feat(netbird): structured OIDC/SSO configuration (#7) #8
Merged
mikkeldamsgaard merged 2 commits into main, Feb 26, 2026
Add a comprehensive oidc.* values section that renders full OIDC/SSO configuration into the server config.yaml, replacing the need for extraEnv hacks. Default oidc.enabled: false — no breaking changes.

Configuration sections:
- oidc.audience, userIdClaim, configEndpoint, authKeysLocation
- oidc.deviceAuthFlow: RFC 8628 device authorization flow
- oidc.pkceAuthFlow: RFC 7636 PKCE authorization flow
- oidc.idpManager: IdP management (keycloak, auth0, azure, zitadel)

Secret injection follows existing pattern: secretName/secretKey for Kubernetes secretKeyRef, with envsubst placeholders in config template.

Dashboard AUTH_AUTHORITY now falls back to server.config.auth.issuer when dashboard.config.authAuthority is empty.

Testing:
- 22 new unit tests (190 total, all passing)
- Keycloak OIDC e2e test: deploys Keycloak in-cluster, configures realm/clients/users via REST API, verifies OIDC middleware active

Closes #7

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add end-to-end test for Zitadel IdP integration deployed in-cluster alongside PostgreSQL. The test bootstraps Zitadel with a machine user and PAT, then uses the Management API to create a project, OIDC apps (Dashboard + CLI), a service user with client_credentials, and a test human user. Dynamic client IDs are substituted into the values file at runtime.

Key implementation details:
- Three-phase Zitadel deployment: init container (schema), setup init container (migrations + instance), main container (server)
- Alpine sidecar for PAT file reading (Zitadel image is distroless)
- emptyDir volume at /tmp for PAT output (distroless lacks writable /tmp)
- enableServiceLinks: false to prevent K8s ZITADEL_PORT env var conflict
- Cluster DNS as EXTERNALDOMAIN for Host header validation

Tests verify: OIDC middleware returns 401, OIDC discovery works, and client_credentials token acquisition succeeds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
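The two commits above wire oidc.* values (configEndpoint, authKeysLocation, device flow, PKCE flow, secretName/secretKey references) into the server config and then verify discovery and token acquisition against Keycloak and Zitadel. A preflight check that compares such a values block against the IdP's discovery document catches the usual mistakes before `helm install`: an http discovery URL, an issuer that does not match the endpoint, a JWKS location that disagrees with `jwks_uri`, device or PKCE flows the IdP does not advertise, and a client secret pasted in plaintext instead of as a secretKeyRef. The script below is an added example written for this page, not code from the netbird chart or its test suite. It assumes the sub-key names `enabled`, `clientId` and `clientSecret` under deviceAuthFlow, pkceAuthFlow and idpManager (the PR names only the section keys), and both the values block and the discovery document are constructed sample data.

```python
"""Preflight check of a chart's oidc.* values against the IdP's OIDC discovery document.

Added example for this page; not part of the netbird Helm chart. The sub-keys
enabled/clientId/clientSecret are assumed; the section names come from the PR.
"""
import copy
from typing import Any, Iterator

WELL_KNOWN = "/.well-known/openid-configuration"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type

# Constructed values block (what would sit under `oidc:` in values.yaml).
VALUES: dict[str, Any] = {
    "oidc": {
        "enabled": True,
        "audience": "netbird-dashboard",
        "userIdClaim": "sub",
        "configEndpoint": "https://idp.example.com" + WELL_KNOWN,
        "authKeysLocation": "https://idp.example.com/protocol/openid-connect/certs",
        "deviceAuthFlow": {"enabled": True, "clientId": "netbird-cli"},
        "pkceAuthFlow": {"enabled": True, "clientId": "netbird-dashboard"},
        "idpManager": {
            "type": "keycloak",
            # secretKeyRef form: the rendered config only carries an envsubst placeholder
            "clientSecret": {"secretName": "netbird-idp", "secretKey": "clientSecret"},
        },
    }
}

# Constructed discovery document: the relevant subset of GET <issuer>/.well-known/openid-configuration.
DISCOVERY: dict[str, Any] = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.com/protocol/openid-connect/certs",
    "device_authorization_endpoint": "https://idp.example.com/protocol/openid-connect/auth/device",
    "grant_types_supported": ["authorization_code", DEVICE_GRANT, "client_credentials"],
    "code_challenge_methods_supported": ["plain", "S256"],
}

# Constructed misconfiguration: http endpoint, plaintext secret, IdP without device flow or S256.
BAD_VALUES = copy.deepcopy(VALUES)
BAD_VALUES["oidc"]["configEndpoint"] = "http://idp.example.com" + WELL_KNOWN
BAD_VALUES["oidc"]["idpManager"]["clientSecret"] = "hunter2"  # would be rendered into config.yaml
BAD_DISCOVERY: dict[str, Any] = {
    "issuer": "https://other.example.com",
    "jwks_uri": "https://other.example.com/certs",
    "code_challenge_methods_supported": ["plain"],
}


def _entries(node: Any, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Any]]:
    """Yield (dotted path, value) for every key in a nested dict, including dict-valued keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path + (key,), value
            yield from _entries(value, path + (key,))


def validate_oidc(values: dict[str, Any], discovery: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means the values are consistent with the IdP."""
    findings: list[str] = []
    oidc = values.get("oidc") or {}
    if not oidc.get("enabled", False):
        return findings  # chart default: OIDC off, nothing rendered

    endpoint = oidc.get("configEndpoint", "")
    if not endpoint.startswith("https://"):
        findings.append("configEndpoint: must use https (discovery and JWKS are fetched from it)")
    if endpoint.endswith(WELL_KNOWN):
        # OIDC Discovery: the document lives at <issuer> + WELL_KNOWN and its `issuer`
        # field must match; a mismatch is either a typo or a document served by the wrong host.
        expected_issuer = endpoint[: -len(WELL_KNOWN)].rstrip("/")
        actual_issuer = str(discovery.get("issuer", "")).rstrip("/")
        if actual_issuer != expected_issuer:
            findings.append(f"issuer: discovery says {actual_issuer!r}, configEndpoint implies {expected_issuer!r}")
    else:
        findings.append("configEndpoint: must end with " + WELL_KNOWN)

    keys_location = oidc.get("authKeysLocation")
    if keys_location and keys_location != discovery.get("jwks_uri"):
        findings.append(f"authKeysLocation: {keys_location!r} differs from jwks_uri {discovery.get('jwks_uri')!r}")
    if not oidc.get("audience"):
        findings.append("audience: empty; tokens minted for any client would be accepted")

    if (oidc.get("deviceAuthFlow") or {}).get("enabled"):
        if "device_authorization_endpoint" not in discovery:
            findings.append("deviceAuthFlow: IdP advertises no device_authorization_endpoint (RFC 8628)")
        grants = discovery.get("grant_types_supported")
        if grants is not None and DEVICE_GRANT not in grants:
            findings.append("deviceAuthFlow: device_code grant not in grant_types_supported")

    if (oidc.get("pkceAuthFlow") or {}).get("enabled"):
        if "S256" not in discovery.get("code_challenge_methods_supported", []):
            findings.append("pkceAuthFlow: IdP does not advertise S256 code challenge (RFC 7636)")

    # Any key named *secret must be a secretName/secretKey reference, never a literal.
    for path, value in _entries(oidc):
        if not path[-1].lower().endswith("secret"):
            continue
        dotted = "oidc." + ".".join(path)
        if isinstance(value, dict):
            if not all(k in value for k in ("secretName", "secretKey")):
                findings.append(f"{dotted}: secretKeyRef needs both secretName and secretKey")
        else:
            findings.append(f"{dotted}: plaintext secret in values; use secretName/secretKey")
    return findings


if __name__ == "__main__":
    for label, vals, disc in (("good", VALUES, DISCOVERY), ("bad", BAD_VALUES, BAD_DISCOVERY)):
        print(label, "->", validate_oidc(vals, disc) or "ok")
```

Run it against the real discovery document by replacing `DISCOVERY` with the parsed body of `GET <configEndpoint>`; the issuer comparison is the check that matters most, since a discovery document fetched from one host that names another issuer is exactly what a misrouted or spoofed IdP looks like.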
Summary
- oidc.* values section for full OIDC/SSO configuration (device auth flow, PKCE flow, IdP manager with provider-specific support)
- secretKeyRef follows existing chart patterns — no plaintext secrets in rendered config
- AUTH_AUTHORITY auto-derives from server.config.auth.issuer when not explicitly set

Test plan
- helm lint charts/netbird — passes
- helm unittest charts/netbird — 190 tests pass
- make e2e-oidc-keycloak — Keycloak OIDC e2e passes (server starts, middleware returns 401 for unauthenticated requests, Keycloak token acquisition works)
- make e2e-sqlite — existing tests pass (no regression)

Closes #7
🤖 Generated with Claude Code