Fix ebpf free call

* Fix error handling in iptables initialization

* Change log level

.github/workflows/test-infrastructure-files.yml

@@ -135,7 +135,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: run script
-        run: bash -x infrastructure_files/getting-started-with-zitadel.sh
+        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
 
       - name: test Caddy file gen
         run: test -f Caddyfile

.goreleaser.yaml

@@ -378,6 +378,11 @@ uploads:
     username: dev@wiretrustee.com
     method: PUT
 
+checksum:
+  extra_files:
+    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
+    - glob: ./release_files/install.sh
+
 release:
   extra_files:
     - glob: ./infrastructure_files/getting-started-with-zitadel.sh

README.md

@@ -57,10 +57,9 @@ NetBird uses [NAT traversal techniques](https://en.wikipedia.org/wiki/Interactiv
 - \[x] Network Routes.  
 - \[x] Private DNS.
 - \[x] Network Activity Monitoring.
-- \[x] Mobile clients (Android).
-- 
+
 **Coming soon:**
--  \[ ] Mobile clients (iOS).
+- \[ ] Mobile clients.
 
 ### Secure peer-to-peer VPN with SSO and MFA in minutes
 

client/internal/auth/pkce_flow.go

@@ -25,6 +25,8 @@ var _ OAuthFlow = &PKCEAuthorizationFlow{}
 const (
 	queryState                = "state"
 	queryCode                 = "code"
+	queryError                = "error"
+	queryErrorDesc            = "error_description"
 	defaultPKCETimeoutSeconds = 300
 )
 
@@ -141,9 +143,13 @@ func (p *PKCEAuthorizationFlow) startServer(tokenChan chan<- *oauth2.Token, errC
 		tokenValidatorFunc := func() (*oauth2.Token, error) {
 			query := req.URL.Query()
 
-			state := query.Get(queryState)
+			if authError := query.Get(queryError); authError != "" {
+				authErrorDesc := query.Get(queryErrorDesc)
+				return nil, fmt.Errorf("%s.%s", authError, authErrorDesc)
+			}
+
 			// Prevent timing attacks on state
-			if subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
+			if state := query.Get(queryState); subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
 				return nil, fmt.Errorf("invalid state")
 			}
 
@@ -161,12 +167,13 @@ func (p *PKCEAuthorizationFlow) startServer(tokenChan chan<- *oauth2.Token, errC
 
 		token, err := tokenValidatorFunc()
 		if err != nil {
-			errChan <- fmt.Errorf("PKCE authorization flow failed: %v", err)
 			renderPKCEFlowTmpl(w, err)
+			errChan <- fmt.Errorf("PKCE authorization flow failed: %v", err)
+			return
 		}
 
-		tokenChan <- token
 		renderPKCEFlowTmpl(w, nil)
+		tokenChan <- token
 	})
 
 	if err := server.ListenAndServe(); err != nil {

client/internal/dns/file_linux.go

@@ -15,7 +15,8 @@ const (
 	fileGeneratedResolvConfSearchBeginContent = "search "
 	fileGeneratedResolvConfContentFormat      = fileGeneratedResolvConfContentHeader +
 		"\n# If needed you can restore the original file by copying back %s\n\nnameserver %s\n" +
-		fileGeneratedResolvConfSearchBeginContent + "%s\n"
+		fileGeneratedResolvConfSearchBeginContent + "%s\n\n" +
+		"%s\n"
 )
 
 const (
@@ -91,7 +92,12 @@ func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 		searchDomains += " " + dConf.domain
 		appendedDomains++
 	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
+
+	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
+	if err != nil {
+		log.Errorf("Could not read existing resolv.conf")
+	}
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
 	err = writeDNSConfig(content, defaultResolvConfPath, f.originalPerms)
 	if err != nil {
 		err = f.restore()

client/internal/dns/host_darwin.go

@@ -182,12 +182,11 @@ func (s *systemConfigurator) addDNSState(state, domains, dnsServer string, port
 }
 
 func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error {
-	primaryServiceKey := s.getPrimaryService()
+	primaryServiceKey, existingNameserver := s.getPrimaryService()
 	if primaryServiceKey == "" {
 		return fmt.Errorf("couldn't find the primary service key")
 	}
-
-	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port)
+	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port, existingNameserver)
 	if err != nil {
 		return err
 	}
@@ -196,27 +195,32 @@ func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error
 	return nil
 }
 
-func (s *systemConfigurator) getPrimaryService() string {
+func (s *systemConfigurator) getPrimaryService() (string, string) {
 	line := buildCommandLine("show", globalIPv4State, "")
 	stdinCommands := wrapCommand(line)
 	b, err := runSystemConfigCommand(stdinCommands)
 	if err != nil {
 		log.Error("got error while sending the command: ", err)
-		return ""
+		return "", ""
 	}
 	scanner := bufio.NewScanner(bytes.NewReader(b))
+	primaryService := ""
+	router := ""
 	for scanner.Scan() {
 		text := scanner.Text()
 		if strings.Contains(text, "PrimaryService") {
-			return strings.TrimSpace(strings.Split(text, ":")[1])
+			primaryService = strings.TrimSpace(strings.Split(text, ":")[1])
+		}
+		if strings.Contains(text, "Router") {
+			router = strings.TrimSpace(strings.Split(text, ":")[1])
 		}
 	}
-	return ""
+	return primaryService, router
 }
 
-func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int) error {
+func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int, existingDNSServer string) error {
 	lines := buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+strconv.Itoa(0))
-	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer)
+	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer+" "+existingDNSServer)
 	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
 	addDomainCommand := buildCreateStateWithOperation(setupKey, lines)
 	stdinCommands := wrapCommand(addDomainCommand)

client/internal/dns/resolvconf_linux.go

@@ -4,6 +4,7 @@ package dns
 
 import (
 	"fmt"
+	"os"
 	"os/exec"
 	"strings"
 
@@ -59,7 +60,11 @@ func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 		appendedDomains++
 	}
 
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
+	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
+	if err != nil {
+		log.Errorf("Could not read existing resolv.conf")
+	}
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
 
 	err = r.applyConfig(content)
 	if err != nil {

client/internal/routemanager/iptables_linux.go

@@ -51,13 +51,17 @@ type iptablesManager struct {
 
 func newIptablesManager(parentCtx context.Context) *iptablesManager {
 	ctx, cancel := context.WithCancel(parentCtx)
-	ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if !isIptablesClientAvailable(ipv4Client) {
+	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err != nil {
+		log.Debugf("failed to initialize iptables for ipv4: %s", err)
+	} else if !isIptablesClientAvailable(ipv4Client) {
 		log.Infof("iptables is missing for ipv4")
 		ipv4Client = nil
 	}
-	ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
-	if !isIptablesClientAvailable(ipv6Client) {
+	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if err != nil {
+		log.Debugf("failed to initialize iptables for ipv6: %s", err)
+	} else if !isIptablesClientAvailable(ipv6Client) {
 		log.Infof("iptables is missing for ipv6")
 		ipv6Client = nil
 	}

client/internal/wgproxy/factory.go

@@ -14,7 +14,7 @@ func (w *Factory) GetProxy() Proxy {
 
 func (w *Factory) Free() error {
 	if w.ebpfProxy != nil {
-		return w.ebpfProxy.CloseConn()
+		return w.ebpfProxy.Free()
 	}
 	return nil
 }

client/internal/wgproxy/factory_linux.go

@@ -12,7 +12,7 @@ func NewFactory(wgPort int) *Factory {
 	ebpfProxy := NewWGEBPFProxy(wgPort)
 	err := ebpfProxy.Listen()
 	if err != nil {
-		log.Errorf("failed to initialize ebpf proxy: %s", err)
+		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
 		return f
 	}
 

client/internal/wgproxy/proxy_ebpf.go

@@ -69,7 +69,7 @@ func (p *WGEBPFProxy) Listen() error {
 	p.conn, err = net.ListenUDP("udp", &addr)
 	if err != nil {
 		cErr := p.Free()
-		if err != nil {
+		if cErr != nil {
 			log.Errorf("failed to close the wgproxy: %s", cErr)
 		}
 		return err
@@ -104,6 +104,7 @@ func (p *WGEBPFProxy) CloseConn() error {
 
 // Free resources
 func (p *WGEBPFProxy) Free() error {
+	log.Debugf("free up ebpf wg proxy")
 	var err1, err2, err3 error
 	if p.conn != nil {
 		err1 = p.conn.Close()
@@ -153,9 +154,13 @@ func (p *WGEBPFProxy) proxyToRemote() {
 			return
 		}
 
+		p.turnConnMutex.Lock()
 		conn, ok := p.turnConnStore[uint16(addr.Port)]
+		size := len(p.turnConnStore)
+		p.turnConnMutex.Unlock()
 		if !ok {
 			log.Errorf("turn conn not found by port: %d", addr.Port)
+			log.Debugf("conn store size: %d", size)
 			continue
 		}
 

client/internal/wgproxy/proxy_userspace.go

@@ -20,6 +20,7 @@ type WGUserSpaceProxy struct {
 
 // NewWGUserSpaceProxy instantiate a user space WireGuard proxy
 func NewWGUserSpaceProxy(wgPort int) *WGUserSpaceProxy {
+	log.Debugf("instantiate new userspace proxy")
 	p := &WGUserSpaceProxy{
 		localWGListenPort: wgPort,
 	}
@@ -37,6 +38,7 @@ func (p *WGUserSpaceProxy) AddTurnConn(remoteConn net.Conn) (net.Addr, error) {
 		log.Errorf("failed dialing to local Wireguard port %s", err)
 		return nil, err
 	}
+	log.Debugf("add turn conn: %s", remoteConn.RemoteAddr())
 
 	go p.proxyToRemote()
 	go p.proxyToLocal()

infrastructure_files/getting-started-with-zitadel.sh

@@ -47,10 +47,10 @@ check_jq() {
   fi
 }
 
-wait_pgdb() {
+wait_crdb() {
   set +e
   while true; do
-    if $DOCKER_COMPOSE_COMMAND exec -T pgdb pg_isready -U postgres; then
+    if $DOCKER_COMPOSE_COMMAND exec -T crdb curl -sf -o /dev/null 'http://localhost:8080/health?ready=1'; then
       break
     fi
     echo -n " ."
@@ -60,15 +60,15 @@ wait_pgdb() {
   set -e
 }
 
-init_pgdb() {
+init_crdb() {
   echo -e "\nInitializing Zitadel's CockroachDB\n\n"
-  $DOCKER_COMPOSE_COMMAND up -d pgdb
+  $DOCKER_COMPOSE_COMMAND up -d crdb
   echo ""
   # shellcheck disable=SC2028
   echo -n "Waiting cockroachDB  to become ready "
-  wait_pgdb
-  #$DOCKER_COMPOSE_COMMAND exec -T pgdb /bin/bash -c "cp /cockroach/certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown -R 1000:1000 /zitadel-certs/"
-  handle_request_command_status $? "init_pgdb failed" ""
+  wait_crdb
+  $DOCKER_COMPOSE_COMMAND exec -T crdb /bin/bash -c "cp /cockroach/certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown -R 1000:1000 /zitadel-certs/"
+  handle_request_command_status $? "init_crdb failed" ""
 }
 
 get_main_ip_address() {
@@ -135,7 +135,8 @@ create_new_application() {
   APPLICATION_NAME=$3
   BASE_REDIRECT_URL1=$4
   BASE_REDIRECT_URL2=$5
-  ZITADEL_DEV_MODE=$6
+  LOGOUT_URL=$6
+  ZITADEL_DEV_MODE=$7
 
   RESPONSE=$(
     curl -sS -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
@@ -148,7 +149,7 @@ create_new_application() {
       "'"$BASE_REDIRECT_URL2"'"
     ],
     "postLogoutRedirectUris": [
-       "'"$BASE_REDIRECT_URL1"'"
+       "'"$LOGOUT_URL"'"
     ],
     "RESPONSETypes": [
       "OIDC_RESPONSE_TYPE_CODE"
@@ -339,10 +340,10 @@ init_zitadel() {
 
   # create zitadel spa applications
   echo "Creating new Zitadel SPA Dashboard application"
-  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$ZITADEL_DEV_MODE")
+  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$BASE_REDIRECT_URL/" "$ZITADEL_DEV_MODE")
 
   echo "Creating new Zitadel SPA Cli application"
-  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "true")
+  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "http://localhost:53000/" "true")
 
   MACHINE_USER_ID=$(create_service_user "$INSTANCE_URL" "$PAT")
 
@@ -377,12 +378,35 @@ init_zitadel() {
   export ZITADEL_ADMIN_PASSWORD
 }
 
+check_nb_domain() {
+  DOMAIN=$1
+  if [ "$DOMAIN-x" == "-x" ]; then
+    echo "The NETBIRD_DOMAIN variable cannot be empty." > /dev/stderr
+    return 1
+  fi
+
+  if [ "$DOMAIN" == "netbird.example.com" ]; then
+    echo "The NETBIRD_DOMAIN cannot be netbird.example.com" > /dev/stderr
+    retrun 1
+  fi
+  return 0
+}
+
+read_nb_domain() {
+  READ_NETBIRD_DOMAIN=""
+  echo -n "Enter the domain you want to use for NetBird (e.g. netbird.my-domain.com): " > /dev/stderr
+  read -r READ_NETBIRD_DOMAIN
+  if ! check_nb_domain "$READ_NETBIRD_DOMAIN"; then
+    read_nb_domain
+  fi
+  echo "$READ_NETBIRD_DOMAIN"
+}
+
 initEnvironment() {
   CADDY_SECURE_DOMAIN=""
   ZITADEL_EXTERNALSECURE="false"
   ZITADEL_TLS_MODE="disabled"
   ZITADEL_MASTERKEY="$(openssl rand -base64 32 | head -c 32)"
-  USING_DOMAIN="true"
   NETBIRD_PORT=80
   NETBIRD_HTTP_PROTOCOL="http"
   TURN_USER="self"
@@ -390,18 +414,13 @@ initEnvironment() {
   TURN_MIN_PORT=49152
   TURN_MAX_PORT=65535
 
-  NETBIRD_DOMAIN=$NETBIRD_DOMAIN
-  if [ "$NETBIRD_DOMAIN-x" == "-x" ] ; then
-    echo "NETBIRD_DOMAIN is not set, using the main IP address"
+  if ! check_nb_domain "$NETBIRD_DOMAIN"; then
+    NETBIRD_DOMAIN=$(read_nb_domain)
+  fi
+
+  if [ "$NETBIRD_DOMAIN" == "use-ip" ]; then
     NETBIRD_DOMAIN=$(get_main_ip_address)
-    USING_DOMAIN="false"
-  fi
-
-  if [ "$NETBIRD_DOMAIN" == "localhost" ]; then
-    USING_DOMAIN="false"
-  fi
-
-  if [ $USING_DOMAIN == "true" ]; then
+  else
     ZITADEL_EXTERNALSECURE="true"
     ZITADEL_TLS_MODE="external"
     NETBIRD_PORT=443
@@ -439,7 +458,7 @@ initEnvironment() {
   mkdir -p machinekey
   chmod 777 machinekey
 
-  init_pgdb
+  init_crdb
 
   echo -e "\nStarting Zidatel IDP for user management\n\n"
   $DOCKER_COMPOSE_COMMAND up -d caddy zitadel
@@ -594,25 +613,16 @@ renderZitadelEnv() {
   cat <<EOF
 ZITADEL_LOG_LEVEL=debug
 ZITADEL_MASTERKEY=$ZITADEL_MASTERKEY
-#ZITADEL_DATABASE_COCKROACH_HOST=pgdb
-#ZITADEL_DATABASE_COCKROACH_USER_USERNAME=zitadel_user
-#ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE=verify-full
-#ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT="/pgdb-certs/ca.crt"
-#ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT="/pgdb-certs/client.zitadel_user.crt"
-#ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY="/pgdb-certs/client.zitadel_user.key"
-#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE=verify-full
-#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT="/pgdb-certs/ca.crt"
-#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT="/pgdb-certs/client.root.crt"
-#ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY="/pgdb-certs/client.root.key"
-ZITADEL_DATABASE_POSTGRES_HOST=pgdb
-ZITADEL_DATABASE_POSTGRES_PORT=5432
-ZITADEL_DATABASE_POSTGRES_DATABASE=zitadeldb
-ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=zitadeladmin
-ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=zitadeladmin
-ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
-ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadeluser
-ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadeluser
-ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
+ZITADEL_DATABASE_COCKROACH_HOST=crdb
+ZITADEL_DATABASE_COCKROACH_USER_USERNAME=zitadel_user
+ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE=verify-full
+ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT="/crdb-certs/ca.crt"
+ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT="/crdb-certs/client.zitadel_user.crt"
+ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY="/crdb-certs/client.zitadel_user.key"
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE=verify-full
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT="/crdb-certs/ca.crt"
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT="/crdb-certs/client.root.crt"
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY="/crdb-certs/client.root.key"
 ZITADEL_EXTERNALSECURE=$ZITADEL_EXTERNALSECURE
 ZITADEL_TLS_ENABLED="false"
 ZITADEL_EXTERNALPORT=$NETBIRD_PORT
@@ -664,10 +674,11 @@ services:
     command: [
       "--port", "80",
       "--log-file", "console",
-      "--log-level", "debug",
+      "--log-level", "info",
       "--disable-anonymous-metrics=false",
       "--single-account-mode-domain=netbird.selfhosted",
       "--dns-domain=netbird.selfhosted",
+      "--idp-sign-key-refresh-enabled",
     ]
   # Coturn, AKA relay server
   coturn:
@@ -688,33 +699,23 @@ services:
     env_file:
       - ./zitadel.env
     depends_on:
-      pgdb:
+      crdb:
         condition: 'service_healthy'
     volumes:
       - ./machinekey:/machinekey
-      - netbird_zitadel_certs:/pgdb-certs:ro
-    healthcheck:
-      test: [ "CMD", "curl", "-f", "http://localhost:8080/debug/healthz" ]
-      interval: '10s'
-      timeout: '30s'
-      retries: 5
-      start_period: '20s'
+      - netbird_zitadel_certs:/crdb-certs:ro
   # CockroachDB for zitadel
-  pgdb:
+  crdb:
     restart: 'always'
     networks: [netbird]
-    image: 'postgres:15'
-    environment:
-      - POSTGRES_USER=zitadeladmin
-      - POSTGRES_PASSWORD=zitadeladmin
-      - POSTGRES_DB=zitadeldb
-    #command: 'start-single-node --advertise-addr pgdb'
+    image: 'cockroachdb/cockroach:v22.2.2'
+    command: 'start-single-node --advertise-addr crdb'
     volumes:
-      - netbird_pgdb_data:/cockroach/cockroach-data
-      - netbird_pgdb_certs:/cockroach/certs
+      - netbird_crdb_data:/cockroach/cockroach-data
+      - netbird_crdb_certs:/cockroach/certs
       - netbird_zitadel_certs:/zitadel-certs
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      test: [ "CMD", "curl", "-f", "http://localhost:8080/health?ready=1" ]
       interval: '10s'
       timeout: '30s'
       retries: 5
@@ -723,8 +724,8 @@ services:
 volumes:
   netbird_management:
   netbird_caddy_data:
-  netbird_pgdb_data:
-  netbird_pgdb_certs:
+  netbird_crdb_data:
+  netbird_crdb_certs:
   netbird_zitadel_certs:
 
 networks:

management/cmd/management.go

@@ -371,24 +371,24 @@ func handlerFunc(gRPCHandler *grpc.Server, httpHandler http.Handler) http.Handle
 }
 
 func loadMgmtConfig(mgmtConfigPath string) (*server.Config, error) {
-	config := &server.Config{}
-	_, err := util.ReadJson(mgmtConfigPath, config)
+	loadedConfig := &server.Config{}
+	_, err := util.ReadJson(mgmtConfigPath, loadedConfig)
 	if err != nil {
 		return nil, err
 	}
 	if mgmtLetsencryptDomain != "" {
-		config.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
+		loadedConfig.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
 	}
 	if mgmtDataDir != "" {
-		config.Datadir = mgmtDataDir
+		loadedConfig.Datadir = mgmtDataDir
 	}
 
 	if certKey != "" && certFile != "" {
-		config.HttpConfig.CertFile = certFile
-		config.HttpConfig.CertKey = certKey
+		loadedConfig.HttpConfig.CertFile = certFile
+		loadedConfig.HttpConfig.CertKey = certKey
 	}
 
-	oidcEndpoint := config.HttpConfig.OIDCConfigEndpoint
+	oidcEndpoint := loadedConfig.HttpConfig.OIDCConfigEndpoint
 	if oidcEndpoint != "" {
 		// if OIDCConfigEndpoint is specified, we can load DeviceAuthEndpoint and TokenEndpoint automatically
 		log.Infof("loading OIDC configuration from the provided IDP configuration endpoint %s", oidcEndpoint)
@@ -399,45 +399,45 @@ func loadMgmtConfig(mgmtConfigPath string) (*server.Config, error) {
 		log.Infof("loaded OIDC configuration from the provided IDP configuration endpoint: %s", oidcEndpoint)
 
 		log.Infof("overriding HttpConfig.AuthIssuer with a new value %s, previously configured value: %s",
-			oidcConfig.Issuer, config.HttpConfig.AuthIssuer)
-		config.HttpConfig.AuthIssuer = oidcConfig.Issuer
+			oidcConfig.Issuer, loadedConfig.HttpConfig.AuthIssuer)
+		loadedConfig.HttpConfig.AuthIssuer = oidcConfig.Issuer
 
 		log.Infof("overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value %s, previously configured value: %s",
-			oidcConfig.JwksURI, config.HttpConfig.AuthKeysLocation)
-		config.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
+			oidcConfig.JwksURI, loadedConfig.HttpConfig.AuthKeysLocation)
+		loadedConfig.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
 
-		if !(config.DeviceAuthorizationFlow == nil || strings.ToLower(config.DeviceAuthorizationFlow.Provider) == string(server.NONE)) {
+		if !(loadedConfig.DeviceAuthorizationFlow == nil || strings.ToLower(loadedConfig.DeviceAuthorizationFlow.Provider) == string(server.NONE)) {
 			log.Infof("overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.TokenEndpoint, config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
-			config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
+				oidcConfig.TokenEndpoint, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
+			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
 			log.Infof("overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.DeviceAuthEndpoint, config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint)
-			config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint = oidcConfig.DeviceAuthEndpoint
+				oidcConfig.DeviceAuthEndpoint, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint)
+			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint = oidcConfig.DeviceAuthEndpoint
 
 			u, err := url.Parse(oidcEndpoint)
 			if err != nil {
 				return nil, err
 			}
 			log.Infof("overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: %s, previously configured value: %s",
-				u.Host, config.DeviceAuthorizationFlow.ProviderConfig.Domain)
-			config.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
+				u.Host, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Domain)
+			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
 
-			if config.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
-				config.DeviceAuthorizationFlow.ProviderConfig.Scope = server.DefaultDeviceAuthFlowScope
+			if loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
+				loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope = server.DefaultDeviceAuthFlowScope
 			}
 		}
 
-		if config.PKCEAuthorizationFlow != nil {
+		if loadedConfig.PKCEAuthorizationFlow != nil {
 			log.Infof("overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.TokenEndpoint, config.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint)
-			config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
+				oidcConfig.TokenEndpoint, loadedConfig.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint)
+			loadedConfig.PKCEAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
 			log.Infof("overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: %s, previously configured value: %s",
-				oidcConfig.AuthorizationEndpoint, config.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint)
-			config.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
+				oidcConfig.AuthorizationEndpoint, loadedConfig.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint)
+			loadedConfig.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
 		}
 	}
 
-	return config, err
+	return loadedConfig, err
 }
 
 // OIDCConfigResponse used for parsing OIDC config response

management/server/http/api/openapi.yml

@@ -327,7 +327,7 @@ components:
           type: string
           example: valid
         auto_groups:
-          description: Setup key groups to auto-assign to peers registered with this key
+          description: List of group IDs to auto-assign to peers registered with this key
           type: array
           items:
             type: string
@@ -375,7 +375,7 @@ components:
           type: boolean
           example: false
         auto_groups:
-          description: Setup key groups to auto-assign to peers registered with this key
+          description: List of group IDs to auto-assign to peers registered with this key
           type: array
           items:
             type: string

management/server/http/api/types.gen.go

@@ -681,7 +681,7 @@ type RuleRequest struct {
 
 // SetupKey defines model for SetupKey.
 type SetupKey struct {
-	// AutoGroups Setup key groups to auto-assign to peers registered with this key
+	// AutoGroups List of group IDs to auto-assign to peers registered with this key
 	AutoGroups []string `json:"auto_groups"`
 
 	// Expires Setup Key expiration date
@@ -723,7 +723,7 @@ type SetupKey struct {
 
 // SetupKeyRequest defines model for SetupKeyRequest.
 type SetupKeyRequest struct {
-	// AutoGroups Setup key groups to auto-assign to peers registered with this key
+	// AutoGroups List of group IDs to auto-assign to peers registered with this key
 	AutoGroups []string `json:"auto_groups"`
 
 	// ExpiresIn Expiration time in seconds