Initial Copy

This commit is contained in:
M Essam Hamed
2025-04-16 19:40:46 +02:00
parent cf808e1b3e
commit 348ad60b90
62 changed files with 5909 additions and 0 deletions

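--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -0,0 +1,38 @@
+name: Release Helm Chart
+on:
+push:
+paths:
+# update this file to trigger helm chart release
+- 'charts/kubernetes-operator/Chart.yaml'
+- 'charts/netbird/Chart.yaml'
+branches:
+- main
+jobs:
+chart-release:
+runs-on: ubuntu-latest
+permissions:
+contents: write
+pages: write
+steps:
+- name: Checkout
+uses: actions/checkout@v3.1.0
+with:
+fetch-depth: 0
+- name: Configure Git
+run: |
+git config user.name "$GITHUB_ACTOR"
+git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+- name: Install Helm
+uses: azure/setup-helm@v3.4
+with:
+version: v3.4.2
+- name: Run chart-releaser
+uses: helm/chart-releaser-action@v1.4.1
+env:
+CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+CR_RELEASE_NAME_TEMPLATE: "helm-v{{ .Version }}"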
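Review bot: The three third-party actions are pinned to mutable tags (`actions/checkout@v3.1.0`, `azure/setup-helm@v3.4`, `helm/chart-releaser-action@v1.4.1`), so a moved or compromised tag changes what executes in a job that holds `contents: write` and `pages: write` and publishes releases with `GITHUB_TOKEN`. Pin each to its full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v3.1.0`, and let Dependabot or Renovate move the SHA. `actions/checkout@v3.1.0` is also a major behind the `actions/checkout@v4` used by the two test workflows in this commit; aligning them keeps one checkout behaviour across the repository.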


@@ -0,0 +1,68 @@
name: Test kubernetes-operator Chart
on:
push:
pull_request:
jobs:
test-e2e:
name: Run on Ubuntu
runs-on: ubuntu-latest
steps:
- name: Clone the code
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install the latest version of kind
run: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
- name: Verify kind installation
run: kind version
- name: Create kind cluster
run: kind create cluster
- name: Prepare operator
run: |
go mod tidy
make docker-build IMG=netbirdio/kubernetes-operator:debug
kind load docker-image netbirdio/kubernetes-operator:debug
- name: Install Helm
run: |
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- name: Verify Helm installation
run: helm version
- name: Lint Helm Chart
run: |
helm lint ./charts/kubernetes-operator
- name: Install cert-manager via Helm
run: |
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
- name: Wait for cert-manager to be ready
run: |
kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager
kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-cainjector
kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-webhook
- name: Install Helm chart for project
run: |
helm install test-chart --create-namespace --namespace netbird --set 'operator.image.tag=debug' ./charts/kubernetes-operator
- name: Check Helm release status
run: |
helm status test-chart --namespace netbird
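Review bot: The `Install Helm` step pipes an unverified download straight into `bash` (`curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash`), and the kind step fetches `kind-linux-amd64` from an unpinned `latest` URL, so the toolchain this e2e job runs is whatever those endpoints serve on the day. The release workflow in this same commit already installs Helm with `azure/setup-helm` and an explicit `version:`; reusing that here, and pinning kind to a specific release URL, makes the job reproducible and removes the arbitrary-script execution. The `Test netbird Chart` workflow below has the same two steps. Separately, `on: push:` together with `on: pull_request:` and no branch filter runs the full kind-based job twice for every PR opened from a branch in this repository; a `branches: [main]` filter on `push` is the usual fix.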


@@ -0,0 +1,56 @@
name: Test netbird Chart
on:
push:
pull_request:
jobs:
test-e2e:
name: Run on Ubuntu
runs-on: ubuntu-latest
steps:
- name: Clone the code
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install the latest version of kind
run: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
- name: Verify kind installation
run: kind version
- name: Create kind cluster
run: kind create cluster
- name: Prepare operator
run: |
go mod tidy
make docker-build IMG=netbirdio/kubernetes-operator:debug
kind load docker-image netbirdio/kubernetes-operator:debug
- name: Install Helm
run: |
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- name: Verify Helm installation
run: helm version
- name: Lint Helm Chart
run: |
helm lint ./charts/kubernetes-operator
- name: Install Helm chart for project
run: |
helm install test-chart --create-namespace --namespace netbird --set 'operator.image.tag=debug' ./charts/netbird
- name: Check Helm release status
run: |
helm status test-chart --namespace netbird
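Review bot: The `Lint Helm Chart` step lints `./charts/kubernetes-operator` while the install step two steps later installs `./charts/netbird`, so the chart this workflow is named for is never linted; change the lint line to `helm lint ./charts/netbird`. The install also passes `--set 'operator.image.tag=debug'`, which looks copied from the operator workflow; whether the netbird chart consumes that value cannot be confirmed from this hunk, so it is worth checking against that chart's values.yaml, and dropping the flag if it has no effect.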


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,6 @@
apiVersion: v2
name: kubernetes-operator
description: NetBird Kubernetes Operator
type: application
version: 0.1.8
appVersion: "0.1.3"


@@ -0,0 +1,95 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: nbgroups.netbird.io
spec:
group: netbird.io
names:
kind: NBGroup
listKind: NBGroupList
plural: nbgroups
singular: nbgroup
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: NBGroup is the Schema for the nbgroups API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: NBGroupSpec defines the desired state of NBGroup.
properties:
name:
minLength: 1
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
required:
- name
type: object
status:
description: NBGroupStatus defines the observed state of NBGroup.
properties:
conditions:
items:
description: NBCondition defines a condition in NBSetupKey status.
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: |-
Status is the status of the condition.
Can be True, False, Unknown.
type: string
type:
description: Type is the type of the condition.
type: string
required:
- status
- type
type: object
type: array
groupID:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,131 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: nbpolicies.netbird.io
spec:
group: netbird.io
names:
kind: NBPolicy
listKind: NBPolicyList
plural: nbpolicies
singular: nbpolicy
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: NBPolicy is the Schema for the nbpolicies API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: NBPolicySpec defines the desired state of NBPolicy.
properties:
bidirectional:
default: true
type: boolean
description:
type: string
destinationGroups:
items:
minLength: 1
type: string
type: array
name:
description: Name Policy name
minLength: 1
type: string
ports:
items:
format: int32
maximum: 65535
minimum: 0
type: integer
type: array
protocols:
items:
enum:
- tcp
- udp
type: string
type: array
sourceGroups:
items:
minLength: 1
type: string
type: array
required:
- name
type: object
status:
description: NBPolicyStatus defines the observed state of NBPolicy.
properties:
conditions:
items:
description: NBCondition defines a condition in NBSetupKey status.
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: |-
Status is the status of the condition.
Can be True, False, Unknown.
type: string
type:
description: Type is the type of the condition.
type: string
required:
- status
- type
type: object
type: array
lastUpdatedAt:
format: date-time
type: string
managedServiceList:
items:
type: string
type: array
tcpPolicyID:
type: string
udpPolicyID:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,156 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: nbresources.netbird.io
spec:
group: netbird.io
names:
kind: NBResource
listKind: NBResourceList
plural: nbresources
singular: nbresource
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: NBResource is the Schema for the nbresources API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: NBResourceSpec defines the desired state of NBResource.
properties:
address:
minLength: 1
type: string
groups:
items:
minLength: 1
type: string
type: array
name:
minLength: 1
type: string
networkID:
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
policyFriendlyName:
additionalProperties:
type: string
type: object
policyName:
type: string
policySourceGroups:
items:
type: string
type: array
tcpPorts:
items:
format: int32
type: integer
type: array
udpPorts:
items:
format: int32
type: integer
type: array
required:
- address
- groups
- name
- networkID
type: object
status:
description: NBResourceStatus defines the observed state of NBResource.
properties:
conditions:
items:
description: NBCondition defines a condition in NBSetupKey status.
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: |-
Status is the status of the condition.
Can be True, False, Unknown.
type: string
type:
description: Type is the type of the condition.
type: string
required:
- status
- type
type: object
type: array
groups:
items:
type: string
type: array
networkResourceID:
type: string
policyFriendlyName:
additionalProperties:
type: string
type: object
policyName:
type: string
policyNameMapping:
additionalProperties:
type: string
type: object
policySourceGroups:
items:
type: string
type: array
tcpPorts:
items:
format: int32
type: integer
type: array
udpPorts:
items:
format: int32
type: integer
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,203 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: nbroutingpeers.netbird.io
spec:
group: netbird.io
names:
kind: NBRoutingPeer
listKind: NBRoutingPeerList
plural: nbroutingpeers
singular: nbroutingpeer
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: NBRoutingPeer is the Schema for the nbroutingpeers API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: NBRoutingPeerSpec defines the desired state of NBRoutingPeer.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
nodeSelector:
additionalProperties:
type: string
type: object
replicas:
format: int32
type: integer
resources:
description: ResourceRequirements describes the compute resource requirements.
properties:
claims:
description: |-
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: |-
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
type: string
request:
description: |-
Request is the name chosen for a request in the referenced claim.
If empty, everything from the claim is made available, otherwise
only the result of this request.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
tolerations:
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
type: object
status:
description: NBRoutingPeerStatus defines the observed state of NBRoutingPeer.
properties:
conditions:
items:
description: NBCondition defines a condition in NBSetupKey status.
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: |-
Status is the status of the condition.
Can be True, False, Unknown.
type: string
type:
description: Type is the type of the condition.
type: string
required:
- status
- type
type: object
type: array
networkID:
type: string
routerID:
type: string
setupKeyID:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,115 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.1
name: nbsetupkeys.netbird.io
spec:
group: netbird.io
names:
kind: NBSetupKey
listKind: NBSetupKeyList
plural: nbsetupkeys
singular: nbsetupkey
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: NBSetupKey is the Schema for the nbsetupkeys API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: NBSetupKeySpec defines the desired state of NBSetupKey.
properties:
managementURL:
description: ManagementURL optional, override operator management
URL
type: string
secretKeyRef:
description: SecretKeyRef is a reference to the secret containing
the setup key
properties:
key:
description: The key of the secret to select from. Must be a
valid secret key.
type: string
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
optional:
description: Specify whether the Secret or its key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
required:
- secretKeyRef
type: object
status:
description: NBSetupKeyStatus defines the observed state of NBSetupKey.
properties:
conditions:
items:
description: NBCondition defines a condition in NBSetupKey status.
properties:
lastProbeTime:
description: Last time we probed the condition.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: |-
Status is the status of the condition.
Can be True, False, Unknown.
type: string
type:
description: Type is the type of the condition.
type: string
required:
- status
- type
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,102 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kubernetes-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kubernetes-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kubernetes-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kubernetes-operator.labels" -}}
helm.sh/chart: {{ include "kubernetes-operator.chart" . }}
{{ include "kubernetes-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kubernetes-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kubernetes-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kubernetes-operator.serviceAccountName" -}}
{{- if .Values.operator.serviceAccount.create }}
{{- default (include "kubernetes-operator.fullname" .) .Values.operator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.operator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the webhook service
*/}}
{{- define "kubernetes-operator.webhookService" -}}
{{- printf "%s-webhook-service" (include "kubernetes-operator.fullname" .) -}}
{{- end -}}
{{/*
Create the name of the webhook cert secret
*/}}
{{- define "kubernetes-operator.webhookCertSecret" -}}
{{- printf "%s-tls" (include "kubernetes-operator.fullname" .) -}}
{{- end -}}
{{/*
Generate certificates for webhook
*/}}
{{- define "kubernetes-operator.webhookCerts" -}}
{{- $serviceName := (include "kubernetes-operator.webhookService" .) -}}
{{- $secretName := (include "kubernetes-operator.webhookCertSecret" .) -}}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
{{- if (and .Values.webhook.tls.caCert .Values.webhook.tls.cert .Values.webhook.tls.key) -}}
caCert: {{ .Values.webhook.tls.caCert | b64enc }}
clientCert: {{ .Values.webhook.tls.cert | b64enc }}
clientKey: {{ .Values.webhook.tls.key | b64enc }}
{{- else if and .Values.keepTLSSecret $secret -}}
caCert: {{ index $secret.data "ca.crt" }}
clientCert: {{ index $secret.data "tls.crt" }}
clientKey: {{ index $secret.data "tls.key" }}
{{- else -}}
{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.%s" $serviceName .Release.Namespace .Values.cluster.dns) -}}
{{- $ca := genCA "kubernetes-operator-ca" 3650 -}}
{{- $cert := genSignedCert (include "kubernetes-operator.fullname" .) nil $altNames 3650 $ca -}}
caCert: {{ $ca.Cert | b64enc }}
clientCert: {{ $cert.Cert | b64enc }}
clientKey: {{ $cert.Key | b64enc }}
{{- end -}}
{{- end -}}
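Review bot: In `kubernetes-operator.webhookCerts` the final `else` branch calls `genCA` and `genSignedCert` whenever `.Values.webhook.tls.*` is unset and `keepTLSSecret` is falsy, so every `helm upgrade` mints a fresh CA and serving key pair, and because `lookup` returns nothing under `helm template` and `--dry-run`, manifests rendered that way never match what is in the cluster. If this template is included from both the Secret and the webhook configuration templates (outside this view), each `include` re-evaluates `genCA`, and the CA bundle and the served certificate come from different key pairs; computing the result once per render, or defaulting `keepTLSSecret` to `true` in values.yaml, avoids that. The 3650-day validity on both `genCA` and `genSignedCert` also means there is no rotation unless the secret is deleted. A comment above the define should state this lifecycle, e.g. `{{/* Certs are regenerated on every upgrade unless keepTLSSecret is true; lookup is empty under helm template/--dry-run */}}`.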


@@ -0,0 +1,127 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.operator.replicaCount }}
selector:
matchLabels:
{{- include "kubernetes-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.operator.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.operator.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kubernetes-operator.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.operator.securityContext | nindent 12 }}
image: "{{ .Values.operator.image.registry }}/{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
command:
- /manager
args:
{{- if .Values.operator.metrics.enabled }}
- --metrics-bind-address=:{{ .Values.operator.metrics.port}}
{{- end }}
- --leader-elect
- --health-probe-bind-address=:{{ .Values.operator.livenessProbe.port }}
- --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs
{{- if .Values.managementURL }}
- --netbird-management-url={{.Values.managementURL}}
{{- end }}
{{- if .Values.cluster.name }}
- --cluster-name={{.Values.cluster.name}}
{{- end }}
{{- if .Values.ingress.namespacedNetworks }}
- --namespaced-networks={{.Values.ingress.namespacedNetworks}}
{{- end }}
{{- if .Values.cluster.dns }}
- --cluster-dns={{.Values.cluster.dns}}
{{- end }}
{{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}
- --netbird-api-key=$(NB_API_KEY)
{{- end }}
{{- if .Values.ingress.allowAutomaticPolicyCreation }}
- --allow-automatic-policy-creation
{{- end }}
ports:
- name: webhook-server
containerPort: {{ .Values.webhook.service.port }}
protocol: TCP
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: {{ .Values.operator.livenessProbe.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.operator.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.operator.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.operator.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.operator.livenessProbe.timeoutSeconds }}
{{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}
envFrom:
- secretRef:
{{- if .Values.netbirdAPI.keyFromSecret }}
name: {{.Values.netbirdAPI.keyFromSecret}}
{{- else }}
name: {{ include "kubernetes-operator.fullname" . }}
{{- end }}
{{- end }}
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: {{ .Values.operator.readinessProbe.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.operator.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.operator.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.operator.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.operator.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.operator.resources | nindent 12 }}
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: webhook-certs
readOnly: true
{{- with .Values.operator.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: webhook-certs
secret:
defaultMode: 420
secretName: {{ template "kubernetes-operator.webhookCertSecret" . }}
{{- with .Values.operator.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
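Review bot: The NetBird API key is passed on the command line (`- --netbird-api-key=$(NB_API_KEY)`), so once the kubelet expands the variable the secret sits in the container's `/proc/<pid>/cmdline`, where `kubectl exec`, process-listing tooling and crash reports that record argv can pick it up, while the `envFrom` secret reference already makes it available as an environment variable. If the manager binary can read `NB_API_KEY` from the environment, dropping the flag and keeping only `envFrom` removes that exposure; if it cannot, a short comment next to the flag recording the trade-off would help the next maintainer. As a point of style, `{{ .Values.operator.metrics.port}}`, `{{.Values.managementURL}}`, `{{.Values.cluster.name}}` and the neighbouring substitutions are inconsistent about spaces inside the braces compared with the rest of the file.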


@@ -0,0 +1,71 @@
{{- if and .Values.ingress.enabled .Values.ingress.kubernetesAPI.enabled }}
{{- $routerNS := .Release.Namespace }}
{{- if .Values.ingress.namespacedNetworks }}
{{- $routerNS = "default" }}
{{- end }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "kubernetes-operator.fullname" . }}-kubernetes-service-expose
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade,post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
backOffLimit: 3
template:
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
initContainers:
- name: wait-network-ready
image: "bitnami/kubectl:latest"
command:
- bash
- -c
args:
- kubectl wait --for 'jsonpath={.status.networkID}' -n {{ $routerNS }} nbroutingpeer router;
containers:
- name: apply-nbresource
image: "bitnami/kubectl:latest"
env:
- name: NBRESOURCE_VALUE
value: |
apiVersion: netbird.io/v1
kind: NBResource
metadata:
finalizers:
- netbird.io/cleanup
name: kubernetes
namespace: default
spec:
address: kubernetes.default.{{.Values.cluster.dns}}
groups:
{{- if .Values.ingress.kubernetesAPI.groups }}
{{ toYaml .Values.ingress.kubernetesAPI.groups }}
{{- else }}
- {{ .Values.cluster.name }}-default-api-access
{{- end }}
name: {{ .Values.ingress.kubernetesAPI.resourceName | default "default-kubernetes-api" }}
networkID: ${NETWORK_ID}
{{- if .Values.ingress.kubernetesAPI.policies }}
policyName: "{{ join "," .Values.ingress.kubernetesAPI.policies }}"
{{- end }}
tcpPorts:
- 443
command:
- bash
- -c
args:
- kubectl delete NBResource --ignore-not-found -n default kubernetes; export NETWORK_ID=$(kubectl get NBRoutingPeer -n {{ $routerNS }} router -o 'jsonpath={.status.networkID}'); echo "$NBRESOURCE_VALUE" | envsubst | kubectl apply -f -
serviceAccountName: {{ include "kubernetes-operator.serviceAccountName" . }}
restartPolicy: Never
{{- end }}
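Review bot: `backOffLimit: 3` is not a `batch/v1` Job field — the JobSpec key is `backoffLimit` — so depending on the API server's field-validation mode the line is either rejected or silently dropped and the Job falls back to the default retry count; change it to `backoffLimit: 3`. Both containers use `bitnami/kubectl:latest`, a mutable tag pulled into a post-install/post-upgrade hook that runs under the operator's service account (`serviceAccountName` near the end of the spec), so the code executing with those permissions can change without any chart change; pin the image to a version tag or a digest and expose it as a value so restricted registries can override it. The init container's `kubectl wait` has no `--timeout`, so it relies on kubectl's default; if the routing peer routinely takes longer to populate `status.networkID`, the pod fails and the Job burns through its retries, and an explicit `--timeout` sized for the expected wait would make that behaviour deliberate.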


@@ -0,0 +1,28 @@
{{- range $k, $v := $.Values.ingress.policies }}
---
apiVersion: netbird.io/v1
kind: NBPolicy
metadata:
finalizers:
- netbird.io/cleanup
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" $ | nindent 4 }}
name: {{ $k }}
spec:
name: {{ $v.name }}
sourceGroups:
{{ toYaml $v.sourceGroups | nindent 4}}
{{- if $v.description }}
description: {{ $v.description }}
{{- end }}
{{- if $v.protocols }}
protocols: {{ $v.protocols }}
{{- end }}
{{- if $v.ports }}
ports: {{ $v.ports }}
{{- end }}
{{- if hasKey $v "bidirectional" }}
bidirectional: {{ $v.bidirectional }}
{{- end }}
{{- end }}
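Review bot: `protocols: {{ $v.protocols }}` and `ports: {{ $v.ports }}` render a Go slice through fmt, which produces `[tcp udp]`; YAML reads that as a one-element flow sequence containing the string `tcp udp`, which the NBPolicy CRD's `enum: [tcp, udp]` in this same commit then rejects, and the ports list fails type validation the same way. If values.yaml supplies these as lists, as `sourceGroups` is already handled two lines above with `toYaml ... | nindent 4`, the two fields should use the same form, and `description: {{ $v.description }}` and `name: {{ $v.name }}` are unquoted user-supplied strings that should go through `| quote`. The range body continues unchanged for `bidirectional`.
```yaml
  {{- if $v.description }}
  description: {{ $v.description | quote }}
  {{- end }}
  {{- if $v.protocols }}
  protocols:
  {{- toYaml $v.protocols | nindent 4 }}
  {{- end }}
  {{- if $v.ports }}
  ports:
  {{- toYaml $v.ports | nindent 4 }}
  {{- end }}
  # … unchanged: bidirectional …
```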


@@ -0,0 +1,75 @@
{{- if and .Values.ingress.enabled .Values.ingress.router.enabled }}
{{- if .Values.ingress.namespacedNetworks }}
{{ $defaults := .Values.ingress.router }}
{{ range $k, $v := .Values.ingress.router.namespaces }}
apiVersion: netbird.io/v1
kind: NBRoutingPeer
metadata:
finalizers:
- netbird.io/cleanup
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" $ | nindent 4 }}
name: router
namespace: {{ $k }}
{{ $spec := merge $defaults $v }}
{{- if or (or (or $spec.replicas $spec.resources) (or $spec.labels $spec.annotations)) (or $spec.nodeSelector $spec.tolerations) }}
spec:
{{- if $spec.replicas }}
replicas: {{ $spec.replicas }}
{{- end }}
{{- if $spec.resources }}
resources: {{ $spec.resources }}
{{- end }}
{{- if $spec.labels }}
labels: {{ $spec.labels }}
{{- end }}
{{- if $spec.annotations }}
annotations: {{ $spec.annotations }}
{{- end }}
{{- if $spec.nodeSelector }}
nodeSelector: {{ $spec.nodeSelector }}
{{- end }}
{{- if $spec.tolerations }}
tolerations: {{ $spec.tolerations }}
{{- end }}
{{- end }}
---
{{- end }}
{{- else }}
{{- with .Values.ingress.router }}
apiVersion: netbird.io/v1
kind: NBRoutingPeer
metadata:
finalizers:
- netbird.io/cleanup
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" $ | nindent 4 }}
name: router
{{- if or (or (or .replicas .resources) (or .labels .annotations)) (or .nodeSelector .tolerations) }}
spec:
{{- if .replicas }}
replicas: {{ .replicas }}
{{- end }}
{{- if .resources }}
resources: {{ .resources }}
{{- end }}
{{- if .labels }}
labels: {{ .labels }}
{{- end }}
{{- if .annotations }}
annotations: {{ .annotations }}
{{- end }}
{{- if .nodeSelector }}
nodeSelector: {{ .nodeSelector }}
{{- end }}
{{- if .tolerations }}
tolerations: {{ .tolerations }}
{{- end }}
{{- else }}
spec: {}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
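Review bot: `{{ $spec := merge $defaults $v }}` in the `namespacedNetworks` branch gives its first argument precedence, so a key set for one entry under `ingress.router.namespaces` can never override the same key in `ingress.router` — the opposite of what the defaults map is for — and Sprig's `merge` also writes into `$defaults` in place, so keys from one namespace leak into every later loop iteration. `{{ $spec := merge (deepCopy $v) $defaults }}` fixes both. Separately, `resources: {{ $spec.resources }}`, `labels:`, `annotations:`, `nodeSelector:` and `tolerations:` (and the same lines in the else-branch) emit a Go map or slice with fmt formatting (`map[requests:map[cpu:100m]]`), which is not valid YAML for the CRD; render each with `{{ toYaml $spec.resources | nindent 4 }}` as the other templates in this commit do for `podLabels`.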


@@ -0,0 +1,69 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "kubernetes-operator.fullname" . }}-delete-routers
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- name: pre-delete
image: "bitnami/kubectl:latest"
args:
- delete
- --all
- -A
- --cascade=foreground
- --ignore-not-found
- NBRoutingPeer
serviceAccountName: {{ include "kubernetes-operator.serviceAccountName" . }}
restartPolicy: Never
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "kubernetes-operator.fullname" . }}-delete-policies
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 8 }}
{{- with .Values.operator.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- name: pre-delete
image: "bitnami/kubectl:latest"
args:
- delete
- --all
- --cascade=foreground
- --ignore-not-found
- NBPolicy
serviceAccountName: {{ include "kubernetes-operator.serviceAccountName" . }}
restartPolicy: Never
---
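Review bot: Both pre-delete Jobs run `bitnami/kubectl:latest`, a mutable tag of a third-party image hard-coded in the template rather than taken from values, so the cluster-wide `delete --all` step executes whatever that tag resolves to at uninstall time; the same image is used by the `wait-network-ready` and `apply-nbresource` containers of the NBResource job earlier in this commit. Pin it to a digest or at least a version tag and expose it as a value (e.g. `hooks.kubectlImage`) so it can be mirrored. These pods also carry no `securityContext` although `operator.securityContext` and `operator.podSecurityContext` exist in values; reusing them here with the `toYaml ... | nindent` pattern keeps the hooks under the same policy as the operator. Consider `activeDeadlineSeconds` on both Jobs so a stuck delete does not block `helm uninstall` indefinitely.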


@@ -0,0 +1,195 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- netbird.io
resources:
- nbsetupkeys
verbs:
- get
- list
- watch
- apiGroups:
- netbird.io
resources:
- nbsetupkeys/finalizers
verbs:
- update
- apiGroups:
- netbird.io
resources:
- nbsetupkeys/status
verbs:
- get
- patch
- update
{{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}
- apiGroups:
- netbird.io
resources:
- nbgroups
- nbresources
- nbroutingpeers
- nbpolicies
verbs:
- get
- patch
- update
- list
- watch
- create
- delete
- apiGroups:
- netbird.io
resources:
- nbgroups/status
- nbresources/status
- nbroutingpeers/status
- nbpolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- netbird.io
resources:
- nbgroups/finalizers
- nbresources/finalizers
- nbroutingpeers/finalizers
- nbpolicies/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services/finalizers
verbs:
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- patch
- update
- list
- watch
- create
- delete
{{- end }}
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
{{- if or (or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret) .Values.clusterSecretsPermissions.allowAllSecrets }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}
- patch
- update
- create
- delete
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kubernetes-operator.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "kubernetes-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "kubernetes-operator.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "kubernetes-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
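Review bot: With the values default `clusterSecretsPermissions.allowAllSecrets: true`, the `secrets` rule near the end of the ClusterRole grants get/list/watch on every Secret in the cluster to the operator's ServiceAccount, and once an API key is configured it adds create/patch/update/delete cluster-wide as well; nothing in the template records why. Add a comment above that rule naming what the operator reads, e.g. `# Secrets referenced by NBSetupKey objects and routing-peer setup-key secrets; cluster-wide only when allowAllSecrets is set`, and consider documenting a namespaced Role for the release namespace as the alternative, since this ServiceAccount is also handed to the kubectl hook Jobs in this commit. The `services` rule's `update`/`patch` verbs are likewise cluster-wide; if they exist only for finalizer handling the `services/finalizers` rule may already cover it — worth confirming against the controller.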


@@ -0,0 +1,11 @@
{{- if .Values.netbirdAPI.key }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "kubernetes-operator.fullname" . }}
labels:
app.kubernetes.io/component: operator
{{- include "kubernetes-operator.labels" . | nindent 4 }}
stringData:
NB_API_KEY: {{ .Values.netbirdAPI.key }}
{{- end }}
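Review bot: `NB_API_KEY: {{ .Values.netbirdAPI.key }}` is an unquoted templated scalar, so a token that starts with a YAML indicator or that looks like a number or boolean is re-typed or breaks the manifest; use `NB_API_KEY: {{ .Values.netbirdAPI.key | quote }}`. Supplying the key through values also stores it in the Helm release record in addition to this Secret and shows it in `helm get values`; a comment at the top of this template pointing users to `netbirdAPI.keyFromSecret` as the preferred path would make that trade-off visible.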


@@ -0,0 +1,33 @@
{{- if .Values.operator.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-operator.fullname" . }}-metrics
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
spec:
type: {{ .Values.operator.metrics.type }}
ports:
- name: http
port: {{ .Values.operator.metrics.port }}
protocol: TCP
targetPort: {{ .Values.operator.metrics.port }}
selector:
{{- include "kubernetes-operator.selectorLabels" . | nindent 4 }}
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "kubernetes-operator.webhookService" . }}
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
spec:
type: {{ .Values.webhook.service.type }}
ports:
- name: https
port: {{ .Values.webhook.service.port }}
protocol: TCP
targetPort: {{ .Values.webhook.service.targetPort }}
selector:
{{- include "kubernetes-operator.selectorLabels" . | nindent 4 }}


@@ -0,0 +1,13 @@
{{- if .Values.operator.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kubernetes-operator.serviceAccountName" . }}
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
{{- with .Values.operator.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.operator.serviceAccount.automount }}
{{- end }}
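Review bot: This ServiceAccount, which receives the cluster-wide Secret and Deployment permissions of the ClusterRole in this commit, is also assigned to the kubectl hook pods (`serviceAccountName` on the two pre-delete Jobs and on the NBResource apply Job). Those pods only need to wait on NBRoutingPeer and create/delete the chart's own custom resources, so a dedicated ServiceAccount and Role for the hooks would keep a misbehaving hook container from reading arbitrary Secrets. At minimum, document the sharing here: `# Shared by the operator Deployment and the kubectl hook Jobs; permissions come from the chart's ClusterRole`.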


@@ -0,0 +1,253 @@
{{ $tls := fromYaml ( include "kubernetes-operator.webhookCerts" . ) }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if $.Values.webhook.enableCertManager }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
{{- end }}
name: {{ include "kubernetes-operator.fullname" . }}-mpod-webhook
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
webhooks:
- clientConfig:
{{- if not $.Values.webhook.enableCertManager }}
caBundle: {{ $tls.caCert }}
{{ end }}
service:
name: {{ template "kubernetes-operator.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /mutate--v1-pod
failurePolicy: Fail
name: mpod-v1.netbird.io
admissionReviewVersions:
- v1
{{- if .Values.webhook.namespaceSelectors }}
namespaceSelector:
matchExpressions:
{{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
{{ end }}
objectSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: NotIn
values:
- {{ include "kubernetes-operator.name" . }}
{{- if .Values.webhook.objectSelector.matchExpressions }}
{{- toYaml .Values.webhook.objectSelector.matchExpressions | nindent 4 }}
{{- end }}
{{- if .Values.webhook.objectSelector.matchLabels }}
matchLabels:
{{- toYaml .Values.webhook.objectSelector.matchLabels | nindent 6 }}
{{- end }}
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
{{- if $.Values.webhook.enableCertManager }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
{{- end }}
name: {{ include "kubernetes-operator.fullname" . }}-vnbsetupkey-webhook
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
webhooks:
- clientConfig:
{{- if not $.Values.webhook.enableCertManager }}
caBundle: {{ $tls.caCert }}
{{ end }}
service:
name: {{ template "kubernetes-operator.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-netbird-io-v1-nbsetupkey
failurePolicy: Fail
name: vnbsetupkey-v1.netbird.io
admissionReviewVersions:
- v1
{{- if .Values.webhook.namespaceSelectors }}
namespaceSelector:
matchExpressions:
{{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
{{ end }}
rules:
- apiGroups:
- netbird.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- "nbsetupkeys"
sideEffects: None
{{- if and $.Values.ingress.enabled (or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret) }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
{{- if $.Values.webhook.enableCertManager }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
{{- end }}
name: {{ include "kubernetes-operator.fullname" . }}-vnbresource-webhook
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
webhooks:
- clientConfig:
{{- if not $.Values.webhook.enableCertManager }}
caBundle: {{ $tls.caCert }}
{{ end }}
service:
name: {{ template "kubernetes-operator.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-netbird-io-v1-nbresource
failurePolicy: Fail
name: vnbresource-v1.netbird.io
admissionReviewVersions:
- v1
{{- if .Values.webhook.namespaceSelectors }}
namespaceSelector:
matchExpressions:
{{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
{{ end }}
rules:
- apiGroups:
- netbird.io
apiVersions:
- v1
operations:
- DELETE
resources:
- "nbresources"
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
{{- if $.Values.webhook.enableCertManager }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
{{- end }}
name: {{ include "kubernetes-operator.fullname" . }}-vnbroutingpeer-webhook
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
webhooks:
- clientConfig:
{{- if not $.Values.webhook.enableCertManager }}
caBundle: {{ $tls.caCert }}
{{ end }}
service:
name: {{ template "kubernetes-operator.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-netbird-io-v1-nbroutingpeer
failurePolicy: Fail
name: vnbroutingpeer-v1.netbird.io
admissionReviewVersions:
- v1
{{- if .Values.webhook.namespaceSelectors }}
namespaceSelector:
matchExpressions:
{{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
{{ end }}
rules:
- apiGroups:
- netbird.io
apiVersions:
- v1
operations:
- DELETE
resources:
- "nbroutingpeers"
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
{{- if $.Values.webhook.enableCertManager }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
{{- end }}
name: {{ include "kubernetes-operator.fullname" . }}-vnbgroup-webhook
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
webhooks:
- clientConfig:
{{- if not $.Values.webhook.enableCertManager }}
caBundle: {{ $tls.caCert }}
{{ end }}
service:
name: {{ template "kubernetes-operator.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-netbird-io-v1-nbgroup
failurePolicy: Fail
name: vnbgroup-v1.netbird.io
admissionReviewVersions:
- v1
{{- if .Values.webhook.namespaceSelectors }}
namespaceSelector:
matchExpressions:
{{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
{{ end }}
rules:
- apiGroups:
- netbird.io
apiVersions:
- v1
operations:
- DELETE
resources:
- "nbgroups"
sideEffects: None
{{- end }}
---
{{- if not $.Values.webhook.enableCertManager }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kubernetes-operator.webhookCertSecret" . }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubernetes-operator.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
ca.crt: {{ $tls.caCert }}
tls.crt: {{ $tls.clientCert }}
tls.key: {{ $tls.clientKey }}
{{- else }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "kubernetes-operator.fullname" . }}-serving-cert
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubernetes-operator.labels" . | indent 4 }}
spec:
dnsNames:
- {{ template "kubernetes-operator.webhookService" . }}.{{ .Release.Namespace }}.svc
- {{ template "kubernetes-operator.webhookService" . }}.{{ .Release.Namespace }}.{{ .Values.cluster.dns }}
issuerRef:
kind: Issuer
name: {{ template "kubernetes-operator.fullname" . }}-selfsigned-issuer
secretName: {{ template "kubernetes-operator.webhookCertSecret" . }}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ template "kubernetes-operator.fullname" . }}-selfsigned-issuer
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubernetes-operator.labels" . | indent 4 }}
spec:
selfSigned: {}
{{- end }}
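Review bot: The MutatingWebhookConfiguration for pods combines `failurePolicy: Fail`, a rule matching CREATE on all `pods`, and a `namespaceSelector` that is only emitted when `webhook.namespaceSelectors` is set (its values default is `[]`), so while the operator's webhook endpoint is unavailable no pod can be created in any namespace, `kube-system` included, except pods carrying the operator's own `app.kubernetes.io/name` label. Either default `namespaceSelectors` to exclude control-plane namespaces (`- key: kubernetes.io/metadata.name`, `operator: NotIn`, `values: [kube-system]`) or add a comment at the top of the template stating this blast radius and that `failurePolicy: Ignore` is the trade-off for the pod webhook. The objectSelector exclusion keys on a label any workload can set, so it is an opt-out rather than an operator-only carve-out — fine if the mutation is convenience only, worth stating if it is relied on for policy; what the mutation does is not visible here. `{{ $tls := fromYaml (include "kubernetes-operator.webhookCerts" . ) }}` runs on every render even when cert-manager is enabled; if that helper generates a CA, check it is stable across `helm upgrade` (the helper is outside this hunk).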


@@ -0,0 +1,193 @@
clusterSecretsPermissions:
# Required for NBSetupKey validation
# Required for Ingress functionality to create and validate secrets for routing peers
allowAllSecrets: true
webhook:
service:
type: ClusterIP
port: 443
targetPort: 9443
# TLS configuration for webhook
# Optional, unused if webhook.enableCertManager is set to true
tls: {}
# Use cert-manager to provision webhook certificates (recommended)
enableCertManager: true
# Narrow down validation and mutation webhooks namespaces
namespaceSelectors: []
# - key: foo
# operator: In
# values:
# - bar
# Narrow down validation and mutation webhooks objects
objectSelector:
matchExpressions: []
# - key: app.kubernetes.io/name
# operator: NotIn
# values:
# - foo
operator:
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
# Set operator image registry
registry: docker.io
# Set operator image repository
repository: netbirdio/kubernetes-operator
# This sets the pull policy for images.
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
metrics:
enabled: true
type: ClusterIP
port: 8080
# This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
#This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
podSecurityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
service:
# This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: ClusterIP
# This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
port: 9443
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
# Additional volumes on the output Deployment definition.
volumes: []
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
nodeSelector: {}
tolerations: []
affinity: {}
ingress:
# Enable ingress capabilities to expose services
enabled: false
# Create router per namespace, useful for strict networking requirements
namespacedNetworks: false
# Allow creating policies through Service annotations
allowAutomaticPolicyCreation: false
kubernetesAPI:
enabled: false
groups: []
# - group1
# - group2
policies: []
# - default
router:
# Deploy routing peer(s)
enabled: false
# replicas: 3
# resources:
# requests:
# cpu: 100m
# memory: 100Mi
# limits:
# cpu: 100m
# memory: 100Mi
# labels: {}
# annotations: {}
# nodeSelector: {}
# tolerations: []
# Only needed if namespacedNetworks is set to true
namespaces: {}
# default:
# replicas: 3
# resources:
# requests:
# cpu: 100m
# memory: 100Mi
# limits:
# cpu: 100m
# memory: 100Mi
# labels: {}
# annotations: {}
# nodeSelector: {}
# tolerations: []
# NetBird Policies for use with exposed services
policies: {}
# default:
# name: Kubernetes Default Policy
# sourceGroups:
# - All
cluster:
# Cluster DNS name (used for webhooks certificates and for network resource DNS names)
dns: svc.cluster.local
# Cluster name (used for generating network and network resource names in NetBird)
name: kubernetes
netbirdAPI: {}
# NetBird Service Account Token
# key: "nbp_m0LM9ZZvDUzFO0pY50iChDOTxJgKFM3DIqmZ"
# keyFromSecret: "Secret name with NB_API_KEY=Service Account Token"
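Review bot: The commented example `key: "nbp_m0LM9ZZvDUzFO0pY50iChDOTxJgKFM3DIqmZ"` has the shape of a real NetBird service-account token, so secret scanners will flag the file and users may copy the pattern; replace it with an obviously fake placeholder such as `key: "<netbird-service-account-token>"` and note that a key given here ends up in the Helm release record, which is why `keyFromSecret` is preferred. `clusterSecretsPermissions.allowAllSecrets: true` defaults the operator to read access on every Secret in the cluster; the two comments above it say where it is required but not whether `false` works when the referenced Secrets live in the release namespace — if it does, say so and consider making `false` the default. `webhook.tls: {}` is described as unused with cert-manager but gives no hint of the keys expected; a short commented example of whatever `kubernetes-operator.webhookCerts` reads would help.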


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,8 @@
---
apiVersion: v2
name: netbird
description: NetBird VPN management platform
type: application
version: 1.6.1
appVersion: "0.36.5"
icon: https://images.crunchbase.com/image/upload/c_pad,h_256,w_256,f_auto,q_auto:eco,dpr_1/kuu5tm1wt09ztp6ctlag

258
charts/netbird/README.md Normal file

@@ -0,0 +1,258 @@
# netbird
Forked from [TOT MICRO's Helm Repository](https://github.com/totmicro/helms).
![Version: 1.6.1](https://img.shields.io/badge/Version-1.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.36.5](https://img.shields.io/badge/AppVersion-0.36.5-informational?style=flat-square)
# NetBird Helm Chart
This Helm chart installs and configures the [NetBird](https://github.com/netbirdio/netbird) services within a Kubernetes cluster. The chart includes the management, signal, and relay components of NetBird, providing secure peer-to-peer network connections across various environments.
## Prerequisites
- Helm 3.x
- Kubernetes 1.19+
## Installation
To install the chart with the release name `netbird`:
```bash
helm repo add netbirdio https://netbirdio.github.io/helms
helm install netbird netbirdio/netbird
```
You can override default values by specifying a `values.yaml` file:
```bash
helm install netbird netbirdio/netbird -f values.yaml
```
### Uninstalling the Chart
To uninstall/delete the `netbird` release:
```bash
helm uninstall netbird
```
This will remove all the resources associated with the release.
## Configuration
The following table lists the configurable parameters of the NetBird Helm chart and their default values.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| dashboard.affinity | object | `{}` | |
| dashboard.containerPort | int | `80` | |
| dashboard.enabled | bool | `true` | |
| dashboard.env | object | `{}` | |
| dashboard.envFromSecret | object | `{}` | |
| dashboard.envRaw | list | `[]` | |
| dashboard.image.pullPolicy | string | `"IfNotPresent"` | |
| dashboard.image.repository | string | `"netbirdio/dashboard"` | |
| dashboard.image.tag | string | `"v2.9.0"` | |
| dashboard.imagePullSecrets | list | `[]` | |
| dashboard.ingress.annotations | object | `{}` | |
| dashboard.ingress.className | string | `""` | |
| dashboard.ingress.enabled | bool | `false` | |
| dashboard.ingress.hosts[0].host | string | `"chart-example.local"` | |
| dashboard.ingress.hosts[0].paths[0].path | string | `"/"` | |
| dashboard.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| dashboard.ingress.tls | list | `[]` | |
| dashboard.lifecycle | object | `{}` | |
| dashboard.livenessProbe.httpGet.path | string | `"/"` | |
| dashboard.livenessProbe.httpGet.port | string | `"http"` | |
| dashboard.livenessProbe.periodSeconds | int | `5` | |
| dashboard.nodeSelector | object | `{}` | |
| dashboard.podAnnotations | object | `{}` | |
| dashboard.podCommand.args | list | `[]` | |
| dashboard.podSecurityContext | object | `{}` | |
| dashboard.readinessProbe.httpGet.path | string | `"/"` | |
| dashboard.readinessProbe.httpGet.port | string | `"http"` | |
| dashboard.readinessProbe.initialDelaySeconds | int | `5` | |
| dashboard.readinessProbe.periodSeconds | int | `5` | |
| dashboard.replicaCount | int | `1` | |
| dashboard.resources | object | `{}` | |
| dashboard.securityContext | object | `{}` | |
| dashboard.service.name | string | `"http"` | |
| dashboard.service.port | int | `80` | |
| dashboard.service.type | string | `"ClusterIP"` | |
| dashboard.serviceAccount.annotations | object | `{}` | |
| dashboard.serviceAccount.create | bool | `true` | |
| dashboard.serviceAccount.name | string | `""` | |
| dashboard.tolerations | list | `[]` | |
| extraManifests | object | `{}` | |
| fullnameOverride | string | `""` | |
| global.namespace | string | `""` | |
| management.affinity | object | `{}` | |
| management.configmap | string | `""` | |
| management.containerPort | int | `80` | |
| management.deploymentAnnotations | object | `{}` | |
| management.dnsDomain | string | `"netbird.selfhosted"` | |
| management.enabled | bool | `true` | |
| management.env | object | `{}` | |
| management.envFromSecret | object | `{}` | |
| management.envRaw | list | `[]` | |
| management.grpcContainerPort | int | `33073` | |
| management.image.pullPolicy | string | `"IfNotPresent"` | |
| management.image.repository | string | `"netbirdio/management"` | |
| management.image.tag | string | `""` | |
| management.imagePullSecrets | list | `[]` | |
| management.ingress.annotations | object | `{}` | |
| management.ingress.className | string | `""` | |
| management.ingress.enabled | bool | `false` | |
| management.ingress.hosts[0].host | string | `"example.com"` | |
| management.ingress.hosts[0].paths[0].path | string | `"/"` | |
| management.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| management.ingress.tls | list | `[]` | |
| management.ingressGrpc.annotations | object | `{}` | |
| management.ingressGrpc.className | string | `""` | |
| management.ingressGrpc.enabled | bool | `false` | |
| management.ingressGrpc.hosts[0].host | string | `"example.com"` | |
| management.ingressGrpc.hosts[0].paths[0].path | string | `"/"` | |
| management.ingressGrpc.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| management.ingressGrpc.tls | list | `[]` | |
| management.lifecycle | object | `{}` | |
| management.livenessProbe.failureThreshold | int | `3` | |
| management.livenessProbe.initialDelaySeconds | int | `15` | |
| management.livenessProbe.periodSeconds | int | `10` | |
| management.livenessProbe.tcpSocket.port | string | `"http"` | |
| management.livenessProbe.timeoutSeconds | int | `3` | |
| management.metrics.enabled | bool | `false` | |
| management.metrics.port | int | `9090` | |
| management.nodeSelector | object | `{}` | |
| management.persistentVolume.accessModes[0] | string | `"ReadWriteOnce"` | |
| management.persistentVolume.enabled | bool | `true` | |
| management.persistentVolume.size | string | `"10Mi"` | |
| management.persistentVolume.storageClass | string | `null` | |
| management.persistentVolume.existingPVName | string | `""` | |
| management.podAnnotations | object | `{}` | |
| management.podCommand.args[0] | string | `"--port=80"` | |
| management.podCommand.args[1] | string | `"--log-file=console"` | |
| management.podCommand.args[2] | string | `"--log-level=info"` | |
| management.podCommand.args[3] | string | `"--disable-anonymous-metrics=false"` | |
| management.podCommand.args[4] | string | `"--single-account-mode-domain=netbird.example.com"` | |
| management.podCommand.args[5] | string | `"--dns-domain=netbird.selfhosted"` | |
| management.podSecurityContext | object | `{}` | |
| management.readinessProbe.failureThreshold | int | `3` | |
| management.readinessProbe.initialDelaySeconds | int | `15` | |
| management.readinessProbe.periodSeconds | int | `10` | |
| management.readinessProbe.tcpSocket.port | string | `"http"` | |
| management.readinessProbe.timeoutSeconds | int | `3` | |
| management.replicaCount | int | `1` | |
| management.resources | object | `{}` | |
| management.securityContext | object | `{}` | |
| management.service.name | string | `"http"` | |
| management.service.port | int | `80` | |
| management.service.type | string | `"ClusterIP"` | |
| management.serviceAccount.annotations | object | `{}` | |
| management.serviceAccount.create | bool | `true` | |
| management.serviceAccount.name | string | `""` | |
| management.serviceGrpc.name | string | `"grpc"` | |
| management.serviceGrpc.port | int | `33073` | |
| management.serviceGrpc.type | string | `"ClusterIP"` | |
| management.tolerations | list | `[]` | |
| management.useBackwardsGrpcService | bool | `false` | |
| metrics.serviceMonitor.annotations | object | `{}` | |
| metrics.serviceMonitor.enabled | bool | `false` | |
| metrics.serviceMonitor.honorLabels | bool | `false` | |
| metrics.serviceMonitor.interval | string | `""` | |
| metrics.serviceMonitor.jobLabel | string | `""` | |
| metrics.serviceMonitor.labels | object | `{}` | |
| metrics.serviceMonitor.metricRelabelings | list | `[]` | |
| metrics.serviceMonitor.namespace | string | `""` | |
| metrics.serviceMonitor.relabelings | list | `[]` | |
| metrics.serviceMonitor.scrapeTimeout | string | `""` | |
| metrics.serviceMonitor.selector | object | `{}` | |
| nameOverride | string | `""` | |
| relay.affinity | object | `{}` | |
| relay.deploymentAnnotations | object | `{}` | |
| relay.enabled | bool | `true` | |
| relay.env | object | `{}` | |
| relay.envFromSecret | object | `{}` | |
| relay.envRaw | list | `[]` | |
| relay.image.pullPolicy | string | `"IfNotPresent"` | |
| relay.image.repository | string | `"netbirdio/relay"` | |
| relay.image.tag | string | `""` | |
| relay.imagePullSecrets | list | `[]` | |
| relay.ingress.annotations | object | `{}` | |
| relay.ingress.className | string | `""` | |
| relay.ingress.enabled | bool | `false` | |
| relay.ingress.hosts[0].host | string | `"example.com"` | |
| relay.ingress.hosts[0].paths[0].path | string | `"/relay"` | |
| relay.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| relay.ingress.tls | list | `[]` | |
| relay.livenessProbe.initialDelaySeconds | int | `5` | |
| relay.livenessProbe.periodSeconds | int | `5` | |
| relay.livenessProbe.tcpSocket.port | string | `"http"` | |
| relay.logLevel | string | `"info"` | |
| relay.metrics.containerPort | int | `33080` | |
| relay.metrics.enabled | bool | `false` | |
| relay.metrics.port | int | `9090` | |
| relay.nodeSelector | object | `{}` | |
| relay.podAnnotations | object | `{}` | |
| relay.podSecurityContext | object | `{}` | |
| relay.readinessProbe.initialDelaySeconds | int | `5` | |
| relay.readinessProbe.periodSeconds | int | `5` | |
| relay.readinessProbe.tcpSocket.port | string | `"http"` | |
| relay.replicaCount | int | `1` | |
| relay.resources | object | `{}` | |
| relay.securityContext | object | `{}` | |
| relay.service.name | string | `"http"` | |
| relay.service.port | int | `33080` | |
| relay.service.type | string | `"ClusterIP"` | |
| relay.serviceAccount.annotations | object | `{}` | |
| relay.serviceAccount.create | bool | `true` | |
| relay.serviceAccount.name | string | `""` | |
| relay.tolerations | list | `[]` | |
| signal.affinity | object | `{}` | |
| signal.containerPort | int | `80` | |
| signal.deploymentAnnotations | object | `{}` | |
| signal.enabled | bool | `true` | |
| signal.image.pullPolicy | string | `"IfNotPresent"` | |
| signal.image.repository | string | `"netbirdio/signal"` | |
| signal.image.tag | string | `""` | |
| signal.imagePullSecrets | list | `[]` | |
| signal.ingress.annotations | object | `{}` | |
| signal.ingress.className | string | `""` | |
| signal.ingress.enabled | bool | `false` | |
| signal.ingress.hosts[0].host | string | `"example.com"` | |
| signal.ingress.hosts[0].paths[0].path | string | `"/signalexchange.SignalExchange"` | |
| signal.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| signal.ingress.tls | list | `[]` | |
| signal.livenessProbe.initialDelaySeconds | int | `5` | |
| signal.livenessProbe.periodSeconds | int | `5` | |
| signal.livenessProbe.tcpSocket.port | string | `"grpc"` | |
| signal.logLevel | string | `"info"` | |
| signal.metrics.enabled | bool | `false` | |
| signal.metrics.port | int | `9090` | |
| signal.nodeSelector | object | `{}` | |
| signal.podAnnotations | object | `{}` | |
| signal.podSecurityContext | object | `{}` | |
| signal.readinessProbe.initialDelaySeconds | int | `5` | |
| signal.readinessProbe.periodSeconds | int | `5` | |
| signal.readinessProbe.tcpSocket.port | string | `"grpc"` | |
| signal.replicaCount | int | `1` | |
| signal.resources | object | `{}` | |
| signal.securityContext | object | `{}` | |
| signal.service.name | string | `"grpc"` | |
| signal.service.port | int | `80` | |
| signal.service.type | string | `"ClusterIP"` | |
| signal.serviceAccount.annotations | object | `{}` | |
| signal.serviceAccount.create | bool | `true` | |
| signal.serviceAccount.name | string | `""` | |
| signal.tolerations | list | `[]` | |
For more configuration options, refer to the `values.yaml` file.
You can find working examples [here](./examples)
## STUN/TURN Server
If you need to deploy a High Available stun/turn server, please refer to this [blog](https://medium.com/l7mp-technologies/deploying-a-scalable-stun-service-in-kubernetes-c7b9726fa41d)
## Contributing
We welcome contributions to improve this chart! Please submit a pull request to the GitHub repository with any changes or suggestions.


@@ -0,0 +1,44 @@
# Netbird Self-Hosted Setup
This example provides a fully configured and tested setup for deploying Netbird using the following components:
- **Service Mesh**: Istio
- **Database Storage**: SQLite
- **Identity Provider**: Zitadel
## Prerequisites
Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#zitadel) to configure your Zitadel Identity Provider and generate the necessary parameters:
- `idpClientID`
- `idpServiceUser`
- `idpServiceUserSecret`
- `idpProjectID`
## Kubernetes Secret Configuration
This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:
- `idpClientID`: `xxxxxx` # The `clientID` from the Zitadel netbird application.
- `idpServiceUser`: `xxxxxx` # The `service user` from the Zitadel with permissions to read Zitadel directory.
- `idpServiceUserSecret`: `xxxxxx` # The `client secret` from the Zitadel netbird service user.
- `idpProjectID`: `xxxxxx` # The `project ID` from the Zitadel.
- `relayPassword`: `xxxxxx` # Password used to secure communication between peers in the relay service.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
> **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup.
## Deployment
Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:
- `netbird-dashboard.example.com` - The Netbird dashboard.
- `netbird.example.com` - The main Netbird services (management|relay|signal).
## Additional info
Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.


@@ -0,0 +1,212 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "12h0m0s",
"Secret": "secret",
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
]
},
"Relay": {
"Addresses": ["rels://netbird.example.com:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"Signal": {
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"HttpConfig": {
"AuthIssuer": "https://zitadel.example.com",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"OIDCConfigEndpoint": "https://zitadel.example.com/.well-known/openid-configuration",
"AuthKeysLocation": "https://zitadel.example.com/oauth/v2/keys",
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthUserIDClaim": "",
"IdpSignKeyRefreshEnabled": true,
"ExtraAuthAudience": "{{ .IDP_PROJECT_ID }}"
},
"IdpManagerConfig": {
"ManagerType": "zitadel",
"ClientConfig": {
"Issuer": "https://zitadel.example.com",
"TokenEndpoint": "https://zitadel.example.com/oauth/v2/token",
"ClientID": "{{ .IDP_SERVICE_USER }}",
"ClientSecret": "{{ .IDP_SERVICE_USER_SECRET }}",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"ManagementEndpoint": "https://zitadel.example.com/management/v1"
}
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "zitadel.example.com",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndidpInteractiveClientIDpoint": "https://zitadel.example.com/oauth/v2/token",
"DeviceAuthEndpoint": "https://zitadel.example.com/oauth/v2/device_authorization",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"Audience": "{{ .IDP_CLIENT_ID }}",
"DeviceAuthEndpoint": "",
"Scope": "openid profile email offline_access api groups zitadel:grants",
"UseIDToken": false,
"RedirectURLs": ["http://localhost:53000/", "http://localhost:54000/"],
"TokenEndpoint": "https://zitadel.example.com/oauth/v2/token",
"AuthorizationEndpoint": "https://zitadel.example.com/oauth/v2/authorize"
}
},
"StoreConfig": {
"Engine": "sqlite"
},
"ReverseProxy": {
"TrustedHTTPProxies": null,
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": null
}
}
image:
tag: 0.32.0
persistentVolume:
enabled: true
size: 5Gi
envFromSecret:
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
IDP_SERVICE_USER: netbird/idpServiceUser
IDP_SERVICE_USER_SECRET: netbird/idpServiceUserSecret
IDP_PROJECT_ID: netbird/idpProjectID
IDP_CLIENT_ID: netbird/idpClientID
signal:
image:
tag: 0.32.0
relay:
image:
tag: 0.32.0
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay
dashboard:
enabled: true
image:
tag: v2.9.0
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
# OIDC
AUTH_AUTHORITY: https://zitadel.example.com
USE_AUTH0: false
AUTH_SUPPORTED_SCOPES: openid profile email offline_access api groups
AUTH_REDIRECT_URI: /nb-auth
AUTH_SILENT_REDIRECT_URI: /nb-silent-auth
envFromSecret:
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_CLIENT_SECRET: netbird/idpClientSecret
extraManifests:
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
name: netbird-mgmt
spec:
gateways:
- istio-gw/ext-gw
hosts:
- "netbird.example.com"
http:
- match:
- uri:
prefix: /api
route:
- destination:
host: netbird-management
port:
number: 80
- match:
- uri:
prefix: /management.ManagementService
route:
- destination:
host: netbird-management
port:
number: 80
- match:
- uri:
prefix: /relay
route:
- destination:
host: netbird-relay
port:
number: 33080
- match:
- uri:
prefix: /signalexchange.SignalExchange
route:
- destination:
host: netbird-signal
port:
number: 80
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
name: netbird-dashboard-mgmt-vs
namespace: netbird
spec:
gateways:
- istio-gw/ext-gw
hosts:
- "netbird-dashboard.example.com"
http:
- match:
- uri:
prefix: /
route:
- destination:
host: netbird-dashboard
port:
number: 80
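Review bot: The key `"TokenEndidpInteractiveClientIDpoint"` in DeviceAuthorizationFlow.ProviderConfig is garbled, so the device-authorization flow in this example has no token endpoint configured; it should read `"TokenEndpoint": "https://zitadel.example.com/oauth/v2/token",`. `AUTH_CLIENT_SECRET: netbird/idpClientSecret` under dashboard.envFromSecret references a secret key that this example's README does not list among the required `netbird` secret keys, so the dashboard pod would presumably not start until that key exists — either document it or drop the entry. `"Secret": "secret"` in TURNConfig is a literal placeholder repeated in the Auth0, Authentik and Google examples; if it is used at all it should come from the secret like `RELAY_PASSWORD` rather than sit as a literal in the ConfigMap. `USE_AUTH0: false` is an unquoted YAML boolean here and in the Authentik example, while the Auth0 and Google examples write `"true"`/`"false"`; whether the chart renders a bare boolean as a valid string env value cannot be seen here, so the quoted form is the safer one.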


@@ -0,0 +1,44 @@
# Netbird Self-Hosted Setup
This example provides a fully configured and tested setup for deploying Netbird using the following components:
- **Ingress Controller**: Nginx
- **Database Storage**: SQLite
- **Identity Provider**: Auth0
## Prerequisites
Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#auth0) to configure your Auth0 Identity Provider and generate the necessary parameters:
- `idpClientID`
- `idpClientSecret`
- `idpInteractiveClientID`
- `idpDashboardClientID`
## Kubernetes Secret Configuration
This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:
- `idpClientID`: `xxxxxx` # The `clientId` from the Auth0 netbird application.
- `idpClientSecret`: `xxxxxx` # The `clientSecret` from the Auth0 netbird application.
- `idpInteractiveClientID`: `xxxxxx` # The `clientId` from the Auth0 netbird interactive application.
- `idpDashboardClientID`: `xxxxxx` # The `clientId` from the Auth0 netbird dashboard application.
- `relayPassword`: `xxxxxx` # Password used to secure communication between peers in the relay service.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
> **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup.
## Deployment
Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:
- `netbird-dashboard.example.com` - The Netbird dashboard.
- `netbird.example.com` - The main Netbird services (management|relay|signal).
## Additional info
Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.


@@ -0,0 +1,253 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": null
}
],
"Relay": {
"Addresses": ["rels://netbird.example.com:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"TURNConfig": {
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
],
"CredentialsTTL": "12h",
"Secret": "secret",
"TimeBasedCredentials": false
},
"Signal": {
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": "",
"Password": null
},
"ReverseProxy": {
"TrustedHTTPProxies": [],
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": ["0.0.0.0/0"]
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"StoreConfig": {
"Engine": "sqlite"
},
"HttpConfig": {
"Address": "0.0.0.0:33073",
"AuthIssuer": "https://example.eu.auth0.com/",
"AuthAudience": "netbird-banking",
"AuthKeysLocation": "https://example.eu.auth0.com/.well-known/jwks.json",
"AuthUserIDClaim": "",
"CertFile": "",
"CertKey": "",
"IdpSignKeyRefreshEnabled": false,
"OIDCConfigEndpoint": "https://example.eu.auth0.com/.well-known/openid-configuration"
},
"IdpManagerConfig": {
"ManagerType": "auth0",
"ClientConfig": {
"Issuer": "https://example.eu.auth0.com/",
"TokenEndpoint": "https://example.eu.auth0.com/oauth/token",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "{{ .IDP_CLIENT_SECRET }}",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"Audience": "https://example.eu.auth0.com/api/v2/"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"Audience": "netbird-banking",
"AuthorizationEndpoint": "",
"Domain": "",
"ClientID": "{{ .IDP_INTERACTIVE_CLIENT_ID }}",
"ClientSecret": "",
"TokenEndpoint": "https://example.eu.auth0.com/oauth/token",
"DeviceAuthEndpoint": "https://example.eu.auth0.com/oauth/device/code",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"Audience": "netbird-banking",
"ClientID": "{{ .IDP_DASHBOARD_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"AuthorizationEndpoint": "https://example.eu.auth0.com/authorize",
"TokenEndpoint": "https://example.eu.auth0.com/oauth/token",
"Scope": "openid groups profile email offline_access api email_verified groups",
"RedirectURLs": ["http://localhost:53000"],
"UseIDToken": false
}
}
}
envFromSecret:
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
IDP_CLIENT_ID: netbird/idpClientID
IDP_CLIENT_SECRET: netbird/idpClientSecret
IDP_INTERACTIVE_CLIENT_ID: netbird/idpInteractiveClientID
IDP_DASHBOARD_CLIENT_ID: netbird/idpDashboardClientID
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
podCommand:
args:
- --port=80
- --log-file=console
- --log-level=error
- --disable-anonymous-metrics=false
- --dns-domain=netbird.selfhosted"
image:
tag: 0.32.0
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird.example.com
paths:
- path: /api
pathType: ImplementationSpecific
tls:
- secretName: netbird-api-tls
hosts:
- netbird.example.com
ingressGrpc:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /management.ManagementService
pathType: ImplementationSpecific
tls:
- secretName: netbird-grpc-tls
hosts:
- netbird.example.com
persistentVolume:
enabled: true
useBackwardsGrpcService: true
signal:
image:
tag: 0.32.0
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /signalexchange.SignalExchange
pathType: ImplementationSpecific
tls:
- secretName: netbird-signal-tls
hosts:
- netbird.example.com
relay:
resources:
requests:
cpu: 300m
memory: 128Mi
limits:
cpu: 1000m
memory: 256Mi
image:
tag: 0.32.0
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird.example.com
paths:
- path: /relay
pathType: ImplementationSpecific
tls:
- secretName: netbird-relay-tls
hosts:
- netbird.example.com
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay
dashboard:
enabled: true
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird-dashboard.example.com
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: netbird-dashboard-tls
hosts:
- netbird-dashboard.example.com
image:
tag: v2.9.0
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
# OIDC
AUTH_CLIENT_SECRET:
AUTH_AUTHORITY: https://example.eu.auth0.com/
AUTH_AUDIENCE: netbird-banking
USE_AUTH0: "true"
AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
AUTH_REDIRECT_URI:
AUTH_SILENT_REDIRECT_URI:
NETBIRD_TOKEN_SOURCE: accessToken
NGINX_SSL_PORT:
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_CLIENT_ID: netbird/idpDashboardClientID
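Review bot: `"TrustedPeers": ["0.0.0.0/0"]` in ReverseProxy trusts forwarded-client headers from every source address, so any client that can reach the management service can present an arbitrary apparent source IP; it should be narrowed to the addresses the ingress-nginx controller actually connects from, and the same value appears in the Google example. The `podCommand.args` entry `- --dns-domain=netbird.selfhosted"` carries a stray trailing quote that becomes part of the argument value; it should read `- --dns-domain=netbird.selfhosted` (same in the Google example). The bare entries `AUTH_CLIENT_SECRET:`, `AUTH_REDIRECT_URI:`, `AUTH_SILENT_REDIRECT_URI:`, `NGINX_SSL_PORT:`, `LETSENCRYPT_DOMAIN:` and `LETSENCRYPT_EMAIL:` under dashboard.env parse as YAML null rather than empty strings, and how the chart renders a null env value is not visible here; writing `""` or omitting the keys is unambiguous (also in the Authentik and Google examples). `Scope` in PKCEAuthorizationFlow.ProviderConfig lists `groups` twice, which is harmless but looks like a leftover.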


@@ -0,0 +1,43 @@
# Netbird Self-Hosted Setup
This example provides a fully configured and tested setup for deploying Netbird using the following components:
- **Ingress Controller**: Nginx Ingress
- **Database Storage**: External PostgreSQL
- **Identity Provider**: Authentik
## Prerequisites
Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#authentik) to configure your Authentik Identity Provider and generate the necessary parameters:
- `idpClientID`
- `idpServiceAccountUser`
- `idpServiceAccountPassword`
## Kubernetes Secret Configuration
This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:
- `idpClientID`: `xxxxxx` # The `clientId` from the Authentik application.
- `idpServiceAccountPassword`: `xxxxxx` # Service account password from Authentik.
- `idpServiceAccountUser`: `xxxxxx` # Service account user from Authentik.
- `postgresDSN`: `xxxxxx` # PostgreSQL DSN, e.g., `postgresql://netbird:xxx0@192.168.1.20:5432/netbird`.
- `relayPassword`: `xxxxxx` # Password used to secure communication between peers in the relay service.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
> **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup.
## Deployment
Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:
- `netbird-dashboard.example.com` - The Netbird dashboard.
- `netbird.example.com` - The main Netbird services (management|relay|signal).
## Additional info
Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.


@@ -0,0 +1,242 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "12h0m0s",
"Secret": "secret",
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
]
},
"Relay": {
"Addresses": ["rels://netbird.example.com:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"Signal": {
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"AuthIssuer": "https://idp.example.com/application/o/example-netbird/",
"AuthUserIDClaim": "",
"AuthKeysLocation": "https://idp.example.com/application/o/example-netbird/jwks/",
"OIDCConfigEndpoint": "https://idp.example.com/application/o/example-netbird/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": false
},
"IdpManagerConfig": {
"ManagerType": "authentik",
"ClientConfig": {
"Issuer": "https://idp.example.com/application/o/example-netbird",
"TokenEndpoint": "https://idp.example.com/application/o/token/",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"Password": "{{ .IDP_SERVICE_ACCOUNT_PASSWORD }}",
"Username": "{{ .IDP_SERVICE_ACCOUNT_USER }}"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "idp.example.com",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://idp.example.com/application/o/token/",
"DeviceAuthEndpoint": "https://idp.example.com/application/o/device/",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://idp.example.com/application/o/token/",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "https://idp.example.com/application/o/authorize/",
"Scope": "openid profile email offline_access api",
"UseIDToken": false,
"RedirectURLs": ["http://localhost:53000"]
}
},
"StoreConfig": {
"Engine": "postgres"
},
"ReverseProxy": {
"TrustedHTTPProxies": null,
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": null
}
}
image:
tag: 0.32.0
ingress:
enabled: true
className: public
annotations:
cert-manager.io/cluster-issuer: example-issuer
hosts:
- host: netbird.example.com
paths:
- path: /api
pathType: ImplementationSpecific
tls:
- secretName: netbird-api-tls
hosts:
- netbird.example.com
ingressGrpc:
enabled: true
className: public
annotations:
cert-manager.io/cluster-issuer: example-issuer
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /management.ManagementService
pathType: ImplementationSpecific
tls:
- secretName: netbird-grpc-tls
hosts:
- netbird.example.com
persistentVolume:
enabled: false
envFromSecret:
NETBIRD_STORE_ENGINE_POSTGRES_DSN: netbird/postgresDSN
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
IDP_CLIENT_ID: netbird/idpClientID
IDP_SERVICE_ACCOUNT_USER: netbird/idpServiceAccountUser
IDP_SERVICE_ACCOUNT_PASSWORD: netbird/idpServiceAccountPassword
useBackwardsGrpcService: true
signal:
image:
tag: 0.32.0
ingress:
enabled: true
className: public
annotations:
cert-manager.io/cluster-issuer: example-issuer
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /signalexchange.SignalExchange
pathType: ImplementationSpecific
tls:
- secretName: netbird-signal-tls
hosts:
- netbird.example.com
relay:
image:
tag: 0.32.0
ingress:
enabled: true
className: public
annotations:
cert-manager.io/cluster-issuer: example-issuer
hosts:
- host: netbird.example.com
paths:
- path: /relay
pathType: ImplementationSpecific
tls:
- secretName: netbird-relay-tls
hosts:
- netbird.example.com
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay
dashboard:
enabled: true
ingress:
enabled: true
className: public
annotations:
cert-manager.io/cluster-issuer: example-issuer
hosts:
- host: netbird-dashboard.example.com
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: netbird-dashboard-tls
hosts:
- netbird-dashboard.example.com
image:
tag: v2.9.0
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
# OIDC
AUTH_CLIENT_SECRET:
AUTH_AUTHORITY: https://idp.example.com/application/o/example-netbird/
USE_AUTH0: false
AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
AUTH_REDIRECT_URI:
AUTH_SILENT_REDIRECT_URI:
NETBIRD_TOKEN_SOURCE: accessToken
NGINX_SSL_PORT:
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_AUDIENCE: netbird/idpClientID
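Review bot: The issuer is spelled inconsistently in this file: `"AuthIssuer": "https://idp.example.com/application/o/example-netbird/"` and `AUTH_AUTHORITY` carry a trailing slash while `"Issuer": "https://idp.example.com/application/o/example-netbird"` in IdpManagerConfig.ClientConfig does not; OIDC issuer comparison is an exact string match, so all three should be the single value the Authentik provider advertises in its discovery document (which spelling is right cannot be seen from here). `"IdpSignKeyRefreshEnabled": false` presumably means the signing keys are not re-fetched after a key rotation at the IdP, whereas the Zitadel and Google examples set it to `true`; unless this example has a reason to differ, `true` is the safer choice — worth confirming against the management service's behaviour. A one-line comment above `persistentVolume.enabled: false` noting that the external Postgres store is why no volume is needed here would help readers comparing this file with the SQLite examples.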


@@ -0,0 +1,46 @@
# Netbird Self-Hosted Setup
This example provides a fully configured and tested setup for deploying Netbird using the following components:
- **Ingress Controller**: Nginx
- **Database Storage**: SQLite
- **Identity Provider**: Google
## Prerequisites
Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#google-workspace) to configure your Google Identity Provider and generate the necessary parameters:
- `idpClientID`
- `idpClientSecret`
- `CustomerId`
Additionally, you will need the service account key downloaded as part of the documented steps for setting up the Google IDP.
## Kubernetes Secret Configuration
This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:
- `idpClientID`: `xxxxxx` # The `clientId` from the Auth0 netbird application.
- `idpClientSecret`: `xxxxxx` # The `clientSecret` from the Auth0 netbird application.
- `relayPassword`: `xxxxxx` # Password used to secure communication between peers in the relay service.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
- `customerID`: `xxxxxxx` # The Google Workspace Customer ID belong to the directory of users that will be enumerated for access to Netbird. Found [here](https://support.google.com/a/answer/10070793?hl=en).
You will also be required to set up a kubernetes secret for `netbird-gcp-service-account` which contains the `sa.json` belong to the service account generated in the prerequisites.
> **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup.
## Deployment
Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:
- `netbird-dashboard.example.com` - The Netbird dashboard.
- `netbird.example.com` - The main Netbird services (management|relay|signal).
## Additional info
Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.


@@ -0,0 +1,254 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": null
}
],
"Relay": {
"Addresses": ["rels://netbird.example.com:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"TURNConfig": {
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
],
"CredentialsTTL": "12h",
"Secret": "secret",
"TimeBasedCredentials": false
},
"Signal": {
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": "",
"Password": null
},
"ReverseProxy": {
"TrustedHTTPProxies": [],
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": ["0.0.0.0/0"]
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"StoreConfig": {
"Engine": "sqlite"
},
"HttpConfig": {
"Address": "0.0.0.0:33073",
"AuthIssuer": "https://accounts.google.com",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs",
"AuthUserIDClaim": "",
"CertFile": "",
"CertKey": "",
"IdpSignKeyRefreshEnabled": true,
"OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration"
},
"IdpManagerConfig": {
"ManagerType": "google",
"ClientConfig": {
"Issuer": "https://accounts.google.com",
"TokenEndpoint": "https://oauth2.googleapis.com/token",
"ClientID": "",
"ClientSecret": "",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"CustomerId": "{{ .CUSTOMER_ID }}",
"ServiceAccountKey": "{{ .SERVICE_ACCOUNT_KEY }}"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"Audience": "{{ .IDP_CLIENT_ID }}",
"AuthorizationEndpoint": "",
"Domain": "",
"ClientID": "",
"ClientSecret": "",
"TokenEndpoint": "https://oauth2.googleapis.com/token",
"DeviceAuthEndpoint": "https://oauth2.googleapis.com/device/code",
"Scope": "openid",
"UseIDToken": true,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"Audience": "{{ .IDP_CLIENT_ID }}",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "{{ .IDP_CLIENT_SECRET }}",
"Domain": "",
"AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"TokenEndpoint": "https://oauth2.googleapis.com/token",
"Scope": "openid profile email",
"RedirectURLs": ["http://localhost:53000"],
"UseIDToken": true
}
}
}
envFromSecret:
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
IDP_CLIENT_ID: netbird/idpClientID
IDP_CLIENT_SECRET: netbird/idpClientSecret
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
SERVICE_ACCOUNT_KEY: netbird-gcp-service-account/sa.json
CUSTOMER_ID: netbird/customerID
podCommand:
args:
- --port=80
- --log-file=console
- --log-level=error
- --disable-anonymous-metrics=false
- --dns-domain=netbird.selfhosted"
image:
tag: 0.36.5
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird.example.com
paths:
- path: /api
pathType: ImplementationSpecific
tls:
- secretName: netbird-api-tls
hosts:
- netbird.example.com
ingressGrpc:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /management.ManagementService
pathType: ImplementationSpecific
tls:
- secretName: netbird-grpc-tls
hosts:
- netbird.example.com
persistentVolume:
enabled: true
useBackwardsGrpcService: true
signal:
image:
tag: 0.36.5
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /signalexchange.SignalExchange
pathType: ImplementationSpecific
tls:
- secretName: netbird-signal-tls
hosts:
- netbird.example.com
relay:
resources:
requests:
cpu: 300m
memory: 128Mi
limits:
cpu: 1000m
memory: 256Mi
image:
tag: 0.36.5
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird.example.com
paths:
- path: /relay
pathType: ImplementationSpecific
tls:
- secretName: netbird-relay-tls
hosts:
- netbird.example.com
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay
dashboard:
enabled: true
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird-dashboard.example.com
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: netbird-dashboard-tls
hosts:
- netbird-dashboard.example.com
image:
tag: v2.9.0
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
# OIDC
AUTH_AUTHORITY: https://accounts.google.com
USE_AUTH0: "false"
AUTH_SUPPORTED_SCOPES: "openid profile email"
AUTH_REDIRECT_URI: /auth
AUTH_SILENT_REDIRECT_URI: /silent-auth
NETBIRD_TOKEN_SOURCE: idToken
NGINX_SSL_PORT: "443"
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_AUDIENCE: netbird/idpClientID
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_CLIENT_SECRET: netbird/idpClientSecret
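Review bot: `SERVICE_ACCOUNT_KEY: netbird-gcp-service-account/sa.json` injects the Google service-account key through the environment and the ConfigMap then interpolates it into the quoted JSON string `"ServiceAccountKey": "{{ .SERVICE_ACCOUNT_KEY }}"`; if the secret holds the raw `sa.json` content (double quotes and newlines), the rendered management.json is not valid JSON unless the templating escapes the value, so the README should state the exact encoding the secret must contain (raw JSON or base64 — cannot be determined here). Passing a long-lived cloud credential as an environment variable also exposes it to anything that can read the pod's environment; mounting the secret as a file and pointing the config at the path would keep it out of `env`. `AUTH_CLIENT_SECRET: netbird/idpClientSecret` hands the same `idpClientSecret` that IdpManagerConfig and PKCEAuthorizationFlow use to the browser-delivered dashboard, so that value cannot be treated as confidential to the backend — confirm this sharing is intended. `"TrustedPeers": ["0.0.0.0/0"]` and the stray quote in `--dns-domain=netbird.selfhosted"` repeat the defects noted on the Auth0 example.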


@@ -0,0 +1,42 @@
# Netbird Self-Hosted Setup
This example provides a fully configured and tested setup for deploying Netbird using the following components:
- **Ingress Controller**: Nginx
- **Database Storage**: SQLite
- **Identity Provider**: Okta
## Prerequisites
Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#okta) to configure your Okta Identity Provider and generate the necessary parameters:
- `idpClientID`
- `oktaApiToken`
- `idpNativeAppClientID`
## Kubernetes Secret Configuration
This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:
- `idpClientID`: `xxxxxx` # The `clientId` from the Okta netbird application.
- `oktaApiToken`: `xxxxxx`# The Okta API Token with permissions to read okta directory.
- `idpNativeAppClientID`: `xxxxxx` # The `clientId` from the Okta netbird nativeapp application.
- `relayPassword`: `xxxxxx` # Password used to secure communication between peers in the relay service.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
> **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup.
## Deployment
Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:
- `netbird-dashboard.example.com` - The Netbird dashboard.
- `netbird.example.com` - The main Netbird services (management|relay|signal).
## Additional info
Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.


@@ -0,0 +1,258 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": null
}
],
"TURNConfig": {
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
],
"CredentialsTTL": "12h",
"Secret": "secret",
"TimeBasedCredentials": false
},
"Relay": {
"Addresses": [
"rels://netbird.example.com:443/relay"
],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"Signal": {
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": "",
"Password": null
},
"ReverseProxy": {
"TrustedHTTPProxies": [],
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": [
"0.0.0.0/0"
]
},
"Datadir": "",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"StoreConfig": {
"Engine": "sqlite"
},
"HttpConfig": {
"Address": "0.0.0.0:33073",
"AuthIssuer": "https://example.okta.com",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"AuthKeysLocation": "https://example.okta.com/oauth2/v1/keys",
"AuthUserIDClaim": "",
"IdpSignKeyRefreshEnabled": false,
"OIDCConfigEndpoint": "https://example.okta.com/.well-known/openid-configuration"
},
"IdpManagerConfig": {
"ManagerType": "okta",
"ClientConfig": {
"Issuer": "https://example.okta.com",
"TokenEndpoint": "https://example.okta.com/oauth2/v1/token",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"ApiToken": "{{ .OKTA_API_TOKEN }}"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"Audience": "{{ .IDP_NATIVEAPP_CLIENT_ID }}",
"AuthorizationEndpoint": "",
"Domain": "",
"ClientID": "nativeclientid",
"ClientSecret": "",
"TokenEndpoint": "https://example.okta.com/oauth2/v1/token",
"DeviceAuthEndpoint": "https://example.okta.com/oauth2/v1/device/authorize",
"Scope": "openid email groups",
"UseIDToken": true,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"Audience": "{{ .IDP_CLIENT_ID }}",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"AuthorizationEndpoint": "https://example.okta.com/oauth2/v1/authorize",
"TokenEndpoint": "https://example.okta.com/oauth2/v1/token",
"Scope": "openid profile email groups",
"RedirectURLs": [
"http://localhost:53000"
],
"UseIDToken": true
}
}
}
envFromSecret:
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
IDP_CLIENT_ID: netbird/idpClientID
OKTA_API_TOKEN: netbird/oktaApiToken
IDP_NATIVEAPP_CLIENT_ID: netbird/idpNativeAppClientID`
podCommand:
args:
- --port=80
- --log-file=console
- --log-level=info
- --disable-anonymous-metrics=false
- --dns-domain=netbird.selfhosted"
image:
tag: 0.32.0
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird.example.com
paths:
- path: /api
pathType: ImplementationSpecific
tls:
- secretName: netbird-api-tls
hosts:
- netbird.example.com
ingressGrpc:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /management.ManagementService
pathType: ImplementationSpecific
tls:
- secretName: netbird-grpc-tls
hosts:
- netbird.example.com
persistentVolume:
enabled: true
useBackwardsGrpcService: true
signal:
image:
tag: 0.32.0
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: GRPC
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: netbird.example.com
paths:
- path: /signalexchange.SignalExchange
pathType: ImplementationSpecific
tls:
- secretName: netbird-signal-tls
hosts:
- netbird.example.com
relay:
resources:
requests:
cpu: 300m
memory: 128Mi
limits:
cpu: 1000m
memory: 128Mi
image:
tag: 0.32.0
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird.example.com
paths:
- path: /relay
pathType: ImplementationSpecific
tls:
- secretName: netbird-relay-tls
hosts:
- netbird.example.com
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay
dashboard:
enabled: true
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: netbird-dashboard.example.com
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: netbird-dashboard-tls
hosts:
- netbird-dashboard.example.com
image:
tag: v2.9.0
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
# OIDC
AUTH_CLIENT_SECRET:
AUTH_AUTHORITY: https://example.okta.com
USE_AUTH0: "false"
AUTH_SUPPORTED_SCOPES: openid profile email groups
AUTH_REDIRECT_URI: /auth
AUTH_SILENT_REDIRECT_URI: /silent-auth
NETBIRD_TOKEN_SOURCE: idToken
# SSL
NGINX_SSL_PORT:
#Letsencrypt
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_AUDIENCE: netbird/idpNativeAppClientID`
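Review bot: The trailing backtick on `IDP_NATIVEAPP_CLIENT_ID: netbird/idpNativeAppClientID\`` and on the dashboard's `AUTH_AUDIENCE: netbird/idpNativeAppClientID\`` is part of the YAML value, so the chart's `split "/"` yields the secret key `idpNativeAppClientID\`` and the container fails with a missing-key error; drop both characters (the stray `"` in `--dns-domain=netbird.selfhosted"` is harmless as a plain scalar but looks like the same paste error). `"TrustedPeers": ["0.0.0.0/0"]` appears to tell the management server to honour forwarded-address headers from any source, so anything that can reach the service can spoof the address it records for a peer; narrowing it to the ingress controller's addresses or the cluster pod CIDR is the safer default for a "tested setup". `"Secret": "secret"` in `TURNConfig` and the literal `"ClientID": "nativeclientid"` in `DeviceAuthorizationFlow` look like placeholders that survived; the latter presumably should be `"ClientID": "{{ .IDP_NATIVEAPP_CLIENT_ID }}"` to match its `Audience`, and the former should either reference a secret like the other credentials or carry a comment saying when it is used.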


@@ -0,0 +1,42 @@
# Netbird Self-Hosted Setup
This example provides a fully configured and tested setup for deploying Netbird using the following components:
- **Ingress Controller**: Traefik
- **Database Storage**: External PostgreSQL
- **Identity Provider**: Authentik
## Prerequisites
Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#authentik) to configure your Authentik Identity Provider and generate the necessary parameters:
- `idpClientID`
- `idpServiceAccountUser`
- `idpServiceAccountPassword`
## Kubernetes Secret Configuration
This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:
- `idpClientID`: `xxxxxx` # The `clientId` from the Authentik application.
- `idpServiceAccountPassword`: `xxxxxx` # Service account password from Authentik.
- `idpServiceAccountUser`: `xxxxxx` # Service account user from Authentik.
- `postgresDSN`: `xxxxxx` # PostgreSQL DSN, e.g., `postgresql://netbird:xxx0@192.168.1.20:5432/netbird`.
- `relayPassword`: `xxxxxx` # Password used to secure communication between peers in the relay service.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
> **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup.
## Deployment
Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:
- `netbird.example.com` - The main Netbird services (dashboard|management|relay|signal).
## Additional info
Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.


@@ -0,0 +1,209 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "12h0m0s",
"Secret": "secret",
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
]
},
"Relay": {
"Addresses": ["rels://netbird.example.com:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"Signal": {
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"AuthIssuer": "https://idp.example.com/application/o/netbird/",
"AuthUserIDClaim": "",
"AuthKeysLocation": "https://idp.example.com/application/o/netbird/jwks/",
"OIDCConfigEndpoint": "https://idp.example.com/application/o/netbird/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": false
},
"IdpManagerConfig": {
"ManagerType": "authentik",
"ClientConfig": {
"Issuer": "https://idp.example.com/application/o/totmicro-traefik-netbird",
"TokenEndpoint": "https://idp.example.com/application/o/token/",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"Password": "{{ .IDP_SERVICE_ACCOUNT_PASSWORD }}",
"Username": "{{ .IDP_SERVICE_ACCOUNT_USER }}"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "idp.example.com",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://idp.example.com/application/o/token/",
"DeviceAuthEndpoint": "https://idp.example.com/application/o/device/",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://idp.example.com/application/o/token/",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "https://idp.example.com/application/o/authorize/",
"Scope": "openid profile email offline_access api",
"UseIDToken": false,
"RedirectURLs": ["http://localhost:53000"]
}
},
"StoreConfig": {
"Engine": "postgres"
},
"ReverseProxy": {
"TrustedHTTPProxies": null,
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": null
}
}
image:
tag: 0.32.0
persistentVolume:
enabled: false
envFromSecret:
NETBIRD_STORE_ENGINE_POSTGRES_DSN: netbird/postgresDSN
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
IDP_CLIENT_ID: netbird/idpClientID
IDP_SERVICE_ACCOUNT_USER: netbird/idpServiceAccountUser
IDP_SERVICE_ACCOUNT_PASSWORD: netbird/idpServiceAccountPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
signal:
image:
tag: 0.32.0
relay:
image:
tag: 0.32.0
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay
dashboard:
enabled: true
image:
tag: v2.9.0
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
# OIDC
AUTH_CLIENT_SECRET:
AUTH_AUTHORITY: https://idp.example.com/application/o/netbird/
USE_AUTH0: false
AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
AUTH_REDIRECT_URI:
AUTH_SILENT_REDIRECT_URI:
NETBIRD_TOKEN_SOURCE: accessToken
NGINX_SSL_PORT:
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_AUDIENCE: netbird/idpClientID
extraManifests:
- apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: netbird-traefik
labels:
argocd.argoproj.io/instance: netbird-traefik
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`netbird.example.com`) && !PathPrefix(`/api`) && !PathPrefix(`/management`) && !PathPrefix(`/signalexchange`) && !PathPrefix(`/relay`)
services:
- name: netbird-traefik-dashboard
namespace: netbird-traefik
passHostHeader: true
port: 80
- kind: Rule
match: Host(`netbird.example.com`) && PathPrefix(`/api`)
services:
- name: netbird-traefik-management
namespace: netbird-traefik
passHostHeader: true
port: 80
- kind: Rule
match: Host(`netbird.example.com`) && PathPrefix(`/relay`)
services:
- name: netbird-traefik-relay
namespace: netbird-traefik
passHostHeader: true
port: 33080
- kind: Rule
match: Host(`netbird.example.com`) && PathPrefix(`/management`)
services:
- name: netbird-traefik-management
namespace: netbird-traefik
passHostHeader: true
port: 80
scheme: h2c
- kind: Rule
match: Host(`netbird.example.com`) && PathPrefix(`/signalexchange`)
services:
- name: netbird-traefik-signal
namespace: netbird-traefik
passHostHeader: true
port: 80
scheme: h2c
tls:
secretName: netbird-tls
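Review bot: The IngressRoute backends `netbird-traefik-dashboard`, `netbird-traefik-management`, `netbird-traefik-relay` and `netbird-traefik-signal` in namespace `netbird-traefik` do not match this values file, which sets `fullnameOverride: netbird` so the chart renders `netbird-dashboard`, `netbird-management`, `netbird-relay` and `netbird-signal` in the release namespace; unless those services are created elsewhere, every route points at nothing. `"Issuer": "https://idp.example.com/application/o/totmicro-traefik-netbird"` in `IdpManagerConfig` also disagrees with the `/application/o/netbird/` issuer used by `HttpConfig.AuthIssuer` and the dashboard's `AUTH_AUTHORITY`, and reads like a slug left over from a real deployment; align it with the other two. `"Secret": "secret"` in `TURNConfig` is a literal placeholder next to credentials that are otherwise all pulled from the `netbird` Secret; either reference a secret key for it or, if it is unused while `TimeBasedCredentials` is false, say so in a comment.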


@@ -0,0 +1,173 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "netbird.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "netbird.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "netbird.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "netbird.common.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Common management labels
*/}}
{{- define "netbird.management.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.management.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Common signal labels
*/}}
{{- define "netbird.signal.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.signal.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Common relay labels
*/}}
{{- define "netbird.relay.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.relay.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Common dashboard labels
*/}}
{{- define "netbird.dashboard.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.dashboard.selectorLabels" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Management selector labels
*/}}
{{- define "netbird.management.selectorLabels" -}}
app.kubernetes.io/name: {{ include "netbird.name" . }}-management
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Signal selector labels
*/}}
{{- define "netbird.signal.selectorLabels" -}}
app.kubernetes.io/name: {{ include "netbird.name" . }}-signal
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Relay selector labels
*/}}
{{- define "netbird.relay.selectorLabels" -}}
app.kubernetes.io/name: {{ include "netbird.name" . }}-relay
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Dashboard selector labels
*/}}
{{- define "netbird.dashboard.selectorLabels" -}}
app.kubernetes.io/name: {{ include "netbird.name" . }}-dashboard
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the management service account to use
*/}}
{{- define "netbird.management.serviceAccountName" -}}
{{- if .Values.management.serviceAccount.create }}
{{- default (printf "%s-management" (include "netbird.fullname" .)) .Values.management.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.management.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the signal service account to use
*/}}
{{- define "netbird.signal.serviceAccountName" -}}
{{- if .Values.signal.serviceAccount.create }}
{{- default (printf "%s-signal" (include "netbird.fullname" .)) .Values.signal.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.signal.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the relay service account to use
*/}}
{{- define "netbird.relay.serviceAccountName" -}}
{{- if .Values.relay.serviceAccount.create }}
{{- default (printf "%s-relay" (include "netbird.fullname" .)) .Values.relay.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.relay.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the dashboard service account to use
*/}}
{{- define "netbird.dashboard.serviceAccountName" -}}
{{- if .Values.dashboard.serviceAccount.create }}
{{- default (printf "%s-dashboard" (include "netbird.fullname" .)) .Values.dashboard.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.dashboard.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden
*/}}
{{- define "netbird.namespace" -}}
{{- default .Release.Namespace .Values.global.namespace -}}
{{- end -}}
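Review bot: `netbird.dashboard.labels` omits the `app.kubernetes.io/version` stanza that `netbird.management.labels`, `netbird.signal.labels` and `netbird.relay.labels` all emit, so dashboard objects are the only ones without a version label; either add the same `{{- if .Chart.AppVersion }}` block or leave a comment that it is deliberate because the dashboard image is versioned separately (the examples pin `tag: v2.9.0`). `netbird.namespace` dereferences `.Values.global.namespace` unguarded, which errors with a nil-pointer evaluation if a user's values file has no `global` key and Helm does not inject one; worth confirming `values.yaml` declares `global:` or switching to `{{- default .Release.Namespace (.Values.global | default dict).namespace -}}`.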


@@ -0,0 +1,96 @@
{{- if .Values.dashboard.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "netbird.fullname" . }}-dashboard
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.dashboard.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.dashboard.replicaCount }}
selector:
matchLabels:
{{- include "netbird.dashboard.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.dashboard.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "netbird.dashboard.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.dashboard.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "netbird.dashboard.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.dashboard.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
{{- if .Values.dashboard.podCommand.args }}
command: ["/bin/sh", "-c"]
args:
{{- range .Values.dashboard.podCommand.args }}
- {{ . }}
{{- end }}
{{- end }}
securityContext:
{{- toYaml .Values.dashboard.securityContext | nindent 12 }}
image: "{{ .Values.dashboard.image.repository }}:{{ .Values.dashboard.image.tag }}"
imagePullPolicy: {{ .Values.dashboard.image.pullPolicy }}
{{- if or (.Values.dashboard.env) (.Values.dashboard.envRaw) (.Values.dashboard.envFromSecret) }}
env:
{{- range $key, $val := .Values.dashboard.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- if .Values.dashboard.envRaw }}
{{- with .Values.dashboard.envRaw }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- range $key, $val := .Values.dashboard.envFromSecret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ (split "/" $val)._0 }}
key: {{ (split "/" $val)._1 }}
{{- end }}
{{- end }}
{{- with .Values.dashboard.lifecycle }}
lifecycle: {{ toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.dashboard.containerPort }}
protocol: TCP
{{- if .Values.dashboard.livenessProbe }}
{{- with .Values.dashboard.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.dashboard.readinessProbe }}
{{- with .Values.dashboard.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.dashboard.resources | nindent 12 }}
{{- with .Values.dashboard.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.dashboard.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.dashboard.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
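Review bot: The `command: ["/bin/sh", "-c"]` wrapper makes only the first entry of `dashboard.podCommand.args` the script; with `sh -c`, any further entries become `$0`, `$1`, … of that script rather than being run, so a multi-element list silently drops commands, and the bare `- {{ . }}` is unquoted, so an entry containing `: ` or ` #` breaks the rendered YAML. Either document that `args` must be a single script string, or drop the wrapper and render `- {{ . | quote }}` as the management deployment does with plain `args`. The container is named `{{ .Chart.Name }}` while the management container is `{{ .Chart.Name }}-management`; `{{ .Chart.Name }}-dashboard` would be consistent. The pod also mounts its ServiceAccount token by default and nothing here suggests a static frontend needs one, so `automountServiceAccountToken: false` on the pod spec is a cheap hardening step (presumably safe, but confirm the image does not call the Kubernetes API).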


@@ -0,0 +1,45 @@
{{- if .Values.dashboard.enabled -}}
{{- if .Values.dashboard.ingress.enabled -}}
{{- $fullName := printf "%s-dashboard" (include "netbird.fullname" .) -}}
{{- $svcPort := .Values.dashboard.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.dashboard.labels" . | nindent 4 }}
{{- with .Values.dashboard.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.dashboard.ingress.className }}
{{- if .Values.dashboard.ingress.tls }}
tls:
{{- range .Values.dashboard.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.dashboard.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
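Review bot: `path: {{ .path }}`, `pathType: {{ .pathType }}` and `secretName: {{ .secretName }}` are rendered unquoted, so a path that starts with a YAML indicator or a secret name that looks like a number produces a parse error or a retyped value; `{{ .path | quote }}` and friends cost nothing. `ingressClassName: {{ .Values.dashboard.ingress.className }}` is also emitted even when `className` is empty; wrapping it as `{{- with .Values.dashboard.ingress.className }}ingressClassName: {{ . }}{{- end }}` omits the field and lets the cluster default class apply.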


@@ -0,0 +1,18 @@
{{- if .Values.dashboard.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "netbird.fullname" . }}-dashboard
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.dashboard.labels" . | nindent 4 }}
spec:
type: {{ .Values.dashboard.service.type }}
ports:
- port: {{ .Values.dashboard.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "netbird.dashboard.selectorLabels" . | nindent 4 }}
{{- end }}


@@ -0,0 +1,15 @@
{{- if .Values.dashboard.enabled -}}
{{- if .Values.dashboard.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "netbird.dashboard.serviceAccountName" . }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.dashboard.labels" . | nindent 4 }}
{{- with .Values.dashboard.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,12 @@
{{- if .Values.management.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "netbird.fullname" . }}-management
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
data:
management.json: |-
{{- .Values.management.configmap | nindent 4 }}
{{- end -}}


@@ -0,0 +1,123 @@
{{- if .Values.management.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "netbird.fullname" . }}-management
namespace: {{ include "netbird.namespace" . }}
{{- with .Values.management.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.management.replicaCount }}
selector:
matchLabels:
{{- include "netbird.management.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print .Template.BasePath "/management-cm.yaml") . | sha256sum }}
{{- with .Values.management.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "netbird.management.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.management.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "netbird.management.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.management.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}-management
securityContext:
{{- toYaml .Values.management.securityContext | nindent 12 }}
image: "{{ .Values.management.image.repository }}:{{ .Values.management.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.management.image.pullPolicy }}
{{- if hasKey .Values.management.podCommand "args" }}
args:
{{- range .Values.management.podCommand.args }}
- {{ . }}
{{- end }}
{{- end }}
{{- if or (.Values.management.env) (.Values.management.envRaw) (.Values.management.envFromSecret) }}
env:
{{- range $key, $val := .Values.management.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- if .Values.management.envRaw }}
{{- with .Values.management.envRaw }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- range $key, $val := .Values.management.envFromSecret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ (split "/" $val)._0 }}
key: {{ (split "/" $val)._1 }}
{{- end }}
{{- end }}
{{- with .Values.management.lifecycle }}
lifecycle: {{ toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.management.containerPort }}
protocol: TCP
- name: grpc
containerPort: {{ .Values.management.grpcContainerPort }}
protocol: TCP
- name: metrics
containerPort: {{ .Values.management.metrics.port }}
protocol: TCP
{{- if .Values.management.livenessProbe }}
{{- with .Values.management.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.management.readinessProbe }}
{{- with .Values.management.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.management.resources | nindent 12 }}
volumeMounts:
- mountPath: /etc/netbird
name: config
- mountPath: /var/lib/netbird
name: management
{{- with .Values.management.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.management.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.management.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "netbird.fullname" . }}-management
- name: management
{{- if .Values.management.persistentVolume.enabled }}
persistentVolumeClaim:
claimName: {{ include "netbird.fullname" . }}-management
{{- else }}
emptyDir: {}
{{- end }}
{{- end -}}
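Review bot: `checksum/config` hashes only the rendered ConfigMap, so rotating a key in the `netbird` Secret that `envFromSecret` references (relay password, datastore encryption key, IdP token) leaves running pods on the old value until something else restarts them; either document that a rollout must be triggered after a secret change, or add an annotation that hashes the `envFromSecret` map so at least a changed reference rolls the pods. `args` entries are rendered as bare `- {{ . }}`; `- {{ . | quote }}` keeps a flag containing `: `, ` #` or a leading indicator from breaking the YAML. `envFromSecret` values are split on `/` with no check that a `/` is present, so a value like `relayPassword` renders an empty `key:` and is rejected at admission rather than at template time; a `{{- if not (contains "/" $val) }}{{ fail (printf "envFromSecret.%s must be <secret>/<key>" $key) }}{{- end }}` guard gives a clearer error.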


@@ -0,0 +1,48 @@
{{- if .Values.management.enabled -}}
{{- if .Values.management.ingressGrpc.enabled -}}
{{- $fullName := printf "%s-management-grpc" (include "netbird.fullname" .) -}}
{{- $useBackwardsGrpcService := .Values.management.useBackwardsGrpcService -}}
{{- $svcNameGrpc := printf "%s-management-grpc" (include "netbird.fullname" .) -}}
{{- $svcPortGrpc := .Values.management.serviceGrpc.port -}}
{{- $svcName := printf "%s-management" (include "netbird.fullname" .) -}}
{{- $svcPort := .Values.management.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
{{- with .Values.management.ingressGrpc.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.management.ingressGrpc.className }}
{{- if .Values.management.ingressGrpc.tls }}
tls:
{{- range .Values.management.ingressGrpc.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.management.ingressGrpc.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ if $useBackwardsGrpcService }}{{ $svcNameGrpc }}{{ else }}{{ $svcName }}{{ end }}
port:
number: {{ if $useBackwardsGrpcService }}{{ $svcPortGrpc }}{{ else }}{{ $svcPort }}{{ end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
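Review bot: `$fullName` and `$svcNameGrpc` are the same `printf "%s-management-grpc"` expression, so one of them is redundant; keep `$fullName` for the Ingress name and `$svcNameGrpc` for the backend, or drop one. When `useBackwardsGrpcService` is false the gRPC path is routed to the plain `-management` Service on `service.port`, which only works if the port that `service.name` targets also carries gRPC (the deployment exposes `http` and `grpc` as separate named container ports); a comment on the values key saying which mode expects which port layout would prevent a confusing 502 on the `/management.ManagementService` path. `{{ .path }}`, `{{ .pathType }}` and `{{ .secretName }}` are unquoted here as in the other ingress templates; `| quote` is the usual defence.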


@@ -0,0 +1,44 @@
{{- if .Values.management.enabled -}}
{{- if .Values.management.ingress.enabled -}}
{{- $fullName := printf "%s-management" (include "netbird.fullname" .) -}}
{{- $svcPort := .Values.management.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
{{- with .Values.management.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.management.ingress.className }}
{{- if .Values.management.ingress.tls }}
tls:
{{- range .Values.management.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.management.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,23 @@
{{- if .Values.management.enabled -}}
{{- if .Values.management.persistentVolume.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "netbird.fullname" . }}-management
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
spec:
accessModes:
{{ toYaml .Values.management.persistentVolume.accessModes }}
{{- if or .Values.management.persistentVolume.storageClass (eq .Values.management.persistentVolume.storageClass "") }}
storageClassName: "{{ .Values.management.persistentVolume.storageClass }}"
{{- end }}
{{- if .Values.management.persistentVolume.existingPVName }}
volumeName: "{{ .Values.management.persistentVolume.existingPVName }}"
{{- end }}
resources:
requests:
storage: "{{ .Values.management.persistentVolume.size }}"
{{- end -}}
{{- end -}}
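Review bot: `{{ toYaml .Values.management.persistentVolume.accessModes }}` under `accessModes:` is rendered without `nindent`, so a list with more than one entry puts every line after the first at column 0 and the PVC fails to parse; `{{- toYaml .Values.management.persistentVolume.accessModes | nindent 4 }}` renders each entry at the right depth (a one-element default only works because the whole list fits on one line). The `or .storageClass (eq .storageClass "")` test is true for any string value, so the condition reduces to "storageClass is set to a string"; if the intent is to let `""` disable dynamic provisioning while an absent key uses the cluster default, `{{- if hasKey .Values.management.persistentVolume "storageClass" }}` says so directly and sidesteps what `eq` does when the value is nil.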


@@ -0,0 +1,18 @@
{{- if and .Values.management.enabled .Values.management.useBackwardsGrpcService -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "netbird.fullname" . }}-management-grpc
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
spec:
type: {{ .Values.management.serviceGrpc.type }}
ports:
- port: {{ .Values.management.serviceGrpc.port }}
targetPort: {{ .Values.management.serviceGrpc.name }}
protocol: TCP
name: {{ .Values.management.serviceGrpc.name }}
selector:
{{- include "netbird.management.selectorLabels" . | nindent 4 }}
{{- end }}


@@ -0,0 +1,24 @@
{{- if .Values.management.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "netbird.fullname" . }}-management
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
spec:
type: {{ .Values.management.service.type }}
ports:
- port: {{ .Values.management.service.port }}
targetPort: {{ .Values.management.service.name }}
protocol: TCP
name: {{ .Values.management.service.name }}
{{- if .Values.management.metrics.enabled }}
- port: {{ .Values.management.metrics.port }}
targetPort: metrics
protocol: TCP
name: metrics
{{- end }}
selector:
{{- include "netbird.management.selectorLabels" . | nindent 4 }}
{{- end }}


@@ -0,0 +1,15 @@
{{- if .Values.management.enabled -}}
{{- if .Values.management.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "netbird.management.serviceAccountName" . }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.management.labels" . | nindent 4 }}
{{- with .Values.management.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
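Review bot: The ServiceAccount is created with the default token automount, so every management pod receives a Kubernetes API credential it has no visible use for; nothing in these hunks shows the component calling the API, only the pod referencing the account by name. Setting `automountServiceAccountToken: false` on the ServiceAccount (under `metadata`'s sibling, at the top level of the object) keeps the token out of the container unless a future change needs it, at which point it can be exposed as a value. The same applies to the relay ServiceAccount hunk (L4833-4847) and the signal ServiceAccount hunk (L5060-5074). If any component does need API access, state which one in a comment next to the flag so the exception is documented rather than implied.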


@@ -0,0 +1,89 @@
{{- if .Values.relay.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "netbird.fullname" . }}-relay
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.relay.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.relay.replicaCount }}
selector:
matchLabels:
{{- include "netbird.relay.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.relay.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "netbird.relay.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.relay.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "netbird.relay.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.relay.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}-relay
securityContext:
{{- toYaml .Values.relay.securityContext | nindent 12 }}
image: "{{ .Values.relay.image.repository }}:{{ .Values.relay.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.relay.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.relay.containerPort }}
protocol: TCP
- name: metrics
containerPort: {{ .Values.relay.metrics.port}}
protocol: TCP
{{- if .Values.relay.livenessProbe }}
{{- with .Values.relay.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.relay.readinessProbe }}
{{- with .Values.relay.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.relay.resources | nindent 12 }}
{{- if or (.Values.relay.env) (.Values.relay.envRaw) (.Values.relay.envFromSecret) }}
env:
{{- range $key, $val := .Values.relay.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end }}
{{- if .Values.relay.envRaw }}
{{- with .Values.relay.envRaw }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- range $key, $val := .Values.relay.envFromSecret }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ (split "/" $val)._0 }}
key: {{ (split "/" $val)._1 }}
{{- end }}
{{- end }}
{{- with .Values.relay.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.relay.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.relay.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
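Review bot: The `envFromSecret` loop derives the secret reference with `(split "/" $val)._0` and `(split "/" $val)._1`, so a value that lacks the `/` separator renders an empty `key:` and the error only appears as an API rejection at install time rather than at render time; `key: {{ required (printf "relay.envFromSecret.%s must be secretName/secretKey" $key) (split "/" $val)._1 }}` fails with a message that names the offending entry (the same loop presumably exists in the management deployment outside this chunk). Separately, values.yaml defines `relay.logLevel` but this deployment passes no `--log-level` argument the way the signal deployment does; unless the relay reads it from `env`, the value is silently ignored and should either be wired in or dropped. The `{{- if .Values.relay.livenessProbe }}` wrapper around `{{- with .Values.relay.livenessProbe }}` (and the readiness equivalent) is redundant, since `with` already skips an empty value.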


@@ -0,0 +1,45 @@
{{- if .Values.relay.enabled -}}
{{- if .Values.relay.ingress.enabled -}}
{{- $fullName := printf "%s-relay" (include "netbird.fullname" .) -}}
{{- $svcPort := .Values.relay.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.relay.labels" . | nindent 4 }}
{{- with .Values.relay.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.relay.ingress.className }}
{{- if .Values.relay.ingress.tls }}
tls:
{{- range .Values.relay.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.relay.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,24 @@
{{- if .Values.relay.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "netbird.fullname" . }}-relay
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.relay.labels" . | nindent 4 }}
spec:
type: {{ .Values.relay.service.type }}
ports:
- port: {{ .Values.relay.service.port }}
targetPort: {{ .Values.relay.service.name }}
protocol: TCP
name: {{ .Values.relay.service.name }}
{{- if .Values.relay.metrics.enabled }}
- port: {{ .Values.relay.metrics.port}}
targetPort: metrics
protocol: TCP
name: metrics
{{- end}}
selector:
{{- include "netbird.relay.selectorLabels" . | nindent 4 }}
{{- end }}
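Review bot: `{{ .Values.relay.metrics.port}}` and `{{- end}}` drop the space before `}}` that every other action in this chart uses (compare the management service hunk's metrics block), and the relay deployment hunk has the same `{{ .Values.relay.metrics.port}}`. The rendered output is identical, so this is a style point only, but consistent delimiters make the templates greppable and keep formatters from producing noisy diffs later. Change to `- port: {{ .Values.relay.metrics.port }}` and `{{- end }}`.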


@@ -0,0 +1,15 @@
{{- if .Values.relay.enabled -}}
{{- if .Values.relay.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "netbird.relay.serviceAccountName" . }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.relay.labels" . | nindent 4 }}
{{- with .Values.relay.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,48 @@
{{- if .Values.metrics.serviceMonitor.enabled}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "netbird.name" . }}
namespace: {{ default (include "netbird.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }}
labels:
{{- include "netbird.common.labels" . | nindent 4 }}
{{- if .Values.metrics.serviceMonitor.labels }}
{{- toYaml .Values.metrics.serviceMonitor.labels | nindent 4 }}
{{- end }}
app.kubernetes.io/name: {{ include "netbird.name" . }}-monitor
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.metrics.serviceMonitor.annotations }}
annotations:
{{- toYaml .Values.metrics.serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }}
selector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- toYaml .Values.metrics.serviceMonitor.selector | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote}}
endpoints:
- port: metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }}
{{- end }}
{{- end }}
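Review bot: `namespaceSelector.matchNames` uses `.Release.Namespace`, while the Services this monitor is meant to find are created in `include "netbird.namespace" .` (the same helper this hunk uses for its own `metadata.namespace` on the line that also honours `metrics.serviceMonitor.namespace`); when `global.namespace` overrides the release namespace, Prometheus is pointed at a namespace that holds no NetBird services and scrapes nothing. Use the helper here as well: `- {{ include "netbird.namespace" . | quote }}`. The `selector.matchLabels` block matches every Service in the release by instance label and relies on the `metrics` port name to filter, which works but is worth a one-line comment so nobody later "tightens" it to a single component.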


@@ -0,0 +1,78 @@
{{- if .Values.signal.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "netbird.fullname" . }}-signal
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.signal.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.signal.replicaCount }}
selector:
matchLabels:
{{- include "netbird.signal.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.signal.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "netbird.signal.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.signal.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "netbird.signal.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.signal.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}-signal
securityContext:
{{- toYaml .Values.signal.securityContext | nindent 12 }}
image: "{{ .Values.signal.image.repository }}:{{ .Values.signal.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.signal.image.pullPolicy }}
args:
- "--port"
- "{{ .Values.signal.service.port }}"
- "--log-level"
- "{{ .Values.signal.logLevel }}"
- "--log-file"
- "console"
ports:
- name: grpc
containerPort: {{ .Values.signal.containerPort }}
protocol: TCP
- name: metrics
containerPort: {{ .Values.signal.metrics.port }}
protocol: TCP
{{- if .Values.signal.livenessProbe }}
{{- with .Values.signal.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.signal.readinessProbe }}
{{- with .Values.signal.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.signal.resources | nindent 12 }}
{{- with .Values.signal.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.signal.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.signal.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
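Review bot: The container is started with `--port` set to `.Values.signal.service.port`, but the declared container port and the Service's named `targetPort` resolve to `.Values.signal.containerPort`; the two agree only because both default to 80, and changing either one makes the process listen on a port nothing routes to. The argument should follow the container port: `- "{{ .Values.signal.containerPort }}"`. A comment on `containerPort` saying that it is the authoritative listen port would prevent the values from drifting apart again.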


@@ -0,0 +1,45 @@
{{- if .Values.signal.enabled -}}
{{- if .Values.signal.ingress.enabled -}}
{{- $fullName := printf "%s-signal" (include "netbird.fullname" .) -}}
{{- $svcPort := .Values.signal.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.signal.labels" . | nindent 4 }}
{{- with .Values.signal.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.signal.ingress.className }}
{{- if .Values.signal.ingress.tls }}
tls:
{{- range .Values.signal.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.signal.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,26 @@
{{- if .Values.signal.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "netbird.fullname" . }}-signal
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.signal.labels" . | nindent 4 }}
spec:
type: {{ .Values.signal.service.type }}
ports:
- port: {{ .Values.signal.service.port }}
targetPort: {{ .Values.signal.service.name }}
protocol: TCP
name: {{ .Values.signal.service.name }}
{{- if .Values.signal.metrics.enabled }}
- port: {{ .Values.signal.metrics.port }}
targetPort: metrics
protocol: TCP
name: metrics
{{- end }}
selector:
{{- include "netbird.signal.selectorLabels" . | nindent 4 }}
{{- end }}
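Review bot: `targetPort: {{ .Values.signal.service.name }}` resolves to a container port by name, but the signal deployment hunk hardcodes that port's name as `grpc`, so overriding `signal.service.name` silently breaks routing without any template error. Either the deployment should name the port `{{ .Values.signal.service.name }}` or this line should hardcode `targetPort: grpc`, so that one value cannot be changed without the other. The relay pair has the same coupling with `http` (container port name in the relay deployment hunk, `.Values.relay.service.name` in the relay service hunk).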


@@ -0,0 +1,16 @@
{{- if .Values.signal.enabled -}}
{{- if .Values.signal.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "netbird.signal.serviceAccountName" . }}
namespace: {{ include "netbird.namespace" . }}
labels:
{{- include "netbird.signal.labels" . | nindent 4 }}
{{- with .Values.signal.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,4 @@
{{- range .Values.extraManifests }}
---
{{ tpl (toYaml .) $ }}
{{- end }}
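Review bot: The accepted shape of `extraManifests` is undocumented: values.yaml defaults it to `{}`, while its commented example is a list of manifests, and `range` happens to render both (iterating map values or list items). Each entry also passes through `tpl`, so it is rendered with the full chart scope and can reference `.Values` and the chart's helpers, which callers need to know when writing manifests that contain literal `{{`. A header comment such as `{{- /* each extraManifests entry (list or map value) is rendered through tpl with chart scope */ -}}` would settle both points.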

826
charts/netbird/values.yaml Normal file

@@ -0,0 +1,826 @@
## @section NetBird Parameters
## @param global.namespace Kubernetes namespace for the NetBird components.
##
global:
namespace: ""
## @param nameOverride Override the name of the chart.
##
nameOverride: ""
## @param fullnameOverride Override the full name of the chart.
##
fullnameOverride: ""
## @section NetBird Management
management:
## @param management.enabled Enable or disable NetBird management component.
##
enabled: true
## @param management.podCommand Define the arguments for the management pod.
##
podCommand:
args:
- --port=80
- --log-file=console
- --log-level=info
- --disable-anonymous-metrics=false
- --single-account-mode-domain=netbird.example.com
- --dns-domain=netbird.selfhosted
configmap: |- # Placeholder for ConfigMap data
lifecycle: {} # Define lifecycle hooks (preStop, postStart) if needed.
## @param management.replicaCount Number of management pod replicas.
##
replicaCount: 1
## @param management.env Environment variables for the management pod.
##
env: {}
## @param management.envRaw Raw environment variables for the management pod.
##
envRaw: []
#- name: NETBIRD_STORE_ENGINE_POSTGRES_DSN
# valueFrom:
# secretKeyRef:
# name: netbird-management
# key: postgresDSN
## @param management.envFromSecret Environment variables from secrets.
##
envFromSecret: {}
#ENV_VAR: secretName/secretKey
image:
## @param management.image.repository Docker image repository for the management component.
##
repository: netbirdio/management
## @param management.image.pullPolicy Docker image pull policy.
##
pullPolicy: IfNotPresent
## @param management.image.tag Docker image tag. Overrides the default tag.
##
tag: ""
## @param management.imagePullSecrets Docker registry credentials for pulling the management image.
##
imagePullSecrets: []
serviceAccount:
## @param management.serviceAccount.create Whether to create a service account.
##
create: true
## @param management.serviceAccount.annotations Annotations for the service account.
##
annotations: {}
## @param management.serviceAccount.name Name of the service account to use.
##
name: ""
## @param management.deploymentAnnotations Annotations for the management deployment.
##
deploymentAnnotations: {}
## @param management.podAnnotations Annotations for the management pod(s).
##
podAnnotations: {}
## @param management.podSecurityContext Security context for the management pod(s).
##
podSecurityContext: {}
# fsGroup: 2000
## @param management.securityContext Security context for the management container.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
## @param management.useBackwardsGrpcService Use the backwards-compatible GRPC service.
useBackwardsGrpcService: false
metrics:
## @param signal.metrics.enabled enables/disables metrics
##
enabled: false
## @param signal.metrics.port target metrics port
##
port: 9090
## @param management.containerPort Container port for the management service.
##
containerPort: 80
service:
## @param management.service.type Service type for the management component.
##
type: ClusterIP
## @param management.service.port Port for the management service.
##
port: 80
## @param management.service.name Name for the management service.
##
name: http
## @param management.grpcContainerPort Container port for the management service.
##
grpcContainerPort: 33073
serviceGrpc:
## @param management.serviceGrpc.type Service type for the management component.
##
type: ClusterIP
## @param management.serviceGrpc.port Port for the management service.
##
port: 33073
## @param management.serviceGrpc.name Name for the management service.
##
name: grpc
ingress:
## @param management.ingress.enabled Enable or disable ingress for the management component.
##
enabled: false
## @param management.ingress.className Ingress class name.
##
className: ""
## @param management.ingress.annotations Annotations for the ingress resource.
##
annotations: {}
hosts:
## @param management.ingress.hosts[0].host Host for the ingress.
##
- host: example.com
paths:
## @param management.ingress.hosts[0].paths[0].path Path for the ingress.
##
- path: /
## @param management.ingress.hosts[0].paths[0].pathType Path type for the ingress.
##
pathType: ImplementationSpecific
## @param management.ingress.tls TLS settings for the ingress.
##
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
ingressGrpc:
## @param management.ingressGrpc.enabled Enable or disable GRPC ingress.
##
enabled: false
## @param management.ingressGrpc.className Ingress class name for GRPC.
##
className: ""
## @param management.ingressGrpc.annotations Annotations for the GRPC ingress resource.
##
annotations: {}
hosts:
## @param management.ingressGrpc.hosts[0].host Host for GRPC ingress.
##
- host: example.com
paths:
## @param management.ingressGrpc.hosts[0].paths[0].path Path for GRPC ingress.
##
- path: /
## @param management.ingressGrpc.hosts[0].paths[0].pathType Path type for GRPC ingress.
##
pathType: ImplementationSpecific
## @param management.ingressGrpc.tls TLS settings for GRPC ingress.
##
tls: []
## @param management.resources Resource requests and limits for the management pod.
##
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param management.nodeSelector Node selector for scheduling the management pod.
##
nodeSelector: {}
## @param management.tolerations Tolerations for scheduling the management pod.
##
tolerations: []
## @param management.affinity Affinity rules for scheduling the management pod.
##
affinity: {}
persistentVolume:
## @param management.persistentVolume.enabled Enable or disable persistent volume for the management pod.
##
enabled: true
## @param management.persistentVolume.accessModes Access modes for the persistent volume.
##
accessModes:
- ReadWriteOnce
## @param management.persistentVolume.size Size of the persistent volume.
##
size: 10Mi
## @param management.persistentVolume.storageClass Storage Class of the persistent volume.
##
storageClass: null
## @param management.persistentVolume.existingPVName The name of an existing persistent volume which should be claimed and used for the management pod.
##
existingPVName: ""
## @param management.dnsDomain DNS domain for the management component.
##
dnsDomain: netbird.selfhosted
## @param management.livenessProbe for the management component.
##
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 3
tcpSocket:
port: http
## @param management.readinessProbe for the management component.
##
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 3
tcpSocket:
port: http
## @section NetBird Signal
signal:
enabled: true
## @param signal.logLevel Log level for the signal component.
##
logLevel: info
## @param signal.replicaCount Number of signal pod replicas.
##
replicaCount: 1
image:
## @param signal.image.repository Docker image repository for the signal component.
##
repository: netbirdio/signal
## @param signal.image.pullPolicy Docker image pull policy for the signal component.
##
pullPolicy: IfNotPresent
## @param signal.image.tag Docker image tag for the signal component.
##
tag: ""
## @param signal.imagePullSecrets Docker registry credentials for pulling the signal image.
##
imagePullSecrets: []
serviceAccount:
## @param signal.serviceAccount.create Whether to create a service account for the signal component.
##
create: true
## @param signal.serviceAccount.annotations Annotations for the signal service account.
##
annotations: {}
## @param signal.serviceAccount.name Name of the signal service account.
##
name: ""
## @param signal.deploymentAnnotations Annotations for the signal deployment.
##
deploymentAnnotations: {}
## @param signal.podAnnotations Annotations for the signal pod(s).
##
podAnnotations: {}
## @param signal.podSecurityContext Security context for the signal pod(s).
##
podSecurityContext: {}
# fsGroup: 2000
## @param signal.securityContext Security context for the signal container.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
metrics:
## @param signal.metrics.enabled enables/disables metrics
##
enabled: false
## @param signal.metrics.port target metrics port
##
port: 9090
## @param signal.containerPort Container port for the signal service.
##
containerPort: 80
service:
## @param signal.service.type Service type for the signal component.
##
type: ClusterIP
name: grpc
## @param signal.service.port Port for the signal service.
##
port: 80
ingress:
## @param signal.ingress.enabled Enable or disable ingress for the signal component.
##
enabled: false
## @param signal.ingress.className Ingress class name for the signal component.
##
className: ""
## @param signal.ingress.annotations Annotations for the signal ingress resource.
##
annotations: {}
hosts:
## @param signal.ingress.hosts[0].host Host for the signal ingress.
##
- host: example.com
paths:
## @param signal.ingress.hosts[0].paths[0].path Path for the signal ingress.
##
- path: /signalexchange.SignalExchange
## @param signal.ingress.hosts[0].paths[0].pathType Path type for the signal ingress.
##
pathType: ImplementationSpecific
## @param signal.ingress.tls TLS settings for the signal ingress.
##
tls: []
## @
## param signal.resources Resource requests and limits for the signal pod.
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param signal.nodeSelector Node selector for scheduling the signal pod.
##
nodeSelector: {}
## @param signal.tolerations Tolerations for scheduling the signal pod.
##
tolerations: []
## @param signal.affinity Affinity rules for scheduling the signal pod.
##
affinity: {}
## @param management.livenessProbe for the signal component.
##
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 5
tcpSocket:
port: grpc
## @param dashboard.readinessProbe for the signal component.
##
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 5
tcpSocket:
port: grpc
## @section NetBird Relay Parameters
relay:
## @param relay.enabled Enable or disable the NetBird relay component.
##
enabled: true
## @param relay.replicaCount Number of relay pod replicas.
##
replicaCount: 1
## @param relay.logLevel Log level for the relay component.
##
logLevel: info
## @param relay.env Environment variables for the management pod.
##
env: {}
## @param relay.envRaw Raw environment variables for the management pod.
##
envRaw: []
## @param relay.envFromSecret Environment variables from secrets.
##
envFromSecret: {}
#ENV_VAR: secretName/secretKey
image:
## @param relay.image.repository Docker image repository for the relay component.
##
repository: netbirdio/relay
## @param relay.image.pullPolicy Docker image pull policy for the relay component.
##
pullPolicy: IfNotPresent
## @param relay.image.tag Docker image tag for the relay component.
##
tag: ""
## @param relay.imagePullSecrets Docker registry credentials for pulling the relay image.
##
imagePullSecrets: []
serviceAccount:
## @param relay.serviceAccount.create Whether to create a service account for the relay component.
##
create: true
## @param relay.serviceAccount.annotations Annotations for the relay service account.
##
annotations: {}
## @param relay.serviceAccount.name Name of the relay service account.
##
name: ""
## @param relay.deploymentAnnotations Annotations for the relay deployment.
##
deploymentAnnotations: {}
## @param relay.podAnnotations Annotations for the relay pod(s).
##
podAnnotations: {}
## @param relay.podSecurityContext Security context for the relay pod(s).
##
podSecurityContext: {}
# fsGroup: 2000
## @param relay.securityContext Security context for the relay container.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
metrics:
## @param signal.metrics.enabled enables/disables metrics
##
enabled: false
## @param signal.metrics.port target metrics port
##
port: 9090
## @param relay.containerPort Container port for the relay service.
##
containerPort: 33080
service:
## @param relay.service.type Service type for the relay component.
##
type: ClusterIP
## @param relay.service.port Port for the relay service.
##
port: 33080
## @param relay.service.name Name for the relay service.
##
name: http
ingress:
## @param relay.ingress.enabled Enable or disable ingress for the relay component.
##
enabled: false
## @param relay.ingress.className Ingress class name for the relay component.
##
className: ""
## @param relay.ingress.annotations Annotations for the relay ingress resource.
##
annotations: {}
hosts:
## @param relay.ingress.hosts[0].host Host for the relay ingress.
##
- host: example.com
paths:
## @param relay.ingress.hosts[0].paths[0].path Path for the relay ingress.
##
- path: /relay
## @param relay.ingress.hosts[0].paths[0].pathType Path type for the relay ingress.
##
pathType: ImplementationSpecific
## @param relay.ingress.tls TLS settings for the relay ingress.
##
tls: []
## @param relay.resources Resource requests and limits for the relay pod.
##
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param relay.nodeSelector Node selector for scheduling the relay pod.
##
nodeSelector: {}
## @param relay.tolerations Tolerations for scheduling the relay pod.
##
tolerations: []
## @param relay.affinity Affinity rules for scheduling the relay pod.
##
affinity: {}
## @param management.livenessProbe for the relay component.
##
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 5
tcpSocket:
port: http
## @param dashboard.readinessProbe for the relay component.
##
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 5
tcpSocket:
port: http
dashboard:
## @param dashboard.enabled Enable or disable the NetBird dashboard component.
##
enabled: true
## @param management.podCommand Define the arguments for the management pod.
##
podCommand:
args: []
# - sed -i 's/listen \[\:\:\]\:80 default_server\;//g' /etc/nginx/http.d/default.conf && /usr/bin/supervisord -c /etc/supervisord.conf
## @param replicaCount Number of replicas to deploy
replicaCount: 1
image:
## @param image.repository image repository
repository: netbirdio/dashboard
## @param image.pullPolicy image pull policy
pullPolicy: IfNotPresent
## @param image.tag image tag (immutable tags are recommended)
tag: "v2.9.0"
## @param imagePullSecrets image pull secrets
imagePullSecrets: []
serviceAccount:
## @param dashboard.serviceAccount.create Specifies whether a service account should be
## created
create: true
## @param dashboard.serviceAccount.annotations Annotations to add to the service account
annotations: {}
## @param serviceAccount.name The name of the service account to use.
# If not set and create is true, a name is generated using the fullname
# template
name: ""
## @param dashboard.podAnnotations Annotations for pods
## ref:
## https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
## Configure Pods Security Context
## ref:
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext
podSecurityContext: {}
# fsGroup: 2000
## Configure Container Security Context
## ref:
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param dashboard.securityContext
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
## @param dashboard.containerPort
containerPort: 80
service:
## @param dashboard.service.type
type: ClusterIP
## @param dashboard.service.port
port: 80
## @param dashboard.service.name
name: http
ingress:
## @param dashboard.ingress.enabled
enabled: false
## @param dashboard.ingress.className
className: ""
## @param dashboard.ingress.annotations
annotations: {}
# kubernetes.io/tls-acme: "true"
hosts:
## @param dashboard.ingress.hosts[0].host
- host: chart-example.local
## @param dashboard.ingress.hosts[0].host
paths:
## @param dashboard.ingress.hosts[0].paths[0].path
- path: /
## @param dashboard.ingress.hosts[0].paths[0].pathType
pathType: ImplementationSpecific
## @param dashboard.ingress.tls
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## @param dashboard.resources
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## @param dashboard.nodeSelector
nodeSelector: {}
## @param dashboard.tolerations
tolerations: []
## @param dashboard.affinity
affinity: {}
## @param dashboard.env
##
env: {}
## @param dashboard.envRaw
##
envRaw: []
## @param dashboard.envFromSecret
##
envFromSecret: {}
#ENV_VAR: secretName/secretKey
lifecycle: {} # Define lifecycle hooks (preStop, postStart) if needed.
## @param dashboard.livenessProbe for the management component.
##
livenessProbe:
periodSeconds: 5
httpGet:
path: /
port: http
## @param dashboard.readinessProbe for the management component.
##
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 5
httpGet:
path: /
port: http
## @section NetBird Extra Manifests to be included in the chart
extraManifests: {}
# - apiVersion: v1
# kind: ServiceAccount
# .....
## @section Prometheus metrics
metrics:
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
##
enabled: false
## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
##
namespace: ""
## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
##
annotations: {}
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
##
labels: {}
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
##
jobLabel: ""
## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
##
honorLabels: false
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
## e.g:
## interval: 10s
##
interval: ""
## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
## e.g:
## scrapeTimeout: 10s
##
scrapeTimeout: ""
## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
##
metricRelabelings: []
## @param metrics.serviceMonitor.relabelings Specify general relabeling
##
relabelings: []
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
## selector:
## prometheus: my-prometheus
##
selector: {}