refactor!: Modernize NetBird helm chart

charts/netbird/Chart.yaml

@@ -3,6 +3,6 @@ apiVersion: v2
 name: netbird
 description: NetBird VPN management platform
 type: application
-version: 1.9.0
-appVersion: "0.46.0"
+version: 2.0.0
+appVersion: "0.67.1"
 icon: https://images.crunchbase.com/image/upload/c_pad,h_256,w_256,f_auto,q_auto:eco,dpr_1/kuu5tm1wt09ztp6ctlag

charts/netbird/README.md

@@ -55,7 +55,7 @@ The following table lists the configurable parameters of the NetBird Helm chart
 | dashboard.envRaw | list | `[]` |  |
 | dashboard.image.pullPolicy | string | `"IfNotPresent"` |  |
 | dashboard.image.repository | string | `"netbirdio/dashboard"` |  |
-| dashboard.image.tag | string | `"v2.13.1"` |  |
+| dashboard.image.tag | string | `"v2.36.0"` |  |
 | dashboard.imagePullSecrets | list | `[]` |  |
 | dashboard.ingress.annotations | object | `{}` |  |
 | dashboard.ingress.className | string | `""` |  |
@@ -94,31 +94,41 @@ The following table lists the configurable parameters of the NetBird Helm chart
 | management.volumeMounts | list | `[]` |  |
 | management.volumes | list | `[]` |  |
 | management.affinity | object | `{}` |  |
-| management.configmap | string | `""` |  |
+| management.configYaml | string | `""` |  |
+| management.envsubst.enabled | bool | `false` |  |
+| management.envsubst.allowedPrefix | string | `"NETBIRD_"` |  |
+| management.envsubst.env | object | `{}` |  |
+| management.envsubst.envFromSecret | object | `{}` |  |
+| management.envsubst.envRaw | list | `[]` |  |
+| management.initContainers | list | `[]` |  |
 | management.containerPort | int | `80` |  |
 | management.deploymentAnnotations | object | `{}` |  |
 | management.enabled | bool | `true` |  |
 | management.env | object | `{}` |  |
 | management.envFromSecret | object | `{}` |  |
 | management.envRaw | list | `[]` |  |
-| management.grpcContainerPort | int | `33073` |  |
+| management.grpcContainerPort | int | `80` |  |
+| management.stunContainerPort | int | `3478` |  |
 | management.image.pullPolicy | string | `"IfNotPresent"` |  |
-| management.image.repository | string | `"netbirdio/management"` |  |
+| management.image.repository | string | `"netbirdio/netbird-server"` |  |
 | management.image.tag | string | `""` |  |
 | management.imagePullSecrets | list | `[]` |  |
 | management.ingress.annotations | object | `{}` |  |
 | management.ingress.className | string | `""` |  |
 | management.ingress.enabled | bool | `false` |  |
 | management.ingress.hosts[0].host | string | `"example.com"` |  |
-| management.ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| management.ingress.hosts[0].paths[0].path | string | `"/api"` |  |
 | management.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| management.ingress.hosts[0].paths[1].path | string | `"/ws-proxy"` |  |
+| management.ingress.hosts[0].paths[1].pathType | string | `"ImplementationSpecific"` |  |
+| management.ingress.hosts[0].paths[2].path | string | `"/oauth2"` |  |
+| management.ingress.hosts[0].paths[2].pathType | string | `"ImplementationSpecific"` |  |
 | management.ingress.tls | list | `[]` |  |
 | management.ingressGrpc.annotations | object | `{}` |  |
 | management.ingressGrpc.className | string | `""` |  |
 | management.ingressGrpc.enabled | bool | `false` |  |
 | management.ingressGrpc.hosts[0].host | string | `"example.com"` |  |
-| management.ingressGrpc.hosts[0].paths[0].path | string | `"/"` |  |
-| management.ingressGrpc.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| management.ingressGrpc.hosts[0].paths[0].path | string | `"/management.ManagementService"` |  |
 | management.ingressGrpc.tls | list | `[]` |  |
 | management.lifecycle | object | `{}` |  |
 | management.livenessProbe.failureThreshold | int | `3` |  |
@@ -159,7 +169,7 @@ The following table lists the configurable parameters of the NetBird Helm chart
 | management.serviceAccount.create | bool | `true` |  |
 | management.serviceAccount.name | string | `""` |  |
 | management.serviceGrpc.name | string | `"grpc"` |  |
-| management.serviceGrpc.port | int | `33073` |  |
+| management.serviceGrpc.port | int | `80` |  |
 | management.serviceGrpc.type | string | `"ClusterIP"` |  |
 | management.serviceGrpc.externalIPs | list | `[]` |  |
 | management.serviceGrpc.annotations | object | `{}` |  |
@@ -183,6 +193,7 @@ The following table lists the configurable parameters of the NetBird Helm chart
 | relay.containerPort | int | `33080` |  |
 | relay.deploymentAnnotations | object | `{}` |  |
 | relay.enabled | bool | `true` |  |
+| relay.standalone | bool | `false` |  |
 | relay.env | object | `{}` |  |
 | relay.envFromSecret | object | `{}` |  |
 | relay.envRaw | list | `[]` |  |
@@ -213,7 +224,7 @@ The following table lists the configurable parameters of the NetBird Helm chart
 | relay.resources | object | `{}` |  |
 | relay.securityContext | object | `{}` |  |
 | relay.service.name | string | `"http"` |  |
-| relay.service.port | int | `33080` |  |
+| relay.service.port | int | `80` |  |
 | relay.service.type | string | `"ClusterIP"` |  |
 | relay.service.externalIPs | list | `[]` |  |
 | relay.service.annotations | object | `{}` |  |
@@ -227,6 +238,7 @@ The following table lists the configurable parameters of the NetBird Helm chart
 | signal.containerPort | int | `80` |  |
 | signal.deploymentAnnotations | object | `{}` |  |
 | signal.enabled | bool | `true` |  |
+| signal.standalone | bool | `false` |  |
 | signal.image.pullPolicy | string | `"IfNotPresent"` |  |
 | signal.image.repository | string | `"netbirdio/signal"` |  |
 | signal.image.tag | string | `""` |  |

charts/netbird/examples/aws-eks-alb-nlb/README.md

@@ -0,0 +1,31 @@
+# Netbird Self-Hosted Setup
+
+This example provides a fully configured and tested setup for deploying Netbird using the following components:
+
+- **Ingress Controller**: AWS ALB (HTTP) and NLB (STUN)
+- **Database Storage**: PostgreSQL
+- **Identity Provider**: Embedded (Dex)
+
+## Prerequisites
+
+This setup assumes you have an existing AWS EKS cluster (with the AWS Load Balancer Controller installed) and a PostgreSQL database installed and configured.
+
+## Kubernetes Secret Configuration
+
+This setup requires Kubernetes secrets to store sensitive data. You'll need to create a secret named `netbird` in your Kubernetes cluster, containing the following key-value pairs:
+
+- `relayAuthSecret`: `xxxxxx` # Password used to secure communication between peers in the relay service.
+- `datastoreDsnPassword`: `xxxxxx` # Password for the PostgreSQL database connection.
+- `datastoreEncryptionKey`: `xxxxxxx` # A random encryption key for the datastore, e.g., generated via `openssl rand -base64 32`.
+
+> **Note:** The `datastoreEncryptionKey` must also be provided in a ConfigMap for the Netbird setup.
+
+## Deployment
+
+Once the required secrets and configuration are in place, this setup will deploy all necessary services for running Netbird, including the following exposed endpoints:
+
+- `netbird.example.com` - The main Netbird services (dashboard|server).
+
+## Additional info
+
+While this setup also deploys the embedded STUN server, you will likely need to use a separate hostname for the ELB (since STUN cannot be served by ALB). It does not seem like NetBird allows configuring a separate hostname for the STUN server; it may be easier to simply use a public STUN server and configure it under `stuns` in the `config.yaml`.

charts/netbird/examples/aws-eks-alb-nlb/values.yaml

@@ -0,0 +1,158 @@
+management:
+  configYaml: |-
+    server:
+      listenAddress: :80
+      exposedAddress: https://netbird.example.com:443
+      stunPorts: [3478]
+      metricsPort: 9090
+      healthcheckAddress: :9000
+      logLevel: info
+      logFile: console
+      authSecret: "${NETBIRD_RELAY_AUTH_SECRET}"
+      dataDir: /var/lib/netbird
+      auth:
+        issuer: https://netbird.example.com/oauth2
+        signKeyRefreshEnabled: true
+        dashboardRedirectURIs:
+          - https://netbird.example.com/nb-auth
+          - https://netbird.example.com/nb-silent-auth
+        cliRedirectURIs:
+          - http://localhost:53000/
+      reverseProxy:
+        trustedHTTPProxies:
+          - 172.30.0.10/32
+      store:
+        engine: postgres
+        dsn: >-
+          host=database.local
+          port=5432
+          dbname=store_db
+          user=store_user
+          password=${NETBIRD_STORE_DSN_PASSWORD}
+        encryptionKey: "${NETBIRD_DATASTORE_ENC_KEY}"
+      activityStore:
+        engine: postgres
+        dsn: >-
+          host=database.local
+          port=5432
+          dbname=events_db
+          user=events_user
+          password=${NETBIRD_STORE_DSN_PASSWORD}
+      authStore:
+        engine: postgres
+        dsn: >-
+          host=database.local
+          port=5432
+          sslmode=require
+          dbname=idp_db
+          user=idp_user
+          password=${NETBIRD_STORE_DSN_PASSWORD}
+  envsubst:
+    enabled: true
+    envFromSecret:
+      NETBIRD_RELAY_AUTH_SECRET: netbird/relayAuthSecret
+      NETBIRD_STORE_DSN_PASSWORD: netbird/datastoreDsnPassword
+      NETBIRD_DATASTORE_ENC_KEY: netbird/datastoreEncryptionKey
+  ingress:
+    enabled: true
+    className: alb
+    annotations:
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/group.name: netbird
+      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
+      alb.ingress.kubernetes.io/load-balancer-name: netbird-alb
+      alb.ingress.kubernetes.io/scheme: internet-facing
+      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:{region}:{account}:certificate/{id}
+      alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=3600
+    hosts:
+      - host: netbird.example.com
+        paths:
+          - path: /api
+            pathType: Prefix
+          - path: /ws-proxy
+            pathType: Prefix
+          - path: /oauth2
+            pathType: Prefix
+          - path: /relay
+            pathType: Prefix
+  ingressGrpc:
+    enabled: true
+    className: alb
+    annotations:
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/group.name: netbird
+      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
+      alb.ingress.kubernetes.io/backend-protocol-version: GRPC
+      alb.ingress.kubernetes.io/healthcheck-path: /management.ManagementService/isHealthy
+      alb.ingress.kubernetes.io/success-codes: "0"
+    hosts:
+      - host: netbird.example.com
+        paths:
+          - path: /management.ManagementService
+            pathType: Prefix
+          - path: /signalexchange.SignalExchange
+            pathType: Prefix
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+  persistentVolume:
+    enabled: false
+dashboard:
+  ingress:
+    enabled: true
+    className: alb
+    annotations:
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/group.name: netbird
+      alb.ingress.kubernetes.io/group.order: "10"
+      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
+    hosts:
+      - host: netbird.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+  env:
+    NETBIRD_MGMT_API_ENDPOINT: https://netbird.example.com
+    NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.example.com
+    AUTH_AUDIENCE: netbird-dashboard
+    AUTH_CLIENT_ID: netbird-dashboard
+    AUTH_CLIENT_SECRET: ""
+    AUTH_AUTHORITY: https://netbird.example.com/oauth2
+    USE_AUTH0: false
+    AUTH_SUPPORTED_SCOPES: openid profile email groups
+    AUTH_REDIRECT_URI: /nb-auth
+    AUTH_SILENT_REDIRECT_URI: /nb-silent-auth
+    LETSENCRYPT_DOMAIN: none
+extraManifests:
+  - apiVersion: networking.k8s.io/v1
+    kind: IngressClass
+    metadata:
+      name: alb
+    spec:
+      controller: ingress.k8s.aws/alb
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: netbird-stun
+      namespace: netbird
+    spec:
+      type: LoadBalancer
+      loadBalancerClass: service.k8s.aws/nlb
+      selector:
+        app.kubernetes.io/instance: netbird
+        app.kubernetes.io/name: netbird-management
+      ports:
+        - protocol: UDP
+          port: 3478
+          targetPort: stun

charts/netbird/templates/_helpers.tpl

@@ -95,19 +95,33 @@ app.kubernetes.io/name: {{ include "netbird.name" . }}-management
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Signal target service
+*/}}
+{{- define "netbird.signal.targetService" -}}
+{{ include "netbird.fullname" . }}-{{ .Values.signal.standalone | ternary "signal" "management" }}
+{{- end }}
+
 {{/*
 Signal selector labels
 */}}
 {{- define "netbird.signal.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "netbird.name" . }}-signal
+app.kubernetes.io/name: {{ include "netbird.signal.targetService" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Relay target service
+*/}}
+{{- define "netbird.relay.targetService" -}}
+{{ include "netbird.fullname" . }}-{{ .Values.relay.standalone | ternary "relay" "management" }}
+{{- end }}
+
 {{/*
 Relay selector labels
 */}}
 {{- define "netbird.relay.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "netbird.name" . }}-relay
+app.kubernetes.io/name: {{ include "netbird.relay.targetService" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 

charts/netbird/templates/management-cm.yaml

@@ -7,6 +7,6 @@ metadata:
   labels:
     {{- include "netbird.management.labels" . | nindent 4 }}
 data:
-  management.json: |-
-    {{- .Values.management.configmap | nindent 4 }}
+  config.yaml: |-
+    {{- .Values.management.configYaml | nindent 4 }}
 {{- end -}}