WIP

Author: mohamed-essam

README.md

@@ -1,52 +1,46 @@
 # NetBird Kubernetes Operator
 For easily provisioning access to Kubernetes resources using NetBird.
 
+https://github.com/user-attachments/assets/5472a499-e63d-4301-a513-ad84cfe5ca7b
+
 ## Description
 
 This operator enables easily provisioning NetBird access on kubernetes clusters, allowing users to access internal resources directly.
 
 ## Getting Started
 
 ### Prerequisites
-- helm version 3+
+- (Recommended) helm version 3+
 - kubectl version v1.11.3+.
 - Access to a Kubernetes v1.11.3+ cluster.
-- (Optional for Helm chart installation) Cert Manager.
-
-### To Deploy on the cluster
+- (Recommended) Cert Manager.
 
-**Using the install.yaml**
 
-```sh
-kubectl create namespace netbird
-kubectl apply -n netbird -f https://github.com/netbirdio/kubernetes-operator/releases/latest/manifests/install.yaml
-```
+### Deployment
+> [!NOTE]
+> Helm Installation method is recommended due to automation of multiple settings within the deployment.
 
-**Using the Helm Chart**
+#### Using Helm
 
+1. Add helm repository.
 ```sh
 helm repo add netbirdio https://netbirdio.github.io/kubernetes-operator
-helm install -n netbird netbird-operator netbirdio/netbird-operator
 ```
+2. (Recommended) Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install).
+1. (Recommended) Create a values.yaml file, check `helm show values netbirdio/kubernetes-operator` for more info.
+1. Install using `helm install --create-namespace -f values.yaml -n netbird netbird-operator netbirdio/kubernetes-operator`.
 
-For more options, check the default values by running
-```sh
-helm show values netbirdio/netbird-operator
-```
+#### Using install.yaml
 
-### To Uninstall
-**Using install.yaml**
+> [!IMPORTANT]
+> install.yaml only includes a very basic template for deploying a stripped down version of kubernetes-operator.
+> This excludes any and all configuration for ingress capabilities, and requires cert-manager to be installed.
 
 ```sh
-kubectl delete -n netbird -f https://github.com/netbirdio/kubernetes-operator/releases/latest/manifests/install.yaml
-kubectl delete namespace netbird
+kubectl create namespace netbird
+kubectl apply -n netbird -f https://raw.githubusercontent.com/netbirdio/kubernetes-operator/refs/heads/main/manifests/install.yaml
 ```
 
-**Using helm**
-
-```sh
-helm uninstall -n netbird netbird-operator
-```
 
 ### Provision pods with NetBird access
 
@@ -94,8 +88,58 @@ spec:
       containers:
       - image: yourimage
         name: container
+```
+
+## Provisioning Networks (Ingress Functionality)
+
+### Granting controller access to NetBird Management
+
+> [!IMPORTANT]
+> NetBird kubernetes operator generates configurations using NetBird API, editing or deleting these configurations in the NetBird console may cause temporary network disconnection until the operator reconciles the configuration.
+
+1. Create a Service User on your NetBird dashboard (Must be Admin). [Doc](https://docs.netbird.io/how-to/access-netbird-public-api#creating-a-service-user).
+1. Create access token for the Service User (Must be Admin). [Doc](https://docs.netbird.io/how-to/access-netbird-public-api#creating-a-service-user).
+1. Add access token to your helm values file under `netbirdAPI.key`.
+    1. Alternatively, provision secret in the same namespace as the operator and set the key `NB_API_KEY` to the access token generated.
+    1. Set `netbirdAPI.keyFromSecret` to the name of the secret created.
+1. Set `ingress.enabled` to `true`.
+    1. Optionally, to provision network immediately, set `ingress.router.enabled` to `true`.
+    1. Optionally, to provision 1 network per kubernetes namespace, set `ingress.namespacedNetworks` to `true`.
+1. Run `helm install` or `helm upgrade`.
 
+### Exposing a Service
+
+> [!IMPORTANT]  
+> Ingress DNS Resolution requires DNS Wildcard Routing to be enabled, and at least one DNS Nameserver configured for clients.
+
+|Annotation|Description|Default|
+|---|---|---|
+|`netbird.io/expose`|Expose service using NetBird Network Resource||
+|`netbird.io/groups`|Comma-separated list of group names to assign to Network Resource|`{ClusterName}-{Namespace}-{Service}`|
+|`netbird.io/resource-name`|Network Resource name|`{Namespace}-{Service}`|
+|`netbird.io/policy`|Name of NBPolicy to propagate service ports as destination.||
+|`netbird.io/policy-ports`|Narrow down exposed ports in policy, leave empty for all ports.||
+|`netbird.io/policy-protocol`|Narrow down protocol for use in policy, leave empty for all protocols.||
+
+### Managing Policies
+
+1. Simply add policies under `ingress.policies`, for example.
+```yaml
+ingress:
+  policies:
+    default:
+      name: Kubernetes Default Policy # Required
+      description: Default # Optional
+      sourceGroups: # Required
+      - All
+      ports: # Optional, resources annotated 'netbird.io/policy=default' will append to this
+      - 443
+      protocols: # Optional, restricts protocols allowed to resources, defaults to ['tcp', 'udp']
+      - tcp
+      - udp
+      bidirectional: true # Optional, defaults to true
 ```
+2. Reference policy in Services using `netbird.io/policy=default`, this will add relevant ports and destination groups to Policy.
 
 ## Contributing
 

examples/ingress/exposed-nginx.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test
+  name: test
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: test
+    spec:
+      containers:
+      - image: nginx
+        imagePullPolicy: Always
+        name: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    netbird.io/expose: "true"
+    netbird.io/policy: default
+    netbird.io/resource-name: nginx
+  labels:
+    app: test
+  name: test
+  namespace: default
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: test
+  type: ClusterIP

examples/ingress/values.yaml

@@ -0,0 +1,12 @@
+ingress:
+  enabled: true
+  router:
+    enabled: true
+  policies:
+    default:
+      name: Kubernetes Default Policy
+      sourceGroups:
+      - All
+
+netbirdAPI:
+  key: "nbp_m0LM9ZZvDUzFO0pY50iChDOTxJgKFM3DIqmZ" # Replace with valid NetBird Service Account token

examples/setup-keys/example.yaml

@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test
+  namespace: default
+stringData:
+  SETUP_KEY: 50445ABC-8901-4050-8047-0A390658A79B # Replace with valid setup key
+---
+apiVersion: netbird.io/v1
+kind: NBSetupKey
+metadata:
+  name: test
+  namespace: default
+spec:
+  secretKeyRef:
+    name: test
+    key: SETUP_KEY
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test
+  name: test
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: test
+      annotations:
+        netbird.io/setup-key: test
+    spec:
+      containers:
+        - image: ubuntu
+          imagePullPolicy: Always
+          name: ubuntu
+          command:
+            - sleep
+            - inf

helm/netbird-operator/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: netbird-operator
 description: A Helm chart for Kubernetes
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "v0.1.0-rc.3"

helm/netbird-operator/templates/_helpers.tpl

@@ -92,7 +92,7 @@ caCert: {{ index $secret.data "ca.crt" }}
 clientCert: {{ index $secret.data "tls.crt" }}
 clientKey: {{ index $secret.data "tls.key" }}
 {{- else -}}
-{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.webhook.cluster.dnsDomain) -}}
+{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.%s" $serviceName .Release.Namespace .Values.cluster.dns) -}}
 {{- $ca := genCA "netbird-operator-ca" 3650 -}}
 {{- $cert := genSignedCert (include "netbird-operator.fullname" .) nil $altNames 3650 $ca -}}
 caCert: {{ $ca.Cert | b64enc }}

helm/netbird-operator/templates/webhook.yaml

@@ -235,7 +235,7 @@ metadata:
 spec:
   dnsNames:
   - {{ template "netbird-operator.webhookService" . }}.{{ .Release.Namespace }}.svc
-  - {{ template "netbird-operator.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.webhook.cluster.dnsDomain }}
+  - {{ template "netbird-operator.webhookService" . }}.{{ .Release.Namespace }}.{{ .Values.cluster.dns }}
   issuerRef:
     kind: Issuer
     name: {{ template "netbird-operator.fullname" . }}-selfsigned-issuer

helm/netbird-operator/values.yaml

@@ -1,4 +1,6 @@
 clusterSecretsPermissions:
+  # Required for NBSetupKey validation
+  # Required for Ingress functionality to create and validate secrets for routing peers
   allowAllSecrets: true
 
 webhook:
@@ -7,22 +9,21 @@ webhook:
     port: 443
     targetPort: 9443
 
-  cluster:
-    # Cluster DNS domain (required for requesting TLS certificates)
-    dnsDomain: cluster.local
-
   # TLS configuration for webhook
+  # Optional, unused if webhook.enableCertManager is set to true
   tls: {}
 
-  # Use cert-manager to provision webhook certificates
+  # Use cert-manager to provision webhook certificates (recommended)
   enableCertManager: true
 
+  # Narrow down validation and mutation webhooks namespaces
   namespaceSelectors: []
     # - key: foo
     #   operator: In
     #   values:
     #   - bar
 
+  # Narrow down validation and mutation webhooks objects
   objectSelector:
     matchExpressions: []
       # - key: app.kubernetes.io/name
@@ -130,9 +131,12 @@ operator:
   affinity: {}
 
 ingress:
+  # Enable ingress capabilities to expose services
   enabled: false
+  # Create router per namespace, useful for strict networking requirements
   namespacedNetworks: false
   router:
+    # Deploy routing peer(s)
     enabled: false
     # replicas: 3
     # resources:
@@ -146,8 +150,8 @@ ingress:
     # annotations: {}
     # nodeSelector: {}
     # tolerations: []
-    # Only needed for namespacedNetworks
-    # namespaces:
+    # Only needed if namespacedNetworks is set to true
+    namespaces: {}
       # default:
         # replicas: 3
         # resources:
@@ -161,16 +165,20 @@ ingress:
         # annotations: {}
         # nodeSelector: {}
         # tolerations: []
+  # NetBird Policies for use with exposed services
   policies: {}
     # default:
     #   name: Kubernetes Default Policy
     #   sourceGroups:
     #   - All
 
-cluster: {}
+cluster:
+  # Cluster DNS name (used for webhooks certificates and for network resource DNS names)
+  dns: svc.cluster.local
+  # Cluster name (used for generating network and network resource names in NetBird)
   # name: kubernetes
-  # dns: svc.cluster.local
 
 netbirdAPI: {}
+  # NetBird Service Account Token
   # key: "nbp_m0LM9ZZvDUzFO0pY50iChDOTxJgKFM3DIqmZ"
   # keyFromSecret: "Secret name with NB_API_KEY=Service Account Token"

internal/controller/nbgroup_controller.go

@@ -28,6 +28,11 @@ type NBGroupReconciler struct {
 }
 
 const (
+	// defaultRequeueAfter default requeue duration
+	// due to controller-runtime limitations, sync periods may reach up to 10 hours if no changes are detected
+	// in watched resources.
+	// This may cause issues when NetBird-side resources are out-of-sync and need to be reconciled, this is a temporary
+	// fix to this issue by syncing with NetBird more frequently.
 	defaultRequeueAfter = 15 * time.Minute
 )
 
@@ -69,7 +74,9 @@ func (r *NBGroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (re
 	return r.syncNetBirdGroup(ctx, &nbGroup, logger)
 }
 
+// syncNetBirdGroup reconcilation logic for non-deleted objects.
 func (r *NBGroupReconciler) syncNetBirdGroup(ctx context.Context, nbGroup *netbirdiov1.NBGroup, logger logr.Logger) (ctrl.Result, error) {
+	// Get all NetBird groups to ensure no group duplication
 	groups, err := r.netbird.Groups.List(ctx)
 	if err != nil {
 		logger.Error(errNetBirdAPI, "error listing groups", "err", err)
@@ -81,6 +88,8 @@ func (r *NBGroupReconciler) syncNetBirdGroup(ctx context.Context, nbGroup *netbi
 			group = &g
 		}
 	}
+
+	// Create group if not exists, and update status.groupId
 	if nbGroup.Status.GroupID == nil && group == nil {
 		logger.Info("NBGroup: Creating group on NetBird", "name", nbGroup.Spec.Name)
 		group, err := r.netbird.Groups.Create(ctx, api.GroupRequest{
@@ -118,6 +127,7 @@ func (r *NBGroupReconciler) syncNetBirdGroup(ctx context.Context, nbGroup *netbi
 }
 
 func (r *NBGroupReconciler) handleDelete(ctx context.Context, nbGroup netbirdiov1.NBGroup, logger logr.Logger) error {
+	// Group doesn't exist on NetBird, no need for cleanup
 	if nbGroup.Status.GroupID == nil {
 		nbGroup.Finalizers = util.Without(nbGroup.Finalizers, "netbird.io/group-cleanup")
 		err := r.Client.Update(ctx, &nbGroup)
@@ -160,6 +170,9 @@ func (r *NBGroupReconciler) handleDelete(ctx context.Context, nbGroup netbirdiov
 				return nil
 			}
 		}
+
+		// No other NBGroup with same name on the cluster
+		// This could be a group created by user elsewhere or some resources belonging to the group are still deleting.
 		return err
 	}