update helm charts

charts/wonder-mesh-net/templates/configmap-keycloak.yaml

@@ -50,6 +50,24 @@ data:
             }
           ]
         }
+      ],
+      "identityProviders": [
+        {{- range $index, $idp := .Values.keycloak.identityProviders }}
+        {{- if $index }},{{ end }}
+        {
+          "alias": {{ $idp.alias | quote }},
+          "providerId": {{ $idp.providerId | quote }},
+          "enabled": {{ $idp.enabled | default true }},
+          "trustEmail": {{ $idp.trustEmail | default false }},
+          "config": {
+            "clientId": {{ $idp.config.clientId | quote }},
+            "clientSecret": {{ $idp.config.clientSecret | quote }}
+            {{- if $idp.config.defaultScope }},
+            "defaultScope": {{ $idp.config.defaultScope | quote }}
+            {{- end }}
+          }
+        }
+        {{- end }}
       ]
     }
 {{- end }}

charts/wonder-mesh-net/templates/deployment.yaml

@@ -61,11 +61,17 @@ spec:
               value: {{ .Values.headscale.config.unix_socket | quote }}
             {{- if .Values.keycloak.enabled }}
             - name: KEYCLOAK_URL
-              # If Keycloak is enabled in chart, point to the internal service.
-              # Note: For OIDC browser flow to work, this internal URL must be reachable by browser too (e.g. tunneling/VPN),
-              # OR the user must manually set coordinator.oidc.url to a public URL and keycloak.service.type/Ingress accordingly.
-              # Here we default to the service DNS for backend communication.
+              {{- if .Values.keycloak.ingress.enabled }}
+              {{- if .Values.keycloak.ingress.tls }}
+              value: "https://{{ .Values.keycloak.ingress.host }}"
+              {{- else }}
+              value: "http://{{ .Values.keycloak.ingress.host }}"
+              {{- end }}
+              {{- else }}
+              # Keycloak ingress not enabled, using internal service URL.
+              # Note: For OIDC browser flow to work, enable keycloak.ingress or use port-forwarding/VPN.
               value: "http://{{ include "wonder-mesh-net.fullname" . }}-keycloak:{{ .Values.keycloak.service.port }}"
+              {{- end }}
             - name: KEYCLOAK_REALM
               value: {{ .Values.coordinator.oidc.realm | quote }}
             - name: KEYCLOAK_CLIENT_ID

charts/wonder-mesh-net/templates/ingress-keycloak.yaml

@@ -0,0 +1,36 @@
+{{- if and .Values.keycloak.enabled .Values.keycloak.ingress.enabled -}}
+{{- $fullName := include "wonder-mesh-net.fullname" . -}}
+{{- $svcPort := .Values.keycloak.service.port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-keycloak
+  labels:
+    {{- include "wonder-mesh-net.labels" . | nindent 4 }}
+    app.kubernetes.io/component: keycloak
+  {{- with .Values.keycloak.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.keycloak.ingress.className }}
+  ingressClassName: {{ .Values.keycloak.ingress.className }}
+  {{- end }}
+  {{- if .Values.keycloak.ingress.tls }}
+  tls:
+    - hosts:
+        - {{ .Values.keycloak.ingress.host | quote }}
+      secretName: {{ .Values.keycloak.ingress.tls.secretName }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.keycloak.ingress.host | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullName }}-keycloak
+                port:
+                  number: {{ $svcPort }}
+{{- end }}

charts/wonder-mesh-net/values.schema.json

@@ -123,6 +123,26 @@
             "port": { "type": "integer", "minimum": 1, "maximum": 65535 }
           }
         },
+        "ingress": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "className": { "type": "string" },
+            "annotations": {
+              "type": "object",
+              "additionalProperties": { "type": "string" }
+            },
+            "host": { "type": "string" },
+            "tls": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "secretName": { "type": "string" }
+              }
+            }
+          }
+        },
         "persistence": {
           "type": "object",
           "additionalProperties": false,
@@ -161,6 +181,54 @@
             },
             { "type": "null" }
           ]
+        },
+        "identityProviders": {
+          "type": "array",
+          "description": "Identity providers for social login (GitHub, Google, etc.)",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "required": ["alias", "providerId", "config"],
+            "properties": {
+              "alias": {
+                "type": "string",
+                "description": "Unique identifier for this identity provider (e.g., 'github', 'google')"
+              },
+              "providerId": {
+                "type": "string",
+                "description": "The provider type (e.g., 'github', 'google', 'oidc')"
+              },
+              "enabled": {
+                "type": "boolean",
+                "default": true,
+                "description": "Whether this identity provider is enabled"
+              },
+              "trustEmail": {
+                "type": "boolean",
+                "default": false,
+                "description": "Whether to trust email addresses from this provider"
+              },
+              "config": {
+                "type": "object",
+                "additionalProperties": false,
+                "required": ["clientId", "clientSecret"],
+                "properties": {
+                  "clientId": {
+                    "type": "string",
+                    "description": "OAuth client ID"
+                  },
+                  "clientSecret": {
+                    "type": "string",
+                    "description": "OAuth client secret"
+                  },
+                  "defaultScope": {
+                    "type": "string",
+                    "description": "Default OAuth scopes to request"
+                  }
+                }
+              }
+            }
+          }
         }
       }
     },

charts/wonder-mesh-net/values.yaml

@@ -62,6 +62,12 @@ keycloak:
   service:
     type: ClusterIP
     port: 8080
+  ingress:
+    enabled: false
+    className: ""
+    annotations: {}
+    host: auth.example.com
+    tls: {}
   persistence:
     enabled: false
     size: 1Gi
@@ -93,6 +99,26 @@ keycloak:
     #   periodSeconds: 10
     #   timeoutSeconds: 5
 
+  # Identity providers for social login (GitHub, Google, etc.)
+  # These are imported into the Keycloak realm on startup
+  identityProviders: []
+  # Example:
+  # identityProviders:
+  #   - alias: github
+  #     providerId: github
+  #     enabled: true
+  #     trustEmail: true
+  #     config:
+  #       clientId: "your-github-client-id"
+  #       clientSecret: "your-github-client-secret"
+  #   - alias: google
+  #     providerId: google
+  #     enabled: true
+  #     trustEmail: true
+  #     config:
+  #       clientId: "your-google-client-id"
+  #       clientSecret: "your-google-client-secret"
+
 serviceAccount:
   create: true
   annotations: {}

internal/app/coordinator/controller/oidc.go

@@ -26,7 +26,7 @@ func isSafeRedirectPath(path string) bool {
 }
 
 const (
-	defaultPostLoginRedirect = "/"
+	defaultPostLoginRedirect = "/ui/"
 )
 
 // OIDCController handles OIDC authentication endpoints.

internal/app/coordinator/server.go

@@ -443,10 +443,20 @@ func (s *Server) Run() error {
 
 	slog.Info("initializing ACL policy")
 	ctx := context.Background()
-	if err := s.wonderNetService.InitializeACLPolicy(ctx); err != nil {
-		slog.Warn("initialize ACL policy", "error", err)
-	} else {
+	var aclErr error
+	for i := 0; i < 10; i++ {
+		if err := s.wonderNetService.InitializeACLPolicy(ctx); err != nil {
+			aclErr = err
+			slog.Warn("initialize ACL policy, retrying", "error", err, "attempt", i+1)
+			time.Sleep(time.Duration(i+1) * time.Second)
+			continue
+		}
 		slog.Info("ACL policy initialized successfully")
+		aclErr = nil
+		break
+	}
+	if aclErr != nil {
+		slog.Error("initialize ACL policy, giving up after retries", "error", aclErr)
 	}
 
 	httpServer := &http.Server{

internal/app/coordinator/webui/embed.go

@@ -3,8 +3,10 @@ package webui
 import (
 	"embed"
 	"fmt"
+	"io"
 	"io/fs"
 	"net/http"
+	"path"
 	"strings"
 )
 
@@ -19,21 +21,70 @@ func Handler() (http.Handler, error) {
 	if err != nil {
 		return nil, fmt.Errorf("embed static fs: %w", err)
 	}
-	fileServer := http.FileServer(http.FS(subFS))
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		path := r.URL.Path
-		if path == "" || path == "/" {
-			path = "/index.html"
+		urlPath := r.URL.Path
+		if urlPath == "" || urlPath == "/" {
+			urlPath = "/index.html"
 		}
 
-		cleanPath := strings.TrimPrefix(path, "/")
+		cleanPath := strings.TrimPrefix(urlPath, "/")
 		if _, err := fs.Stat(subFS, cleanPath); err != nil {
-			path = "/index.html"
+			cleanPath = "index.html"
 		}
 
-		req := r.Clone(r.Context())
-		req.URL.Path = path
-		fileServer.ServeHTTP(w, req)
+		f, err := subFS.Open(cleanPath)
+		if err != nil {
+			http.NotFound(w, r)
+			return
+		}
+		defer f.Close()
+
+		stat, err := f.Stat()
+		if err != nil {
+			http.Error(w, "internal error", http.StatusInternalServerError)
+			return
+		}
+
+		if stat.IsDir() {
+			cleanPath = path.Join(cleanPath, "index.html")
+			f.Close()
+			f, err = subFS.Open(cleanPath)
+			if err != nil {
+				http.NotFound(w, r)
+				return
+			}
+			defer f.Close()
+			stat, _ = f.Stat()
+		}
+
+		w.Header().Set("Content-Type", contentType(cleanPath))
+		if rs, ok := f.(io.ReadSeeker); ok {
+			http.ServeContent(w, r, cleanPath, stat.ModTime(), rs)
+		} else {
+			w.WriteHeader(http.StatusOK)
+			io.Copy(w, f)
+		}
 	}), nil
 }
+
+func contentType(name string) string {
+	switch {
+	case strings.HasSuffix(name, ".html"):
+		return "text/html; charset=utf-8"
+	case strings.HasSuffix(name, ".css"):
+		return "text/css; charset=utf-8"
+	case strings.HasSuffix(name, ".js"):
+		return "application/javascript"
+	case strings.HasSuffix(name, ".json"):
+		return "application/json"
+	case strings.HasSuffix(name, ".svg"):
+		return "image/svg+xml"
+	case strings.HasSuffix(name, ".png"):
+		return "image/png"
+	case strings.HasSuffix(name, ".ico"):
+		return "image/x-icon"
+	default:
+		return "application/octet-stream"
+	}
+}

webui/src/api/client.ts

@@ -42,7 +42,7 @@ class ApiClient {
   }
 
   async createJoinToken(): Promise<JoinTokenResponse> {
-    return this.fetch('/coordinator/api/v1/join-token', { method: 'POST' })
+    return this.fetch('/coordinator/api/v1/join-token')
   }
 
   async getApiKeys(): Promise<ApiKeyInfo[]> {

webui/src/pages/JoinToken.tsx

@@ -57,7 +57,7 @@ export default function JoinToken() {
             <div style={{ marginTop: '1.5rem', padding: '1rem', backgroundColor: '#f5f5f5', borderRadius: '4px' }}>
               <p style={{ marginBottom: '0.5rem', fontWeight: 500 }}>Usage:</p>
               <code style={{ display: 'block', wordBreak: 'break-all' }}>
-                wonder worker join --token YOUR_TOKEN
+                wonder worker join --coordinator-url https://wonder-net.strrl.dev {'<token>'}
               </code>
             </div>
           </div>