuTWnoLS5tzkJhpDuExH7p2IUQOeQYbCibBZRI2vA2uvAav8UgVPNm63CPUyNb5ywSx+edgCt5d9UNNVz7DeuqIP+BcQ6q6T6cC5zF5wGDjv/VwuByHtwghiUmRtRSyXuafRS94s2x53zV3Eb49IVAlWHP9ecqriQgdZsyOLI8Z5qbSqqteaVDCicIqTAwOmXPZSedTbkm7c8xbvPE4vzP7/EPUfvF7uQf9WclVoVBvF5YVxbKh2Sj5HBqIESGvcrPV7kNPodymQdk/uyBaMOzvJgo5dHS13mjxVtpiAnsN+/4+JfgljHKQmdcb8wwbYS1qbKE4A5WQ9zzegtuRqzpWmfe4gXMGvm0/+G5TLUi/ReCO4aAwplAsIJt/7Z+FWofZFGx66ULvd8c0fliearyaGR6Jm/ZodkRJNRh46Y16s8Q79IKKMBChE3eWb68MnLA4XFC8rEdPjTJuItRR+sn/tVyJDfi1ZuuAiO96hZHkQivGopglRzYcxweWOAq/WcPH3fl392iPlQbuxZT37o81gL81Z9Q/SL1u6LinHi2245ETN85R3/Dyv4dWSawvpF+OIa5OLXuDmKcGtKp+GAu3OL4QqISronkvnNQ4ts+CgZinmzLTWXypl5aExiBtzlVfZ4Ti0B + template: + metadata: + name: netbird-backend-oidc-credentials + namespace: netbird + type: Opaque diff --git a/k8s/infra/vpn/netbird/management/pvc.yaml b/k8s/infra/vpn/netbird/management/pvc.yaml new file mode 100644 index 00000000..445b4d36 --- /dev/null +++ b/k8s/infra/vpn/netbird/management/pvc.yaml @@ -0,0 +1,12 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: management +spec: + storageClassName: proxmox-csi + volumeName: pv-netbird-management + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 512M diff --git a/k8s/infra/vpn/netbird/management/secret-coturn-credentials.yaml b/k8s/infra/vpn/netbird/management/secret-coturn-credentials.yaml new file mode 100644 index 00000000..ef187a65 
--- /dev/null +++ b/k8s/infra/vpn/netbird/management/secret-coturn-credentials.yaml @@ -0,0 +1,14 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: netbird-turn-credentials + namespace: netbird +spec: + encryptedData: + password: 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 + username: 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 + template: + metadata: + name: netbird-turn-credentials + namespace: netbird + type: Opaque diff --git a/k8s/infra/vpn/netbird/management/svc.yaml b/k8s/infra/vpn/netbird/management/svc.yaml new file mode 100644 index 00000000..3f4dfce9 --- /dev/null +++ b/k8s/infra/vpn/netbird/management/svc.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: signal + namespace: netbird +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: signal + ports: + - name: http + port: 80 + targetPort: http diff --git a/k8s/infra/vpn/netbird/management/x-oidc-client.yaml b/k8s/infra/vpn/netbird/management/x-oidc-client.yaml new file mode 100644 index 00000000..1f1c7b76 --- /dev/null +++ b/k8s/infra/vpn/netbird/management/x-oidc-client.yaml @@ -0,0 +1,27 @@ +apiVersion: oidc.homelab.olav.ninja/v1alpha1 +kind: XOidcClient +metadata: + name: netbird-backend +spec: + realm: homelab + clientId: netbird-backend + displayName: Netbird Backend + description: Netbird Backend Client + clientSecretSecretRef: + name: netbird-backend-oidc-credentials + namespace: netbird + key: clientSecret + type: CONFIDENTIAL + grantTypes: + - client_credentials + - code + - device_code + - password + redirectUris: + - "/*" + webOrigins: + - "+" + serviceAccountRoles: + - realm: homelab + client: builtin-homelab-realm-management + role: view-users diff --git a/k8s/infra/vpn/netbird/signal/deployment.yaml b/k8s/infra/vpn/netbird/signal/deployment.yaml new file mode 100644 index 00000000..ab7d4842 --- /dev/null +++ b/k8s/infra/vpn/netbird/signal/deployment.yaml 
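Review bot: `management/svc.yaml` is a byte-identical copy of `signal/svc.yaml` (same blob id 3f4dfce9): its `name: signal` and selector `app.kubernetes.io/name: signal` mean the management Deployment has no Service selecting it, and re-enabling `signal` in the parent kustomization would produce two Services named `signal` in `netbird` and fail the build. Change the two lines to `name: management` and `app.kubernetes.io/name: management`.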
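Review bot: The `netbird-backend` OIDC client is configured for `client_credentials` only (`NETBIRD_IDP_GRANT_TYPE` in management/kustomization.yaml), yet `grantTypes` also enables `code`, `device_code` and `password`, with `redirectUris: "/*"` and `webOrigins: "+"`; that gives a confidential service-account client interactive and password grants plus wildcard redirects it does not use. Trim to `grantTypes: [client_credentials]` and drop the redirect/origin wildcards unless another flow demonstrably uses this client (the dashboard uses `netbird-dashboard`). A comment such as `# service-account client: view-users is needed for the Keycloak IdP manager` would document why the realm-management role is granted.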
@@ -0,0 +1,48 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: signal + namespace: netbird +spec: + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: signal + template: + metadata: + labels: + app.kubernetes.io/name: signal + spec: + nodeSelector: + topology.kubernetes.io/zone: abel + containers: + - name: signal + image: docker.io/netbirdio/signal:v0.35.2 # renovate: docker=docker.io/netbirdio/signal + args: ["--port", "${PORT}", "--log-level", "${LOG_LEVEL}", "--log-file", "console"] + envFrom: + - configMapRef: + name: signal-config + volumeMounts: + - name: signal + mountPath: /var/lib/netbird + ports: + - name: http + containerPort: 80 + livenessProbe: + tcpSocket: + port: http + readinessProbe: + tcpSocket: + port: http + resources: + requests: + memory: 16Mi + cpu: 10m + limits: + memory: 64Mi + cpu: 2000m + volumes: + - name: signal + persistentVolumeClaim: + claimName: signal \ No newline at end of file diff --git a/k8s/infra/vpn/netbird/signal/kustomization.yaml b/k8s/infra/vpn/netbird/signal/kustomization.yaml new file mode 100644 index 00000000..39bc94c2 --- /dev/null +++ b/k8s/infra/vpn/netbird/signal/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +configMapGenerator: + - name: signal-config + namespace: netbird + literals: + - LOG_LEVEL="warn" + - PORT="80" + +resources: + - deployment.yaml + - svc.yaml + - pvc.yaml diff --git a/k8s/infra/vpn/netbird/signal/pvc.yaml b/k8s/infra/vpn/netbird/signal/pvc.yaml new file mode 100644 index 00000000..bacedd60 --- /dev/null +++ b/k8s/infra/vpn/netbird/signal/pvc.yaml @@ -0,0 +1,12 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: signal +spec: + storageClassName: proxmox-csi + volumeName: pv-netbird-signal + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 512M 
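Review bot: `containerPort: 80` and both probes are hard-coded to port 80 while the listening port comes from `PORT="80"` in signal-config, so a change to the literal silently desynchronises the probes from the server; either drop the config variable and keep `"--port", "80"` in args, or comment the coupling (`# must match PORT in signal-config`). The `${PORT}`/`${LOG_LEVEL}` expansion problem is described on management/deployment.yaml and applies here too. The PVC mounted at `/var/lib/netbird` is unusual for a signal server, which I believe keeps no persistent state — confirm it is needed before tying the Deployment to a single zone via `volumeName`.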
diff --git a/k8s/infra/vpn/netbird/signal/svc.yaml b/k8s/infra/vpn/netbird/signal/svc.yaml new file mode 100644 index 00000000..3f4dfce9 --- /dev/null +++ b/k8s/infra/vpn/netbird/signal/svc.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: signal + namespace: netbird +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: signal + ports: + - name: http + port: 80 + targetPort: http