netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Allow netbirdio/management to startup without SSO .wellknown or cache it #2224

Open ykorzikowski opened 3 days ago

ykorzikowski commented 3 days ago

Is your feature request related to a problem? Please describe. Whenever an SSO provider like Authentik or Keycloak is not available, the management service won't start.

2024-07-01T15:26:10Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint https://sso.***.***/realms/master/.well-known/openid-configuration
Error: failed reading provided config file: /etc/netbird/management.json: failed fetching OIDC configuration from endpoint https://sso.***.***/realms/master/.well-known/openid-configuration Get "https://sso.***.***/realms/master/.well-known/openid-configuration": dial tcp 95.***.***.***:443: i/o timeout

This may not be an issue in big, HA environments, but if you use netbird also for inter-server communication, you may create a circular dependency (netbird needs SSO, which needs the reverse proxy, which needs netbird to connect to Keycloak).

Describe the solution you'd like Add an option for the service to start in a fail-safe mode, or provide an option to cache this file and use it instead until the server is online again.

Describe alternatives you've considered

Additional context

mlsmaycon commented 3 days ago

@ykorzikowski, did all clients lose all connections with other peers after you had this issue with management? Can you share your client logs, too? If this is happening, it looks like there is a problem with the client's retry.

Regarding the configuration endpoint, it is not a hard requirement. It was used when you first ran the configure.sh script, and it added most of the fields that get overwritten by the management service. You can remove it from management.json and restart the management service to validate.

ykorzikowski commented 2 days ago

Hi @mlsmaycon, this time I only noticed my MacBook lost the connection. The other clients seem to keep the connection.

What exactly do you mean by "removing it"?

[...]
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "netbird-client",
        "AuthIssuer": "https://sso.***.com/realms/master",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://sso.***.com/realms/master/protocol/openid-connect/certs",
        "OIDCConfigEndpoint": "https://sso.***.com/realms/master/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false
    },
    "IdpManagerConfig": {
        "ManagerType": "keycloak",
        "ClientConfig": null,
        "ExtraConfig": null,
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": {
            "ClientID": "***",
            "ClientSecret": "***",
            "AdminEndpoint": "https://sso.***.com/admin/realms/master",
            "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
            "GrantType": "client_credentials"
        },
        "ZitadelClientCredentials": null
    },
[...]
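To illustrate the fallback the feature request asks for (fetch the discovery document, persist only a validated copy, and fall back to that copy when the IdP is unreachable), here is an added example in Go. It is not code from this issue or from NetBird: the Fetcher type, the OIDCConfig struct and the cache path are assumptions of the example, and in a real service the Fetcher would wrap an http.Client with a short Timeout.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Fetcher retrieves the raw discovery document (assumed type). It is injected
// so the loader can be exercised offline with the IdP "down".
type Fetcher func(endpoint string) ([]byte, error)

// OIDCConfig holds the discovery fields a token validator needs (OpenID Connect
// Discovery names, not NetBird's own config types; assumed for this example).
type OIDCConfig struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}

// parseOIDC rejects documents missing the fields needed to validate tokens,
// so an error page or truncated response is never accepted, let alone cached.
func parseOIDC(body []byte) (*OIDCConfig, error) {
	var cfg OIDCConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return nil, err
	}
	if cfg.Issuer == "" || cfg.JwksURI == "" {
		return nil, fmt.Errorf("discovery document lacks issuer or jwks_uri")
	}
	return &cfg, nil
}

// LoadOIDCConfig fetches the live document and refreshes the cache on success;
// if the IdP is unreachable it falls back to the cached copy. The bool reports
// whether the cache was used, so startup can log a warning instead of failing.
func LoadOIDCConfig(endpoint, cachePath string, fetch Fetcher) (*OIDCConfig, bool, error) {
	body, fetchErr := fetch(endpoint)
	if fetchErr == nil {
		cfg, err := parseOIDC(body)
		if err != nil {
			return nil, false, err
		}
		return cfg, false, os.WriteFile(cachePath, body, 0o600) // cache only validated docs
	}
	cached, err := os.ReadFile(cachePath)
	if err != nil {
		return nil, false, fmt.Errorf("fetch failed (%w) and no cache at %s", fetchErr, cachePath)
	}
	cfg, err := parseOIDC(cached)
	return cfg, true, err
}
```

Because a cold start with the IdP down and no cache still fails, the cache must be warmed once while the IdP is reachable; after that a timeout like the one in the log above no longer blocks startup.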