Support new properties for OIDC auth (#426)
This PR updates the scripts and templates under infrastructure_files so that a self-hosted setup can use a generic OIDC provider instead of being tied to Auth0.
This commit is contained in:
parent
6dc3e8ca90
commit
c39cd2f7b0
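--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -28,20 +28,28 @@ jobs:
 working-directory: infrastructure_files
 run: bash -x configure.sh
 env:
-CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
+CI_NETBIRD_AUTH_AUTHORITY: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}
-CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
+CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
-CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+CI_NETBIRD_AUTH_JWT_CERTS: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}.well-known/jwks.json
+CI_NETBIRD_AUTH_SUPPORTED_SCOPES: openid
+CI_NETBIRD_USE_AUTH0: true
 
 - name: check values
 working-directory: infrastructure_files
 env:
-CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
+CI_NETBIRD_AUTH_AUTHORITY: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}
-CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
+CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
-CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+CI_NETBIRD_AUTH_JWT_CERTS: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}.well-known/jwks.json
+CI_NETBIRD_AUTH_SUPPORTED_SCOPES: openid
+CI_NETBIRD_USE_AUTH0: true
 run: |
-grep AUTH0_DOMAIN docker-compose.yml | grep $CI_NETBIRD_AUTH0_DOMAIN
+grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
-grep AUTH0_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH0_CLIENT_ID
+grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
-grep AUTH0_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH0_AUDIENCE
+grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
+grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep $CI_NETBIRD_AUTH_SUPPORTED_SCOPES
+grep USE_AUTH0 docker-compose.yml | grep $CI_NETBIRD_USE_AUTH0
 grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "http://localhost:33073"
 
 - name: run docker compose up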
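Review bot: `CI_NETBIRD_AUTH_JWT_CERTS: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}.well-known/jwks.json` joins the two parts with no separator, so the JWKS URL is only correct when the authority secret happens to end in `/` (as the Auth0 example in setup.env.example does); without it the result is `https://host.well-known/jwks.json`, a different hostname, which the job would only discover once the management container fails to fetch keys. In the check-values step the new URL-valued variables are handed to grep unquoted and as regular expressions (`grep $CI_NETBIRD_AUTH_AUTHORITY`), so `.` matches any character and the assertion is weaker than it looks; `grep -F -- "$CI_NETBIRD_AUTH_AUTHORITY"` and `grep -F -- "$CI_NETBIRD_AUTH_JWT_CERTS"` would make them literal. Either store the JWKS URL as its own secret or assert that the authority ends with `/` before deriving it.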
@ -29,9 +29,12 @@ LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
|
|||||||
|
|
||||||
# exports
|
# exports
|
||||||
export NETBIRD_DOMAIN
|
export NETBIRD_DOMAIN
|
||||||
export NETBIRD_AUTH0_DOMAIN
|
export NETBIRD_AUTH_CLIENT_ID
|
||||||
export NETBIRD_AUTH0_CLIENT_ID
|
export NETBIRD_AUTH_AUDIENCE
|
||||||
export NETBIRD_AUTH0_AUDIENCE
|
export NETBIRD_AUTH_AUTHORITY
|
||||||
|
export NETBIRD_USE_AUTH0
|
||||||
|
export NETBIRD_AUTH_SUPPORTED_SCOPES
|
||||||
|
export NETBIRD_AUTH_JWT_CERTS
|
||||||
export NETBIRD_LETSENCRYPT_EMAIL
|
export NETBIRD_LETSENCRYPT_EMAIL
|
||||||
export NETBIRD_MGMT_API_PORT
|
export NETBIRD_MGMT_API_PORT
|
||||||
export NETBIRD_MGMT_API_ENDPOINT
|
export NETBIRD_MGMT_API_ENDPOINT
|
||||||
|
@ -63,6 +63,21 @@ export MGMT_VOLUMENAME
|
|||||||
export SIGNAL_VOLUMENAME
|
export SIGNAL_VOLUMENAME
|
||||||
export LETSENCRYPT_VOLUMENAME
|
export LETSENCRYPT_VOLUMENAME
|
||||||
|
|
||||||
|
#backwards compatibility after migrating to generic OIDC
|
||||||
|
if [[ -z "${NETBIRD_AUTH_AUTHORITY}" ]]; then
|
||||||
|
echo "It seems like you provided an old setup.env file."
|
||||||
|
echo "Since the release of v0.8.8, we introduced a new set of properties."
|
||||||
|
echo "The script is backward compatible and will continue automatically."
|
||||||
|
echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
|
||||||
|
|
||||||
|
export NETBIRD_AUTH_AUTHORITY="https://${NETBIRD_AUTH0_DOMAIN}/"
|
||||||
|
export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
|
||||||
|
export NETBIRD_USE_AUTH0="true"
|
||||||
|
export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
|
||||||
|
export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
|
||||||
|
export NETBIRD_AUTH_JWT_CERTS="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/jwks.json"
|
||||||
|
fi
|
||||||
|
|
||||||
envsubst < docker-compose.yml.tmpl > docker-compose.yml
|
envsubst < docker-compose.yml.tmpl > docker-compose.yml
|
||||||
envsubst < management.json.tmpl > management.json
|
envsubst < management.json.tmpl > management.json
|
||||||
envsubst < turnserver.conf.tmpl > turnserver.conf
|
envsubst < turnserver.conf.tmpl > turnserver.conf
|
||||||
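Review bot: The backwards-compatibility branch `if [[ -z "${NETBIRD_AUTH_AUTHORITY}" ]]` only recognises an old-style setup.env, so a new-style file that sets the authority but leaves `NETBIRD_AUTH_JWT_CERTS`, `NETBIRD_AUTH_AUDIENCE`, `NETBIRD_AUTH_CLIENT_ID` or `NETBIRD_AUTH_SUPPORTED_SCOPES` empty falls straight through to the `envsubst` calls below and renders management.json / docker-compose.yml with empty `AuthIssuer`, `AuthAudience` and `AuthKeysLocation` values instead of a clear error. The branch itself also builds `https://${NETBIRD_AUTH0_DOMAIN}/` without checking that `NETBIRD_AUTH0_DOMAIN` is set, which yields `https:///` when both the old and the new variables are missing. A required-variable check placed after the compat block and before the first `envsubst` would fail fast and point the operator at setup.env.example; the deprecation notice could also link to `https://netbird.io/docs/...` rather than `http://`.

```shell
fi

# Fail fast: every property below is substituted verbatim into management.json and
# docker-compose.yml; envsubst renders an unset variable as an empty string, which
# would leave AuthIssuer / AuthAudience / AuthKeysLocation blank instead of erroring.
for required in NETBIRD_AUTH_AUTHORITY NETBIRD_AUTH_CLIENT_ID NETBIRD_AUTH_AUDIENCE \
    NETBIRD_AUTH_JWT_CERTS NETBIRD_AUTH_SUPPORTED_SCOPES; do
  if [[ -z "${!required}" ]]; then
    echo "ERROR: ${required} is empty; set it in setup.env (see setup.env.example)" >&2
    exit 1
  fi
done

envsubst < docker-compose.yml.tmpl > docker-compose.yml
```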
|
@ -8,9 +8,11 @@ services:
|
|||||||
- 80:80
|
- 80:80
|
||||||
- 443:443
|
- 443:443
|
||||||
environment:
|
environment:
|
||||||
- AUTH0_DOMAIN=$NETBIRD_AUTH0_DOMAIN
|
- AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
|
||||||
- AUTH0_CLIENT_ID=$NETBIRD_AUTH0_CLIENT_ID
|
- AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
|
||||||
- AUTH0_AUDIENCE=$NETBIRD_AUTH0_AUDIENCE
|
- AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
|
||||||
|
- USE_AUTH0=$NETBIRD_USE_AUTH0
|
||||||
|
- AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
|
||||||
- NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
|
- NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
|
||||||
- NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
|
- NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
|
||||||
- NGINX_SSL_PORT=443
|
- NGINX_SSL_PORT=443
|
||||||
|
@ -29,9 +29,9 @@
|
|||||||
"Datadir": "",
|
"Datadir": "",
|
||||||
"HttpConfig": {
|
"HttpConfig": {
|
||||||
"Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
|
"Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
|
||||||
"AuthIssuer": "https://$NETBIRD_AUTH0_DOMAIN/",
|
"AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
|
||||||
"AuthAudience": "$NETBIRD_AUTH0_AUDIENCE",
|
"AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
|
||||||
"AuthKeysLocation": "https://$NETBIRD_AUTH0_DOMAIN/.well-known/jwks.json",
|
"AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
|
||||||
"CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
|
"CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
|
||||||
"CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE"
|
"CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE"
|
||||||
},
|
},
|
||||||
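Review bot: `"AuthIssuer": "$NETBIRD_AUTH_AUTHORITY"` and `"AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS"` now take the operator's value verbatim, whereas the old template hard-wired `https://` and the trailing slash around `$NETBIRD_AUTH0_DOMAIN`. AuthKeysLocation is presumably where the management server fetches the token-signing keys, so a plain `http://` value (or a mistyped host) would let anyone on the network path supply keys of their own; configure.sh should refuse such a value before rendering, e.g. `[[ "${NETBIRD_AUTH_JWT_CERTS}" == https://* ]] || { echo "NETBIRD_AUTH_JWT_CERTS must be an https URL" >&2; exit 1; }`. The issuer is likewise presumably compared byte-for-byte with the token's `iss` claim, so the trailing slash the compat branch appends for Auth0 (and that the Keycloak example omits) is significant and deserves a note next to `NETBIRD_AUTH_AUTHORITY` in setup.env.example.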
|
@ -1,16 +1,17 @@
|
|||||||
## example file, you can copy this file to setup.env and update its values
|
## example file, you can copy this file to setup.env and update its values
|
||||||
##
|
##
|
||||||
# Dashboard domain and auth0 configuration
|
|
||||||
|
|
||||||
# Dashboard domain. e.g. app.mydomain.com
|
# Dashboard domain. e.g. app.mydomain.com
|
||||||
NETBIRD_DOMAIN=""
|
NETBIRD_DOMAIN=""
|
||||||
# e.g. dev-24vkclam.us.auth0.com
|
# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
|
||||||
NETBIRD_AUTH0_DOMAIN=""
|
NETBIRD_AUTH_AUTHORITY=""
|
||||||
# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
|
# e.g. netbird-client
|
||||||
NETBIRD_AUTH0_CLIENT_ID=""
|
NETBIRD_AUTH_CLIENT_ID=""
|
||||||
# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
|
# indicates whether to use Auth0 or not: true or false
|
||||||
# Make sure you used the exact same value for Identifier
|
NETBIRD_USE_AUTH0="false"
|
||||||
# you used when creating your Auth0 API
|
# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
|
||||||
NETBIRD_AUTH0_AUDIENCE=""
|
NETBIRD_AUTH_SUPPORTED_SCOPES=""
|
||||||
|
NETBIRD_AUTH_AUDIENCE=""
|
||||||
|
# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
|
||||||
|
NETBIRD_AUTH_JWT_CERTS=""
|
||||||
# e.g. hello@mydomain.com
|
# e.g. hello@mydomain.com
|
||||||
NETBIRD_LETSENCRYPT_EMAIL=""
|
NETBIRD_LETSENCRYPT_EMAIL=""
|
@ -1,16 +1,17 @@
|
|||||||
## example file, you can copy this file to setup.env and update its values
|
## example file, you can copy this file to setup.env and update its values
|
||||||
##
|
##
|
||||||
# Dashboard domain and auth0 configuration
|
|
||||||
|
|
||||||
# Dashboard domain. e.g. app.mydomain.com
|
# Dashboard domain. e.g. app.mydomain.com
|
||||||
NETBIRD_DOMAIN="localhost"
|
NETBIRD_DOMAIN="localhost"
|
||||||
# e.g. dev-24vkclam.us.auth0.com
|
# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
|
||||||
NETBIRD_AUTH0_DOMAIN=$CI_NETBIRD_AUTH0_DOMAIN
|
NETBIRD_AUTH_AUTHORITY=$CI_NETBIRD_AUTH_AUTHORITY
|
||||||
# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
|
# e.g. netbird-client
|
||||||
NETBIRD_AUTH0_CLIENT_ID=$CI_NETBIRD_AUTH0_CLIENT_ID
|
NETBIRD_AUTH_CLIENT_ID=$CI_NETBIRD_AUTH_CLIENT_ID
|
||||||
# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
|
# indicates whether to use Auth0 or not: true or false
|
||||||
# Make sure you used the exact same value for Identifier
|
NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
|
||||||
# you used when creating your Auth0 API
|
# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
|
||||||
NETBIRD_AUTH0_AUDIENCE=$CI_NETBIRD_AUTH0_AUDIENCE
|
NETBIRD_AUTH_SUPPORTED_SCOPES=$CI_NETBIRD_AUTH_SUPPORTED_SCOPES
|
||||||
|
NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
|
||||||
|
# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
|
||||||
|
NETBIRD_AUTH_JWT_CERTS=$CI_NETBIRD_AUTH_JWT_CERTS
|
||||||
# e.g. hello@mydomain.com
|
# e.g. hello@mydomain.com
|
||||||
NETBIRD_LETSENCRYPT_EMAIL=""
|
NETBIRD_LETSENCRYPT_EMAIL=""
|