├── .github └── workflows │ ├── release.yml │ └── validate.yml ├── README.md └── charts └── netbird ├── .helmignore ├── Chart.yaml ├── README.md ├── examples ├── istio │ └── zitadel │ │ ├── README.md │ │ └── values.yaml ├── nginx-ingress │ ├── auth0 │ │ ├── README.md │ │ └── values.yaml │ ├── authentik │ │ ├── README.md │ │ └── values.yaml │ ├── google │ │ ├── README.md │ │ └── values.yaml │ └── okta │ │ ├── README.md │ │ └── values.yaml └── traefik-ingress │ └── authentik │ ├── README.md │ └── values.yaml ├── templates ├── _helpers.tpl ├── dashboard-deployment.yaml ├── dashboard-ingress.yaml ├── dashboard-service.yaml ├── dashboard-serviceaccount.yaml ├── management-cm.yaml ├── management-deployment.yaml ├── management-ingress-grpc.yaml ├── management-ingress.yaml ├── management-pvc.yaml ├── management-service-grpc.yaml ├── management-service.yaml ├── management-serviceaccount.yaml ├── relay-deployment.yaml ├── relay-ingress.yaml ├── relay-service.yaml ├── relay-serviceaccount.yaml ├── service-monitor.yaml ├── signal-deployment.yaml ├── signal-ingress.yaml ├── signal-service.yaml ├── signal-serviceaccount.yaml └── xtraManifests.yaml └── values.yaml /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release Charts 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | 8 | jobs: 9 | check-release: 10 | runs-on: ubuntu-latest 11 | outputs: 12 | release_exists: ${{ steps.check_release.outputs.release_exists }} 13 | steps: 14 | - uses: actions/checkout@v4 15 | - name: Check if release with the same chart version exists 16 | id: check_release 17 | run: | 18 | VERSION=$(yq ".name + \"-\" + .version" charts/netbird/Chart.yaml) 19 | echo "Checking for release $VERSION..." 
20 | RELEASE=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ 21 | "https://api.github.com/repos/${{ github.repository }}/releases/tags/$VERSION") 22 | if [[ "$RELEASE" == *"Not Found"* ]]; then 23 | echo "No release found for version $VERSION. Continuing steps..." 24 | echo "release_exists=false" >> $GITHUB_ENV 25 | echo "release_exists=false" >> $GITHUB_OUTPUT 26 | else 27 | echo "Release for version $VERSION exists. Skipping steps..." 28 | echo "release_exists=true" >> $GITHUB_ENV 29 | echo "release_exists=true" >> $GITHUB_OUTPUT 30 | fi 31 | 32 | helm-validate: 33 | needs: [check-release] 34 | if: needs.check-release.outputs.release_exists == 'false' 35 | runs-on: ubuntu-latest 36 | steps: 37 | - uses: actions/checkout@v4 38 | - uses: bmuschko/setup-kubeconform@v1 39 | - name: Validate Helm Charts 40 | shell: bash 41 | run: | 42 | set -o pipefail 43 | for chart in $(find charts -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq); do helm dep up ${chart}; done 44 | for d in charts/*/ ; do 45 | echo "$d" 46 | helm lint --quiet "$d" 47 | helm template x "$d" --include-crds > helm_output.yaml 48 | echo "Validate K8s 1.30" 49 | cat helm_output.yaml | kubeconform -summary -strict -ignore-missing-schemas -kubernetes-version=1.30.0 -cache /tmp 50 | echo "Validate K8s 1.31" 51 | cat helm_output.yaml | kubeconform -summary -strict -ignore-missing-schemas -kubernetes-version=1.31.0 -cache /tmp 52 | done 53 | 54 | release: 55 | needs: [helm-validate] 56 | if: needs.check-release.outputs.release_exists == 'false' 57 | permissions: 58 | contents: write 59 | runs-on: ubuntu-latest 60 | steps: 61 | - name: Checkout 62 | uses: actions/checkout@v3 63 | with: 64 | fetch-depth: 0 65 | 66 | - name: Configure Git 67 | run: | 68 | git config user.name "$GITHUB_ACTOR" 69 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 70 | 71 | - name: Install Helm 72 | uses: azure/setup-helm@v4 73 | env: 74 | GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 
75 | 76 | - name: Run chart-releaser 77 | uses: helm/chart-releaser-action@v1.6.0 78 | env: 79 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 80 | -------------------------------------------------------------------------------- /.github/workflows/validate.yml: -------------------------------------------------------------------------------- 1 | name: CI Validate Charts Manifests 2 | on: 3 | pull_request: 4 | 5 | jobs: 6 | helm-validate: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v4 10 | - uses: bmuschko/setup-kubeconform@v1 11 | - name: Validate Helm Charts 12 | shell: bash 13 | run: | 14 | set -o pipefail 15 | for chart in $(find charts -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq);do helm dep up ${chart};done 16 | for d in charts/*/ ; do 17 | echo "$d" 18 | helm lint --quiet "$d" 19 | helm template x "$d" --include-crds > helm_output.yaml 20 | echo "Validate K8s 1.30" 21 | cat helm_output.yaml | kubeconform -summary -strict -ignore-missing-schemas -kubernetes-version=1.30.0 -cache /tmp 22 | echo "Validate K8s 1.31" 23 | cat helm_output.yaml | kubeconform -summary -strict -ignore-missing-schemas -kubernetes-version=1.31.0 -cache /tmp 24 | done 25 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # TOT MICRO Helm Charts 2 | 3 | Welcome to the TOTMICRO Helm repository, offering Helm charts to easily deploy and manage NetBird and its dashboard in your Kubernetes environment. 4 | 5 | ## How to Use 6 | 7 | To use these Helm charts, you will first need to add this repository to Helm. 8 | 9 | ### Add Helm Repository 10 | 11 | Run the following command to add this Helm repository: 12 | 13 | ```bash 14 | helm repo add totmicro https://totmicro.github.io/helms 15 | ``` 16 | 17 | ### Installing Charts 18 | 19 | Once the repository is added, you can install any of the charts as follows: 20 | 21 | 1. 
**NetBird Chart**: 22 | 23 | ```bash 24 | helm install netbird totmicro/netbird 25 | ``` 26 | 27 | ### Updating Charts 28 | 29 | To get the latest version of the charts, run: 30 | 31 | ```bash 32 | helm repo update 33 | ``` 34 | 35 | ### Uninstalling Charts 36 | 37 | You can uninstall the charts using Helm’s `uninstall` command: 38 | 39 | 1. **Uninstall NetBird**: 40 | 41 | ```bash 42 | helm uninstall netbird 43 | ``` 44 | 45 | ## Releasing New Helm Chart Versions 46 | 47 | New chart versions are automatically published through [GitHub Actions](./.github/workflows/release.yml). To deploy a new version, make sure to increment the chart version; otherwise, it will not be published. 48 | 49 | ## Contributing 50 | 51 | Feel free to open issues or pull requests if you would like to contribute to these Helm charts. 52 | 53 | -------------------------------------------------------------------------------- /charts/netbird/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/netbird/Chart.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v2 3 | name: netbird 4 | description: NetBird VPN management platform 5 | type: application 6 | version: 1.7.1 7 | appVersion: "0.45.1" 8 | icon: https://images.crunchbase.com/image/upload/c_pad,h_256,w_256,f_auto,q_auto:eco,dpr_1/kuu5tm1wt09ztp6ctlag 9 | -------------------------------------------------------------------------------- /charts/netbird/README.md: -------------------------------------------------------------------------------- 1 | # netbird 2 | 3 | ![Version: 1.7.1](https://img.shields.io/badge/Version-1.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.45.1](https://img.shields.io/badge/AppVersion-0.45.1-informational?style=flat-square) 4 | 5 | # NetBird Helm Chart 6 | 7 | This Helm chart installs and configures the [NetBird](https://github.com/netbirdio/netbird) services within a Kubernetes cluster. The chart includes the management, signal, and relay components of NetBird, providing secure peer-to-peer network connections across various environments. 
8 | 9 | ## Prerequisites 10 | 11 | - Helm 3.x 12 | - Kubernetes 1.19+ 13 | 14 | ## Installation 15 | 16 | To install the chart with the release name `netbird`: 17 | 18 | ```bash 19 | helm repo add totmicro https://totmicro.github.io/helms 20 | helm install netbird totmicro/netbird 21 | ``` 22 | 23 | You can override default values by specifying a `values.yaml` file: 24 | 25 | ```bash 26 | helm install netbird totmicro/netbird -f values.yaml 27 | ``` 28 | 29 | ### Uninstalling the Chart 30 | 31 | To uninstall/delete the `netbird` release: 32 | 33 | ```bash 34 | helm uninstall netbird 35 | ``` 36 | 37 | This will remove all the resources associated with the release. 38 | 39 | ## Configuration 40 | 41 | The following table lists the configurable parameters of the NetBird Helm chart and their default values. 42 | 43 | ## Values 44 | 45 | | Key | Type | Default | Description | 46 | |-----|------|---------|-------------| 47 | | dashboard.volumeMounts | list | `[]` | | 48 | | dashboard.volumes | list | `[]` | | 49 | | dashboard.affinity | object | `{}` | | 50 | | dashboard.containerPort | int | `80` | | 51 | | dashboard.enabled | bool | `true` | | 52 | | dashboard.env | object | `{}` | | 53 | | dashboard.envFromSecret | object | `{}` | | 54 | | dashboard.envRaw | list | `[]` | | 55 | | dashboard.image.pullPolicy | string | `"IfNotPresent"` | | 56 | | dashboard.image.repository | string | `"netbirdio/dashboard"` | | 57 | | dashboard.image.tag | string | `"v2.12.0"` | | 58 | | dashboard.imagePullSecrets | list | `[]` | | 59 | | dashboard.ingress.annotations | object | `{}` | | 60 | | dashboard.ingress.className | string | `""` | | 61 | | dashboard.ingress.enabled | bool | `false` | | 62 | | dashboard.ingress.hosts[0].host | string | `"chart-example.local"` | | 63 | | dashboard.ingress.hosts[0].paths[0].path | string | `"/"` | | 64 | | dashboard.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | 65 | | dashboard.ingress.tls | list | `[]` | | 66 | | 
dashboard.lifecycle | object | `{}` | | 67 | | dashboard.livenessProbe.httpGet.path | string | `"/"` | | 68 | | dashboard.livenessProbe.httpGet.port | string | `"http"` | | 69 | | dashboard.livenessProbe.periodSeconds | int | `5` | | 70 | | dashboard.nodeSelector | object | `{}` | | 71 | | dashboard.podAnnotations | object | `{}` | | 72 | | dashboard.podCommand.args | list | `[]` | | 73 | | dashboard.podSecurityContext | object | `{}` | | 74 | | dashboard.readinessProbe.httpGet.path | string | `"/"` | | 75 | | dashboard.readinessProbe.httpGet.port | string | `"http"` | | 76 | | dashboard.readinessProbe.initialDelaySeconds | int | `5` | | 77 | | dashboard.readinessProbe.periodSeconds | int | `5` | | 78 | | dashboard.replicaCount | int | `1` | | 79 | | dashboard.resources | object | `{}` | | 80 | | dashboard.securityContext | object | `{}` | | 81 | | dashboard.service.name | string | `"http"` | | 82 | | dashboard.service.port | int | `80` | | 83 | | dashboard.service.type | string | `"ClusterIP"` | | 84 | | dashboard.serviceAccount.annotations | object | `{}` | | 85 | | dashboard.serviceAccount.create | bool | `true` | | 86 | | dashboard.serviceAccount.name | string | `""` | | 87 | | dashboard.tolerations | list | `[]` | | 88 | | extraManifests | object | `{}` | | 89 | | fullnameOverride | string | `""` | | 90 | | global.namespace | string | `""` | | 91 | | management.volumeMounts | list | `[]` | | 92 | | management.volumes | list | `[]` | | 93 | | management.affinity | object | `{}` | | 94 | | management.configmap | string | `""` | | 95 | | management.containerPort | int | `80` | | 96 | | management.deploymentAnnotations | object | `{}` | | 97 | | management.enabled | bool | `true` | | 98 | | management.env | object | `{}` | | 99 | | management.envFromSecret | object | `{}` | | 100 | | management.envRaw | list | `[]` | | 101 | | management.grpcContainerPort | int | `33073` | | 102 | | management.image.pullPolicy | string | `"IfNotPresent"` | | 103 | | 
management.image.repository | string | `"netbirdio/management"` | | 104 | | management.image.tag | string | `""` | | 105 | | management.imagePullSecrets | list | `[]` | | 106 | | management.ingress.annotations | object | `{}` | | 107 | | management.ingress.className | string | `""` | | 108 | | management.ingress.enabled | bool | `false` | | 109 | | management.ingress.hosts[0].host | string | `"example.com"` | | 110 | | management.ingress.hosts[0].paths[0].path | string | `"/"` | | 111 | | management.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | 112 | | management.ingress.tls | list | `[]` | | 113 | | management.ingressGrpc.annotations | object | `{}` | | 114 | | management.ingressGrpc.className | string | `""` | | 115 | | management.ingressGrpc.enabled | bool | `false` | | 116 | | management.ingressGrpc.hosts[0].host | string | `"example.com"` | | 117 | | management.ingressGrpc.hosts[0].paths[0].path | string | `"/"` | | 118 | | management.ingressGrpc.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | 119 | | management.ingressGrpc.tls | list | `[]` | | 120 | | management.lifecycle | object | `{}` | | 121 | | management.livenessProbe.failureThreshold | int | `3` | | 122 | | management.livenessProbe.initialDelaySeconds | int | `15` | | 123 | | management.livenessProbe.periodSeconds | int | `10` | | 124 | | management.livenessProbe.tcpSocket.port | string | `"http"` | | 125 | | management.livenessProbe.timeoutSeconds | int | `3` | | 126 | | management.metrics.enabled | bool | `false` | | 127 | | management.metrics.port | int | `9090` | | 128 | | management.nodeSelector | object | `{}` | | 129 | | management.persistentVolume.accessModes[0] | string | `"ReadWriteOnce"` | | 130 | | management.persistentVolume.enabled | bool | `true` | | 131 | | management.persistentVolume.existingPVName | string | `""` | | 132 | | management.persistentVolume.size | string | `"10Mi"` | | 133 | | management.persistentVolume.storageClass | 
string | `nil` | | 134 | | management.podAnnotations | object | `{}` | | 135 | | management.podCommand.args[0] | string | `"--port=80"` | | 136 | | management.podCommand.args[1] | string | `"--log-file=console"` | | 137 | | management.podCommand.args[2] | string | `"--log-level=info"` | | 138 | | management.podCommand.args[3] | string | `"--disable-anonymous-metrics=false"` | | 139 | | management.podCommand.args[4] | string | `"--single-account-mode-domain=netbird.selfhosted"` | | 140 | | management.podCommand.args[5] | string | `"--dns-domain=netbird.selfhosted"` | | 141 | | management.podSecurityContext | object | `{}` | | 142 | | management.readinessProbe.failureThreshold | int | `3` | | 143 | | management.readinessProbe.initialDelaySeconds | int | `15` | | 144 | | management.readinessProbe.periodSeconds | int | `10` | | 145 | | management.readinessProbe.tcpSocket.port | string | `"http"` | | 146 | | management.readinessProbe.timeoutSeconds | int | `3` | | 147 | | management.replicaCount | int | `1` | | 148 | | management.resources | object | `{}` | | 149 | | management.securityContext | object | `{}` | | 150 | | management.service.name | string | `"http"` | | 151 | | management.service.port | int | `80` | | 152 | | management.service.type | string | `"ClusterIP"` | | 153 | | management.serviceAccount.annotations | object | `{}` | | 154 | | management.serviceAccount.create | bool | `true` | | 155 | | management.serviceAccount.name | string | `""` | | 156 | | management.serviceGrpc.name | string | `"grpc"` | | 157 | | management.serviceGrpc.port | int | `33073` | | 158 | | management.serviceGrpc.type | string | `"ClusterIP"` | | 159 | | management.tolerations | list | `[]` | | 160 | | management.useBackwardsGrpcService | bool | `false` | | 161 | | metrics.serviceMonitor.annotations | object | `{}` | | 162 | | metrics.serviceMonitor.enabled | bool | `false` | | 163 | | metrics.serviceMonitor.honorLabels | bool | `false` | | 164 | | metrics.serviceMonitor.interval 
| string | `""` | | 165 | | metrics.serviceMonitor.jobLabel | string | `""` | | 166 | | metrics.serviceMonitor.labels | object | `{}` | | 167 | | metrics.serviceMonitor.metricRelabelings | list | `[]` | | 168 | | metrics.serviceMonitor.namespace | string | `""` | | 169 | | metrics.serviceMonitor.relabelings | list | `[]` | | 170 | | metrics.serviceMonitor.scrapeTimeout | string | `""` | | 171 | | metrics.serviceMonitor.selector | object | `{}` | | 172 | | nameOverride | string | `""` | | 173 | | relay.volumeMounts | list | `[]` | | 174 | | relay.volumes | list | `[]` | | 175 | | relay.affinity | object | `{}` | | 176 | | relay.containerPort | int | `33080` | | 177 | | relay.deploymentAnnotations | object | `{}` | | 178 | | relay.enabled | bool | `true` | | 179 | | relay.env | object | `{}` | | 180 | | relay.envFromSecret | object | `{}` | | 181 | | relay.envRaw | list | `[]` | | 182 | | relay.image.pullPolicy | string | `"IfNotPresent"` | | 183 | | relay.image.repository | string | `"netbirdio/relay"` | | 184 | | relay.image.tag | string | `""` | | 185 | | relay.imagePullSecrets | list | `[]` | | 186 | | relay.ingress.annotations | object | `{}` | | 187 | | relay.ingress.className | string | `""` | | 188 | | relay.ingress.enabled | bool | `false` | | 189 | | relay.ingress.hosts[0].host | string | `"example.com"` | | 190 | | relay.ingress.hosts[0].paths[0].path | string | `"/relay"` | | 191 | | relay.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | 192 | | relay.ingress.tls | list | `[]` | | 193 | | relay.livenessProbe.initialDelaySeconds | int | `5` | | 194 | | relay.livenessProbe.periodSeconds | int | `5` | | 195 | | relay.livenessProbe.tcpSocket.port | string | `"http"` | | 196 | | relay.logLevel | string | `"info"` | | 197 | | relay.metrics.enabled | bool | `false` | | 198 | | relay.metrics.port | int | `9090` | | 199 | | relay.nodeSelector | object | `{}` | | 200 | | relay.podAnnotations | object | `{}` | | 201 | | 
relay.podSecurityContext | object | `{}` | | 202 | | relay.readinessProbe.initialDelaySeconds | int | `5` | | 203 | | relay.readinessProbe.periodSeconds | int | `5` | | 204 | | relay.readinessProbe.tcpSocket.port | string | `"http"` | | 205 | | relay.replicaCount | int | `1` | | 206 | | relay.resources | object | `{}` | | 207 | | relay.securityContext | object | `{}` | | 208 | | relay.service.name | string | `"http"` | | 209 | | relay.service.port | int | `33080` | | 210 | | relay.service.type | string | `"ClusterIP"` | | 211 | | relay.serviceAccount.annotations | object | `{}` | | 212 | | relay.serviceAccount.create | bool | `true` | | 213 | | relay.serviceAccount.name | string | `""` | | 214 | | relay.tolerations | list | `[]` | | 215 | | signal.volumeMounts | list | `[]` | | 216 | | signal.volumes | list | `[]` | | 217 | | signal.affinity | object | `{}` | | 218 | | signal.containerPort | int | `80` | | 219 | | signal.deploymentAnnotations | object | `{}` | | 220 | | signal.enabled | bool | `true` | | 221 | | signal.image.pullPolicy | string | `"IfNotPresent"` | | 222 | | signal.image.repository | string | `"netbirdio/signal"` | | 223 | | signal.image.tag | string | `""` | | 224 | | signal.imagePullSecrets | list | `[]` | | 225 | | signal.ingress.annotations | object | `{}` | | 226 | | signal.ingress.className | string | `""` | | 227 | | signal.ingress.enabled | bool | `false` | | 228 | | signal.ingress.hosts[0].host | string | `"example.com"` | | 229 | | signal.ingress.hosts[0].paths[0].path | string | `"/signalexchange.SignalExchange"` | | 230 | | signal.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | 231 | | signal.ingress.tls | list | `[]` | | 232 | | signal.livenessProbe.initialDelaySeconds | int | `5` | | 233 | | signal.livenessProbe.periodSeconds | int | `5` | | 234 | | signal.livenessProbe.tcpSocket.port | string | `"grpc"` | | 235 | | signal.logLevel | string | `"info"` | | 236 | | signal.metrics.enabled | bool | `false` | | 
237 | | signal.metrics.port | int | `9090` | | 238 | | signal.nodeSelector | object | `{}` | | 239 | | signal.podAnnotations | object | `{}` | | 240 | | signal.podSecurityContext | object | `{}` | | 241 | | signal.readinessProbe.initialDelaySeconds | int | `5` | | 242 | | signal.readinessProbe.periodSeconds | int | `5` | | 243 | | signal.readinessProbe.tcpSocket.port | string | `"grpc"` | | 244 | | signal.replicaCount | int | `1` | | 245 | | signal.resources | object | `{}` | | 246 | | signal.securityContext | object | `{}` | | 247 | | signal.service.name | string | `"grpc"` | | 248 | | signal.service.port | int | `80` | | 249 | | signal.service.type | string | `"ClusterIP"` | | 250 | | signal.serviceAccount.annotations | object | `{}` | | 251 | | signal.serviceAccount.create | bool | `true` | | 252 | | signal.serviceAccount.name | string | `""` | | 253 | | signal.tolerations | list | `[]` | | 254 | 255 | For more configuration options, refer to the `values.yaml` file. 256 | 257 | You can find working examples [here](./examples). 258 | 259 | ## STUN/TURN Server 260 | 261 | If you need to deploy a highly available STUN/TURN server, refer to this [blog post](https://medium.com/l7mp-technologies/deploying-a-scalable-stun-service-in-kubernetes-c7b9726fa41d). 262 | 263 | ## Contributing 264 | 265 | We welcome contributions to improve this chart! Please submit a pull request to the GitHub repository with any changes or suggestions. 
266 | -------------------------------------------------------------------------------- /charts/netbird/examples/istio/zitadel/README.md: -------------------------------------------------------------------------------- 1 | # Netbird Self-Hosted Setup 2 | 3 | This example provides a fully configured and tested setup for deploying Netbird using the following components: 4 | 5 | - **Service Mesh**: Istio 6 | - **Database Storage**: SQLite 7 | - **Identity Provider**: Zitadel 8 | 9 | ## Prerequisites 10 | 11 | Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#zitadel) to configure your Zitadel Identity Provider and generate the necessary parameters: 12 | 13 | - `idpClientID` 14 | - `idpServiceUser` 15 | - `idpServiceUserSecret` 16 | - `idpProjectID` 17 | 18 | ## Kubernetes Secret Configuration 19 | 20 | This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs: 21 | 22 | - `idpClientID`: `xxxxxx` # The `clientID` from the Zitadel netbird application. - `idpClientSecret`: `xxxxxx` # The `client secret` from the Zitadel netbird application, if it has one; this example's `values.yaml` maps it to the dashboard's `AUTH_CLIENT_SECRET`, so the key must exist in the secret. 23 | - `idpServiceUser`: `xxxxxx` # The `service user` from Zitadel with permission to read the Zitadel directory. 24 | - `idpServiceUserSecret`: `xxxxxx` # The `client secret` from the Zitadel netbird service user. 25 | - `idpProjectID`: `xxxxxx` # The `project ID` from Zitadel. 26 | - `relayPassword`: `xxxxxx` # Shared secret the relay service uses to authenticate connecting peers. 27 | - `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`. 28 | - `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`. 29 | - `turnServerUser`: `xxxxxx` # TURN server username. 30 | - `turnServerPassword`: `xxxxxx` # TURN server password. 31 | - `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`. 
32 | 33 | > **Note:** The `datastoreEncryptionKey` must also be referenced from the management ConfigMap; this example does so with the `{{ .DATASTORE_ENCRYPTION_KEY }}` placeholder, which is populated from the secret via `envFromSecret` and resolved by the management service at runtime. 34 | 35 | ## Deployment 36 | 37 | Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints: 38 | 39 | - `netbird-dashboard.example.com` - The Netbird dashboard. 40 | - `netbird.example.com` - The main Netbird services (management|relay|signal). 41 | 42 | ## Additional info 43 | 44 | Starting with Netbird v0.30.1, NetBird supports reading environment variables directly within the `management.json` file. This example relies on that feature: secret values are referenced in `management.json` as placeholders of the form `{{ .EnvVarName }}` and supplied as environment variables via `envFromSecret`. 45 | -------------------------------------------------------------------------------- /charts/netbird/examples/istio/zitadel/values.yaml: -------------------------------------------------------------------------------- 1 | fullnameOverride: netbird 2 | management: 3 | configmap: |- 4 | { 5 | "Stuns": [ 6 | { 7 | "Proto": "udp", 8 | "URI": "{{ .STUN_SERVER }}", 9 | "Username": "", 10 | "Password": "" 11 | } 12 | ], 13 | "TURNConfig": { 14 | "TimeBasedCredentials": false, 15 | "CredentialsTTL": "12h0m0s", 16 | "Secret": "secret", 17 | "Turns": [ 18 | { 19 | "Proto": "udp", 20 | "URI": "{{ .TURN_SERVER }}", 21 | "Username": "{{ .TURN_SERVER_USER }}", 22 | "Password": "{{ .TURN_SERVER_PASSWORD }}" 23 | } 24 | ] 25 | }, 26 | "Relay": { 27 | "Addresses": ["rels://netbird.example.com:443/relay"], 28 | "CredentialsTTL": "24h", 29 | "Secret": "{{ .RELAY_PASSWORD }}" 30 | }, 31 | "Signal": { 32 | "Proto": "https", 33 | "URI": "netbird.example.com:443", 34 | "Username": "", 35 | "Password": "" 36 | }, 37 | "Datadir": "/var/lib/netbird/", 38 | "DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}", 39 | "HttpConfig": { 40 | "AuthIssuer": "https://zitadel.example.com", 41 | "AuthAudience": "{{ .IDP_CLIENT_ID }}", 42 | 
"OIDCConfigEndpoint": "https://zitadel.example.com/.well-known/openid-configuration", 43 | "AuthKeysLocation": "https://zitadel.example.com/oauth/v2/keys", 44 | "LetsEncryptDomain": "", 45 | "CertFile": "", 46 | "CertKey": "", 47 | "AuthUserIDClaim": "", 48 | "IdpSignKeyRefreshEnabled": true, 49 | "ExtraAuthAudience": "{{ .IDP_PROJECT_ID }}" 50 | }, 51 | "IdpManagerConfig": { 52 | "ManagerType": "zitadel", 53 | "ClientConfig": { 54 | "Issuer": "https://zitadel.example.com", 55 | "TokenEndpoint": "https://zitadel.example.com/oauth/v2/token", 56 | "ClientID": "{{ .IDP_SERVICE_USER }}", 57 | "ClientSecret": "{{ .IDP_SERVICE_USER_SECRET }}", 58 | "GrantType": "client_credentials" 59 | }, 60 | "ExtraConfig": { 61 | "ManagementEndpoint": "https://zitadel.example.com/management/v1" 62 | } 63 | }, 64 | "DeviceAuthorizationFlow": { 65 | "Provider": "hosted", 66 | "ProviderConfig": { 67 | "ClientID": "{{ .IDP_CLIENT_ID }}", 68 | "ClientSecret": "", 69 | "Domain": "zitadel.example.com", 70 | "Audience": "{{ .IDP_CLIENT_ID }}", 71 | "TokenEndpoint": "https://zitadel.example.com/oauth/v2/token", 72 | "DeviceAuthEndpoint": "https://zitadel.example.com/oauth/v2/device_authorization", 73 | "AuthorizationEndpoint": "", 74 | "Scope": "openid", 75 | "UseIDToken": false, 76 | "RedirectURLs": null 77 | } 78 | }, 79 | "PKCEAuthorizationFlow": { 80 | "ProviderConfig": { 81 | "ClientID": "{{ .IDP_CLIENT_ID }}", 82 | "ClientSecret": "", 83 | "Domain": "", 84 | "Audience": "{{ .IDP_CLIENT_ID }}", 85 | "DeviceAuthEndpoint": "", 86 | "Scope": "openid profile email offline_access api groups zitadel:grants", 87 | "UseIDToken": false, 88 | "RedirectURLs": ["http://localhost:53000/", "http://localhost:54000/"], 89 | "TokenEndpoint": "https://zitadel.example.com/oauth/v2/token", 90 | "AuthorizationEndpoint": "https://zitadel.example.com/oauth/v2/authorize" 91 | } 92 | }, 93 | "StoreConfig": { 94 | "Engine": "sqlite" 95 | }, 96 | "ReverseProxy": { 97 | "TrustedHTTPProxies": 
null, 98 | "TrustedHTTPProxiesCount": 0, 99 | "TrustedPeers": null 100 | } 101 | } 102 | 103 | image: 104 | tag: 0.32.0 105 | persistentVolume: 106 | enabled: true 107 | size: 5Gi 108 | envFromSecret: 109 | STUN_SERVER: netbird/stunServer 110 | TURN_SERVER: netbird/turnServer 111 | TURN_SERVER_USER: netbird/turnServerUser 112 | TURN_SERVER_PASSWORD: netbird/turnServerPassword 113 | RELAY_PASSWORD: netbird/relayPassword 114 | DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey 115 | IDP_SERVICE_USER: netbird/idpServiceUser 116 | IDP_SERVICE_USER_SECRET: netbird/idpServiceUserSecret 117 | IDP_PROJECT_ID: netbird/idpProjectID 118 | IDP_CLIENT_ID: netbird/idpClientID 119 | 120 | signal: 121 | image: 122 | tag: 0.32.0 123 | 124 | relay: 125 | image: 126 | tag: 0.32.0 127 | envFromSecret: 128 | NB_AUTH_SECRET: netbird/relayPassword 129 | env: 130 | NB_LOG_LEVEL: info 131 | NB_LISTEN_ADDRESS: ":33080" 132 | NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay 133 | 134 | dashboard: 135 | enabled: true 136 | image: 137 | tag: v2.9.0 138 | env: 139 | # Endpoints 140 | NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443 141 | NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443 142 | # OIDC 143 | AUTH_AUTHORITY: https://zitadel.example.com 144 | USE_AUTH0: false 145 | AUTH_SUPPORTED_SCOPES: openid profile email offline_access api groups 146 | AUTH_REDIRECT_URI: /nb-auth 147 | AUTH_SILENT_REDIRECT_URI: /nb-silent-auth 148 | envFromSecret: 149 | AUTH_CLIENT_ID: netbird/idpClientID 150 | AUTH_CLIENT_SECRET: netbird/idpClientSecret 151 | extraManifests: 152 | - apiVersion: networking.istio.io/v1 153 | kind: VirtualService 154 | metadata: 155 | name: netbird-mgmt 156 | spec: 157 | gateways: 158 | - istio-gw/ext-gw 159 | hosts: 160 | - "netbird.example.com" 161 | http: 162 | - match: 163 | - uri: 164 | prefix: /api 165 | route: 166 | - destination: 167 | host: netbird-management 168 | port: 169 | number: 80 170 | - match: 171 | - uri: 172 | prefix: 
/management.ManagementService 173 | route: 174 | - destination: 175 | host: netbird-management 176 | port: 177 | number: 80 178 | - match: 179 | - uri: 180 | prefix: /relay 181 | route: 182 | - destination: 183 | host: netbird-relay 184 | port: 185 | number: 33080 186 | - match: 187 | - uri: 188 | prefix: /signalexchange.SignalExchange 189 | route: 190 | - destination: 191 | host: netbird-signal 192 | port: 193 | number: 80 194 | - apiVersion: networking.istio.io/v1 195 | kind: VirtualService 196 | metadata: 197 | name: netbird-dashboard-mgmt-vs 198 | namespace: netbird 199 | spec: 200 | gateways: 201 | - istio-gw/ext-gw 202 | hosts: 203 | - "netbird-dashboard.example.com" 204 | http: 205 | - match: 206 | - uri: 207 | prefix: / 208 | route: 209 | - destination: 210 | host: netbird-dashboard 211 | port: 212 | number: 80 213 | -------------------------------------------------------------------------------- /charts/netbird/examples/nginx-ingress/auth0/README.md: -------------------------------------------------------------------------------- 1 | # Netbird Self-Hosted Setup 2 | 3 | This example provides a fully configured and tested setup for deploying Netbird using the following components: 4 | 5 | - **Ingress Controller**: Nginx 6 | - **Database Storage**: SQLite 7 | - **Identity Provider**: Auth0 8 | 9 | ## Prerequisites 10 | 11 | Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#auth0) to configure your Auth0 Identity Provider and generate the necessary parameters: 12 | 13 | - `idpClientID` 14 | - `idpClientSecret` 15 | - `idpInteractiveClientID` 16 | - `idpDashboardClientID` 17 | 18 | ## Kubernetes Secret Configuration 19 | 20 | This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs: 21 | 22 | - `idpClientID`: `xxxxxx` # The `clientId` from the Auth0 netbird application. 
23 | - `idpClientSecret`: `xxxxxx` # The `clientSecret` from the Auth0 netbird application. 24 | - `idpInteractiveClientID`: `xxxxxx` # The `clientId` from the Auth0 netbird interactive application. 25 | - `idpDashboardClientID`: `xxxxxx` # The `clientId` from the Auth0 netbird dashboard application. 26 | - `relayPassword`: `xxxxxx` # Shared secret the relay service uses to authenticate connecting peers. 27 | - `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`. 28 | - `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`. 29 | - `turnServerUser`: `xxxxxx` # TURN server username. 30 | - `turnServerPassword`: `xxxxxx` # TURN server password. 31 | - `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`. 32 | 33 | > **Note:** The `datastoreEncryptionKey` must also be referenced from the management ConfigMap; this example does so with the `{{ .DATASTORE_ENCRYPTION_KEY }}` placeholder, which is populated from the secret via `envFromSecret` and resolved by the management service at runtime. 34 | 35 | ## Deployment 36 | 37 | Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints: 38 | 39 | - `netbird-dashboard.example.com` - The Netbird dashboard. 40 | - `netbird.example.com` - The main Netbird services (management|relay|signal). 41 | 42 | ## Additional info 43 | 44 | Starting with Netbird v0.30.1, NetBird supports reading environment variables directly within the `management.json` file. This example relies on that feature: secret values are referenced in `management.json` as placeholders of the form `{{ .EnvVarName }}` and supplied as environment variables via `envFromSecret`. 
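
--------------------------------------------------------------------------------
/charts/netbird/examples/nginx-ingress/auth0/values.yaml:
--------------------------------------------------------------------------------
fullnameOverride: netbird
management:
  # Security notes for the management.json below (it is a literal block scalar,
  # so comments cannot go inside it):
  # - ReverseProxy.TrustedPeers "0.0.0.0/0" trusts forwarded-client-IP headers
  #   from any source address. Keep it only if the Nginx ingress controller
  #   overwrites X-Forwarded-For/X-Real-IP itself; otherwise narrow it to the
  #   ingress CIDR.
  # - TURNConfig.Secret "secret" is a placeholder. It is unused while
  #   TimeBasedCredentials is false; generate a real one before enabling it.
  # - "netbird-banking" (AuthAudience and both *.Audience fields) is an example
  #   API identifier; replace it with the audience of the Auth0 API you created.
  # - Credentials appear only as {{ .ENV }} placeholders that the management
  #   service resolves from the environment (envFromSecret below), so the key
  #   material stays in the Kubernetes Secret rather than in this ConfigMap.
  configmap: |-
    {
      "Stuns": [
        {
          "Proto": "udp",
          "URI": "{{ .STUN_SERVER }}",
          "Username": "",
          "Password": null
        }
      ],
      "Relay": {
        "Addresses": ["rels://netbird.example.com:443/relay"],
        "CredentialsTTL": "24h",
        "Secret": "{{ .RELAY_PASSWORD }}"
      },
      "TURNConfig": {
        "Turns": [
          {
            "Proto": "udp",
            "URI": "{{ .TURN_SERVER }}",
            "Username": "{{ .TURN_SERVER_USER }}",
            "Password": "{{ .TURN_SERVER_PASSWORD }}"
          }
        ],
        "CredentialsTTL": "12h",
        "Secret": "secret",
        "TimeBasedCredentials": false
      },
      "Signal": {
        "Proto": "https",
        "URI": "netbird.example.com:443",
        "Username": "",
        "Password": null
      },
      "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": ["0.0.0.0/0"]
      },
      "Datadir": "/var/lib/netbird/",
      "DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
      "StoreConfig": {
        "Engine": "sqlite"
      },
      "HttpConfig": {
        "Address": "0.0.0.0:33073",
        "AuthIssuer": "https://example.eu.auth0.com/",
        "AuthAudience": "netbird-banking",
        "AuthKeysLocation": "https://example.eu.auth0.com/.well-known/jwks.json",
        "AuthUserIDClaim": "",
        "CertFile": "",
        "CertKey": "",
        "IdpSignKeyRefreshEnabled": false,
        "OIDCConfigEndpoint": "https://example.eu.auth0.com/.well-known/openid-configuration"
      },
      "IdpManagerConfig": {
        "ManagerType": "auth0",
        "ClientConfig": {
          "Issuer": "https://example.eu.auth0.com/",
          "TokenEndpoint": "https://example.eu.auth0.com/oauth/token",
          "ClientID": "{{ .IDP_CLIENT_ID }}",
          "ClientSecret": "{{ .IDP_CLIENT_SECRET }}",
          "GrantType": "client_credentials"
        },
        "ExtraConfig": {
          "Audience": "https://example.eu.auth0.com/api/v2/"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
      },
      "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
          "Audience": "netbird-banking",
          "AuthorizationEndpoint": "",
          "Domain": "",
          "ClientID": "{{ .IDP_INTERACTIVE_CLIENT_ID }}",
          "ClientSecret": "",
          "TokenEndpoint": "https://example.eu.auth0.com/oauth/token",
          "DeviceAuthEndpoint": "https://example.eu.auth0.com/oauth/device/code",
          "Scope": "openid",
          "UseIDToken": false,
          "RedirectURLs": null
        }
      },
      "PKCEAuthorizationFlow": {
        "ProviderConfig": {
          "Audience": "netbird-banking",
          "ClientID": "{{ .IDP_DASHBOARD_CLIENT_ID }}",
          "ClientSecret": "",
          "Domain": "",
          "AuthorizationEndpoint": "https://example.eu.auth0.com/authorize",
          "TokenEndpoint": "https://example.eu.auth0.com/oauth/token",
          "Scope": "openid groups profile email offline_access api email_verified groups",
          "RedirectURLs": ["http://localhost:53000"],
          "UseIDToken": false
        }
      }
    }


  # Every value below is read from the `netbird` Secret (secretName/key) and
  # exposed to the management pod as an environment variable that the
  # {{ .NAME }} placeholders in the ConfigMap above are resolved from.
  envFromSecret:
    STUN_SERVER: netbird/stunServer
    TURN_SERVER: netbird/turnServer
    TURN_SERVER_USER: netbird/turnServerUser
    TURN_SERVER_PASSWORD: netbird/turnServerPassword
    RELAY_PASSWORD: netbird/relayPassword
    IDP_CLIENT_ID: netbird/idpClientID
    IDP_CLIENT_SECRET: netbird/idpClientSecret
    IDP_INTERACTIVE_CLIENT_ID: netbird/idpInteractiveClientID
    IDP_DASHBOARD_CLIENT_ID: netbird/idpDashboardClientID
    DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey

  podCommand:
    args:
      - --port=80
      - --log-file=console
      # error-only logging suppresses informational events; use info (as the
      # okta example does) when an audit trail from this pod is wanted.
      - --log-level=error
      # false keeps anonymous usage reporting to NetBird enabled; set it to
      # true for air-gapped or privacy-sensitive deployments.
      - --disable-anonymous-metrics=false
      # Stray trailing '"' removed: it was passed to the binary as part of the
      # domain name (netbird.selfhosted").
      - --dns-domain=netbird.selfhosted

  image:
    tag: 0.32.0

  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: netbird.example.com
        paths:
          - path: /api
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-api-tls
        hosts:
          - netbird.example.com
  ingressGrpc:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      nginx.ingress.kubernetes.io/backend-protocol: GRPC
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - host: netbird.example.com
        paths:
          - path: /management.ManagementService
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-grpc-tls
        hosts:
          - netbird.example.com
  persistentVolume:
    enabled: true
  useBackwardsGrpcService: true
signal:
  image:
    tag: 0.32.0
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      nginx.ingress.kubernetes.io/backend-protocol: GRPC
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - host: netbird.example.com
        paths:
          - path: /signalexchange.SignalExchange
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-signal-tls
        hosts:
          - netbird.example.com
relay:
  resources:
    requests:
      cpu: 300m
      memory: 128Mi
    limits:
      cpu: 1000m
      memory: 256Mi
  image:
    tag: 0.32.0
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: netbird.example.com
        paths:
          - path: /relay
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-relay-tls
        hosts:
          - netbird.example.com

  # Must be the same value as Relay.Secret in the management ConfigMap; both
  # read netbird/relayPassword.
  envFromSecret:
    NB_AUTH_SECRET: netbird/relayPassword

  env:
    NB_LOG_LEVEL: info
    NB_LISTEN_ADDRESS: ":33080"
    NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay

dashboard:
  enabled: true
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: netbird-dashboard.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-dashboard-tls
        hosts:
          - netbird-dashboard.example.com
  image:
    tag: v2.9.0
  env:
    # Endpoints
    NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
    NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
    # OIDC
    AUTH_CLIENT_SECRET:
    AUTH_AUTHORITY: https://example.eu.auth0.com/
    # Example API identifier; must match HttpConfig.AuthAudience above.
    AUTH_AUDIENCE: netbird-banking
    USE_AUTH0: "true"
    AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
    AUTH_REDIRECT_URI:
    AUTH_SILENT_REDIRECT_URI:
    NETBIRD_TOKEN_SOURCE: accessToken
    NGINX_SSL_PORT:
    LETSENCRYPT_DOMAIN:
    LETSENCRYPT_EMAIL:
  envFromSecret:
    AUTH_CLIENT_ID: netbird/idpDashboardClientID
--------------------------------------------------------------------------------
/charts/netbird/examples/nginx-ingress/authentik/README.md:
--------------------------------------------------------------------------------
# Netbird Self-Hosted Setup

This example provides a fully configured and tested setup for deploying Netbird using the following components:

- **Ingress Controller**: Nginx Ingress
- **Database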
Storage**: External PostgreSQL
- **Identity Provider**: Authentik

## Prerequisites

Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#authentik) to configure your Authentik Identity Provider and generate the necessary parameters:

- `idpClientID`
- `idpServiceAccountUser`
- `idpServiceAccountPassword`

## Kubernetes Secret Configuration

This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:

- `idpClientID`: `xxxxxx` # The `clientId` from the Authentik application.
- `idpServiceAccountPassword`: `xxxxxx` # Service account password from Authentik. The account is used by the management service's IdP integration (`IdpManagerConfig` in `management.json`); grant it only the read permissions that integration needs.
- `idpServiceAccountUser`: `xxxxxx` # Service account user from Authentik.
- `postgresDSN`: `xxxxxx` # PostgreSQL DSN, e.g., `postgresql://netbird:xxx0@192.168.1.20:5432/netbird`. The DSN embeds the database password, which is why it belongs in the Secret; when the database is reached over the network, add `?sslmode=require` (or stricter) so neither the credentials nor the datastore contents travel in clear.
- `relayPassword`: `xxxxxx` # Shared secret between the management service (`Relay.Secret` in `management.json`) and the relay service (`NB_AUTH_SECRET`). It is the key behind the time-limited relay credentials (`Relay.CredentialsTTL`) that management issues to peers, so generate it randomly, e.g. via `openssl rand -base64 32`.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.

> **Note:** The `datastoreEncryptionKey` must also be referenced from the management ConfigMap (`management.configmap` in `values.yaml`). This example does that with the `{{ .DATASTORE_ENCRYPTION_KEY }}` placeholder, which the management service resolves from the `netbird` Secret at start-up (see `management.envFromSecret`), so the key itself never has to be written into the ConfigMap — keep it in the Secret only.

## Deployment

Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:

- `netbird-dashboard.example.com` - The Netbird dashboard.
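- `netbird.example.com` - The main Netbird services (management|relay|signal).

## Additional info

Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.

Before exposing the deployment, review the security-relevant defaults in `values.yaml`: `ReverseProxy.TrustedHTTPProxies` and `TrustedPeers` are unset — if the management service should see real client addresses behind the ingress, add the ingress controller's CIDR to `TrustedHTTPProxies` rather than trusting `0.0.0.0/0`; `TURNConfig.Secret` is the placeholder `secret`, inert while `TimeBasedCredentials` is `false` but to be replaced before enabling it.
--------------------------------------------------------------------------------
/charts/netbird/examples/nginx-ingress/authentik/values.yaml:
--------------------------------------------------------------------------------
fullnameOverride: netbird
management:
  # Security notes for the management.json below (it is a literal block scalar,
  # so comments cannot go inside it):
  # - TURNConfig.Secret "secret" is a placeholder. It is unused while
  #   TimeBasedCredentials is false; generate a real one before enabling it.
  # - ReverseProxy leaves TrustedHTTPProxies/TrustedPeers unset. To have real
  #   client addresses behind the ingress, list the ingress controller's CIDR
  #   in TrustedHTTPProxies instead of trusting 0.0.0.0/0.
  # - The Authentik service-account password and the Postgres DSN (which
  #   embeds the DB password) appear only as {{ .ENV }} placeholders resolved
  #   from envFromSecret below; keep them in the Secret, not in this ConfigMap.
  configmap: |-
    {
      "Stuns": [
        {
          "Proto": "udp",
          "URI": "{{ .STUN_SERVER }}",
          "Username": "",
          "Password": ""
        }
      ],
      "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
          {
            "Proto": "udp",
            "URI": "{{ .TURN_SERVER }}",
            "Username": "{{ .TURN_SERVER_USER }}",
            "Password": "{{ .TURN_SERVER_PASSWORD }}"
          }
        ]
      },
      "Relay": {
        "Addresses": ["rels://netbird.example.com:443/relay"],
        "CredentialsTTL": "24h",
        "Secret": "{{ .RELAY_PASSWORD }}"
      },
      "Signal": {
        "Proto": "https",
        "URI": "netbird.example.com:443",
        "Username": "",
        "Password": ""
      },
      "Datadir": "/var/lib/netbird/",
      "DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
      "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "{{ .IDP_CLIENT_ID }}",
        "AuthIssuer": "https://idp.example.com/application/o/example-netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://idp.example.com/application/o/example-netbird/jwks/",
        "OIDCConfigEndpoint": "https://idp.example.com/application/o/example-netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false
      },
      "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
          "Issuer": "https://idp.example.com/application/o/example-netbird",
          "TokenEndpoint": "https://idp.example.com/application/o/token/",
          "ClientID": "{{ .IDP_CLIENT_ID }}",
          "ClientSecret": "",
          "GrantType": "client_credentials"
        },
        "ExtraConfig": {
          "Password": "{{ .IDP_SERVICE_ACCOUNT_PASSWORD }}",
          "Username": "{{ .IDP_SERVICE_ACCOUNT_USER }}"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
      },
      "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
          "ClientID": "{{ .IDP_CLIENT_ID }}",
          "ClientSecret": "",
          "Domain": "idp.example.com",
          "Audience": "{{ .IDP_CLIENT_ID }}",
          "TokenEndpoint": "https://idp.example.com/application/o/token/",
          "DeviceAuthEndpoint": "https://idp.example.com/application/o/device/",
          "AuthorizationEndpoint": "",
          "Scope": "openid",
          "UseIDToken": false,
          "RedirectURLs": null
        }
      },
      "PKCEAuthorizationFlow": {
        "ProviderConfig": {
          "ClientID": "{{ .IDP_CLIENT_ID }}",
          "ClientSecret": "",
          "Domain": "",
          "Audience": "{{ .IDP_CLIENT_ID }}",
          "TokenEndpoint": "https://idp.example.com/application/o/token/",
          "DeviceAuthEndpoint": "",
          "AuthorizationEndpoint": "https://idp.example.com/application/o/authorize/",
          "Scope": "openid profile email offline_access api",
          "UseIDToken": false,
          "DisablePromptLogin": true,
          "RedirectURLs": ["http://localhost:53000"]
        }
      },
      "StoreConfig": {
        "Engine": "postgres"
      },
      "ReverseProxy": {
        "TrustedHTTPProxies": null,
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": null
      }
    }

  ingress:
    enabled: true
    className: public
    annotations:
      cert-manager.io/cluster-issuer: example-issuer
    hosts:
      - host: netbird.example.com
        paths:
          - path: /api
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-api-tls
        hosts:
          - netbird.example.com
  ingressGrpc:
    enabled: true
    className: public
    annotations:
      cert-manager.io/cluster-issuer: example-issuer
      nginx.ingress.kubernetes.io/backend-protocol: GRPC
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - host: netbird.example.com
        paths:
          - path: /management.ManagementService
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-grpc-tls
        hosts:
          - netbird.example.com

  # No PVC: state lives in the external PostgreSQL referenced by the DSN.
  persistentVolume:
    enabled: false

  # Every value below is read from the `netbird` Secret (secretName/key) and
  # exposed to the management pod as an environment variable.
  envFromSecret:
    NETBIRD_STORE_ENGINE_POSTGRES_DSN: netbird/postgresDSN
    STUN_SERVER: netbird/stunServer
    TURN_SERVER: netbird/turnServer
    TURN_SERVER_USER: netbird/turnServerUser
    TURN_SERVER_PASSWORD: netbird/turnServerPassword
    RELAY_PASSWORD: netbird/relayPassword
    DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
    IDP_CLIENT_ID: netbird/idpClientID
    IDP_SERVICE_ACCOUNT_USER: netbird/idpServiceAccountUser
    IDP_SERVICE_ACCOUNT_PASSWORD: netbird/idpServiceAccountPassword
  useBackwardsGrpcService: true
signal:
  ingress:
    enabled: true
    className: public
    annotations:
      cert-manager.io/cluster-issuer: example-issuer
      nginx.ingress.kubernetes.io/backend-protocol: GRPC
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - host: netbird.example.com
        paths:
          - path: /signalexchange.SignalExchange
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-signal-tls
        hosts:
          - netbird.example.com

relay:
  ingress:
    enabled: true
    className: public
    annotations:
      cert-manager.io/cluster-issuer: example-issuer
    hosts:
      - host: netbird.example.com
        paths:
          - path: /relay
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-relay-tls
        hosts:
          - netbird.example.com

  # Must be the same value as Relay.Secret in the management ConfigMap; both
  # read netbird/relayPassword.
  envFromSecret:
    NB_AUTH_SECRET: netbird/relayPassword

  env:
    NB_LOG_LEVEL: info
    NB_LISTEN_ADDRESS: ":33080"
    NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay

dashboard:
  enabled: true
  ingress:
    enabled: true
    className: public
    annotations:
      cert-manager.io/cluster-issuer: example-issuer
    hosts:
      - host: netbird-dashboard.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-dashboard-tls
        hosts:
          - netbird-dashboard.example.com
  env:
    # Endpoints
    NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
    NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
    # OIDC
    AUTH_CLIENT_SECRET:
    AUTH_AUTHORITY: https://idp.example.com/application/o/example-netbird/
    # Quoted like the other examples: env values must render as strings, and a
    # bare YAML boolean would not.
    USE_AUTH0: "false"
    AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
    AUTH_REDIRECT_URI:
    AUTH_SILENT_REDIRECT_URI:
    NETBIRD_TOKEN_SOURCE: accessToken
    NGINX_SSL_PORT:
    LETSENCRYPT_DOMAIN:
    LETSENCRYPT_EMAIL:

  envFromSecret:
    AUTH_CLIENT_ID: netbird/idpClientID
    AUTH_AUDIENCE: netbird/idpClientID
--------------------------------------------------------------------------------
/charts/netbird/examples/nginx-ingress/google/README.md:
--------------------------------------------------------------------------------
# Netbird Self-Hosted Setup

This example provides a fully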
configured and tested setup for deploying Netbird using the following components:

- **Ingress Controller**: Nginx
- **Database Storage**: SQLite
- **Identity Provider**: Google

## Prerequisites

Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#google-workspace) to configure your Google Identity Provider and generate the necessary parameters:

- `idpClientID`
- `idpClientSecret`
- `CustomerId`

Additionally, you will need the service account key downloaded as part of the documented steps for setting up the Google IDP.

## Kubernetes Secret Configuration

This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:

- `idpClientID`: `xxxxxx` # The `clientId` of the Google OAuth client created for Netbird.
- `idpClientSecret`: `xxxxxx` # The `clientSecret` of that Google OAuth client. This example also passes it to the dashboard (`dashboard.envFromSecret.AUTH_CLIENT_SECRET` in `values.yaml`), i.e. to a browser application, so it is visible to every dashboard user and must not be relied on as a confidential credential.
- `relayPassword`: `xxxxxx` # Shared secret between the management service (`Relay.Secret` in `management.json`) and the relay service (`NB_AUTH_SECRET`). It is the key behind the time-limited relay credentials (`Relay.CredentialsTTL`) that management issues to peers, so generate it randomly, e.g. via `openssl rand -base64 32`.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
- `customerID`: `xxxxxxx` # The Google Workspace Customer ID belonging to the directory of users that will be enumerated for access to Netbird. Found [here](https://support.google.com/a/answer/10070793?hl=en).
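
You will also be required to set up a Kubernetes secret named `netbird-gcp-service-account` which contains the `sa.json` belonging to the service account generated in the prerequisites. That key grants directory read access to your Workspace: restrict the service account to the minimum Admin SDK scopes the NetBird integration needs and limit RBAC access to the Secret. Check the NetBird Google Workspace guide for the expected encoding of the value — it is substituted verbatim into a JSON string in `management.json` (`IdpManagerConfig.ExtraConfig.ServiceAccountKey`), so an unencoded multi-line key file would break the JSON.

> **Note:** The `datastoreEncryptionKey` must also be referenced from the management ConfigMap (`management.configmap` in `values.yaml`). This example does that with the `{{ .DATASTORE_ENCRYPTION_KEY }}` placeholder, which the management service resolves from the `netbird` Secret at start-up (see `management.envFromSecret`), so the key itself never has to be written into the ConfigMap — keep it in the Secret only.

## Deployment

Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:

- `netbird-dashboard.example.com` - The Netbird dashboard.
- `netbird.example.com` - The main Netbird services (management|relay|signal).

## Additional info

Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.

Before exposing the deployment, review the security-relevant defaults in `values.yaml`: `ReverseProxy.TrustedPeers` is `0.0.0.0/0`, which trusts forwarded-client-IP headers from any source address — keep it only if the Nginx ingress controller overwrites `X-Forwarded-For`/`X-Real-IP` itself, otherwise narrow it to the ingress CIDR; `TURNConfig.Secret` is the placeholder `secret`, inert while `TimeBasedCredentials` is `false` but to be replaced before enabling it; and `--disable-anonymous-metrics=false` keeps anonymous usage reporting enabled.
--------------------------------------------------------------------------------
/charts/netbird/examples/nginx-ingress/google/values.yaml:
--------------------------------------------------------------------------------
fullnameOverride: netbird
management:
  # Security notes for the management.json below (it is a literal block scalar,
  # so comments cannot go inside it):
  # - ReverseProxy.TrustedPeers "0.0.0.0/0" trusts forwarded-client-IP headers
  #   from any source address. Keep it only if the Nginx ingress controller
  #   overwrites X-Forwarded-For/X-Real-IP itself; otherwise narrow it to the
  #   ingress CIDR.
  # - TURNConfig.Secret "secret" is a placeholder. It is unused while
  #   TimeBasedCredentials is false; generate a real one before enabling it.
  # - ExtraConfig.ServiceAccountKey is interpolated verbatim into a JSON
  #   string; the Secret value must be in the encoding the NetBird Google
  #   Workspace guide expects (raw multi-line JSON would break the file).
  # - PKCEAuthorizationFlow carries the OAuth client secret; the same client
  #   secret is also handed to the dashboard (a browser app), so treat this
  #   OAuth client as public and do not reuse its secret elsewhere.
  configmap: |-
    {
      "Stuns": [
        {
          "Proto": "udp",
          "URI": "{{ .STUN_SERVER }}",
          "Username": "",
          "Password": null
        }
      ],
      "Relay": {
        "Addresses": ["rels://netbird.example.com:443/relay"],
        "CredentialsTTL": "24h",
        "Secret": "{{ .RELAY_PASSWORD }}"
      },
      "TURNConfig": {
        "Turns": [
          {
            "Proto": "udp",
            "URI": "{{ .TURN_SERVER }}",
            "Username": "{{ .TURN_SERVER_USER }}",
            "Password": "{{ .TURN_SERVER_PASSWORD }}"
          }
        ],
        "CredentialsTTL": "12h",
        "Secret": "secret",
        "TimeBasedCredentials": false
      },
      "Signal": {
        "Proto": "https",
        "URI": "netbird.example.com:443",
        "Username": "",
        "Password": null
      },
      "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": ["0.0.0.0/0"]
      },
      "Datadir": "/var/lib/netbird/",
      "DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
      "StoreConfig": {
        "Engine": "sqlite"
      },
      "HttpConfig": {
        "Address": "0.0.0.0:33073",
        "AuthIssuer": "https://accounts.google.com",
        "AuthAudience": "{{ .IDP_CLIENT_ID }}",
        "AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs",
        "AuthUserIDClaim": "",
        "CertFile": "",
        "CertKey": "",
        "IdpSignKeyRefreshEnabled": true,
        "OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration"
      },
      "IdpManagerConfig": {
        "ManagerType": "google",
        "ClientConfig": {
          "Issuer": "https://accounts.google.com",
          "TokenEndpoint": "https://oauth2.googleapis.com/token",
          "ClientID": "",
          "ClientSecret": "",
          "GrantType": "client_credentials"
        },
        "ExtraConfig": {
          "CustomerId": "{{ .CUSTOMER_ID }}",
          "ServiceAccountKey": "{{ .SERVICE_ACCOUNT_KEY }}"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
      },
      "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
          "Audience": "{{ .IDP_CLIENT_ID }}",
          "AuthorizationEndpoint": "",
          "Domain": "",
          "ClientID": "",
          "ClientSecret": "",
          "TokenEndpoint": "https://oauth2.googleapis.com/token",
          "DeviceAuthEndpoint": "https://oauth2.googleapis.com/device/code",
          "Scope": "openid",
          "UseIDToken": true,
          "RedirectURLs": null
        }
      },
      "PKCEAuthorizationFlow": {
        "ProviderConfig": {
          "Audience": "{{ .IDP_CLIENT_ID }}",
          "ClientID": "{{ .IDP_CLIENT_ID }}",
          "ClientSecret": "{{ .IDP_CLIENT_SECRET }}",
          "Domain": "",
          "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
          "TokenEndpoint": "https://oauth2.googleapis.com/token",
          "Scope": "openid profile email",
          "RedirectURLs": ["http://localhost:53000"],
          "UseIDToken": true
        }
      }
    }


  # Every value below is read from a Secret (secretName/key) and exposed to the
  # management pod as an environment variable that the {{ .NAME }} placeholders
  # in the ConfigMap above are resolved from.
  envFromSecret:
    STUN_SERVER: netbird/stunServer
    TURN_SERVER: netbird/turnServer
    TURN_SERVER_USER: netbird/turnServerUser
    TURN_SERVER_PASSWORD: netbird/turnServerPassword
    RELAY_PASSWORD: netbird/relayPassword
    IDP_CLIENT_ID: netbird/idpClientID
    IDP_CLIENT_SECRET: netbird/idpClientSecret
    DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
    # Workspace directory read credential; keep RBAC on this Secret tight.
    SERVICE_ACCOUNT_KEY: netbird-gcp-service-account/sa.json
    CUSTOMER_ID: netbird/customerID

  podCommand:
    args:
      - --port=80
      - --log-file=console
      # error-only logging suppresses informational events; use info (as the
      # okta example does) when an audit trail from this pod is wanted.
      - --log-level=error
      # false keeps anonymous usage reporting to NetBird enabled; set it to
      # true for air-gapped or privacy-sensitive deployments.
      - --disable-anonymous-metrics=false
      # Stray trailing '"' removed: it was passed to the binary as part of the
      # domain name (netbird.selfhosted").
      - --dns-domain=netbird.selfhosted

  image:
    tag: 0.36.5

  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: netbird.example.com
        paths:
          - path: /api
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-api-tls
        hosts:
          - netbird.example.com
  ingressGrpc:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      nginx.ingress.kubernetes.io/backend-protocol: GRPC
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - host: netbird.example.com
        paths:
          - path: /management.ManagementService
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-grpc-tls
        hosts:
          - netbird.example.com
  persistentVolume:
    enabled: true
  useBackwardsGrpcService: true
signal:
  image:
    tag: 0.36.5
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      nginx.ingress.kubernetes.io/backend-protocol: GRPC
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - host: netbird.example.com
        paths:
          - path: /signalexchange.SignalExchange
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-signal-tls
        hosts:
          - netbird.example.com
relay:
  resources:
    requests:
      cpu: 300m
      memory: 128Mi
    limits:
      cpu: 1000m
      memory: 256Mi
  image:
    tag: 0.36.5
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: netbird.example.com
        paths:
          - path: /relay
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-relay-tls
        hosts:
          - netbird.example.com

  # Must be the same value as Relay.Secret in the management ConfigMap; both
  # read netbird/relayPassword.
  envFromSecret:
    NB_AUTH_SECRET: netbird/relayPassword

  env:
    NB_LOG_LEVEL: info
    NB_LISTEN_ADDRESS: ":33080"
    NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay

dashboard:
  enabled: true
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: netbird-dashboard.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: netbird-dashboard-tls
        hosts:
          - netbird-dashboard.example.com
  image:
    tag: v2.9.0
  env:
    # Endpoints
    NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
    NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
    # OIDC
    AUTH_AUTHORITY: https://accounts.google.com
    USE_AUTH0: "false"
    AUTH_SUPPORTED_SCOPES: "openid profile email"
    AUTH_REDIRECT_URI: /auth
    AUTH_SILENT_REDIRECT_URI: /silent-auth
    NETBIRD_TOKEN_SOURCE: idToken
    NGINX_SSL_PORT: "443"
    LETSENCRYPT_DOMAIN:
    LETSENCRYPT_EMAIL:
  envFromSecret:
    AUTH_AUDIENCE: netbird/idpClientID
    AUTH_CLIENT_ID: netbird/idpClientID
    # The dashboard runs in the browser, so this secret is visible to every
    # dashboard user. The same client is used for the CLI PKCE flow above;
    # treat it as a public OAuth client and never reuse its secret elsewhere.
    AUTH_CLIENT_SECRET: netbird/idpClientSecret
--------------------------------------------------------------------------------
/charts/netbird/examples/nginx-ingress/okta/README.md:
--------------------------------------------------------------------------------
# Netbird Self-Hosted Setup

This example provides a fully configured and tested setup for deploying Netbird using the following components:

- **Ingress Controller**: Nginx
- **Database Storage**: SQLite
- **Identity Provider**: Okta

## Prerequisites

Before starting the setup, refer to the [Netbird documentation](https://docs.netbird.io/selfhosted/identity-providers#okta) to configure your Okta Identity Provider and generate the necessary parameters:

- `idpClientID`
- `oktaApiToken`
- `idpNativeAppClientID`

## Kubernetes Secret Configuration

This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:

- `idpClientID`: `xxxxxx` # The `clientId` from the Okta netbird application.
- `oktaApiToken`: `xxxxxx` # The Okta API token with permission to read the Okta directory. It is a long-lived credential with directory-wide read access: issue it for a dedicated read-only administrator, never a super-admin, and rotate it.
- `idpNativeAppClientID`: `xxxxxx` # The `clientId` from the Okta netbird nativeapp application.
- `relayPassword`: `xxxxxx` # Shared secret between the management service (`Relay.Secret` in `management.json`) and the relay service (`NB_AUTH_SECRET`). It is the key behind the time-limited relay credentials (`Relay.CredentialsTTL`) that management issues to peers, so generate it randomly, e.g. via `openssl rand -base64 32`.
- `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`.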
- `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`.
- `turnServerUser`: `xxxxxx` # TURN server username.
- `turnServerPassword`: `xxxxxx` # TURN server password.
- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.

> **Note:** The `datastoreEncryptionKey` must also be referenced from the management ConfigMap (`management.configmap` in `values.yaml`). This example does that with the `{{ .DATASTORE_ENCRYPTION_KEY }}` placeholder, which the management service resolves from the `netbird` Secret at start-up (see `management.envFromSecret`), so the key itself never has to be written into the ConfigMap — keep it in the Secret only.

## Deployment

Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:

- `netbird-dashboard.example.com` - The Netbird dashboard.
- `netbird.example.com` - The main Netbird services (management|relay|signal).

## Additional info

Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`.

Before exposing the deployment, review the security-relevant defaults in `values.yaml`: `ReverseProxy.TrustedPeers` is `0.0.0.0/0`, which trusts forwarded-client-IP headers from any source address — keep it only if the Nginx ingress controller overwrites `X-Forwarded-For`/`X-Real-IP` itself, otherwise narrow it to the ingress CIDR; `TURNConfig.Secret` is the placeholder `secret`, inert while `TimeBasedCredentials` is `false` but to be replaced before enabling it; `--disable-anonymous-metrics=false` keeps anonymous usage reporting enabled; and the Okta API token in the Secret is only ever referenced through the `{{ .OKTA_API_TOKEN }}` placeholder, so restrict who can read the `netbird` Secret.
43 | -------------------------------------------------------------------------------- /charts/netbird/examples/nginx-ingress/okta/values.yaml: -------------------------------------------------------------------------------- 1 | fullnameOverride: netbird 2 | management: 3 | configmap: |- 4 | { 5 | "Stuns": [ 6 | { 7 | "Proto": "udp", 8 | "URI": "{{ .STUN_SERVER }}", 9 | "Username": "", 10 | "Password": null 11 | } 12 | ], 13 | "TURNConfig": { 14 | "Turns": [ 15 | { 16 | "Proto": "udp", 17 | "URI": "{{ .TURN_SERVER }}", 18 | "Username": "{{ .TURN_SERVER_USER }}", 19 | "Password": "{{ .TURN_SERVER_PASSWORD }}" 20 | } 21 | ], 22 | "CredentialsTTL": "12h", 23 | "Secret": "secret", 24 | "TimeBasedCredentials": false 25 | }, 26 | "Relay": { 27 | "Addresses": [ 28 | "rels://netbird.example.com:443/relay" 29 | ], 30 | "CredentialsTTL": "24h", 31 | "Secret": "{{ .RELAY_PASSWORD }}" 32 | }, 33 | "Signal": { 34 | "Proto": "https", 35 | "URI": "netbird.example.com:443", 36 | "Username": "", 37 | "Password": null 38 | }, 39 | "ReverseProxy": { 40 | "TrustedHTTPProxies": [], 41 | "TrustedHTTPProxiesCount": 0, 42 | "TrustedPeers": [ 43 | "0.0.0.0/0" 44 | ] 45 | }, 46 | "Datadir": "", 47 | "DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}", 48 | "StoreConfig": { 49 | "Engine": "sqlite" 50 | }, 51 | "HttpConfig": { 52 | "Address": "0.0.0.0:33073", 53 | "AuthIssuer": "https://example.okta.com", 54 | "AuthAudience": "{{ .IDP_CLIENT_ID }}", 55 | "AuthKeysLocation": "https://example.okta.com/oauth2/v1/keys", 56 | "AuthUserIDClaim": "", 57 | "IdpSignKeyRefreshEnabled": false, 58 | "OIDCConfigEndpoint": "https://example.okta.com/.well-known/openid-configuration" 59 | }, 60 | "IdpManagerConfig": { 61 | "ManagerType": "okta", 62 | "ClientConfig": { 63 | "Issuer": "https://example.okta.com", 64 | "TokenEndpoint": "https://example.okta.com/oauth2/v1/token", 65 | "ClientID": "{{ .IDP_CLIENT_ID }}", 66 | "ClientSecret": "", 67 | "GrantType": "client_credentials" 68 | }, 69 | 
"ExtraConfig": { 70 | "ApiToken": "{{ .OKTA_API_TOKEN }}" 71 | }, 72 | "Auth0ClientCredentials": null, 73 | "AzureClientCredentials": null, 74 | "KeycloakClientCredentials": null, 75 | "ZitadelClientCredentials": null 76 | }, 77 | "DeviceAuthorizationFlow": { 78 | "Provider": "hosted", 79 | "ProviderConfig": { 80 | "Audience": "{{ .IDP_NATIVEAPP_CLIENT_ID }}", 81 | "AuthorizationEndpoint": "", 82 | "Domain": "", 83 | "ClientID": "nativeclientid", 84 | "ClientSecret": "", 85 | "TokenEndpoint": "https://example.okta.com/oauth2/v1/token", 86 | "DeviceAuthEndpoint": "https://example.okta.com/oauth2/v1/device/authorize", 87 | "Scope": "openid email groups", 88 | "UseIDToken": true, 89 | "RedirectURLs": null 90 | } 91 | }, 92 | "PKCEAuthorizationFlow": { 93 | "ProviderConfig": { 94 | "Audience": "{{ .IDP_CLIENT_ID }}", 95 | "ClientID": "{{ .IDP_CLIENT_ID }}", 96 | "ClientSecret": "", 97 | "Domain": "", 98 | "AuthorizationEndpoint": "https://example.okta.com/oauth2/v1/authorize", 99 | "TokenEndpoint": "https://example.okta.com/oauth2/v1/token", 100 | "Scope": "openid profile email groups", 101 | "RedirectURLs": [ 102 | "http://localhost:53000" 103 | ], 104 | "UseIDToken": true 105 | } 106 | } 107 | } 108 | 109 | envFromSecret: 110 | STUN_SERVER: netbird/stunServer 111 | TURN_SERVER: netbird/turnServer 112 | TURN_SERVER_USER: netbird/turnServerUser 113 | TURN_SERVER_PASSWORD: netbird/turnServerPassword 114 | RELAY_PASSWORD: netbird/relayPassword 115 | DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey 116 | IDP_CLIENT_ID: netbird/idpClientID 117 | OKTA_API_TOKEN: netbird/oktaApiToken 118 | IDP_NATIVEAPP_CLIENT_ID: netbird/idpNativeAppClientID 119 | 120 | podCommand: 121 | args: 122 | - --port=80 123 | - --log-file=console 124 | - --log-level=info 125 | - --disable-anonymous-metrics=false 126 | - --dns-domain=netbird.selfhosted 127 | 128 | image: 129 | tag: 0.32.0 130 | 131 | ingress: 132 | enabled: true 133 | className: nginx 134 | annotations: 135 | 
cert-manager.io/cluster-issuer: letsencrypt-prod 136 | hosts: 137 | - host: netbird.example.com 138 | paths: 139 | - path: /api 140 | pathType: ImplementationSpecific 141 | tls: 142 | - secretName: netbird-api-tls 143 | hosts: 144 | - netbird.example.com 145 | ingressGrpc: 146 | enabled: true 147 | className: nginx 148 | annotations: 149 | cert-manager.io/cluster-issuer: letsencrypt-prod 150 | nginx.ingress.kubernetes.io/backend-protocol: GRPC 151 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 152 | nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" 153 | nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" 154 | hosts: 155 | - host: netbird.example.com 156 | paths: 157 | - path: /management.ManagementService 158 | pathType: ImplementationSpecific 159 | tls: 160 | - secretName: netbird-grpc-tls 161 | hosts: 162 | - netbird.example.com 163 | persistentVolume: 164 | enabled: true 165 | useBackwardsGrpcService: true 166 | signal: 167 | image: 168 | tag: 0.32.0 169 | ingress: 170 | enabled: true 171 | className: nginx 172 | annotations: 173 | cert-manager.io/cluster-issuer: letsencrypt-prod 174 | nginx.ingress.kubernetes.io/backend-protocol: GRPC 175 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 176 | nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" 177 | nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" 178 | hosts: 179 | - host: netbird.example.com 180 | paths: 181 | - path: /signalexchange.SignalExchange 182 | pathType: ImplementationSpecific 183 | tls: 184 | - secretName: netbird-signal-tls 185 | hosts: 186 | - netbird.example.com 187 | relay: 188 | resources: 189 | requests: 190 | cpu: 300m 191 | memory: 128Mi 192 | limits: 193 | cpu: 1000m 194 | memory: 128Mi 195 | image: 196 | tag: 0.32.0 197 | ingress: 198 | enabled: true 199 | className: nginx 200 | annotations: 201 | cert-manager.io/cluster-issuer: letsencrypt-prod 202 | hosts: 203 | - host: netbird.example.com 204 | paths: 205 | - path: /relay 206 | pathType: ImplementationSpecific 
207 | tls: 208 | - secretName: netbird-relay-tls 209 | hosts: 210 | - netbird.example.com 211 | 212 | envFromSecret: 213 | NB_AUTH_SECRET: netbird/relayPassword 214 | 215 | env: 216 | NB_LOG_LEVEL: info 217 | NB_LISTEN_ADDRESS: ":33080" 218 | NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay 219 | 220 | dashboard: 221 | enabled: true 222 | ingress: 223 | enabled: true 224 | className: nginx 225 | annotations: 226 | cert-manager.io/cluster-issuer: letsencrypt-prod 227 | hosts: 228 | - host: netbird-dashboard.example.com 229 | paths: 230 | - path: / 231 | pathType: ImplementationSpecific 232 | tls: 233 | - secretName: netbird-dashboard-tls 234 | hosts: 235 | - netbird-dashboard.example.com 236 | image: 237 | tag: v2.9.0 238 | env: 239 | # Endpoints 240 | NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443 241 | NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443 242 | # OIDC 243 | AUTH_CLIENT_SECRET: 244 | AUTH_AUTHORITY: https://example.okta.com 245 | USE_AUTH0: "false" 246 | AUTH_SUPPORTED_SCOPES: openid profile email groups 247 | AUTH_REDIRECT_URI: /auth 248 | AUTH_SILENT_REDIRECT_URI: /silent-auth 249 | NETBIRD_TOKEN_SOURCE: idToken 250 | # SSL 251 | NGINX_SSL_PORT: 252 | # Letsencrypt 253 | LETSENCRYPT_DOMAIN: 254 | LETSENCRYPT_EMAIL: 255 | 256 | envFromSecret: 257 | AUTH_CLIENT_ID: netbird/idpClientID 258 | AUTH_AUDIENCE: netbird/idpNativeAppClientID 259 | -------------------------------------------------------------------------------- /charts/netbird/examples/traefik-ingress/authentik/README.md: -------------------------------------------------------------------------------- 1 | # Netbird Self-Hosted Setup 2 | 3 | This example provides a fully configured and tested setup for deploying Netbird using the following components: 4 | 5 | - **Ingress Controller**: Traefik 6 | - **Database Storage**: External PostgreSQL 7 | - **Identity Provider**: Authentik 8 | 9 | ## Prerequisites 10 | 11 | Before starting the setup, refer to the [Netbird 
documentation](https://docs.netbird.io/selfhosted/identity-providers#authentik) to configure your Authentik Identity Provider and generate the necessary parameters: 12 | 13 | - `idpClientID` 14 | - `idpServiceAccountUser` 15 | - `idpServiceAccountPassword` 16 | 17 | ## Kubernetes Secret Configuration 18 | 19 | This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs: 20 | 21 | - `idpClientID`: `xxxxxx` # The `clientId` from the Authentik application. 22 | - `idpServiceAccountPassword`: `xxxxxx` # Service account password from Authentik. 23 | - `idpServiceAccountUser`: `xxxxxx` # Service account user from Authentik. 24 | - `postgresDSN`: `xxxxxx` # PostgreSQL DSN, e.g., `postgresql://netbird:xxx0@192.168.1.20:5432/netbird`. 25 | - `relayPassword`: `xxxxxx` # Password used to secure communication between peers in the relay service. 26 | - `stunServer`: `xxxxxx` # STUN server URL, e.g., `stun:stun.myexample.com:3478`. 27 | - `turnServer`: `xxxxxx` # TURN server URL, e.g., `turn:turn.myexample.com:3478`. 28 | - `turnServerUser`: `xxxxxx` # TURN server username. 29 | - `turnServerPassword`: `xxxxxx` # TURN server password. 30 | - `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`. 31 | 32 | > **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup. 33 | 34 | ## Deployment 35 | 36 | Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints: 37 | 38 | - `netbird.example.com` - The main Netbird services (dashboard|management|relay|signal). 39 | 40 | ## Additional info 41 | 42 | Starting with Netbird v0.30.1, the platform supports reading environment variables directly within the `management.json` file. 
In this example, we leverage this feature by defining environment variables in the following format: `{{ .EnvVarName }}`. 43 | -------------------------------------------------------------------------------- /charts/netbird/examples/traefik-ingress/authentik/values.yaml: -------------------------------------------------------------------------------- 1 | fullnameOverride: netbird 2 | management: 3 | configmap: |- 4 | { 5 | "Stuns": [ 6 | { 7 | "Proto": "udp", 8 | "URI": "{{ .STUN_SERVER }}", 9 | "Username": "", 10 | "Password": "" 11 | } 12 | ], 13 | "TURNConfig": { 14 | "TimeBasedCredentials": false, 15 | "CredentialsTTL": "12h0m0s", 16 | "Secret": "secret", 17 | "Turns": [ 18 | { 19 | "Proto": "udp", 20 | "URI": "{{ .TURN_SERVER }}", 21 | "Username": "{{ .TURN_SERVER_USER }}", 22 | "Password": "{{ .TURN_SERVER_PASSWORD }}" 23 | } 24 | ] 25 | }, 26 | "Relay": { 27 | "Addresses": ["rels://netbird.example.com:443/relay"], 28 | "CredentialsTTL": "24h", 29 | "Secret": "{{ .RELAY_PASSWORD }}" 30 | }, 31 | "Signal": { 32 | "Proto": "https", 33 | "URI": "netbird.example.com:443", 34 | "Username": "", 35 | "Password": "" 36 | }, 37 | "Datadir": "/var/lib/netbird/", 38 | "DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}", 39 | "HttpConfig": { 40 | "LetsEncryptDomain": "", 41 | "CertFile": "", 42 | "CertKey": "", 43 | "AuthAudience": "{{ .IDP_CLIENT_ID }}", 44 | "AuthIssuer": "https://idp.example.com/application/o/netbird/", 45 | "AuthUserIDClaim": "", 46 | "AuthKeysLocation": "https://idp.example.com/application/o/netbird/jwks/", 47 | "OIDCConfigEndpoint": "https://idp.example.com/application/o/netbird/.well-known/openid-configuration", 48 | "IdpSignKeyRefreshEnabled": false 49 | }, 50 | "IdpManagerConfig": { 51 | "ManagerType": "authentik", 52 | "ClientConfig": { 53 | "Issuer": "https://idp.example.com/application/o/totmicro-traefik-netbird", 54 | "TokenEndpoint": "https://idp.example.com/application/o/token/", 55 | "ClientID": "{{ .IDP_CLIENT_ID }}", 56 | 
"ClientSecret": "", 57 | "GrantType": "client_credentials" 58 | }, 59 | "ExtraConfig": { 60 | "Password": "{{ .IDP_SERVICE_ACCOUNT_PASSWORD }}", 61 | "Username": "{{ .IDP_SERVICE_ACCOUNT_USER }}" 62 | }, 63 | "Auth0ClientCredentials": null, 64 | "AzureClientCredentials": null, 65 | "KeycloakClientCredentials": null, 66 | "ZitadelClientCredentials": null 67 | }, 68 | "DeviceAuthorizationFlow": { 69 | "Provider": "hosted", 70 | "ProviderConfig": { 71 | "ClientID": "{{ .IDP_CLIENT_ID }}", 72 | "ClientSecret": "", 73 | "Domain": "idp.example.com", 74 | "Audience": "{{ .IDP_CLIENT_ID }}", 75 | "TokenEndpoint": "https://idp.example.com/application/o/token/", 76 | "DeviceAuthEndpoint": "https://idp.example.com/application/o/device/", 77 | "AuthorizationEndpoint": "", 78 | "Scope": "openid", 79 | "UseIDToken": false, 80 | "RedirectURLs": null 81 | } 82 | }, 83 | "PKCEAuthorizationFlow": { 84 | "ProviderConfig": { 85 | "ClientID": "{{ .IDP_CLIENT_ID }}", 86 | "ClientSecret": "", 87 | "Domain": "", 88 | "Audience": "{{ .IDP_CLIENT_ID }}", 89 | "TokenEndpoint": "https://idp.example.com/application/o/token/", 90 | "DeviceAuthEndpoint": "", 91 | "AuthorizationEndpoint": "https://idp.example.com/application/o/authorize/", 92 | "Scope": "openid profile email offline_access api", 93 | "UseIDToken": false, 94 | "RedirectURLs": ["http://localhost:53000"] 95 | } 96 | }, 97 | "StoreConfig": { 98 | "Engine": "postgres" 99 | }, 100 | "ReverseProxy": { 101 | "TrustedHTTPProxies": null, 102 | "TrustedHTTPProxiesCount": 0, 103 | "TrustedPeers": null 104 | } 105 | } 106 | 107 | image: 108 | tag: 0.32.0 109 | persistentVolume: 110 | enabled: false 111 | envFromSecret: 112 | NETBIRD_STORE_ENGINE_POSTGRES_DSN: netbird/postgresDSN 113 | STUN_SERVER: netbird/stunServer 114 | TURN_SERVER: netbird/turnServer 115 | TURN_SERVER_USER: netbird/turnServerUser 116 | TURN_SERVER_PASSWORD: netbird/turnServerPassword 117 | RELAY_PASSWORD: netbird/relayPassword 118 | IDP_CLIENT_ID: netbird/idpClientID 119 | 
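IDP_SERVICE_ACCOUNT_USER: netbird/idpServiceAccountUser
IDP_SERVICE_ACCOUNT_PASSWORD: netbird/idpServiceAccountPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey

signal:
  image:
    tag: 0.32.0

relay:
  image:
    tag: 0.32.0
  envFromSecret:
    # Same secret key the management configmap reads as RELAY_PASSWORD (Relay.Secret),
    # so management and relay share one relay secret.
    NB_AUTH_SECRET: netbird/relayPassword
  env:
    NB_LOG_LEVEL: info
    NB_LISTEN_ADDRESS: ":33080"
    # Must match Relay.Addresses in the management configmap.
    NB_EXPOSED_ADDRESS: rels://netbird.example.com:443/relay

dashboard:
  enabled: true
  image:
    tag: v2.9.0
  env:
    # Endpoints
    NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com:443
    NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com:443
    # OIDC - no client secret is configured here; client ID and audience are taken
    # from the Kubernetes secret referenced under envFromSecret below.
    AUTH_CLIENT_SECRET:
    AUTH_AUTHORITY: https://idp.example.com/application/o/netbird/
    USE_AUTH0: false
    AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
    AUTH_REDIRECT_URI:
    AUTH_SILENT_REDIRECT_URI:
    NETBIRD_TOKEN_SOURCE: accessToken
    NGINX_SSL_PORT:
    LETSENCRYPT_DOMAIN:
    LETSENCRYPT_EMAIL:
  envFromSecret:
    AUTH_CLIENT_ID: netbird/idpClientID
    AUTH_AUDIENCE: netbird/idpClientID

extraManifests:
  # Traefik routing for the single public host.
  # Backend Service names follow `fullnameOverride: netbird` at the top of this file:
  # the chart names its Services <fullname>-dashboard and <fullname>-management
  # (see the templates); relay and signal follow the same pattern - confirm with
  # `helm template` if in doubt. `namespace` must be the namespace the release is
  # installed into. The TLS secret is not created by this values file; provision it separately.
  - apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: netbird-traefik
      labels:
        argocd.argoproj.io/instance: netbird-traefik
    spec:
      entryPoints:
        - websecure
      routes:
        # Everything that is not an API, gRPC or relay path is served by the dashboard.
        - kind: Rule
          match: Host(`netbird.example.com`) && !PathPrefix(`/api`) && !PathPrefix(`/management`) && !PathPrefix(`/signalexchange`) && !PathPrefix(`/relay`)
          services:
            - name: netbird-dashboard
              namespace: netbird-traefik
              passHostHeader: true
              port: 80
        - kind: Rule
          match: Host(`netbird.example.com`) && PathPrefix(`/api`)
          services:
            - name: netbird-management
              namespace: netbird-traefik
              passHostHeader: true
              port: 80
        - kind: Rule
          match: Host(`netbird.example.com`) && PathPrefix(`/relay`)
          services:
            - name: netbird-relay
              namespace: netbird-traefik
              passHostHeader: true
              port: 33080
        # gRPC backends: Traefik terminates client TLS with the secret under `tls` and
        # speaks cleartext HTTP/2 (h2c) to the pods.
        - kind: Rule
          match: Host(`netbird.example.com`) && PathPrefix(`/management`)
          services:
            - name: netbird-management
              namespace: netbird-traefik
              passHostHeader: true
              port: 80
              scheme: h2c
        - kind: Rule
          match: Host(`netbird.example.com`) && PathPrefix(`/signalexchange`)
          services:
            - name: netbird-signal
              namespace: netbird-traefik
              passHostHeader: true
              port: 80
              scheme: h2c
      tls:
        secretName: netbird-tls
-------------------------------------------------------------------------------- /charts/netbird/templates/_helpers.tpl: --------------------------------------------------------------------------------
{{/*
Expand the name of the chart.
*/}}
{{- define "netbird.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "netbird.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.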
*/}}
{{- define "netbird.chart" -}}
{{- /* Label values may not contain "+", so build metadata in the version is rewritten to "_". */ -}}
{{- $chartRef := printf "%s-%s" .Chart.Name .Chart.Version -}}
{{- $chartRef | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels: chart reference, app version (only when the chart declares one)
and the managing tool. Selector labels are not part of this set.
*/}}
{{- define "netbird.common.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ . | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Management labels: chart reference, the management selector labels,
app version (when declared) and the managing tool.
*/}}
{{- define "netbird.management.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.management.selectorLabels" . }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ . | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Signal labels: same shape as the management labels, with the signal selector labels.
*/}}
{{- define "netbird.signal.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.signal.selectorLabels" . }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ . | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Relay labels: same shape as the management labels, with the relay selector labels.
*/}}
{{- define "netbird.relay.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.relay.selectorLabels" . }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ . | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Dashboard labels: chart reference, the dashboard selector labels and the managing tool.
Unlike the other component helpers this one emits no app.kubernetes.io/version label.
*/}}
{{- define "netbird.dashboard.labels" -}}
helm.sh/chart: {{ include "netbird.chart" . }}
{{ include "netbird.dashboard.selectorLabels" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Management selector labels. These are used in Deployment/Service selectors,
so their values must stay stable across chart versions.
*/}}
{{- define "netbird.management.selectorLabels" -}}
app.kubernetes.io/name: {{ printf "%s-management" (include "netbird.name" .) }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Signal selector labels (see the management selector labels for the stability note).
*/}}
{{- define "netbird.signal.selectorLabels" -}}
app.kubernetes.io/name: {{ printf "%s-signal" (include "netbird.name" .) }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Relay selector labels (see the management selector labels for the stability note).
*/}}
{{- define "netbird.relay.selectorLabels" -}}
app.kubernetes.io/name: {{ printf "%s-relay" (include "netbird.name" .) }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Dashboard selector labels (see the management selector labels for the stability note).
*/}}
{{- define "netbird.dashboard.selectorLabels" -}}
app.kubernetes.io/name: {{ printf "%s-dashboard" (include "netbird.name" .) }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Name of the management service account: the configured name if set, otherwise
"<fullname>-management" when the chart creates the account and "default" when it does not.
*/}}
{{- define "netbird.management.serviceAccountName" -}}
{{- if .Values.management.serviceAccount.create }}
{{- .Values.management.serviceAccount.name | default (printf "%s-management" (include "netbird.fullname" .)) }}
{{- else }}
{{- .Values.management.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}

{{/*
Name of the signal service account: the configured name if set, otherwise
"<fullname>-signal" when the chart creates the account and "default" when it does not.
*/}}
{{- define "netbird.signal.serviceAccountName" -}}
{{- if .Values.signal.serviceAccount.create }}
{{- .Values.signal.serviceAccount.name | default (printf "%s-signal" (include "netbird.fullname" .)) }}
{{- else }}
{{- .Values.signal.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}

{{/*
Create the name of
the relay service account to use 147 | */}} 148 | {{- define "netbird.relay.serviceAccountName" -}} 149 | {{- if .Values.relay.serviceAccount.create }} 150 | {{- default (printf "%s-relay" (include "netbird.fullname" .)) .Values.relay.serviceAccount.name }} 151 | {{- else }} 152 | {{- default "default" .Values.relay.serviceAccount.name }} 153 | {{- end }} 154 | {{- end }} 155 | 156 | {{/* 157 | Create the name of the dashboard service account to use 158 | */}} 159 | {{- define "netbird.dashboard.serviceAccountName" -}} 160 | {{- if .Values.dashboard.serviceAccount.create }} 161 | {{- default (printf "%s-dashboard" (include "netbird.fullname" .)) .Values.dashboard.serviceAccount.name }} 162 | {{- else }} 163 | {{- default "default" .Values.dashboard.serviceAccount.name }} 164 | {{- end }} 165 | {{- end }} 166 | 167 | {{/* 168 | Allow the release namespace to be overridden 169 | */}} 170 | {{- define "netbird.namespace" -}} 171 | {{- default .Release.Namespace .Values.global.namespace -}} 172 | {{- end -}} 173 | 174 | -------------------------------------------------------------------------------- /charts/netbird/templates/dashboard-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.dashboard.enabled -}} 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "netbird.fullname" . }}-dashboard 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.dashboard.labels" . | nindent 4 }} 10 | spec: 11 | replicas: {{ .Values.dashboard.replicaCount }} 12 | selector: 13 | matchLabels: 14 | {{- include "netbird.dashboard.selectorLabels" . | nindent 6 }} 15 | template: 16 | metadata: 17 | {{- with .Values.dashboard.podAnnotations }} 18 | annotations: 19 | {{- toYaml . | nindent 8 }} 20 | {{- end }} 21 | labels: 22 | {{- include "netbird.dashboard.selectorLabels" . 
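| nindent 8 }}
    spec:
      {{- with .Values.dashboard.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "netbird.dashboard.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.dashboard.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          {{- /* Optional shell entrypoint. `with` keeps rendering from failing when
                 dashboard.podCommand is unset; each arg is quoted so values containing
                 YAML-significant characters (":", "#", "*") cannot break the manifest. */ -}}
          {{- with .Values.dashboard.podCommand }}
          {{- if .args }}
          command: ["/bin/sh", "-c"]
          args:
          {{- range .args }}
            - {{ . | quote }}
          {{- end }}
          {{- end }}
          {{- end }}
          securityContext:
            {{- toYaml .Values.dashboard.securityContext | nindent 12 }}
          image: "{{ .Values.dashboard.image.repository }}:{{ .Values.dashboard.image.tag }}"
          imagePullPolicy: {{ .Values.dashboard.image.pullPolicy }}
          {{- if or (.Values.dashboard.env) (.Values.dashboard.envRaw) (.Values.dashboard.envFromSecret) }}
          env:
          {{- /* Plain values are quoted so booleans/numbers render as the strings the container expects. */ -}}
          {{- range $key, $val := .Values.dashboard.env }}
            - name: {{ $key }}
              value: {{ $val | quote }}
          {{- end }}
          {{- with .Values.dashboard.envRaw }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- /* envFromSecret entries are "<secret name>/<key>"; only the reference is rendered,
                 the secret value itself never appears in the manifest. */ -}}
          {{- range $key, $val := .Values.dashboard.envFromSecret }}
            - name: {{ $key }}
              valueFrom:
                secretKeyRef:
                  name: {{ (split "/" $val)._0 }}
                  key: {{ (split "/" $val)._1 }}
          {{- end }}
          {{- end }}
          {{- with .Values.dashboard.lifecycle }}
          lifecycle: {{ toYaml . | nindent 12 }}
          {{- end }}
          ports:
            - name: http
              containerPort: {{ .Values.dashboard.containerPort }}
              protocol: TCP
          {{- if .Values.dashboard.livenessProbe }}
          {{- with .Values.dashboard.livenessProbe }}
          livenessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- end }}
          {{- if .Values.dashboard.readinessProbe }}
          {{- with .Values.dashboard.readinessProbe }}
          readinessProbe:
            {{- toYaml .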
| nindent 12 }} 80 | {{- end }} 81 | {{- end }} 82 | resources: 83 | {{- toYaml .Values.dashboard.resources | nindent 12 }} 84 | {{- if .Values.dashboard.volumeMounts }} 85 | volumeMounts: 86 | {{- .Values.dashboard.volumeMounts | toYaml | nindent 12 }} 87 | {{- end }} 88 | {{- if .Values.dashboard.volumes }} 89 | volumes: 90 | {{- .Values.dashboard.volumes | toYaml | nindent 8 }} 91 | {{- end }} 92 | {{- with .Values.dashboard.nodeSelector }} 93 | nodeSelector: 94 | {{- toYaml . | nindent 8 }} 95 | {{- end }} 96 | {{- with .Values.dashboard.affinity }} 97 | affinity: 98 | {{- toYaml . | nindent 8 }} 99 | {{- end }} 100 | {{- with .Values.dashboard.tolerations }} 101 | tolerations: 102 | {{- toYaml . | nindent 8 }} 103 | {{- end }} 104 | {{- end }} 105 | -------------------------------------------------------------------------------- /charts/netbird/templates/dashboard-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.dashboard.enabled -}} 2 | {{- if .Values.dashboard.ingress.enabled -}} 3 | {{- $fullName := printf "%s-dashboard" (include "netbird.fullname" .) -}} 4 | {{- $svcPort := .Values.dashboard.service.port -}} 5 | 6 | apiVersion: networking.k8s.io/v1 7 | kind: Ingress 8 | metadata: 9 | name: {{ $fullName }} 10 | namespace: {{ include "netbird.namespace" . }} 11 | labels: 12 | {{- include "netbird.dashboard.labels" . | nindent 4 }} 13 | {{- with .Values.dashboard.ingress.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | ingressClassName: {{ .Values.dashboard.ingress.className }} 19 | {{- if .Values.dashboard.ingress.tls }} 20 | tls: 21 | {{- range .Values.dashboard.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . 
| quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.dashboard.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ .path }} 36 | pathType: {{ .pathType }} 37 | backend: 38 | service: 39 | name: {{ $fullName }} 40 | port: 41 | number: {{ $svcPort }} 42 | {{- end }} 43 | {{- end }} 44 | {{- end }} 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /charts/netbird/templates/dashboard-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.dashboard.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "netbird.fullname" . }}-dashboard 6 | namespace: {{ include "netbird.namespace" . }} 7 | labels: 8 | {{- include "netbird.dashboard.labels" . | nindent 4 }} 9 | spec: 10 | type: {{ .Values.dashboard.service.type }} 11 | ports: 12 | - port: {{ .Values.dashboard.service.port }} 13 | targetPort: http 14 | protocol: TCP 15 | name: http 16 | selector: 17 | {{- include "netbird.dashboard.selectorLabels" . | nindent 4 }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/netbird/templates/dashboard-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.dashboard.enabled -}} 2 | {{- if .Values.dashboard.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "netbird.dashboard.serviceAccountName" . }} 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.dashboard.labels" . | nindent 4 }} 10 | {{- with .Values.dashboard.serviceAccount.annotations }} 11 | annotations: 12 | {{- toYaml . 
| nindent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-cm.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.management.enabled -}} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "netbird.fullname" . }}-management 6 | namespace: {{ include "netbird.namespace" . }} 7 | labels: 8 | {{- include "netbird.management.labels" . | nindent 4 }} 9 | data: 10 | management.json: |- 11 | {{- .Values.management.configmap | nindent 4 }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.management.enabled -}} 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "netbird.fullname" . }}-management 7 | namespace: {{ include "netbird.namespace" . }} 8 | {{- with .Values.management.deploymentAnnotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | labels: 13 | {{- include "netbird.management.labels" . | nindent 4 }} 14 | spec: 15 | replicas: {{ .Values.management.replicaCount }} 16 | selector: 17 | matchLabels: 18 | {{- include "netbird.management.selectorLabels" . | nindent 6 }} 19 | template: 20 | metadata: 21 | annotations: 22 | checksum/config: {{ include (print .Template.BasePath "/management-cm.yaml") . | sha256sum }} 23 | {{- with .Values.management.podAnnotations }} 24 | {{- toYaml . | nindent 8 }} 25 | {{- end }} 26 | labels: 27 | {{- include "netbird.management.selectorLabels" . | nindent 8 }} 28 | spec: 29 | {{- with .Values.management.imagePullSecrets }} 30 | imagePullSecrets: 31 | {{- toYaml . | nindent 8 }} 32 | {{- end }} 33 | serviceAccountName: {{ include "netbird.management.serviceAccountName" . 
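}}
      securityContext:
        {{- toYaml .Values.management.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}-management
          securityContext:
            {{- toYaml .Values.management.securityContext | nindent 12 }}
          {{- /* The image tag falls back to the chart's appVersion when not set in values. */ -}}
          image: "{{ .Values.management.image.repository }}:{{ .Values.management.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.management.image.pullPolicy }}
          {{- /* Each arg is quoted so values containing YAML-significant characters
                 (":", "#", "*") or bare numbers cannot break the manifest. */ -}}
          {{- if hasKey .Values.management.podCommand "args" }}
          args:
          {{- range .Values.management.podCommand.args }}
            - {{ . | quote }}
          {{- end }}
          {{- end }}
          {{- if or (.Values.management.env) (.Values.management.envRaw) (.Values.management.envFromSecret) }}
          env:
          {{- /* Plain values are quoted so booleans/numbers render as the strings the container expects. */ -}}
          {{- range $key, $val := .Values.management.env }}
            - name: {{ $key }}
              value: {{ $val | quote }}
          {{- end }}
          {{- with .Values.management.envRaw }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- /* envFromSecret entries are "<secret name>/<key>"; only the reference is rendered,
                 the secret value itself never appears in the manifest. */ -}}
          {{- range $key, $val := .Values.management.envFromSecret }}
            - name: {{ $key }}
              valueFrom:
                secretKeyRef:
                  name: {{ (split "/" $val)._0 }}
                  key: {{ (split "/" $val)._1 }}
          {{- end }}
          {{- end }}
          {{- with .Values.management.lifecycle }}
          lifecycle: {{ toYaml . | nindent 12 }}
          {{- end }}
          ports:
            - name: http
              containerPort: {{ .Values.management.containerPort }}
              protocol: TCP
            - name: grpc
              containerPort: {{ .Values.management.grpcContainerPort }}
              protocol: TCP
            - name: metrics
              containerPort: {{ .Values.management.metrics.port }}
              protocol: TCP
          {{- if .Values.management.livenessProbe }}
          {{- with .Values.management.livenessProbe }}
          livenessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- end }}
          {{- if .Values.management.readinessProbe }}
          {{- with .Values.management.readinessProbe }}
          readinessProbe:
            {{- toYaml .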
| nindent 12 }} 90 | {{- end }} 91 | {{- end }} 92 | resources: 93 | {{- toYaml .Values.management.resources | nindent 12 }} 94 | volumeMounts: 95 | - mountPath: /etc/netbird 96 | name: config 97 | - mountPath: /var/lib/netbird 98 | name: management 99 | {{- if .Values.management.volumeMounts }} 100 | {{- .Values.management.volumeMounts | toYaml | nindent 12 }} 101 | {{- end }} 102 | {{- with .Values.management.nodeSelector }} 103 | nodeSelector: 104 | {{- toYaml . | nindent 8 }} 105 | {{- end }} 106 | {{- with .Values.management.affinity }} 107 | affinity: 108 | {{- toYaml . | nindent 8 }} 109 | {{- end }} 110 | {{- with .Values.management.tolerations }} 111 | tolerations: 112 | {{- toYaml . | nindent 8 }} 113 | {{- end }} 114 | volumes: 115 | - name: config 116 | configMap: 117 | name: {{ include "netbird.fullname" . }}-management 118 | - name: management 119 | {{- if .Values.management.persistentVolume.enabled }} 120 | persistentVolumeClaim: 121 | claimName: {{ include "netbird.fullname" . }}-management 122 | {{- else }} 123 | emptyDir: {} 124 | {{- end }} 125 | {{- if .Values.management.volumes }} 126 | {{- .Values.management.volumes | toYaml | nindent 8 }} 127 | {{- end }} 128 | {{- end -}} 129 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-ingress-grpc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.management.enabled -}} 2 | {{- if .Values.management.ingressGrpc.enabled -}} 3 | {{- $fullName := printf "%s-management-grpc" (include "netbird.fullname" .) -}} 4 | {{- $useBackwardsGrpcService := .Values.management.useBackwardsGrpcService -}} 5 | {{- $svcNameGrpc := printf "%s-management-grpc" (include "netbird.fullname" .) -}} 6 | {{- $svcPortGrpc := .Values.management.serviceGrpc.port -}} 7 | {{- $svcName := printf "%s-management" (include "netbird.fullname" .) 
-}} 8 | {{- $svcPort := .Values.management.service.port -}} 9 | apiVersion: networking.k8s.io/v1 10 | kind: Ingress 11 | metadata: 12 | name: {{ $fullName }} 13 | namespace: {{ include "netbird.namespace" . }} 14 | labels: 15 | {{- include "netbird.management.labels" . | nindent 4 }} 16 | {{- with .Values.management.ingressGrpc.annotations }} 17 | annotations: 18 | {{- toYaml . | nindent 4 }} 19 | {{- end }} 20 | spec: 21 | ingressClassName: {{ .Values.management.ingressGrpc.className }} 22 | {{- if .Values.management.ingressGrpc.tls }} 23 | tls: 24 | {{- range .Values.management.ingressGrpc.tls }} 25 | - hosts: 26 | {{- range .hosts }} 27 | - {{ . | quote }} 28 | {{- end }} 29 | secretName: {{ .secretName }} 30 | {{- end }} 31 | {{- end }} 32 | rules: 33 | {{- range .Values.management.ingressGrpc.hosts }} 34 | - host: {{ .host | quote }} 35 | http: 36 | paths: 37 | {{- range .paths }} 38 | - path: {{ .path }} 39 | pathType: {{ .pathType }} 40 | backend: 41 | service: 42 | name: {{ if $useBackwardsGrpcService }}{{ $svcNameGrpc }}{{ else }}{{ $svcName }}{{ end }} 43 | port: 44 | number: {{ if $useBackwardsGrpcService }}{{ $svcPortGrpc }}{{ else }}{{ $svcPort }}{{ end }} 45 | {{- end }} 46 | {{- end }} 47 | {{- end }} 48 | {{- end }} 49 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.management.enabled -}} 2 | {{- if .Values.management.ingress.enabled -}} 3 | {{- $fullName := printf "%s-management" (include "netbird.fullname" .) -}} 4 | {{- $svcPort := .Values.management.service.port -}} 5 | apiVersion: networking.k8s.io/v1 6 | kind: Ingress 7 | metadata: 8 | name: {{ $fullName }} 9 | namespace: {{ include "netbird.namespace" . }} 10 | labels: 11 | {{- include "netbird.management.labels" . 
| nindent 4 }} 12 | {{- with .Values.management.ingress.annotations }} 13 | annotations: 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | spec: 17 | ingressClassName: {{ .Values.management.ingress.className }} 18 | {{- if .Values.management.ingress.tls }} 19 | tls: 20 | {{- range .Values.management.ingress.tls }} 21 | - hosts: 22 | {{- range .hosts }} 23 | - {{ . | quote }} 24 | {{- end }} 25 | secretName: {{ .secretName }} 26 | {{- end }} 27 | {{- end }} 28 | rules: 29 | {{- range .Values.management.ingress.hosts }} 30 | - host: {{ .host | quote }} 31 | http: 32 | paths: 33 | {{- range .paths }} 34 | - path: {{ .path }} 35 | pathType: {{ .pathType }} 36 | backend: 37 | service: 38 | name: {{ $fullName }} 39 | port: 40 | number: {{ $svcPort }} 41 | {{- end }} 42 | {{- end }} 43 | {{- end }} 44 | {{- end }} 45 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.management.enabled -}} 2 | {{- if .Values.management.persistentVolume.enabled -}} 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ include "netbird.fullname" . }}-management 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.management.labels" . 
| nindent 4 }} 10 | spec: 11 | accessModes: 12 | {{ toYaml .Values.management.persistentVolume.accessModes }} 13 | {{- if or .Values.management.persistentVolume.storageClass (eq .Values.management.persistentVolume.storageClass "") }} 14 | storageClassName: "{{ .Values.management.persistentVolume.storageClass }}" 15 | {{- end }} 16 | {{- if .Values.management.persistentVolume.existingPVName }} 17 | volumeName: "{{ .Values.management.persistentVolume.existingPVName }}" 18 | {{- end }} 19 | resources: 20 | requests: 21 | storage: "{{ .Values.management.persistentVolume.size }}" 22 | {{- end -}} 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-service-grpc.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.management.enabled .Values.management.useBackwardsGrpcService -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "netbird.fullname" . }}-management-grpc 6 | namespace: {{ include "netbird.namespace" . }} 7 | labels: 8 | {{- include "netbird.management.labels" . | nindent 4 }} 9 | spec: 10 | type: {{ .Values.management.serviceGrpc.type }} 11 | ports: 12 | - port: {{ .Values.management.serviceGrpc.port }} 13 | targetPort: {{ .Values.management.serviceGrpc.name }} 14 | protocol: TCP 15 | name: {{ .Values.management.serviceGrpc.name }} 16 | selector: 17 | {{- include "netbird.management.selectorLabels" . | nindent 4 }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.management.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "netbird.fullname" . }}-management 6 | namespace: {{ include "netbird.namespace" . 
}} 7 | labels: 8 | {{- include "netbird.management.labels" . | nindent 4 }} 9 | spec: 10 | type: {{ .Values.management.service.type }} 11 | ports: 12 | - port: {{ .Values.management.service.port }} 13 | targetPort: {{ .Values.management.service.name }} 14 | protocol: TCP 15 | name: {{ .Values.management.service.name }} 16 | {{- if .Values.management.metrics.enabled }} 17 | - port: {{ .Values.management.metrics.port }} 18 | targetPort: metrics 19 | protocol: TCP 20 | name: metrics 21 | {{- end }} 22 | selector: 23 | {{- include "netbird.management.selectorLabels" . | nindent 4 }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/netbird/templates/management-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.management.enabled -}} 2 | {{- if .Values.management.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "netbird.management.serviceAccountName" . }} 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.management.labels" . | nindent 4 }} 10 | {{- with .Values.management.serviceAccount.annotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/netbird/templates/relay-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.relay.enabled -}} 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "netbird.fullname" . }}-relay 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.relay.labels" . | nindent 4 }} 10 | spec: 11 | replicas: {{ .Values.relay.replicaCount }} 12 | selector: 13 | matchLabels: 14 | {{- include "netbird.relay.selectorLabels" . 
| nindent 6 }} 15 | template: 16 | metadata: 17 | {{- with .Values.relay.podAnnotations }} 18 | annotations: 19 | {{- toYaml . | nindent 8 }} 20 | {{- end }} 21 | labels: 22 | {{- include "netbird.relay.selectorLabels" . | nindent 8 }} 23 | spec: 24 | {{- with .Values.relay.imagePullSecrets }} 25 | imagePullSecrets: 26 | {{- toYaml . | nindent 8 }} 27 | {{- end }} 28 | serviceAccountName: {{ include "netbird.relay.serviceAccountName" . }} 29 | securityContext: 30 | {{- toYaml .Values.relay.podSecurityContext | nindent 8 }} 31 | containers: 32 | - name: {{ .Chart.Name }}-relay 33 | securityContext: 34 | {{- toYaml .Values.relay.securityContext | nindent 12 }} 35 | image: "{{ .Values.relay.image.repository }}:{{ .Values.relay.image.tag | default .Chart.AppVersion }}" 36 | imagePullPolicy: {{ .Values.relay.image.pullPolicy }} 37 | ports: 38 | - name: http 39 | containerPort: {{ .Values.relay.containerPort }} 40 | protocol: TCP 41 | - name: metrics 42 | containerPort: {{ .Values.relay.metrics.port}} 43 | protocol: TCP 44 | {{- if .Values.relay.livenessProbe }} 45 | {{- with .Values.relay.livenessProbe }} 46 | livenessProbe: 47 | {{- toYaml . | nindent 12 }} 48 | {{- end }} 49 | {{- end }} 50 | {{- if .Values.relay.readinessProbe }} 51 | {{- with .Values.relay.readinessProbe }} 52 | readinessProbe: 53 | {{- toYaml . | nindent 12 }} 54 | {{- end }} 55 | {{- end }} 56 | resources: 57 | {{- toYaml .Values.relay.resources | nindent 12 }} 58 | {{- if or (.Values.relay.env) (.Values.relay.envRaw) (.Values.relay.envFromSecret) }} 59 | env: 60 | {{- range $key, $val := .Values.relay.env }} 61 | - name: {{ $key }} 62 | value: {{ $val | quote }} 63 | {{- end }} 64 | {{- if .Values.relay.envRaw }} 65 | {{- with .Values.relay.envRaw }} 66 | {{- toYaml . 
| nindent 12 }} 67 | {{- end }} 68 | {{- end }} 69 | {{- range $key, $val := .Values.relay.envFromSecret }} 70 | - name: {{ $key }} 71 | valueFrom: 72 | secretKeyRef: 73 | name: {{ (split "/" $val)._0 }} 74 | key: {{ (split "/" $val)._1 }} 75 | {{- end }} 76 | {{- end }} 77 | {{- if .Values.relay.volumeMounts }} 78 | volumeMounts: 79 | {{- .Values.relay.volumeMounts | toYaml | nindent 12 }} 80 | {{- end }} 81 | {{- if .Values.relay.volumes }} 82 | volumes: 83 | {{- .Values.relay.volumes | toYaml | nindent 8 }} 84 | {{- end }} 85 | {{- with .Values.relay.nodeSelector }} 86 | nodeSelector: 87 | {{- toYaml . | nindent 8 }} 88 | {{- end }} 89 | {{- with .Values.relay.affinity }} 90 | affinity: 91 | {{- toYaml . | nindent 8 }} 92 | {{- end }} 93 | {{- with .Values.relay.tolerations }} 94 | tolerations: 95 | {{- toYaml . | nindent 8 }} 96 | {{- end }} 97 | {{- end }} 98 | -------------------------------------------------------------------------------- /charts/netbird/templates/relay-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.relay.enabled -}} 2 | {{- if .Values.relay.ingress.enabled -}} 3 | {{- $fullName := printf "%s-relay" (include "netbird.fullname" .) -}} 4 | {{- $svcPort := .Values.relay.service.port -}} 5 | 6 | apiVersion: networking.k8s.io/v1 7 | kind: Ingress 8 | metadata: 9 | name: {{ $fullName }} 10 | namespace: {{ include "netbird.namespace" . }} 11 | labels: 12 | {{- include "netbird.relay.labels" . | nindent 4 }} 13 | {{- with .Values.relay.ingress.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | ingressClassName: {{ .Values.relay.ingress.className }} 19 | {{- if .Values.relay.ingress.tls }} 20 | tls: 21 | {{- range .Values.relay.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . 
| quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.relay.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ .path }} 36 | pathType: {{ .pathType }} 37 | backend: 38 | service: 39 | name: {{ $fullName }} 40 | port: 41 | number: {{ $svcPort }} 42 | {{- end }} 43 | {{- end }} 44 | {{- end }} 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /charts/netbird/templates/relay-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.relay.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "netbird.fullname" . }}-relay 6 | namespace: {{ include "netbird.namespace" . }} 7 | labels: 8 | {{- include "netbird.relay.labels" . | nindent 4 }} 9 | spec: 10 | type: {{ .Values.relay.service.type }} 11 | ports: 12 | - port: {{ .Values.relay.service.port }} 13 | targetPort: {{ .Values.relay.service.name }} 14 | protocol: TCP 15 | name: {{ .Values.relay.service.name }} 16 | {{- if .Values.relay.metrics.enabled }} 17 | - port: {{ .Values.relay.metrics.port}} 18 | targetPort: metrics 19 | protocol: TCP 20 | name: metrics 21 | {{- end}} 22 | selector: 23 | {{- include "netbird.relay.selectorLabels" . | nindent 4 }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/netbird/templates/relay-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.relay.enabled -}} 2 | {{- if .Values.relay.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "netbird.relay.serviceAccountName" . }} 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.relay.labels" . 
| nindent 4 }} 10 | {{- with .Values.relay.serviceAccount.annotations }} 11 | annotations: 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/netbird/templates/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metrics.serviceMonitor.enabled}} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ include "netbird.name" . }} 6 | namespace: {{ default (include "netbird.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }} 7 | labels: 8 | {{- include "netbird.common.labels" . | nindent 4 }} 9 | {{- if .Values.metrics.serviceMonitor.labels }} 10 | {{- toYaml .Values.metrics.serviceMonitor.labels | nindent 4 }} 11 | {{- end }} 12 | app.kubernetes.io/name: {{ include "netbird.name" . }}-monitor 13 | app.kubernetes.io/instance: {{ .Release.Name }} 14 | {{- if .Values.metrics.serviceMonitor.annotations }} 15 | annotations: 16 | {{- toYaml .Values.metrics.serviceMonitor.annotations | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }} 20 | selector: 21 | matchLabels: 22 | app.kubernetes.io/instance: {{ .Release.Name }} 23 | {{- if .Values.metrics.serviceMonitor.selector }} 24 | {{- toYaml .Values.metrics.serviceMonitor.selector | nindent 6 }} 25 | {{- end }} 26 | namespaceSelector: 27 | matchNames: 28 | - {{ .Release.Namespace | quote}} 29 | endpoints: 30 | - port: metrics 31 | {{- if .Values.metrics.serviceMonitor.interval }} 32 | interval: {{ .Values.metrics.serviceMonitor.interval }} 33 | {{- end }} 34 | {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} 35 | scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} 36 | {{- end }} 37 | {{- if .Values.metrics.serviceMonitor.honorLabels }} 38 | honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} 39 | 
{{- end }} 40 | {{- if .Values.metrics.serviceMonitor.metricRelabelings }} 41 | metricRelabelings: 42 | {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} 43 | {{- end }} 44 | {{- if .Values.metrics.serviceMonitor.relabelings }} 45 | relabelings: 46 | {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }} 47 | {{- end }} 48 | {{- end }} -------------------------------------------------------------------------------- /charts/netbird/templates/signal-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.signal.enabled -}} 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "netbird.fullname" . }}-signal 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.signal.labels" . | nindent 4 }} 10 | spec: 11 | replicas: {{ .Values.signal.replicaCount }} 12 | selector: 13 | matchLabels: 14 | {{- include "netbird.signal.selectorLabels" . | nindent 6 }} 15 | template: 16 | metadata: 17 | {{- with .Values.signal.podAnnotations }} 18 | annotations: 19 | {{- toYaml . | nindent 8 }} 20 | {{- end }} 21 | labels: 22 | {{- include "netbird.signal.selectorLabels" . | nindent 8 }} 23 | spec: 24 | {{- with .Values.signal.imagePullSecrets }} 25 | imagePullSecrets: 26 | {{- toYaml . | nindent 8 }} 27 | {{- end }} 28 | serviceAccountName: {{ include "netbird.signal.serviceAccountName" . 
}} 29 | securityContext: 30 | {{- toYaml .Values.signal.podSecurityContext | nindent 8 }} 31 | containers: 32 | - name: {{ .Chart.Name }}-signal 33 | securityContext: 34 | {{- toYaml .Values.signal.securityContext | nindent 12 }} 35 | image: "{{ .Values.signal.image.repository }}:{{ .Values.signal.image.tag | default .Chart.AppVersion }}" 36 | imagePullPolicy: {{ .Values.signal.image.pullPolicy }} 37 | args: 38 | - "--port" 39 | - "{{ .Values.signal.service.port }}" 40 | - "--log-level" 41 | - "{{ .Values.signal.logLevel }}" 42 | - "--log-file" 43 | - "console" 44 | ports: 45 | - name: grpc 46 | containerPort: {{ .Values.signal.containerPort }} 47 | protocol: TCP 48 | - name: metrics 49 | containerPort: {{ .Values.signal.metrics.port }} 50 | protocol: TCP 51 | {{- if .Values.signal.livenessProbe }} 52 | {{- with .Values.signal.livenessProbe }} 53 | livenessProbe: 54 | {{- toYaml . | nindent 12 }} 55 | {{- end }} 56 | {{- end }} 57 | {{- if .Values.signal.readinessProbe }} 58 | {{- with .Values.signal.readinessProbe }} 59 | readinessProbe: 60 | {{- toYaml . | nindent 12 }} 61 | {{- end }} 62 | {{- end }} 63 | resources: 64 | {{- toYaml .Values.signal.resources | nindent 12 }} 65 | {{- if .Values.signal.volumeMounts }} 66 | volumeMounts: 67 | {{- .Values.signal.volumeMounts | toYaml | nindent 12 }} 68 | {{- end }} 69 | {{- if .Values.signal.volumes }} 70 | volumes: 71 | {{- .Values.signal.volumes | toYaml | nindent 8 }} 72 | {{- end }} 73 | {{- with .Values.signal.nodeSelector }} 74 | nodeSelector: 75 | {{- toYaml . | nindent 8 }} 76 | {{- end }} 77 | {{- with .Values.signal.affinity }} 78 | affinity: 79 | {{- toYaml . | nindent 8 }} 80 | {{- end }} 81 | {{- with .Values.signal.tolerations }} 82 | tolerations: 83 | {{- toYaml . 
| nindent 8 }} 84 | {{- end }} 85 | 86 | {{- end }} 87 | -------------------------------------------------------------------------------- /charts/netbird/templates/signal-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.signal.enabled -}} 2 | 3 | {{- if .Values.signal.ingress.enabled -}} 4 | {{- $fullName := printf "%s-signal" (include "netbird.fullname" .) -}} 5 | {{- $svcPort := .Values.signal.service.port -}} 6 | apiVersion: networking.k8s.io/v1 7 | kind: Ingress 8 | metadata: 9 | name: {{ $fullName }} 10 | namespace: {{ include "netbird.namespace" . }} 11 | labels: 12 | {{- include "netbird.signal.labels" . | nindent 4 }} 13 | {{- with .Values.signal.ingress.annotations }} 14 | annotations: 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | ingressClassName: {{ .Values.signal.ingress.className }} 19 | {{- if .Values.signal.ingress.tls }} 20 | tls: 21 | {{- range .Values.signal.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . | quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.signal.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ .path }} 36 | pathType: {{ .pathType }} 37 | backend: 38 | service: 39 | name: {{ $fullName }} 40 | port: 41 | number: {{ $svcPort }} 42 | {{- end }} 43 | {{- end }} 44 | {{- end }} 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /charts/netbird/templates/signal-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.signal.enabled -}} 2 | 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ include "netbird.fullname" . }}-signal 7 | namespace: {{ include "netbird.namespace" . }} 8 | labels: 9 | {{- include "netbird.signal.labels" . 
| nindent 4 }} 10 | spec: 11 | type: {{ .Values.signal.service.type }} 12 | ports: 13 | - port: {{ .Values.signal.service.port }} 14 | targetPort: {{ .Values.signal.service.name }} 15 | protocol: TCP 16 | name: {{ .Values.signal.service.name }} 17 | {{- if .Values.signal.metrics.enabled }} 18 | - port: {{ .Values.signal.metrics.port }} 19 | targetPort: metrics 20 | protocol: TCP 21 | name: metrics 22 | {{- end }} 23 | selector: 24 | {{- include "netbird.signal.selectorLabels" . | nindent 4 }} 25 | 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /charts/netbird/templates/signal-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.signal.enabled -}} 2 | 3 | {{- if .Values.signal.serviceAccount.create -}} 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: {{ include "netbird.signal.serviceAccountName" . }} 8 | namespace: {{ include "netbird.namespace" . }} 9 | labels: 10 | {{- include "netbird.signal.labels" . | nindent 4 }} 11 | {{- with .Values.signal.serviceAccount.annotations }} 12 | annotations: 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/netbird/templates/xtraManifests.yaml: -------------------------------------------------------------------------------- 1 | {{- range .Values.extraManifests }} 2 | --- 3 | {{ tpl (toYaml .) $ }} 4 | {{- end }} 5 | -------------------------------------------------------------------------------- /charts/netbird/values.yaml: -------------------------------------------------------------------------------- 1 | ## @section NetBird Parameters 2 | 3 | ## @param global.namespace Kubernetes namespace for the NetBird components. 4 | ## 5 | global: 6 | namespace: "" 7 | 8 | ## @param nameOverride Override the name of the chart. 
9 | ## 10 | nameOverride: "" 11 | 12 | ## @param fullnameOverride Override the full name of the chart. 13 | ## 14 | fullnameOverride: "" 15 | 16 | ## @section NetBird Management 17 | 18 | management: 19 | ## @param management.enabled Enable or disable NetBird management component. 20 | ## 21 | enabled: true 22 | 23 | ## @param management.podCommand Define the arguments for the management pod. 24 | ## 25 | podCommand: 26 | args: 27 | - --port=80 28 | - --log-file=console 29 | - --log-level=info 30 | - --disable-anonymous-metrics=false 31 | - --single-account-mode-domain=netbird.selfhosted 32 | - --dns-domain=netbird.selfhosted 33 | 34 | configmap: |- # Placeholder for ConfigMap data 35 | 36 | lifecycle: {} # Define lifecycle hooks (preStop, postStart) if needed. 37 | 38 | ## @param management.replicaCount Number of management pod replicas. 39 | ## 40 | replicaCount: 1 41 | 42 | ## @param management.env Environment variables for the management pod. 43 | ## 44 | env: {} 45 | 46 | ## @param management.envRaw Raw environment variables for the management pod. 47 | ## 48 | envRaw: [] 49 | #- name: NETBIRD_STORE_ENGINE_POSTGRES_DSN 50 | # valueFrom: 51 | # secretKeyRef: 52 | # name: netbird-management 53 | # key: postgresDSN 54 | 55 | ## @param management.envFromSecret Environment variables from secrets. 56 | ## 57 | envFromSecret: {} 58 | #ENV_VAR: secretName/secretKey 59 | 60 | image: 61 | ## @param management.image.repository Docker image repository for the management component. 62 | ## 63 | repository: netbirdio/management 64 | 65 | ## @param management.image.pullPolicy Docker image pull policy. 66 | ## 67 | pullPolicy: IfNotPresent 68 | 69 | ## @param management.image.tag Docker image tag. Overrides the default tag. 70 | ## 71 | tag: "" 72 | 73 | ## @param management.imagePullSecrets Docker registry credentials for pulling the management image. 
74 | ## 75 | imagePullSecrets: [] 76 | 77 | serviceAccount: 78 | ## @param management.serviceAccount.create Whether to create a service account. 79 | ## 80 | create: true 81 | 82 | ## @param management.serviceAccount.annotations Annotations for the service account. 83 | ## 84 | annotations: {} 85 | 86 | ## @param management.serviceAccount.name Name of the service account to use. 87 | ## 88 | name: "" 89 | 90 | ## @param management.deploymentAnnotations Annotations for the management deployment. 91 | ## 92 | deploymentAnnotations: {} 93 | 94 | ## @param management.podAnnotations Annotations for the management pod(s). 95 | ## 96 | podAnnotations: {} 97 | 98 | ## @param management.podSecurityContext Security context for the management pod(s). 99 | ## 100 | podSecurityContext: {} 101 | # fsGroup: 2000 102 | 103 | ## @param management.securityContext Security context for the management container. Empty by default; the commented example below shows the fields typically set. 104 | ## 105 | securityContext: {} 106 | # capabilities: 107 | # drop: 108 | # - ALL 109 | # readOnlyRootFilesystem: true 110 | # runAsNonRoot: true 111 | # runAsUser: 1000 112 | 113 | ## @param management.useBackwardsGrpcService Use the backwards-compatible GRPC service. 114 | useBackwardsGrpcService: false 115 | 116 | metrics: 117 | ## @param management.metrics.enabled Enable or disable metrics for the management component. 118 | ## 119 | enabled: false 120 | ## @param management.metrics.port Target metrics port for the management component. 121 | ## 122 | port: 9090 123 | 124 | ## @param management.containerPort Container port for the management service. 125 | ## 126 | containerPort: 80 127 | 128 | service: 129 | ## @param management.service.type Service type for the management component. 130 | ## 131 | type: ClusterIP 132 | 133 | 134 | ## @param management.service.port Port for the management service. 135 | ## 136 | port: 80 137 | 138 | ## @param management.service.name Name for the management service. 139 | ## 140 | name: http 141 | 142 | ## @param management.grpcContainerPort Container port for the management gRPC service.
143 | ## 144 | grpcContainerPort: 33073 145 | 146 | serviceGrpc: 147 | ## @param management.serviceGrpc.type Service type for the management component. 148 | ## 149 | type: ClusterIP 150 | 151 | 152 | ## @param management.serviceGrpc.port Port for the management service. 153 | ## 154 | port: 33073 155 | 156 | ## @param management.serviceGrpc.name Name for the management service. 157 | ## 158 | name: grpc 159 | 160 | ingress: 161 | ## @param management.ingress.enabled Enable or disable ingress for the management component. 162 | ## 163 | enabled: false 164 | 165 | ## @param management.ingress.className Ingress class name. 166 | ## 167 | className: "" 168 | 169 | ## @param management.ingress.annotations Annotations for the ingress resource. 170 | ## 171 | annotations: {} 172 | 173 | hosts: 174 | ## @param management.ingress.hosts[0].host Host for the ingress. 175 | ## 176 | - host: example.com 177 | paths: 178 | ## @param management.ingress.hosts[0].paths[0].path Path for the ingress. 179 | ## 180 | - path: / 181 | ## @param management.ingress.hosts[0].paths[0].pathType Path type for the ingress. 182 | ## 183 | pathType: ImplementationSpecific 184 | 185 | ## @param management.ingress.tls TLS settings for the ingress. 186 | ## 187 | tls: [] 188 | # - secretName: chart-example-tls 189 | # hosts: 190 | # - chart-example.local 191 | 192 | ingressGrpc: 193 | ## @param management.ingressGrpc.enabled Enable or disable GRPC ingress. 194 | ## 195 | enabled: false 196 | 197 | ## @param management.ingressGrpc.className Ingress class name for GRPC. 198 | ## 199 | className: "" 200 | 201 | ## @param management.ingressGrpc.annotations Annotations for the GRPC ingress resource. 202 | ## 203 | annotations: {} 204 | 205 | hosts: 206 | ## @param management.ingressGrpc.hosts[0].host Host for GRPC ingress. 207 | ## 208 | - host: example.com 209 | paths: 210 | ## @param management.ingressGrpc.hosts[0].paths[0].path Path for GRPC ingress. 
211 | ## 212 | - path: / 213 | ## @param management.ingressGrpc.hosts[0].paths[0].pathType Path type for GRPC ingress. 214 | ## 215 | pathType: ImplementationSpecific 216 | 217 | ## @param management.ingressGrpc.tls TLS settings for GRPC ingress. 218 | ## 219 | tls: [] 220 | 221 | ## @param management.resources Resource requests and limits for the management pod. 222 | ## 223 | resources: {} 224 | # limits: 225 | # cpu: 100m 226 | # memory: 128Mi 227 | # requests: 228 | # cpu: 100m 229 | # memory: 128Mi 230 | 231 | ## @param management.nodeSelector Node selector for scheduling the management pod. 232 | ## 233 | nodeSelector: {} 234 | 235 | ## @param management.tolerations Tolerations for scheduling the management pod. 236 | ## 237 | tolerations: [] 238 | 239 | ## @param management.affinity Affinity rules for scheduling the management pod. 240 | ## 241 | affinity: {} 242 | 243 | persistentVolume: 244 | ## @param management.persistentVolume.enabled Enable or disable persistent volume for the management pod. 245 | ## 246 | enabled: true 247 | 248 | ## @param management.persistentVolume.accessModes Access modes for the persistent volume. 249 | ## 250 | accessModes: 251 | - ReadWriteOnce 252 | 253 | ## @param management.persistentVolume.size Size of the persistent volume. 254 | ## 255 | size: 10Mi 256 | 257 | ## @param management.persistentVolume.storageClass Storage Class of the persistent volume. 258 | ## 259 | storageClass: null 260 | 261 | ## @param management.persistentVolume.existingPVName The name of an existing persistent volume which should be claimed and used for the management pod. 262 | ## 263 | existingPVName: "" 264 | 265 | ## @param management.livenessProbe for the management component. 266 | ## 267 | livenessProbe: 268 | failureThreshold: 3 269 | initialDelaySeconds: 15 270 | periodSeconds: 10 271 | timeoutSeconds: 3 272 | tcpSocket: 273 | port: http 274 | 275 | ## @param management.readinessProbe for the management component. 
276 | ## 277 | readinessProbe: 278 | failureThreshold: 3 279 | initialDelaySeconds: 15 280 | periodSeconds: 10 281 | timeoutSeconds: 3 282 | tcpSocket: 283 | port: http 284 | 285 | ## @param management.volumeMounts Volume mounts for the management pod. 286 | volumeMounts: [] 287 | # - name: tmp 288 | # mountPath: /tmp 289 | 290 | ## @param management.volumes volumes for the management pod. 291 | volumes: [] 292 | # - name: tmp 293 | # emptyDir: {} 294 | 295 | ## @section NetBird Signal 296 | 297 | signal: 298 | enabled: true 299 | ## @param signal.logLevel Log level for the signal component. 300 | ## 301 | logLevel: info 302 | 303 | ## @param signal.replicaCount Number of signal pod replicas. 304 | ## 305 | replicaCount: 1 306 | 307 | image: 308 | ## @param signal.image.repository Docker image repository for the signal component. 309 | ## 310 | repository: netbirdio/signal 311 | 312 | ## @param signal.image.pullPolicy Docker image pull policy for the signal component. 313 | ## 314 | pullPolicy: IfNotPresent 315 | 316 | ## @param signal.image.tag Docker image tag for the signal component. 317 | ## 318 | tag: "" 319 | 320 | ## @param signal.imagePullSecrets Docker registry credentials for pulling the signal image. 321 | ## 322 | imagePullSecrets: [] 323 | 324 | serviceAccount: 325 | ## @param signal.serviceAccount.create Whether to create a service account for the signal component. 326 | ## 327 | create: true 328 | 329 | ## @param signal.serviceAccount.annotations Annotations for the signal service account. 330 | ## 331 | annotations: {} 332 | 333 | ## @param signal.serviceAccount.name Name of the signal service account. 334 | ## 335 | name: "" 336 | 337 | ## @param signal.deploymentAnnotations Annotations for the signal deployment. 338 | ## 339 | deploymentAnnotations: {} 340 | 341 | ## @param signal.podAnnotations Annotations for the signal pod(s). 
342 | ## 343 | podAnnotations: {} 344 | 345 | ## @param signal.podSecurityContext Security context for the signal pod(s). 346 | ## 347 | podSecurityContext: {} 348 | # fsGroup: 2000 349 | 350 | ## @param signal.securityContext Security context for the signal container. Empty by default; the commented example below shows the fields typically set. 351 | ## 352 | securityContext: {} 353 | # capabilities: 354 | # drop: 355 | # - ALL 356 | # readOnlyRootFilesystem: true 357 | # runAsNonRoot: true 358 | # runAsUser: 1000 359 | 360 | metrics: 361 | ## @param signal.metrics.enabled Enable or disable metrics for the signal component. 362 | ## 363 | enabled: false 364 | ## @param signal.metrics.port Target metrics port for the signal component. 365 | ## 366 | port: 9090 367 | 368 | ## @param signal.containerPort Container port for the signal service. 369 | ## 370 | containerPort: 80 371 | 372 | service: 373 | ## @param signal.service.type Service type for the signal component. 374 | ## 375 | type: ClusterIP 376 | name: grpc 377 | ## @param signal.service.port Port for the signal service. 378 | ## 379 | port: 80 380 | 381 | ingress: 382 | ## @param signal.ingress.enabled Enable or disable ingress for the signal component. 383 | ## 384 | enabled: false 385 | 386 | ## @param signal.ingress.className Ingress class name for the signal component. 387 | ## 388 | className: "" 389 | 390 | ## @param signal.ingress.annotations Annotations for the signal ingress resource. 391 | ## 392 | annotations: {} 393 | 394 | hosts: 395 | ## @param signal.ingress.hosts[0].host Host for the signal ingress. 396 | ## 397 | - host: example.com 398 | paths: 399 | ## @param signal.ingress.hosts[0].paths[0].path Path for the signal ingress. 400 | ## 401 | - path: /signalexchange.SignalExchange 402 | ## @param signal.ingress.hosts[0].paths[0].pathType Path type for the signal ingress. 403 | ## 404 | pathType: ImplementationSpecific 405 | 406 | ## @param signal.ingress.tls TLS settings for the signal ingress. 407 | ## 408 | tls: [] 409 | 410 | ## @param signal.resources Resource requests and limits for the signal pod. 411 | ## 412 |
413 | resources: {} 414 | # limits: 415 | # cpu: 100m 416 | # memory: 128Mi 417 | # requests: 418 | # cpu: 100m 419 | # memory: 128Mi 420 | 421 | ## @param signal.nodeSelector Node selector for scheduling the signal pod. 422 | ## 423 | nodeSelector: {} 424 | 425 | ## @param signal.tolerations Tolerations for scheduling the signal pod. 426 | ## 427 | tolerations: [] 428 | 429 | ## @param signal.affinity Affinity rules for scheduling the signal pod. 430 | ## 431 | affinity: {} 432 | 433 | ## @param signal.livenessProbe Liveness probe for the signal container (TCP check on the `grpc` port by default). 434 | ## 435 | 436 | livenessProbe: 437 | initialDelaySeconds: 5 438 | periodSeconds: 5 439 | tcpSocket: 440 | port: grpc 441 | 442 | ## @param signal.readinessProbe Readiness probe for the signal container (TCP check on the `grpc` port by default). 443 | ## 444 | readinessProbe: 445 | initialDelaySeconds: 5 446 | periodSeconds: 5 447 | tcpSocket: 448 | port: grpc 449 | 450 | ## @param signal.volumeMounts Volume mounts for the signal pod. 451 | volumeMounts: [] 452 | # - name: tmp 453 | # mountPath: /tmp 454 | 455 | ## @param signal.volumes Volumes for the signal pod. 456 | volumes: [] 457 | # - name: tmp 458 | # emptyDir: {} 459 | 460 | ## @section NetBird Relay Parameters 461 | 462 | relay: 463 | ## @param relay.enabled Enable or disable the NetBird relay component. 464 | ## 465 | enabled: true 466 | 467 | ## @param relay.replicaCount Number of relay pod replicas. 468 | ## 469 | replicaCount: 1 470 | 471 | ## @param relay.logLevel Log level for the relay component. 472 | ## 473 | logLevel: info 474 | 475 | ## @param relay.env Environment variables for the relay pod. 476 | ## 477 | env: {} 478 | 479 | ## @param relay.envRaw Raw environment variables for the relay pod. 480 | ## 481 | envRaw: [] 482 | 483 | ## @param relay.envFromSecret Environment variables sourced from Kubernetes Secrets (`ENV_VAR: secretName/secretKey`). Use this rather than `env` for credentials so they are not rendered in clear text into the Deployment. 484 | ## 485 | envFromSecret: {} 486 | #ENV_VAR: secretName/secretKey 487 | 488 | image: 489 | ## @param relay.image.repository Docker image repository for the relay component. 
490 | ## 491 | repository: netbirdio/relay 492 | 493 | ## @param relay.image.pullPolicy Docker image pull policy for the relay component. 494 | ## 495 | pullPolicy: IfNotPresent 496 | 497 | ## @param relay.image.tag Docker image tag for the relay component. 498 | ## Empty presumably falls back to the chart default (see _helpers.tpl); pin an immutable tag for reproducible, auditable deployments. 499 | tag: "" 500 | 501 | ## @param relay.imagePullSecrets Docker registry credentials for pulling the relay image. 502 | ## 503 | imagePullSecrets: [] 504 | 505 | serviceAccount: 506 | ## @param relay.serviceAccount.create Whether to create a service account for the relay component. 507 | ## 508 | create: true 509 | 510 | ## @param relay.serviceAccount.annotations Annotations for the relay service account. 511 | ## 512 | annotations: {} 513 | 514 | ## @param relay.serviceAccount.name Name of the relay service account. 515 | ## 516 | name: "" 517 | 518 | ## @param relay.deploymentAnnotations Annotations for the relay deployment. 519 | ## 520 | deploymentAnnotations: {} 521 | 522 | ## @param relay.podAnnotations Annotations for the relay pod(s). 523 | ## 524 | podAnnotations: {} 525 | 526 | ## @param relay.podSecurityContext Security context for the relay pod(s). 527 | ## 528 | podSecurityContext: {} 529 | # fsGroup: 2000 530 | 531 | ## @param relay.securityContext Security context for the relay container. 532 | ## Empty by default; the commented-out keys below (drop all capabilities, read-only root filesystem, run as non-root) are the usual hardening baseline and can be enabled as a unit. 533 | securityContext: {} 534 | # capabilities: 535 | # drop: 536 | # - ALL 537 | # readOnlyRootFilesystem: true 538 | # runAsNonRoot: true 539 | # runAsUser: 1000 540 | 541 | metrics: 542 | ## @param relay.metrics.enabled Enable or disable the metrics endpoint of the relay component. 543 | ## 544 | enabled: false 545 | ## @param relay.metrics.port Port on which the relay component exposes metrics. 546 | ## 547 | port: 9090 548 | 549 | ## @param relay.containerPort Container port for the relay service. 550 | ## 551 | containerPort: 33080 552 | 553 | service: 554 | ## @param relay.service.type Service type for the relay component. 555 | ## 556 | type: ClusterIP 557 | 558 | 559 | ## @param relay.service.port Port for the relay service. 
560 | ## 561 | port: 33080 562 | 563 | ## @param relay.service.name Name of the relay service port (the probes below refer to it as `http`; verify the mapping in the template). 564 | ## 565 | name: http 566 | 567 | ingress: 568 | ## @param relay.ingress.enabled Enable or disable ingress for the relay component. 569 | ## 570 | enabled: false 571 | 572 | ## @param relay.ingress.className Ingress class name for the relay component. 573 | ## 574 | className: "" 575 | 576 | ## @param relay.ingress.annotations Annotations for the relay ingress resource. 577 | ## 578 | annotations: {} 579 | 580 | hosts: 581 | ## @param relay.ingress.hosts[0].host Host for the relay ingress. 582 | ## 583 | - host: example.com 584 | paths: 585 | ## @param relay.ingress.hosts[0].paths[0].path Path for the relay ingress. 586 | ## 587 | - path: /relay 588 | ## @param relay.ingress.hosts[0].paths[0].pathType Path type for the relay ingress. 589 | ## 590 | pathType: ImplementationSpecific 591 | 592 | ## @param relay.ingress.tls TLS settings for the relay ingress. 593 | ## Empty means the ingress controller terminates no TLS for this host; leave it empty only if TLS is handled in front of the ingress. 594 | tls: [] 595 | 596 | ## @param relay.resources Resource requests and limits for the relay pod. 597 | ## 598 | resources: {} 599 | # limits: 600 | # cpu: 100m 601 | # memory: 128Mi 602 | # requests: 603 | # cpu: 100m 604 | # memory: 128Mi 605 | 606 | ## @param relay.nodeSelector Node selector for scheduling the relay pod. 607 | ## 608 | nodeSelector: {} 609 | 610 | ## @param relay.tolerations Tolerations for scheduling the relay pod. 611 | ## 612 | tolerations: [] 613 | 614 | ## @param relay.affinity Affinity rules for scheduling the relay pod. 615 | ## 616 | affinity: {} 617 | 618 | ## @param relay.livenessProbe Liveness probe for the relay container (TCP check on the `http` port by default). 619 | ## 620 | livenessProbe: 621 | initialDelaySeconds: 5 622 | periodSeconds: 5 623 | tcpSocket: 624 | port: http 625 | 626 | ## @param relay.readinessProbe Readiness probe for the relay container (TCP check on the `http` port by default). 
627 | ## 628 | readinessProbe: 629 | initialDelaySeconds: 5 630 | periodSeconds: 5 631 | tcpSocket: 632 | port: http 633 | 634 | ## @param relay.volumeMounts Volume mounts for the relay pod. 635 | volumeMounts: [] 636 | # - name: tmp 637 | # mountPath: /tmp 638 | 639 | ## @param relay.volumes Volumes for the relay pod. 640 | volumes: [] 641 | # - name: tmp 642 | # emptyDir: {} 643 | ## @section NetBird Dashboard Parameters 644 | dashboard: 645 | ## @param dashboard.enabled Enable or disable the NetBird dashboard component. 646 | ## 647 | enabled: true 648 | 649 | ## @param dashboard.podCommand Define the arguments for the dashboard pod. 650 | ## 651 | podCommand: 652 | args: [] 653 | # - sed -i 's/listen \[\:\:\]\:80 default_server\;//g' /etc/nginx/http.d/default.conf && /usr/bin/supervisord -c /etc/supervisord.conf 654 | 655 | ## @param dashboard.replicaCount Number of dashboard pod replicas. 656 | replicaCount: 1 657 | 658 | image: 659 | ## @param dashboard.image.repository Docker image repository for the dashboard component. 660 | repository: netbirdio/dashboard 661 | 662 | ## @param dashboard.image.pullPolicy Docker image pull policy for the dashboard component. 663 | pullPolicy: IfNotPresent 664 | 665 | ## @param dashboard.image.tag Docker image tag for the dashboard component (immutable tags are recommended). 666 | tag: "v2.12.0" 667 | 668 | ## @param dashboard.imagePullSecrets Docker registry credentials for pulling the dashboard image. 669 | imagePullSecrets: [] 670 | 671 | serviceAccount: 672 | ## @param dashboard.serviceAccount.create Specifies whether a service account should be 673 | ## created 674 | create: true 675 | 676 | ## @param dashboard.serviceAccount.annotations Annotations to add to the service account 677 | annotations: {} 678 | 679 | ## @param dashboard.serviceAccount.name The name of the service account to use. 
680 | # If not set and create is true, a name is generated using the fullname 681 | # template 682 | name: "" 683 | 684 | ## @param dashboard.podAnnotations Annotations for pods 685 | ## ref: 686 | ## https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ 687 | podAnnotations: {} 688 | 689 | ## Configure Pods Security Context 690 | ## ref: 691 | ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod 692 | ## @param dashboard.podSecurityContext Security context for the dashboard pod(s). 693 | podSecurityContext: {} 694 | # fsGroup: 2000 695 | 696 | ## Configure Container Security Context 697 | ## ref: 698 | ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container 699 | ## @param dashboard.securityContext Security context for the dashboard container. Empty by default; the commented-out keys below are the usual hardening baseline. NOTE(review): with `containerPort: 80`, enabling `runAsNonRoot` may require the image to support binding a privileged port (e.g. via `NET_BIND_SERVICE`) — verify before enabling. 700 | securityContext: {} 701 | # capabilities: 702 | # drop: 703 | # - ALL 704 | # readOnlyRootFilesystem: true 705 | # runAsNonRoot: true 706 | # runAsUser: 1000 707 | 708 | ## @param dashboard.containerPort Container port for the dashboard service. 709 | containerPort: 80 710 | 711 | service: 712 | ## @param dashboard.service.type Service type for the dashboard component. 713 | type: ClusterIP 714 | 715 | 716 | ## @param dashboard.service.port Port for the dashboard service. 717 | port: 80 718 | 719 | ## @param dashboard.service.name Name of the dashboard service port (the probes below refer to it as `http`; verify the mapping in the template). 720 | name: http 721 | 722 | ingress: 723 | ## @param dashboard.ingress.enabled Enable or disable ingress for the dashboard component. 724 | enabled: false 725 | 726 | ## @param dashboard.ingress.className Ingress class name for the dashboard component. 727 | className: "" 728 | 729 | ## @param dashboard.ingress.annotations Annotations for the dashboard ingress resource. 730 | annotations: {} 731 | # kubernetes.io/tls-acme: "true" 732 | 733 | hosts: 734 | ## @param dashboard.ingress.hosts[0].host Host for the dashboard ingress. 735 | - host: chart-example.local 736 | ## @param dashboard.ingress.hosts[0].paths Paths routed to the dashboard for this host. 737 | paths: 738 | ## @param dashboard.ingress.hosts[0].paths[0].path Path for the dashboard ingress. 739 | - path: / 740 | ## @param dashboard.ingress.hosts[0].paths[0].pathType Path type for the dashboard ingress. 741 | pathType: ImplementationSpecific 742 | 743 | ## @param dashboard.ingress.tls TLS settings for the dashboard ingress. Empty means the ingress controller terminates no TLS for this host; leave it empty only if TLS is handled in front of the ingress. 744 | tls: [] 745 | # - secretName: chart-example-tls 746 | # hosts: 747 | # - chart-example.local 748 | 749 | 
## @param dashboard.resources Resource requests and limits for the dashboard pod. 750 | resources: {} 751 | # limits: 752 | # cpu: 100m 753 | # memory: 128Mi 754 | # requests: 755 | # cpu: 100m 756 | # memory: 128Mi 757 | 758 | ## @param dashboard.nodeSelector Node selector for scheduling the dashboard pod. 759 | nodeSelector: {} 760 | 761 | ## @param dashboard.tolerations Tolerations for scheduling the dashboard pod. 762 | tolerations: [] 763 | 764 | ## @param dashboard.affinity Affinity rules for scheduling the dashboard pod. 765 | affinity: {} 766 | 767 | ## @param dashboard.env Environment variables for the dashboard pod. 768 | ## 769 | env: {} 770 | 771 | ## @param dashboard.envRaw Raw environment variables for the dashboard pod. 772 | ## 773 | envRaw: [] 774 | 775 | ## @param dashboard.envFromSecret Environment variables sourced from Kubernetes Secrets (`ENV_VAR: secretName/secretKey`). Use this rather than `env` for credentials so they are not rendered in clear text into the Deployment. 776 | ## 777 | envFromSecret: {} 778 | #ENV_VAR: secretName/secretKey 779 | 780 | lifecycle: {} # @param dashboard.lifecycle Lifecycle hooks (preStop, postStart) for the dashboard container, if needed. 781 | 782 | ## @param dashboard.livenessProbe Liveness probe for the dashboard container (HTTP GET on `/` via the `http` port by default). 783 | ## 784 | livenessProbe: 785 | periodSeconds: 5 786 | httpGet: 787 | path: / 788 | port: http 789 | 790 | ## @param dashboard.readinessProbe Readiness probe for the dashboard container (HTTP GET on `/` via the `http` port by default). 791 | ## 792 | readinessProbe: 793 | initialDelaySeconds: 5 794 | periodSeconds: 5 795 | httpGet: 796 | path: / 797 | port: http 798 | 799 | ## @param dashboard.volumeMounts Volume mounts for the dashboard pod. 800 | volumeMounts: [] 801 | # - name: tmp 802 | # mountPath: /tmp 803 | 804 | ## @param dashboard.volumes Volumes for the dashboard pod. 805 | volumes: [] 806 | # - name: tmp 807 | # emptyDir: {} 808 | ## @section NetBird Extra Manifests to be included in the chart 809 | ## Anything placed here is installed as part of the release, so review it like any other manifest. NOTE(review): the default is a map (`{}`) but the example below is a list; check templates/xtraManifests.yaml for the shape it expects. 810 | extraManifests: {} 811 | # - apiVersion: v1 812 | # kind: ServiceAccount 813 | # ..... 
814 | 815 | ## @section Prometheus metrics 816 | 817 | metrics: 818 | ## Prometheus Operator ServiceMonitor configuration 819 | ## 820 | serviceMonitor: 821 | ## @param metrics.serviceMonitor.enabled If `true`, creates a Prometheus Operator ServiceMonitor (also requires the component's own `metrics.enabled`, e.g. `signal.metrics.enabled` or `relay.metrics.enabled`, to be `true`) 822 | ## 823 | enabled: false 824 | ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running 825 | ## 826 | namespace: "" 827 | ## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor 828 | ## 829 | annotations: {} 830 | ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor 831 | ## 832 | labels: {} 833 | ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus 834 | ## 835 | jobLabel: "" 836 | ## @param metrics.serviceMonitor.honorLabels If `true`, keep the scraped metric's labels when they collide with target labels instead of renaming them 837 | ## 838 | honorLabels: false 839 | ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. 
840 | ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint 841 | ## e.g: 842 | ## interval: 10s 843 | ## 844 | interval: "" 845 | ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended 846 | ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint 847 | ## e.g: 848 | ## scrapeTimeout: 10s 849 | ## 850 | scrapeTimeout: "" 851 | ## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics 852 | ## 853 | metricRelabelings: [] 854 | ## @param metrics.serviceMonitor.relabelings Specify general relabeling 855 | ## 856 | relabelings: [] 857 | ## @param metrics.serviceMonitor.selector Prometheus instance selector labels 858 | ## selector: 859 | ## prometheus: my-prometheus 860 | ## 861 | selector: {} 862 | --------------------------------------------------------------------------------