test postgres

create empty files
use check_jq
2026-04-02 07:33:52 -04:00 · 2023-08-02 18:56:06 +02:00 · 2023-08-02 18:32:31 +02:00 · 2023-08-02 12:32:43 +02:00 · 2023-08-02 12:19:35 +02:00 · 2023-08-01 23:31:14 +02:00
16 changed files with 120 additions and 158 deletions
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -135,7 +135,7 @@ jobs:
        uses: actions/checkout@v3

      - name: run script
-        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
+        run: bash -x infrastructure_files/getting-started-with-zitadel.sh

      - name: test Caddy file gen
        run: test -f Caddyfile
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -378,11 +378,6 @@ uploads:
    username: dev@wiretrustee.com
    method: PUT

-checksum:
-  extra_files:
-    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
-    - glob: ./release_files/install.sh
-
 release:
  extra_files:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
--- a/README.md
+++ b/README.md
@@ -57,9 +57,10 @@ NetBird uses [NAT traversal techniques](https://en.wikipedia.org/wiki/Interactiv
 - \[x] Network Routes.  
 - \[x] Private DNS.
 - \[x] Network Activity Monitoring.
-
+- \[x] Mobile clients (Android).
+- 
 **Coming soon:**
- \[ ] Mobile clients.
+-  \[ ] Mobile clients (iOS).

 ### Secure peer-to-peer VPN with SSO and MFA in minutes

--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -25,8 +25,6 @@ var _ OAuthFlow = &PKCEAuthorizationFlow{}
 const (
 	queryState                = "state"
 	queryCode                 = "code"
-	queryError                = "error"
-	queryErrorDesc            = "error_description"
 	defaultPKCETimeoutSeconds = 300
 )

@@ -143,13 +141,9 @@ func (p *PKCEAuthorizationFlow) startServer(tokenChan chan<- *oauth2.Token, errC
 		tokenValidatorFunc := func() (*oauth2.Token, error) {
 			query := req.URL.Query()

-			if authError := query.Get(queryError); authError != "" {
-				authErrorDesc := query.Get(queryErrorDesc)
-				return nil, fmt.Errorf("%s.%s", authError, authErrorDesc)
-			}
-
+			state := query.Get(queryState)
 			// Prevent timing attacks on state
-			if state := query.Get(queryState); subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
+			if subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
 				return nil, fmt.Errorf("invalid state")
 			}

@@ -167,13 +161,12 @@ func (p *PKCEAuthorizationFlow) startServer(tokenChan chan<- *oauth2.Token, errC

 		token, err := tokenValidatorFunc()
 		if err != nil {
-			renderPKCEFlowTmpl(w, err)
 			errChan <- fmt.Errorf("PKCE authorization flow failed: %v", err)
-			return
+			renderPKCEFlowTmpl(w, err)
 		}

-		renderPKCEFlowTmpl(w, nil)
 		tokenChan <- token
+		renderPKCEFlowTmpl(w, nil)
 	})

 	if err := server.ListenAndServe(); err != nil {
--- a/client/internal/dns/file_linux.go
+++ b/client/internal/dns/file_linux.go
@@ -15,8 +15,7 @@ const (
 	fileGeneratedResolvConfSearchBeginContent = "search "
 	fileGeneratedResolvConfContentFormat      = fileGeneratedResolvConfContentHeader +
 		"\n# If needed you can restore the original file by copying back %s\n\nnameserver %s\n" +
-		fileGeneratedResolvConfSearchBeginContent + "%s\n\n" +
-		"%s\n"
+		fileGeneratedResolvConfSearchBeginContent + "%s\n"
 )

 const (
@@ -92,12 +91,7 @@ func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 		searchDomains += " " + dConf.domain
 		appendedDomains++
 	}
-
-	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
-	if err != nil {
-		log.Errorf("Could not read existing resolv.conf")
-	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
 	err = writeDNSConfig(content, defaultResolvConfPath, f.originalPerms)
 	if err != nil {
 		err = f.restore()
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -182,11 +182,12 @@ func (s *systemConfigurator) addDNSState(state, domains, dnsServer string, port
 }

 func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error {
-	primaryServiceKey, existingNameserver := s.getPrimaryService()
+	primaryServiceKey := s.getPrimaryService()
 	if primaryServiceKey == "" {
 		return fmt.Errorf("couldn't find the primary service key")
 	}
-	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port, existingNameserver)
+
+	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port)
 	if err != nil {
 		return err
 	}
@@ -195,32 +196,27 @@ func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error
 	return nil
 }

-func (s *systemConfigurator) getPrimaryService() (string, string) {
+func (s *systemConfigurator) getPrimaryService() string {
 	line := buildCommandLine("show", globalIPv4State, "")
 	stdinCommands := wrapCommand(line)
 	b, err := runSystemConfigCommand(stdinCommands)
 	if err != nil {
 		log.Error("got error while sending the command: ", err)
-		return "", ""
+		return ""
 	}
 	scanner := bufio.NewScanner(bytes.NewReader(b))
-	primaryService := ""
-	router := ""
 	for scanner.Scan() {
 		text := scanner.Text()
 		if strings.Contains(text, "PrimaryService") {
-			primaryService = strings.TrimSpace(strings.Split(text, ":")[1])
-		}
-		if strings.Contains(text, "Router") {
-			router = strings.TrimSpace(strings.Split(text, ":")[1])
+			return strings.TrimSpace(strings.Split(text, ":")[1])
 		}
 	}
-	return primaryService, router
+	return ""
 }

-func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int, existingDNSServer string) error {
+func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int) error {
 	lines := buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+strconv.Itoa(0))
-	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer+" "+existingDNSServer)
+	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer)
 	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
 	addDomainCommand := buildCreateStateWithOperation(setupKey, lines)
 	stdinCommands := wrapCommand(addDomainCommand)
--- a/client/internal/dns/resolvconf_linux.go
+++ b/client/internal/dns/resolvconf_linux.go
@@ -4,7 +4,6 @@ package dns

 import (
 	"fmt"
-	"os"
 	"os/exec"
 	"strings"

@@ -60,11 +59,7 @@ func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 		appendedDomains++
 	}

-	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
-	if err != nil {
-		log.Errorf("Could not read existing resolv.conf")
-	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)

 	err = r.applyConfig(content)
 	if err != nil {
--- a/client/internal/routemanager/iptables_linux.go
+++ b/client/internal/routemanager/iptables_linux.go
@@ -51,17 +51,13 @@ type iptablesManager struct {

 func newIptablesManager(parentCtx context.Context) *iptablesManager {
 	ctx, cancel := context.WithCancel(parentCtx)
-	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if err != nil {
-		log.Debugf("failed to initialize iptables for ipv4: %s", err)
-	} else if !isIptablesClientAvailable(ipv4Client) {
+	ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if !isIptablesClientAvailable(ipv4Client) {
 		log.Infof("iptables is missing for ipv4")
 		ipv4Client = nil
 	}
-	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
-	if err != nil {
-		log.Debugf("failed to initialize iptables for ipv6: %s", err)
-	} else if !isIptablesClientAvailable(ipv6Client) {
+	ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if !isIptablesClientAvailable(ipv6Client) {
 		log.Infof("iptables is missing for ipv6")
 		ipv6Client = nil
 	}
--- a/client/internal/wgproxy/factory.go
+++ b/client/internal/wgproxy/factory.go
@@ -14,7 +14,7 @@ func (w *Factory) GetProxy() Proxy {

 func (w *Factory) Free() error {
 	if w.ebpfProxy != nil {
-		return w.ebpfProxy.Free()
+		return w.ebpfProxy.CloseConn()
 	}
 	return nil
 }
--- a/client/internal/wgproxy/factory_linux.go
+++ b/client/internal/wgproxy/factory_linux.go
@@ -12,7 +12,7 @@ func NewFactory(wgPort int) *Factory {
 	ebpfProxy := NewWGEBPFProxy(wgPort)
 	err := ebpfProxy.Listen()
 	if err != nil {
-		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
+		log.Errorf("failed to initialize ebpf proxy: %s", err)
 		return f
 	}

--- a/client/internal/wgproxy/proxy_ebpf.go
+++ b/client/internal/wgproxy/proxy_ebpf.go
@@ -69,7 +69,7 @@ func (p *WGEBPFProxy) Listen() error {
 	p.conn, err = net.ListenUDP("udp", &addr)
 	if err != nil {
 		cErr := p.Free()
-		if cErr != nil {
+		if err != nil {
 			log.Errorf("failed to close the wgproxy: %s", cErr)
 		}
 		return err
@@ -104,7 +104,6 @@ func (p *WGEBPFProxy) CloseConn() error {

 // Free resources
 func (p *WGEBPFProxy) Free() error {
-	log.Debugf("free up ebpf wg proxy")
 	var err1, err2, err3 error
 	if p.conn != nil {
 		err1 = p.conn.Close()
@@ -154,13 +153,9 @@ func (p *WGEBPFProxy) proxyToRemote() {
 			return
 		}

-		p.turnConnMutex.Lock()
 		conn, ok := p.turnConnStore[uint16(addr.Port)]
-		size := len(p.turnConnStore)
-		p.turnConnMutex.Unlock()
 		if !ok {
 			log.Errorf("turn conn not found by port: %d", addr.Port)
-			log.Debugf("conn store size: %d", size)
 			continue
 		}

--- a/client/internal/wgproxy/proxy_userspace.go
+++ b/client/internal/wgproxy/proxy_userspace.go
@@ -20,7 +20,6 @@ type WGUserSpaceProxy struct {

 // NewWGUserSpaceProxy instantiate a user space WireGuard proxy
 func NewWGUserSpaceProxy(wgPort int) *WGUserSpaceProxy {
-	log.Debugf("instantiate new userspace proxy")
 	p := &WGUserSpaceProxy{
 		localWGListenPort: wgPort,
 	}
@@ -38,7 +37,6 @@ func (p *WGUserSpaceProxy) AddTurnConn(remoteConn net.Conn) (net.Addr, error) {
 		log.Errorf("failed dialing to local Wireguard port %s", err)
 		return nil, err
 	}
-	log.Debugf("add turn conn: %s", remoteConn.RemoteAddr())

 	go p.proxyToRemote()
 	go p.proxyToLocal()
--- a/infrastructure_files/getting-started-with-zitadel.sh
+++ b/infrastructure_files/getting-started-with-zitadel.sh
@@ -47,10 +47,10 @@ check_jq() {
  fi
 }

-wait_crdb() {
+wait_pgdb() {
  set +e
  while true; do
-    if $DOCKER_COMPOSE_COMMAND exec -T crdb curl -sf -o /dev/null 'http://localhost:8080/health?ready=1'; then
+    if $DOCKER_COMPOSE_COMMAND exec -T pgdb pg_isready -U postgres; then
      break
    fi
    echo -n " ."
@@ -60,15 +60,15 @@ wait_crdb() {
  set -e
 }

-init_crdb() {
+init_pgdb() {
  echo -e "\nInitializing Zitadel's CockroachDB\n\n"
-  $DOCKER_COMPOSE_COMMAND up -d crdb
+  $DOCKER_COMPOSE_COMMAND up -d pgdb
  echo ""
  # shellcheck disable=SC2028
  echo -n "Waiting cockroachDB  to become ready "
-  wait_crdb
-  $DOCKER_COMPOSE_COMMAND exec -T crdb /bin/bash -c "cp /cockroach/certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown -R 1000:1000 /zitadel-certs/"
-  handle_request_command_status $? "init_crdb failed" ""
+  wait_pgdb
+  #$DOCKER_COMPOSE_COMMAND exec -T pgdb /bin/bash -c "cp /cockroach/certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown -R 1000:1000 /zitadel-certs/"
+  handle_request_command_status $? "init_pgdb failed" ""
 }

 get_main_ip_address() {
@@ -135,8 +135,7 @@ create_new_application() {
  APPLICATION_NAME=$3
  BASE_REDIRECT_URL1=$4
  BASE_REDIRECT_URL2=$5
-  LOGOUT_URL=$6
-  ZITADEL_DEV_MODE=$7
+  ZITADEL_DEV_MODE=$6

  RESPONSE=$(
    curl -sS -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
@@ -149,7 +148,7 @@ create_new_application() {
      "'"$BASE_REDIRECT_URL2"'"
    ],
    "postLogoutRedirectUris": [
-       "'"$LOGOUT_URL"'"
+       "'"$BASE_REDIRECT_URL1"'"
    ],
    "RESPONSETypes": [
      "OIDC_RESPONSE_TYPE_CODE"
@@ -340,10 +339,10 @@ init_zitadel() {

  # create zitadel spa applications
  echo "Creating new Zitadel SPA Dashboard application"
-  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$BASE_REDIRECT_URL/" "$ZITADEL_DEV_MODE")
+  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$ZITADEL_DEV_MODE")

  echo "Creating new Zitadel SPA Cli application"
-  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "http://localhost:53000/" "true")
+  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "true")

  MACHINE_USER_ID=$(create_service_user "$INSTANCE_URL" "$PAT")

@@ -378,35 +377,12 @@ init_zitadel() {
  export ZITADEL_ADMIN_PASSWORD
 }

-check_nb_domain() {
-  DOMAIN=$1
-  if [ "$DOMAIN-x" == "-x" ]; then
-    echo "The NETBIRD_DOMAIN variable cannot be empty." > /dev/stderr
-    return 1
-  fi
-
-  if [ "$DOMAIN" == "netbird.example.com" ]; then
-    echo "The NETBIRD_DOMAIN cannot be netbird.example.com" > /dev/stderr
-    retrun 1
-  fi
-  return 0
-}
-
-read_nb_domain() {
-  READ_NETBIRD_DOMAIN=""
-  echo -n "Enter the domain you want to use for NetBird (e.g. netbird.my-domain.com): " > /dev/stderr
-  read -r READ_NETBIRD_DOMAIN
-  if ! check_nb_domain "$READ_NETBIRD_DOMAIN"; then
-    read_nb_domain
-  fi
-  echo "$READ_NETBIRD_DOMAIN"
-}
-
 initEnvironment() {
  CADDY_SECURE_DOMAIN=""
  ZITADEL_EXTERNALSECURE="false"
  ZITADEL_TLS_MODE="disabled"
  ZITADEL_MASTERKEY="$(openssl rand -base64 32 | head -c 32)"
+  USING_DOMAIN="true"
  NETBIRD_PORT=80
  NETBIRD_HTTP_PROTOCOL="http"
  TURN_USER="self"
@@ -414,13 +390,18 @@ initEnvironment() {
  TURN_MIN_PORT=49152
  TURN_MAX_PORT=65535

-  if ! check_nb_domain "$NETBIRD_DOMAIN"; then
-    NETBIRD_DOMAIN=$(read_nb_domain)
+  NETBIRD_DOMAIN=$NETBIRD_DOMAIN
+  if [ "$NETBIRD_DOMAIN-x" == "-x" ] ; then
+    echo "NETBIRD_DOMAIN is not set, using the main IP address"
+    NETBIRD_DOMAIN=$(get_main_ip_address)
+    USING_DOMAIN="false"
  fi

-  if [ "$NETBIRD_DOMAIN" == "use-ip" ]; then
-    NETBIRD_DOMAIN=$(get_main_ip_address)
-  else
+  if [ "$NETBIRD_DOMAIN" == "localhost" ]; then
+    USING_DOMAIN="false"
+  fi
+
+  if [ $USING_DOMAIN == "true" ]; then
    ZITADEL_EXTERNALSECURE="true"
    ZITADEL_TLS_MODE="external"
    NETBIRD_PORT=443
@@ -458,7 +439,7 @@ initEnvironment() {
  mkdir -p machinekey
  chmod 777 machinekey

-  init_crdb
+  init_pgdb

  echo -e "\nStarting Zidatel IDP for user management\n\n"
  $DOCKER_COMPOSE_COMMAND up -d caddy zitadel
@@ -613,16 +594,25 @@ renderZitadelEnv() {
  cat <<EOF
 ZITADEL_LOG_LEVEL=debug
 ZITADEL_MASTERKEY=$ZITADEL_MASTERKEY
-ZITADEL_DATABASE_COCKROACH_HOST=crdb
-ZITADEL_DATABASE_COCKROACH_USER_USERNAME=zitadel_user
-ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE=verify-full
-ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT="/crdb-certs/ca.crt"
-ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT="/crdb-certs/client.zitadel_user.crt"
-ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY="/crdb-certs/client.zitadel_user.key"
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE=verify-full
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT="/crdb-certs/ca.crt"
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT="/crdb-certs/client.root.crt"
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY="/crdb-certs/client.root.key"
+#ZITADEL_DATABASE_COCKROACH_HOST=pgdb
+#ZITADEL_DATABASE_COCKROACH_USER_USERNAME=zitadel_user
+#ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE=verify-full
+#ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT="/pgdb-certs/ca.crt"
+#ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT="/pgdb-certs/client.zitadel_user.crt"
+#ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY="/pgdb-certs/client.zitadel_user.key"
+#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE=verify-full
+#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT="/pgdb-certs/ca.crt"
+#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT="/pgdb-certs/client.root.crt"
+#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY="/pgdb-certs/client.root.key"
+ZITADEL_DATABASE_POSTGRES_HOST=pgdb
+ZITADEL_DATABASE_POSTGRES_PORT=5432
+ZITADEL_DATABASE_POSTGRES_DATABASE=zitadeldb
+ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=zitadeladmin
+ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=zitadeladmin
+ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
+ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadeluser
+ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadeluser
+ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
 ZITADEL_EXTERNALSECURE=$ZITADEL_EXTERNALSECURE
 ZITADEL_TLS_ENABLED="false"
 ZITADEL_EXTERNALPORT=$NETBIRD_PORT
@@ -674,11 +664,10 @@ services:
    command: [
      "--port", "80",
      "--log-file", "console",
-      "--log-level", "info",
+      "--log-level", "debug",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.selfhosted",
      "--dns-domain=netbird.selfhosted",
-      "--idp-sign-key-refresh-enabled",
    ]
  # Coturn, AKA relay server
  coturn:
@@ -699,23 +688,33 @@ services:
    env_file:
      - ./zitadel.env
    depends_on:
-      crdb:
+      pgdb:
        condition: 'service_healthy'
    volumes:
      - ./machinekey:/machinekey
-      - netbird_zitadel_certs:/crdb-certs:ro
+      - netbird_zitadel_certs:/pgdb-certs:ro
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "http://localhost:8080/debug/healthz" ]
+      interval: '10s'
+      timeout: '30s'
+      retries: 5
+      start_period: '20s'
  # CockroachDB for zitadel
-  crdb:
+  pgdb:
    restart: 'always'
    networks: [netbird]
-    image: 'cockroachdb/cockroach:v22.2.2'
-    command: 'start-single-node --advertise-addr crdb'
+    image: 'postgres:15'
+    environment:
+      - POSTGRES_USER=zitadeladmin
+      - POSTGRES_PASSWORD=zitadeladmin
+      - POSTGRES_DB=zitadeldb
+    #command: 'start-single-node --advertise-addr pgdb'
    volumes:
-      - netbird_crdb_data:/cockroach/cockroach-data
-      - netbird_crdb_certs:/cockroach/certs
+      - netbird_pgdb_data:/cockroach/cockroach-data
+      - netbird_pgdb_certs:/cockroach/certs
      - netbird_zitadel_certs:/zitadel-certs
    healthcheck:
-      test: [ "CMD", "curl", "-f", "http://localhost:8080/health?ready=1" ]
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: '10s'
      timeout: '30s'
      retries: 5
@@ -724,8 +723,8 @@ services:
 volumes:
  netbird_management:
  netbird_caddy_data:
-  netbird_crdb_data:
-  netbird_crdb_certs:
+  netbird_pgdb_data:
+  netbird_pgdb_certs:
  netbird_zitadel_certs:

 networks:
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -371,24 +371,24 @@ func handlerFunc(gRPCHandler *grpc.Server, httpHandler http.Handler) http.Handle
 }

 func loadMgmtConfig(mgmtConfigPath string) (*server.Config, error) {
-	loadedConfig := &server.Config{}
-	_, err := util.ReadJson(mgmtConfigPath, loadedConfig)
+	config := &server.Config{}
+	_, err := util.ReadJson(mgmtConfigPath, config)
 	if err != nil {
 		return nil, err
 	}
 	if mgmtLetsencryptDomain != "" {
-		loadedConfig.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
+		config.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
 	}
 	if mgmtDataDir != "" {
-		loadedConfig.Datadir = mgmtDataDir
+		config.Datadir = mgmtDataDir
 	}

 	if certKey != "" && certFile != "" {
-		loadedConfig.HttpConfig.CertFile = certFile
-		loadedConfig.HttpConfig.CertKey = certKey
+		config.HttpConfig.CertFile = certFile
+		config.HttpConfig.CertKey = certKey
 	}

-	oidcEndpoint := loadedConfig.HttpConfig.OIDCConfigEndpoint
+	oidcEndpoint := config.HttpConfig.OIDCConfigEndpoint
 	if oidcEndpoint != "" {
 		// if OIDCConfigEndpoint is specified, we can load DeviceAuthEndpoint and TokenEndpoint automatically
 		log.Infof("loading OIDC configuration from the provided IDP configuration endpoint %s", oidcEndpoint)
@@ -399,45 +399,45 @@ func loadMgmtConfig(mgmtConfigPath string) (*server.Config, error) {
 		log.Infof("loaded OIDC configuration from the provided IDP configuration endpoint: %s", oidcEndpoint)

 		log.Infof("overriding HttpConfig.AuthIssuer with a new value %s, previously configured value: %s",
-			oidcConfig.Issuer, loadedConfig.HttpConfig.AuthIssuer)
-		loadedConfig.HttpConfig.AuthIssuer = oidcConfig.Issuer
+			oidcConfig.Issuer, config.HttpConfig.AuthIssuer)
+		config.HttpConfig.AuthIssuer = oidcConfig.Issuer

 		log.Infof("overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value %s, previously configured value: %s",
-			oidcConfig.JwksURI, loadedConfig.HttpConfig.AuthKeysLocation)
-		loadedConfig.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
+			oidcConfig.JwksURI, config.HttpConfig.AuthKeysLocation)
+		config.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI

-		if !(loadedConfig.DeviceAuthorizationFlow == nil || strings.ToLower(loadedConfig.DeviceAuthorizationFlow.Provider) == string(server.NONE)) {
+		if !(config.DeviceAuthorizationFlow == nil || strings.ToLower(config.DeviceAuthorizationFlow.Provider) == string(server.NONE)) {
 			log.Infof("overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.TokenEndpoint, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
-			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
+				oidcConfig.TokenEndpoint, config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
+			config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
 			log.Infof("overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.DeviceAuthEndpoint, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint)
-			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint = oidcConfig.DeviceAuthEndpoint
+				oidcConfig.DeviceAuthEndpoint, config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint)
+			config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint = oidcConfig.DeviceAuthEndpoint

 			u, err := url.Parse(oidcEndpoint)
 			if err != nil {
 				return nil, err
 			}
 			log.Infof("overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: %s, previously configured value: %s",
-				u.Host, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Domain)
-			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
+				u.Host, config.DeviceAuthorizationFlow.ProviderConfig.Domain)
+			config.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host

-			if loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
-				loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope = server.DefaultDeviceAuthFlowScope
+			if config.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
+				config.DeviceAuthorizationFlow.ProviderConfig.Scope = server.DefaultDeviceAuthFlowScope
 			}
 		}

-		if loadedConfig.PKCEAuthorizationFlow != nil {
+		if config.PKCEAuthorizationFlow != nil {
 			log.Infof("overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.TokenEndpoint, loadedConfig.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint)
-			loadedConfig.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
+				oidcConfig.TokenEndpoint, config.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint)
+			config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
 			log.Infof("overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.AuthorizationEndpoint, loadedConfig.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint)
-			loadedConfig.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
+				oidcConfig.AuthorizationEndpoint, config.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint)
+			config.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
 		}
 	}

-	return loadedConfig, err
+	return config, err
 }

 // OIDCConfigResponse used for parsing OIDC config response
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -327,7 +327,7 @@ components:
          type: string
          example: valid
        auto_groups:
-          description: List of group IDs to auto-assign to peers registered with this key
+          description: Setup key groups to auto-assign to peers registered with this key
          type: array
          items:
            type: string
@@ -375,7 +375,7 @@ components:
          type: boolean
          example: false
        auto_groups:
-          description: List of group IDs to auto-assign to peers registered with this key
+          description: Setup key groups to auto-assign to peers registered with this key
          type: array
          items:
            type: string
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -681,7 +681,7 @@ type RuleRequest struct {

 // SetupKey defines model for SetupKey.
 type SetupKey struct {
-	// AutoGroups List of group IDs to auto-assign to peers registered with this key
+	// AutoGroups Setup key groups to auto-assign to peers registered with this key
 	AutoGroups []string `json:"auto_groups"`

 	// Expires Setup Key expiration date
@@ -723,7 +723,7 @@ type SetupKey struct {

 // SetupKeyRequest defines model for SetupKeyRequest.
 type SetupKeyRequest struct {
-	// AutoGroups List of group IDs to auto-assign to peers registered with this key
+	// AutoGroups Setup key groups to auto-assign to peers registered with this key
 	AutoGroups []string `json:"auto_groups"`

 	// ExpiresIn Expiration time in seconds
Author	SHA1	Message	Date
Maycon Santos	d9fa28d8a0	test postgres	2023-08-02 18:56:06 +02:00
Maycon Santos	144ac868e0	create empty files	2023-08-02 18:32:31 +02:00
Maycon Santos	b70339d3bd	use check_jq	2023-08-02 12:32:43 +02:00
Maycon Santos	ee890971a3	update texts and expose errors to stderr	2023-08-02 12:19:35 +02:00
Maycon Santos	eeb1b619b7	Automate Zitadel IDP configuration (#1006 ) Add automated zitadel configuration and netbird using a single script run infra files test only when they change or when pushed to main run releases only on changes to related files or when pushed to main push install and automated getting started script to releases page	2023-08-01 23:31:14 +02:00
Maycon Santos	4b47f6b23c	Merge branch 'main' into update-getting-started-flow	2023-07-30 16:39:49 +02:00
Maycon Santos	5883e019c9	update readme	2023-07-07 17:05:21 +02:00