netbirdio · vehagn · Mar 29, 2026
diff --git a/charts/netbird/templates/_helpers.tpl b/charts/netbird/templates/_helpers.tpl
@@ -164,6 +164,37 @@ Create the name of the dashboard service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Common agent labels
+*/}}
+{{- define "netbird.agent.labels" -}}
+helm.sh/chart: {{ include "netbird.chart" . }}
+{{ include "netbird.agent.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Agent selector labels
+*/}}
+{{- define "netbird.agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "netbird.name" . }}-agent
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the agent service account to use
+*/}}
+{{- define "netbird.agent.serviceAccountName" -}}
+{{- if .Values.agent.serviceAccount.create }}
+{{- default (printf "%s-agent" (include "netbird.fullname" .)) .Values.agent.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.agent.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Allow the release namespace to be overridden
 */}}

diff --git a/charts/netbird/templates/agent-deployment.yaml b/charts/netbird/templates/agent-deployment.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.agent.enabled -}}
+
+apiVersion: apps/v1
+kind: {{ .Values.agent.kind }}
+metadata:
+  name: {{ include "netbird.fullname" . }}-agent
+  namespace: {{ include "netbird.namespace" . }}
+  labels:
+    {{- include "netbird.agent.labels" . | nindent 4 }}
+  {{- with .Values.agent.deploymentAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if eq .Values.agent.kind "Deployment" }}
+  replicas: {{ .Values.agent.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "netbird.agent.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.agent.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "netbird.agent.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.agent.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "netbird.agent.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}-agent
+          securityContext:
+            {{- toYaml .Values.agent.securityContext | nindent 12 }}
+          image: "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
+          {{- if or (.Values.agent.env) (.Values.agent.envRaw) (.Values.agent.envFromSecret) }}
+          env:
+          {{- range $key, $val := .Values.agent.env }}
+            - name: {{ $key }}
+              value: {{ $val | quote }}
+          {{- end }}
+          {{- if .Values.agent.envRaw }}
+            {{- with .Values.agent.envRaw }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- range $key, $val := .Values.agent.envFromSecret }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ (split "/" $val)._0 }}
+                  key: {{ (split "/" $val)._1 }}
+          {{- end }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.agent.resources | nindent 12 }}
+          {{- if .Values.agent.volumeMounts }}
+          volumeMounts:
+            {{- toYaml .Values.agent.volumeMounts | nindent 12 }}
+          {{- end }}
+      {{- if .Values.agent.volumes }}
+      volumes:
+        {{- toYaml .Values.agent.volumes | nindent 8 }}
+      {{- end }}
+      {{- with .Values.agent.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.agent.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.agent.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
diff --git a/charts/netbird/templates/agent-serviceaccount.yaml b/charts/netbird/templates/agent-serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.agent.enabled -}}
+{{- if .Values.agent.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "netbird.agent.serviceAccountName" . }}
+  namespace: {{ include "netbird.namespace" . }}
+  labels:
+    {{- include "netbird.agent.labels" . | nindent 4 }}
+  {{- with .Values.agent.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/netbird/values.yaml b/charts/netbird/values.yaml
@@ -849,6 +849,137 @@ dashboard:
   volumes: []
   # - name: tmp
   #   emptyDir: {}
+## @section NetBird Agent Parameters
+
+agent:
+  ## @param agent.enabled Enable or disable the NetBird agent component.
+  ##
+  enabled: false
+
+  ## @param agent.logLevel Log level for the agent component.
+  ##
+  logLevel: info
+
+  ## @param agent.kind Workload kind for the agent (Deployment or DaemonSet).
+  ##
+  kind: Deployment
+
+  ## @param agent.replicaCount Number of agent pod replicas (only used when kind is Deployment).
+  ##
+  replicaCount: 1
+
+  image:
+    ## @param agent.image.repository Docker image repository for the agent component.
+    ##
+    repository: ghcr.io/netbirdio/netbird
+
+    ## @param agent.image.pullPolicy Docker image pull policy for the agent component.
+    ##
+    pullPolicy: IfNotPresent
+
+    ## @param agent.image.tag Docker image tag for the agent component.
+    ##
+    tag: ""
+
+  ## @param agent.imagePullSecrets Docker registry credentials for pulling the agent image.
+  ##
+  imagePullSecrets: []
+
+  serviceAccount:
+    ## @param agent.serviceAccount.create Whether to create a service account for the agent component.
+    ##
+    create: true
+
+    ## @param agent.serviceAccount.annotations Annotations for the agent service account.
+    ##
+    annotations: {}
+
+    ## @param agent.serviceAccount.name Name of the agent service account.
+    ##
+    name: ""
+
+  ## @param agent.deploymentAnnotations Annotations for the agent deployment/daemonset.
+  ##
+  deploymentAnnotations: {}
+
+  ## @param agent.podAnnotations Annotations for the agent pod(s).
+  ##
+  podAnnotations: {}
+
+  ## @param agent.podSecurityContext Security context for the agent pod(s).
+  ##
+  podSecurityContext: {}
+  # seccompProfile:
+  #   type: RuntimeDefault
+  # sysctls:
+  #   - name: net.ipv4.conf.all.src_valid_mark
+  #     value: "1"
+
+  ## @param agent.securityContext Security context for the agent container.
+  ##
+  securityContext: {}
+  # allowPrivilegeEscalation: false
+  # readOnlyRootFilesystem: false
+  # runAsNonRoot: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+  #   add:
+  #     - NET_ADMIN
+  #     - NET_RAW
+  #     - PERFMON
+  #     - BPF
+
+  ## @param agent.env Environment variables for the agent pod.
+  ##
+  env: {}
+  #NB_HOSTNAME: my-agent
+  #NB_MANAGEMENT_URL: https://netbird.example.com
+  #NB_ADMIN_URL: https://netbird.example.com
+
+  ## @param agent.envRaw Raw environment variables for the agent pod.
+  ##
+  envRaw: []
+
+  ## @param agent.envFromSecret Environment variables from secrets for the agent pod.
+  ## Use this to inject NB_SETUP_KEY from a secret, e.g.: NB_SETUP_KEY: my-secret/setupKey
+  ## The setup key has to be manually created in the NetBird UI.
+  ##
+  envFromSecret: {}
+  #NB_SETUP_KEY: agent-setup-key/NB_SETUP_KEY
+
+  ## @param agent.resources Resource requests and limits for the agent pod.
+  ##
+  resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+  ## @param agent.nodeSelector Node selector for scheduling the agent pod.
+  ##
+  nodeSelector: {}
+
+  ## @param agent.tolerations Tolerations for scheduling the agent pod.
+  ##
+  tolerations: []
+
+  ## @param agent.affinity Affinity rules for scheduling the agent pod.
+  ##
+  affinity: {}
+
+  ## @param agent.volumeMounts Volume mounts for the agent pod.
+  volumeMounts: []
+  # - name: netbird-data
+  #   mountPath: /var/lib/netbird
+
+  ## @param agent.volumes Volumes for the agent pod.
+  volumes: []
+  # - name: netbird-data
+  #   emptyDir: {}
+
 ## @section NetBird Extra Manifests to be included in the chart
 
 extraManifests: {}