Join the crew
Get an account
Ask your Ops team for an account. In return, they should provide you with:
- the Netbird management URL
- a Netbird setup key
- the root certificate of the PKI
Join the VPN
Connection
- Install the Netbird client on your workstation.
- Use the Netbird management URL and setup key to join the VPN like so:
DNS resolution
Once connected to the VPN, you should be able to resolve git.<toc_workspace>.toc. For example, if your TOC instance is named carapuce, the name should resolve to its private network address:
$ dig git.carapuce.toc
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> git.carapuce.toc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50045
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 03afd4c76a77225c0100000067856ed1e09d673c2f99d784 (good)
;; QUESTION SECTION:
;git.carapuce.toc. IN A
;; ANSWER SECTION:
git.carapuce.toc. 300 IN CNAME worker.carapuce.toc.
worker.carapuce.toc. 300 IN A 10.42.42.3
;; Query time: 16 msec
;; SERVER: 100.72.126.200#53(100.72.126.200) (UDP)
;; WHEN: Mon Jan 13 20:51:41 CET 2025
;; MSG SIZE rcvd: 157
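To check a lookup like the one above automatically, the following added example (not part of the original guide) parses dig output and reports whether the answer came from a resolver inside the VPN and whether the name ends in a private address. The function name check_dig is hypothetical, and the overlay range 100.64.0.0/10 is an assumption based on Netbird's default addressing; ask your Ops team if yours differs.

```python
import ipaddress
import re

# Assumption: the overlay uses NetBird's default CGNAT block; adjust if yours differs.
OVERLAY = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")

# Constructed sample: the relevant lines of the dig output shown above.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50045
;; ANSWER SECTION:
git.carapuce.toc. 300 IN CNAME worker.carapuce.toc.
worker.carapuce.toc. 300 IN A 10.42.42.3
;; SERVER: 100.72.126.200#53(100.72.126.200) (UDP)
"""


def check_dig(output, name):
    """Return the problems found in `dig` output for `name` (empty list = OK)."""
    problems = []
    status = re.search(r"status: (\w+)", output)
    if status is None or status.group(1) != "NOERROR":
        problems.append("query did not succeed")
    server = re.search(r"^;; SERVER: ([^#\s]+)#", output, re.M)
    if server is None:
        problems.append("no SERVER line")
    elif ipaddress.ip_address(server.group(1)) not in OVERLAY:
        problems.append("answered by %s, not the VPN resolver" % server.group(1))
    cnames, addrs = {}, {}
    for line in output.splitlines():
        m = RECORD.match(line.strip())
        if m and m.group(2) == "CNAME":
            cnames[m.group(1).lower()] = m.group(3).lower()
        elif m:
            addrs.setdefault(m.group(1).lower(), []).append(m.group(3))
    # Follow the CNAME chain from the queried name to the record holding A data.
    owner, seen = name.lower().rstrip(".") + ".", set()
    while owner in cnames and owner not in seen:
        seen.add(owner)
        owner = cnames[owner]
    if owner not in addrs:
        problems.append("no A record for %s" % owner)
    for ip in addrs.get(owner, []):
        if not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            problems.append("%s resolves to non-private address %s" % (owner, ip))
    return problems


if __name__ == "__main__":
    print(check_dig(SAMPLE, "git.carapuce.toc") or "OK")
```

An answer served by a resolver outside the overlay usually means the system resolver is not using the VPN's DNS for the .toc zone.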
Tip
DNS resolution can be tricky to set up depending on your system and its default tooling. In case of trouble, look into:
Trust the platform's PKI
Take the given root CA certificate and follow this guide for your system.
This is mandatory for TLS verification.
Corner-case: daemons
If containerd was already running, remember to restart the service so that it takes the new certificate authority into account.
Corner-case: web browsers
Depending on your workstation's setup, you might also need to import the root CA certificate into your browser to avoid irrelevant security alerts.