WIP

Author: mohamed-essam

README.md

@@ -1,101 +1,49 @@
 # NetBird Kubernetes Operator
 For easily provisioning access to Kubernetes resources using NetBird.
 
+https://github.com/user-attachments/assets/5472a499-e63d-4301-a513-ad84cfe5ca7b
+
 ## Description
 
 This operator enables easily provisioning NetBird access on kubernetes clusters, allowing users to access internal resources directly.
 
 ## Getting Started
 
 ### Prerequisites
-- helm version 3+
+- (Recommended) helm version 3+
 - kubectl version v1.11.3+.
 - Access to a Kubernetes v1.11.3+ cluster.
-- (Optional for Helm chart installation) Cert Manager.
-
-### To Deploy on the cluster
+- (Recommended) Cert Manager.
 
-**Using the install.yaml**
 
-```sh
-kubectl create namespace netbird
-kubectl apply -n netbird -f https://github.com/netbirdio/kubernetes-operator/releases/latest/manifests/install.yaml
-```
+### Deployment
+> [!NOTE]
+> Helm Installation method is recommended due to automation of multiple settings within the deployment.
 
-**Using the Helm Chart**
+#### Using Helm
 
+1. Add helm repository.
 ```sh
 helm repo add netbirdio https://netbirdio.github.io/kubernetes-operator
-helm install -n netbird netbird-operator netbirdio/netbird-operator
 ```
+2. (Recommended) Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install).
+1. (Recommended) Create a values.yaml file, check `helm show values netbirdio/kubernetes-operator` for more info.
+1. Install using `helm install --create-namespace -f values.yaml -n netbird netbird-operator netbirdio/kubernetes-operator`.
 
-For more options, check the default values by running
-```sh
-helm show values netbirdio/netbird-operator
-```
+#### Using install.yaml
 
-### To Uninstall
-**Using install.yaml**
+> [!IMPORTANT]
+> install.yaml only includes a very basic template for deploying a stripped down version of kubernetes-operator.
+> This excludes any and all configuration for ingress capabilities, and requires cert-manager to be installed.
 
 ```sh
-kubectl delete -n netbird -f https://github.com/netbirdio/kubernetes-operator/releases/latest/manifests/install.yaml
-kubectl delete namespace netbird
-```
-
-**Using helm**
-
-```sh
-helm uninstall -n netbird netbird-operator
+kubectl create namespace netbird
+kubectl apply -n netbird -f https://raw.githubusercontent.com/netbirdio/kubernetes-operator/refs/heads/main/manifests/install.yaml
 ```
 
-### Provision pods with NetBird access
-
-1. Create a Setup Key in your [NetBird console](https://docs.netbird.io/how-to/register-machines-using-setup-keys#using-setup-keys).
-1. Create a Secret object in the namespace where you need to provision NetBird access (secret name and field can be anything).
-```yaml
-apiVersion: v1
-stringData:
-  setupkey: EEEEEEEE-EEEE-EEEE-EEEE-EEEEEEEEEEEE
-kind: Secret
-metadata:
-  name: test
-```
-1. Create an NBSetupKey object referring to your secret.
-```yaml
-apiVersion: netbird.io/v1
-kind: NBSetupKey
-metadata:
-  name: test
-spec:
-  # Optional, overrides management URL for this setupkey only
-  # defaults to https://api.netbird.io
-  managementURL: https://netbird.example.com 
-  secretKeyRef:
-    name: test # Required
-    key: setupkey # Required
-```
-1. Annotate the pods you need to inject NetBird into with `netbird.io/setup-key`.
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: deployment
-spec:
-  selector:
-    matchLabels:
-      app: myapp
-  template:
-    metadata:
-      labels:
-        app: myapp
-      annotations:
-        netbird.io/setup-key: test # Must match the name of an NBSetupKey object in the same namespace
-    spec:
-      containers:
-      - image: yourimage
-        name: container
+### Usage
 
-```
+Checks [usage.md](docs/usage.md).
 
 ## Contributing
 

docs/usage.md

@@ -0,0 +1,94 @@
+# Usage
+
+## Provision pods with NetBird access
+
+1. Create a Setup Key in your [NetBird console](https://docs.netbird.io/how-to/register-machines-using-setup-keys#using-setup-keys).
+1. Create a Secret object in the namespace where you need to provision NetBird access (secret name and field can be anything).
+```yaml
+apiVersion: v1
+stringData:
+  setupkey: EEEEEEEE-EEEE-EEEE-EEEE-EEEEEEEEEEEE
+kind: Secret
+metadata:
+  name: test
+```
+1. Create an NBSetupKey object referring to your secret.
+```yaml
+apiVersion: netbird.io/v1
+kind: NBSetupKey
+metadata:
+  name: test
+spec:
+  # Optional, overrides management URL for this setupkey only
+  # defaults to https://api.netbird.io
+  managementURL: https://netbird.example.com 
+  secretKeyRef:
+    name: test # Required
+    key: setupkey # Required
+```
+1. Annotate the pods you need to inject NetBird into with `netbird.io/setup-key`.
+```yaml
+kind: Deployment
+...
+spec:
+...
+  template:
+    metadata:
+      annotations:
+        netbird.io/setup-key: test # Must match the name of an NBSetupKey object in the same namespace
+...
+    spec:
+      containers:
+...
+```
+
+## Provisioning Networks (Ingress Functionality)
+
+### Granting controller access to NetBird Management
+
+> [!IMPORTANT]
+> NetBird kubernetes operator generates configurations using NetBird API, editing or deleting these configurations in the NetBird console may cause temporary network disconnection until the operator reconciles the configuration.
+
+1. Create a Service User on your NetBird dashboard (Must be Admin). [Doc](https://docs.netbird.io/how-to/access-netbird-public-api#creating-a-service-user).
+1. Create access token for the Service User (Must be Admin). [Doc](https://docs.netbird.io/how-to/access-netbird-public-api#creating-a-service-user).
+1. Add access token to your helm values file under `netbirdAPI.key`.
+    1. Alternatively, provision secret in the same namespace as the operator and set the key `NB_API_KEY` to the access token generated.
+    1. Set `netbirdAPI.keyFromSecret` to the name of the secret created.
+1. Set `ingress.enabled` to `true`.
+    1. Optionally, to provision network immediately, set `ingress.router.enabled` to `true`.
+    1. Optionally, to provision 1 network per kubernetes namespace, set `ingress.namespacedNetworks` to `true`.
+1. Run `helm install` or `helm upgrade`.
+
+### Exposing a Service
+
+> [!IMPORTANT]  
+> Ingress DNS Resolution requires DNS Wildcard Routing to be enabled, and at least one DNS Nameserver configured for clients.
+
+|Annotation|Description|Default|
+|---|---|---|
+|`netbird.io/expose`|Expose service using NetBird Network Resource||
+|`netbird.io/groups`|Comma-separated list of group names to assign to Network Resource|`{ClusterName}-{Namespace}-{Service}`|
+|`netbird.io/resource-name`|Network Resource name|`{Namespace}-{Service}`|
+|`netbird.io/policy`|Name of NBPolicy to propagate service ports as destination.||
+|`netbird.io/policy-ports`|Narrow down exposed ports in policy, leave empty for all ports.||
+|`netbird.io/policy-protocol`|Narrow down protocol for use in policy, leave empty for all protocols.||
+
+### Managing Policies
+
+1. Simply add policies under `ingress.policies`, for example.
+```yaml
+ingress:
+  policies:
+    default:
+      name: Kubernetes Default Policy # Required
+      description: Default # Optional
+      sourceGroups: # Required
+      - All
+      ports: # Optional, resources annotated 'netbird.io/policy=default' will append to this
+      - 443
+      protocols: # Optional, restricts protocols allowed to resources, defaults to ['tcp', 'udp']
+      - tcp
+      - udp
+      bidirectional: true # Optional, defaults to true
+```
+2. Reference policy in Services using `netbird.io/policy=default`, this will add relevant ports and destination groups to Policy.

examples/ingress/exposed-nginx.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test
+  name: test
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: test
+    spec:
+      containers:
+      - image: nginx
+        imagePullPolicy: Always
+        name: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    netbird.io/expose: "true"
+    netbird.io/policy: default
+    netbird.io/resource-name: nginx
+  labels:
+    app: test
+  name: test
+  namespace: default
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: test
+  type: ClusterIP

examples/ingress/values.yaml

@@ -0,0 +1,12 @@
+ingress:
+  enabled: true
+  router:
+    enabled: true
+  policies:
+    default:
+      name: Kubernetes Default Policy
+      sourceGroups:
+      - All
+
+netbirdAPI:
+  key: "nbp_m0LM9ZZvDUzFO0pY50iChDOTxJgKFM3DIqmZ" # Replace with valid NetBird Service Account token

examples/setup-keys/example.yaml

@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test
+  namespace: default
+stringData:
+  SETUP_KEY: 50445ABC-8901-4050-8047-0A390658A79B # Replace with valid setup key
+---
+apiVersion: netbird.io/v1
+kind: NBSetupKey
+metadata:
+  name: test
+  namespace: default
+spec:
+  secretKeyRef:
+    name: test
+    key: SETUP_KEY
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test
+  name: test
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: test
+      annotations:
+        netbird.io/setup-key: test
+    spec:
+      containers:
+        - image: ubuntu
+          imagePullPolicy: Always
+          name: ubuntu
+          command:
+            - sleep
+            - inf

helm/netbird-operator/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: netbird-operator
 description: A Helm chart for Kubernetes
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "v0.1.0-rc.3"

helm/netbird-operator/templates/_helpers.tpl

@@ -92,7 +92,7 @@ caCert: {{ index $secret.data "ca.crt" }}
 clientCert: {{ index $secret.data "tls.crt" }}
 clientKey: {{ index $secret.data "tls.key" }}
 {{- else -}}
-{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.webhook.cluster.dnsDomain) -}}
+{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.%s" $serviceName .Release.Namespace .Values.cluster.dns) -}}
 {{- $ca := genCA "netbird-operator-ca" 3650 -}}
 {{- $cert := genSignedCert (include "netbird-operator.fullname" .) nil $altNames 3650 $ca -}}
 caCert: {{ $ca.Cert | b64enc }}

helm/netbird-operator/templates/webhook.yaml

@@ -235,7 +235,7 @@ metadata:
 spec:
   dnsNames:
   - {{ template "netbird-operator.webhookService" . }}.{{ .Release.Namespace }}.svc
-  - {{ template "netbird-operator.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.webhook.cluster.dnsDomain }}
+  - {{ template "netbird-operator.webhookService" . }}.{{ .Release.Namespace }}.{{ .Values.cluster.dns }}
   issuerRef:
     kind: Issuer
     name: {{ template "netbird-operator.fullname" . }}-selfsigned-issuer