From c39cd2f7b03cc9efc85dea0d9339159ec710703e Mon Sep 17 00:00:00 2001
From: Misha Bragin
Date: Wed, 17 Aug 2022 21:44:20 +0200
Subject: [PATCH] Support new properties for OIDC auth (#426)
This PR updates infrastructure_scripts to support self-hosted setup with a generic OIDC provider.
---
.../workflows/test-docker-compose-linux.yml | 26 ++++++++++++-------
infrastructure_files/base.setup.env | 9 ++++---
infrastructure_files/configure.sh | 15 +++++++++++
infrastructure_files/docker-compose.yml.tmpl | 8 +++---
infrastructure_files/management.json.tmpl | 6 ++---
infrastructure_files/setup.env.example | 21 ++++++++-------
infrastructure_files/tests/setup.env | 21 ++++++++-------
7 files changed, 68 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/test-docker-compose-linux.yml b/.github/workflows/test-docker-compose-linux.yml
index 88a01e2ef..aa7132249 100644
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -28,20 +28,28 @@ jobs:
working-directory: infrastructure_files
run: bash -x configure.sh
env:
- CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
- CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
- CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+ CI_NETBIRD_AUTH_AUTHORITY: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}
+ CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
+ CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+ CI_NETBIRD_AUTH_JWT_CERTS: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}.well-known/jwks.json
+ CI_NETBIRD_AUTH_SUPPORTED_SCOPES: openid
+ CI_NETBIRD_USE_AUTH0: true
- name: check values
working-directory: infrastructure_files
env:
- CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
- CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
- CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+ CI_NETBIRD_AUTH_AUTHORITY: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}
+ CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
+ CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+ CI_NETBIRD_AUTH_JWT_CERTS: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}.well-known/jwks.json
+ CI_NETBIRD_AUTH_SUPPORTED_SCOPES: openid
+ CI_NETBIRD_USE_AUTH0: true
run: |
- grep AUTH0_DOMAIN docker-compose.yml | grep $CI_NETBIRD_AUTH0_DOMAIN
- grep AUTH0_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH0_CLIENT_ID
- grep AUTH0_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH0_AUDIENCE
+ grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
+ grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
+ grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
+ grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep $CI_NETBIRD_AUTH_SUPPORTED_SCOPES
+ grep USE_AUTH0 docker-compose.yml | grep $CI_NETBIRD_USE_AUTH0
grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "http://localhost:33073"
- name: run docker compose up
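Review bot: The `check values` step never verifies the one value that actually gates token validation: `CI_NETBIRD_AUTH_JWT_CERTS` is built by gluing `.well-known/jwks.json` onto the authority secret with no `/` separator (it only forms a valid URL if the secret happens to end in a slash), and no `grep` checks what ended up in management.json's `AuthKeysLocation` or `AuthIssuer`. Add `grep AuthKeysLocation management.json | grep -F -- "$CI_NETBIRD_AUTH_JWT_CERTS"` and `grep AuthIssuer management.json | grep -F -- "$CI_NETBIRD_AUTH_AUTHORITY"` to the run block so a malformed JWKS URL fails in CI instead of surfacing as a failed key fetch at runtime. While there, quote the `$CI_NETBIRD_*` expansions in the existing greps and use `-F`: unquoted they are word-split, and `.` in the authority URL is a regex wildcard, so the checks are looser than they look. The job these steps belong to starts before this hunk.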
diff --git a/infrastructure_files/base.setup.env b/infrastructure_files/base.setup.env
index b8c48939c..e8642f61d 100644
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -29,9 +29,12 @@ LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
# exports
export NETBIRD_DOMAIN
-export NETBIRD_AUTH0_DOMAIN
-export NETBIRD_AUTH0_CLIENT_ID
-export NETBIRD_AUTH0_AUDIENCE
+export NETBIRD_AUTH_CLIENT_ID
+export NETBIRD_AUTH_AUDIENCE
+export NETBIRD_AUTH_AUTHORITY
+export NETBIRD_USE_AUTH0
+export NETBIRD_AUTH_SUPPORTED_SCOPES
+export NETBIRD_AUTH_JWT_CERTS
export NETBIRD_LETSENCRYPT_EMAIL
export NETBIRD_MGMT_API_PORT
export NETBIRD_MGMT_API_ENDPOINT
diff --git a/infrastructure_files/configure.sh b/infrastructure_files/configure.sh
index 7735daf5d..15c7b2dbe 100755
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -63,6 +63,21 @@ export MGMT_VOLUMENAME
export SIGNAL_VOLUMENAME
export LETSENCRYPT_VOLUMENAME
+#backwards compatibility after migrating to generic OIDC
+if [[ -z "${NETBIRD_AUTH_AUTHORITY}" ]]; then
+ echo "It seems like you provided an old setup.env file."
+ echo "Since the release of v0.8.8, we introduced a new set of properties."
+ echo "The script is backward compatible and will continue automatically."
+ echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
+
+ export NETBIRD_AUTH_AUTHORITY="https://${NETBIRD_AUTH0_DOMAIN}/"
+ export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
+ export NETBIRD_USE_AUTH0="true"
+ export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
+ export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
+ export NETBIRD_AUTH_JWT_CERTS="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/jwks.json"
+fi
+
envsubst < docker-compose.yml.tmpl > docker-compose.yml
envsubst < management.json.tmpl > management.json
envsubst < turnserver.conf.tmpl > turnserver.conf
diff --git a/infrastructure_files/docker-compose.yml.tmpl b/infrastructure_files/docker-compose.yml.tmpl
index a2ab53c53..395024ad3 100644
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -8,9 +8,11 @@ services:
- 80:80
- 443:443
environment:
- - AUTH0_DOMAIN=$NETBIRD_AUTH0_DOMAIN
- - AUTH0_CLIENT_ID=$NETBIRD_AUTH0_CLIENT_ID
- - AUTH0_AUDIENCE=$NETBIRD_AUTH0_AUDIENCE
+ - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+ - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+ - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
+ - USE_AUTH0=$NETBIRD_USE_AUTH0
+ - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
- NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
- NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
- NGINX_SSL_PORT=443
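Review bot: The fallback branch only tests that `NETBIRD_AUTH_AUTHORITY` is empty and never that `NETBIRD_AUTH0_DOMAIN` is set, and the new layout is not validated at all, so an unfilled setup.env (the example ships every `NETBIRD_AUTH_*` value as `""`) still renders: the legacy path produces `AuthIssuer` `https:///` and `AuthKeysLocation` `https:///.well-known/jwks.json`, the new path produces empty `AuthIssuer`/`AuthKeysLocation`, because the `envsubst` calls that follow substitute whatever is in the variables verbatim. `AuthKeysLocation` is where the management server fetches the keys it will trust for JWT verification, so I would fail fast here rather than let such a configuration start, and also refuse a non-`https://` JWKS URL, since a plain-HTTP key fetch lets an on-path attacker substitute signing keys. How the management server itself behaves on an empty issuer or key location is not visible in this diff, so treat the checks below as belt-and-braces rather than assume it rejects them. The `http://netbird.io/docs/...` link in the deprecation message should also be `https://`.
```shell
if [[ -z "${NETBIRD_AUTH_AUTHORITY}" ]]; then
  # … unchanged: deprecation notice …
  # Legacy layout: NETBIRD_AUTH0_DOMAIN is mandatory here, otherwise the issuer
  # below degrades to "https:///" and is rendered as-is into management.json.
  : "${NETBIRD_AUTH0_DOMAIN:?NETBIRD_AUTH0_DOMAIN (or NETBIRD_AUTH_AUTHORITY) must be set in setup.env}"
  # … unchanged: NETBIRD_AUTH_* exports derived from NETBIRD_AUTH0_* …
fi

# Every value below is substituted verbatim into the templates; an empty one
# yields an empty AuthIssuer / AuthKeysLocation in management.json.
for v in NETBIRD_AUTH_AUTHORITY NETBIRD_AUTH_CLIENT_ID NETBIRD_AUTH_AUDIENCE NETBIRD_AUTH_JWT_CERTS; do
  [[ -n "${!v}" ]] || { echo "$v must be set in setup.env" >&2; exit 1; }
done
# The JWKS endpoint is the trust anchor for token verification; never fetch it over plain HTTP.
[[ "${NETBIRD_AUTH_JWT_CERTS}" == https://* ]] || { echo "NETBIRD_AUTH_JWT_CERTS must be an https:// URL" >&2; exit 1; }

# … unchanged: envsubst rendering of the templates …
```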
diff --git a/infrastructure_files/management.json.tmpl b/infrastructure_files/management.json.tmpl
index b01dba94d..594954005 100644
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -29,9 +29,9 @@
"Datadir": "",
"HttpConfig": {
"Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
- "AuthIssuer": "https://$NETBIRD_AUTH0_DOMAIN/",
- "AuthAudience": "$NETBIRD_AUTH0_AUDIENCE",
- "AuthKeysLocation": "https://$NETBIRD_AUTH0_DOMAIN/.well-known/jwks.json",
+ "AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
+ "AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
+ "AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
"CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
"CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE"
},
diff --git a/infrastructure_files/setup.env.example b/infrastructure_files/setup.env.example
index 8afdfe0ac..8d4316c6e 100644
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -1,16 +1,17 @@
## example file, you can copy this file to setup.env and update its values ##
-# Dashboard domain and auth0 configuration
-
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN=""
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=""
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=""
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=""
+# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
+NETBIRD_AUTH_AUTHORITY=""
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=""
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0="false"
+# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
+NETBIRD_AUTH_SUPPORTED_SCOPES=""
+NETBIRD_AUTH_AUDIENCE=""
+# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
+NETBIRD_AUTH_JWT_CERTS=""
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
\ No newline at end of file
diff --git a/infrastructure_files/tests/setup.env b/infrastructure_files/tests/setup.env
index 080fb3fbe..e7b3589e3 100644
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
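Review bot: `NETBIRD_AUTH_AUDIENCE=""` lost its guidance in the rewrite: the removed block told the operator the value had to be exactly the identifier configured at the IdP, and the new line has no comment at all, while `NETBIRD_AUTH_AUTHORITY` is now copied verbatim into management.json's `AuthIssuer` without saying it is matched against the token's issuer. I would add `# Audience (API identifier) your IdP puts in the token's aud claim; must match exactly` above `NETBIRD_AUTH_AUDIENCE=""`, and `# Used verbatim as the token issuer: must match the iss claim exactly, including the trailing slash Auth0 uses` above `NETBIRD_AUTH_AUTHORITY=""`. For `NETBIRD_AUTH_JWT_CERTS` the Auth0-only example is misleading for other providers; point at discovery instead: `# jwks_uri from <authority>/.well-known/openid-configuration (Auth0: https://<tenant>/.well-known/jwks.json); must be https`. Whether the management server compares iss/aud by exact string is not visible in this diff; the wording above assumes it does.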
@@ -1,16 +1,17 @@
## example file, you can copy this file to setup.env and update its values ##
-# Dashboard domain and auth0 configuration
-
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="localhost"
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=$CI_NETBIRD_AUTH0_DOMAIN
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=$CI_NETBIRD_AUTH0_CLIENT_ID
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=$CI_NETBIRD_AUTH0_AUDIENCE
+# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
+NETBIRD_AUTH_AUTHORITY=$CI_NETBIRD_AUTH_AUTHORITY
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=$CI_NETBIRD_AUTH_CLIENT_ID
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
+# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
+NETBIRD_AUTH_SUPPORTED_SCOPES=$CI_NETBIRD_AUTH_SUPPORTED_SCOPES
+NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
+# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
+NETBIRD_AUTH_JWT_CERTS=$CI_NETBIRD_AUTH_JWT_CERTS
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
\ No newline at end of file