Skip to content

Instantly share code, notes, and snippets.

@identw

identw/netbird.yaml

Created July 29, 2024 12:52
Show Gist options
  • Save identw/b1cff7048d6b8f263cac1a751f6af381 to your computer and use it in GitHub Desktop.
Save identw/b1cff7048d6b8f263cac1a751f6af381 to your computer and use it in GitHub Desktop.
Download ZIP
netbird
Raw
netbird.yaml
# dex config:
# ...
# staticClients:
# - id: netbird-backend
# name: netbird-backend
# redirectURIs:
# - https://netbird.example.com
# - https://netbird.example.com/#callback
# secret: <DEX_NETBIRD_BACKEND_SECRET>
# - id: netbird-client
# name: netbird-client
# public: true
# redirectURIs:
# - https://netbird.example.com
# - https://netbird.example.com/#callback
# - http://localhost:53000
# - /device/callback
# ...
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: netbird-tls
spec:
dnsNames:
- netbird.example.com
issuerRef:
group: cert-manager.io
kind: Issuer
name: letsencrypt-dns
secretName: tls
---
apiVersion: v1
kind: Secret
metadata:
name: netbird-dashboards-envs
type: Opaque
stringData:
AUTH_AUDIENCE: netbird-client
AUTH_AUTHORITY: https://dex.example.com
AUTH_CLIENT_ID: netbird-client
AUTH_CLIENT_SECRET: ""
AUTH_REDIRECT_URI: ""
AUTH_SILENT_REDIRECT_URI: ""
AUTH_SUPPORTED_SCOPES: openid email groups profile offline_access
LETSENCRYPT_DOMAIN: ""
LETSENCRYPT_EMAIL: ""
NETBIRD_TOKEN_SOURCE: accessToken
NGINX_SSL_PORT: '443'
USE_AUTH0: 'false'
---
apiVersion: v1
kind: Secret
metadata:
name: netbird-management-config
type: Opaque
stringData:
# DataStoreEncryptionKey: openssl rand -base64 32
# turnServer password: random 44 symbols
management.json: |
{
"DataStoreEncryptionKey": "iSgwx24GoqCnQIjqwVpkWmSVTdN7i177nZiRHmp5ppA=",
"Datadir": "/var/lib/netbird/",
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"Audience": "netbird-client",
"AuthorizationEndpoint": "",
"ClientID": "netbird-client",
"ClientSecret": "",
"DeviceAuthEndpoint": "https://dex.example.com/device/code",
"Domain": "dex.example.com",
"RedirectURLs": null,
"Scope": "openid",
"TokenEndpoint": "https://dex.example.com/token",
"UseIDToken": false
}
},
"HttpConfig": {
"Address": "0.0.0.0:3000",
"AuthAudience": "netbird-client",
"AuthIssuer": "https://dex.example.com",
"AuthKeysLocation": "https://dex.example.com/keys",
"AuthUserIDClaim": "email",
"CertFile": "",
"CertKey": "",
"IdpSignKeyRefreshEnabled": false,
"OIDCConfigEndpoint": "https://dex.example.com/.well-known/openid-configuration"
},
"IdpManagerConfig": {
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"ClientConfig": {
"ClientID": "netbird-backend",
"ClientSecret": "<DEX_NETBIRD_BACKEND_SECRET>",
"GrantType": "client_credentials",
"Issuer": "https://dex.example.com",
"TokenEndpoint": "https://dex.example.com/token"
},
"ExtraConfig": {
},
"KeycloakClientCredentials": null,
"ManagerType": "none",
"ZitadelClientCredentials": null
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"Audience": "netbird-client",
"AuthorizationEndpoint": "https://dex.example.com/auth",
"ClientID": "netbird-client",
"ClientSecret": "",
"DeviceAuthEndpoint": "",
"Domain": "",
"RedirectURLs": [
"http://localhost:53000"
],
"Scope": "openid email groups profile offline_access",
"TokenEndpoint": "https://dex.example.com/token",
"UseIDToken": false
}
},
"ReverseProxy": {
"TrustedHTTPProxies": [
],
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": [
"0.0.0.0/0"
]
},
"Signal": {
"Password": "",
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": ""
},
"StoreConfig": {
"Engine": "postgres"
},
"Stuns": [
{
"Password": "",
"Proto": "udp",
"URI": "stun:netbird-turn.example.com:3478",
"Username": ""
}
],
"TURNConfig": {
"CredentialsTTL": "12h",
"Secret": "secret",
"TimeBasedCredentials": false,
"Turns": [
{
"Password": "TXUlFyblz15UE1La8VF9Gkhvok8yC5SvL6wbSINSZaEK",
"Proto": "udp",
"URI": "turn:netbird-turn.example.com:3478",
"Username": "self"
}
]
}
}
---
apiVersion: v1
kind: Secret
metadata:
name: netbird-postrges
type: Opaque
stringData:
NETBIRD_STORE_ENGINE_POSTGRES_DSN: host=netbird-postgres user=netbird password=EOT8S3J4BY7zUUygUGnAgBWN dbname=netbird port=5432
POSTGRES_DB: netbird
POSTGRES_PASSWORD: EOT8S3J4BY7zUUygUGnAgBWN
POSTGRES_USER: netbird
---
apiVersion: v1
kind: Secret
metadata:
name: netbird-router
type: Opaque
stringData:
NB_HOSTNAME: k8s-router
NB_SETUP_KEY: <NETBIRD_KEY>
---
apiVersion: v1
kind: Secret
metadata:
name: netbird-turnserver-config
namespace: vpn
type: Opaque
stringData:
turnserver.conf: |
listening-port=3478
tls-listening-port=5349
external-ip=<EXTERNAL_IP_ADDRESS_OF_WORKER_NODE>
min-port=49152
max-port=65535
fingerprint
lt-cred-mech
user=self:TXUlFyblz15UE1La8VF9Gkhvok8yC5SvL6wbSINSZaEK
realm=wiretrustee.com
cert=/etc/turnserver/tls.crt
pkey=/etc/turnserver/tls.key
log-file=stdout
no-software-attribute
pidfile="/var/tmp/turnserver.pid"
no-cli
---
# Source: netbird/charts/netbird/templates/configmap-dashboard-nginx.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: netbird-dashboard-nginx
labels:
app.kubernetes.io/component: dashboard
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
data:
default.conf: |
server {
listen 3000 default_server;
listen [::]:3000 default_server;
root /var/www;
location / {
try_files $uri $uri.html $uri/ =404;
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
expires off;
}
error_page 404 /404.html;
location = /404.html {
internal;
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
expires off;
}
}
---
# Source: netbird/charts/netbird/templates/service-dashboard.yaml
apiVersion: v1
kind: Service
metadata:
name: netbird-dashboard
labels:
app.kubernetes.io/component: dashboard
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
type: ClusterIP
ports:
- port: 3000
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
app.kubernetes.io/component: dashboard
---
# Source: netbird/charts/netbird/templates/service-management.yaml
apiVersion: v1
kind: Service
metadata:
name: netbird-management
labels:
app.kubernetes.io/component: management
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
type: ClusterIP
ports:
- port: 3000
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
app.kubernetes.io/component: management
---
# Source: netbird/charts/netbird/templates/service-signal.yaml
apiVersion: v1
kind: Service
metadata:
name: netbird-signal
labels:
app.kubernetes.io/component: signal
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
type: ClusterIP
ports:
- port: 3000
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
app.kubernetes.io/component: signal
---
# Source: netbird/charts/netbird/templates/deployment-dashboard.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: netbird-dashboard
labels:
app.kubernetes.io/component: dashboard
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
annotations:
reloader.stakater.com/auto: 'true'
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
template:
metadata:
labels:
app.kubernetes.io/component: dashboard
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
automountServiceAccountToken: false
enableServiceLinks: false
securityContext:
{}
priorityClassName: default
initContainers:
- name: config
securityContext:
{}
image: "docker.io/netbirdio/dashboard:v2.4.1"
command:
- /bin/sh
- -c
- |
cp -r /usr/share/nginx/html/* /var/www/
cat /usr/local/init_react_envs.sh | sed 's@/usr/share/nginx/html@/var/www@g' > init_react_envs_new.sh
chmod +x ./init_react_envs_new.sh
./init_react_envs_new.sh
rm -fv ./init_react_envs_new.sh
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
cpu: "100m"
memory: "64Mi"
env:
- name: NETBIRD_MGMT_API_ENDPOINT
value: https://netbird.example.com
- name: NETBIRD_MGMT_GRPC_API_ENDPOINT
value: https://netbird.example.com
envFrom:
- secretRef:
name: netbird-dashboards-envs
workingDir: /var/www
volumeMounts:
- name: static
mountPath: /var/www
containers:
- name: dashboard
image: "docker.io/netbirdio/dashboard:v2.4.1"
imagePullPolicy: IfNotPresent
# daemon off; is enabled in the config
command: ["nginx"]
ports:
- name: http
containerPort: 3000
protocol: TCP
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 100m
memory: 64Mi
lifecycle:
preStop:
exec:
command:
- sh
- -c
- >
sleep 15;
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx/http.d/default.conf
subPath: default.conf
- name: static
mountPath: /var/www
- name: tmp
mountPath: /run/nginx
- name: tmp
mountPath: /var/lib/nginx
- name: tmp
mountPath: /var/lib/nginx/tmp
- name: tmp
mountPath: /var/lib/nginx/logs
securityContext:
{}
volumes:
- name: nginx-config
configMap:
name: netbird-dashboard-nginx
- name: static
emptyDir:
medium: Memory
sizeLimit: 32Mi
- name: tmp
emptyDir:
medium: Memory
sizeLimit: 2Mi
---
# Source: netbird/charts/netbird/templates/deployment-management.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: netbird-management
labels:
app.kubernetes.io/component: management
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
annotations:
reloader.stakater.com/auto: 'true'
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
template:
metadata:
labels:
app.kubernetes.io/component: management
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
automountServiceAccountToken: false
enableServiceLinks: false
securityContext:
{}
priorityClassName: default
containers:
- name: management
securityContext:
{}
image: "docker.io/netbirdio/management:0.28.4"
imagePullPolicy: IfNotPresent
args:
- --port
- '3000'
- --log-file
- console
- --log-level
- info
- --disable-anonymous-metrics=false
- --single-account-mode-domain=netbird.example.com
- --dns-domain=netbird.local
- --idp-sign-key-refresh-enabled
ports:
- name: http
containerPort: 3000
protocol: TCP
envFrom:
- secretRef:
name: netbird-postrges
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 512Mi
lifecycle:
preStop:
exec:
command:
- sh
- -c
- >
sleep 15;
volumeMounts:
- name: config
mountPath: /etc/netbird/management.json
subPath: management.json
- name: data
mountPath: /var/lib/netbird
- name: tmp
mountPath: /tmp
volumes:
- name: data
emptyDir:
sizeLimit: 128Mi
- name: tmp
emptyDir:
sizeLimit: 128Mi
- name: config
secret:
secretName: netbird-management-config
---
# Source: netbird/charts/netbird/templates/deployment-router.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: netbird-router
labels:
app.kubernetes.io/component: router
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/part-of: netbird
annotations:
reloader.stakater.com/auto: 'true'
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
template:
metadata:
labels:
app.kubernetes.io/component: router
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
automountServiceAccountToken: false
enableServiceLinks: false
securityContext:
runAsNonRoot: false
runAsUser: 0
priorityClassName: default
containers:
- name: router
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_RESOURCE
- SYS_ADMIN
- NET_BIND_SERVICE
- NET_RAW
drop:
- ALL
runAsNonRoot: false
runAsUser: 0
image: "docker.io/netbirdio/netbird:0.28.4"
imagePullPolicy: IfNotPresent
env:
- name: NB_LOG_LEVEL
value: "info"
- name: NB_MANAGEMENT_URL
value: http://netbird-management:3000
- name: USER
value: 'root'
envFrom:
- secretRef:
name: netbird-router
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- name: tmp
mountPath: /etc/netbird
volumes:
- name: tmp
emptyDir:
sizeLimit: 10Mi
---
# Source: netbird/charts/netbird/templates/deployment-signal.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: netbird-signal
labels:
app.kubernetes.io/component: signal
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
annotations:
reloader.stakater.com/auto: 'true'
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
template:
metadata:
labels:
app.kubernetes.io/component: signal
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
automountServiceAccountToken: false
enableServiceLinks: false
securityContext:
{}
priorityClassName: default
containers:
- name: signal
securityContext:
{}
image: "docker.io/netbirdio/signal:0.28.4"
imagePullPolicy: IfNotPresent
args:
- --log-file
- console
- --port
- '3000'
ports:
- name: http
containerPort: 3000
protocol: TCP
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
lifecycle:
preStop:
exec:
command:
- sh
- -c
- >
sleep 15;
---
# Source: netbird/charts/netbird/templates/deployment-turn.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: netbird-turn
labels:
app.kubernetes.io/component: turn
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
annotations:
reloader.stakater.com/auto: 'true'
spec:
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/component: turn
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
spec:
automountServiceAccountToken: false
hostNetwork: true
enableServiceLinks: false
priorityClassName: default
nodeSelector:
group: turn
volumes:
- name: config
secret:
secretName: netbird-turnserver-config
- name: tls
secret:
secretName: tls
- name: tmp
emptyDir:
medium: Memory
sizeLimit: 8Mi
containers:
- name: turn
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
image: "docker.io/coturn/coturn:4.6.2-r10"
imagePullPolicy: IfNotPresent
args:
- -c
- /etc/turnserver.conf
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- name: config
mountPath: /etc/turnserver.conf
subPath: turnserver.conf
- name: tmp
mountPath: /var/tmp
- name: tls
mountPath: /etc/turnserver/tls
---
# Source: netbird/charts/netbird/templates/ingress-grpc.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: netbird-grpc
labels:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
nginx.ingress.kubernetes.io/server-snippet: |
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
spec:
ingressClassName: nginx
tls:
- hosts:
- netbird.example.com
secretName: tls
rules:
- host: "netbird.example.com"
http:
paths:
- path: /signalexchange.SignalExchange/
pathType: ImplementationSpecific
backend:
service:
name: netbird-signal
port:
name: http
- path: /management.ManagementService/
pathType: ImplementationSpecific
backend:
service:
name: netbird-management
port:
name: http
---
# Source: netbird/charts/netbird/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: netbird
labels:
app.kubernetes.io/name: netbird
app.kubernetes.io/instance: netbird
name: netbird
app: netbird
release: netbird
instance: netbird
part-of: netbird
app.kubernetes.io/version: '0.28.4'
app.kubernetes.io/part-of: netbird
annotations:
nginx.ingress.kubernetes.io/server-snippet: |
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
spec:
ingressClassName: nginx
tls:
- hosts:
- netbird.example.com
secretName: tls
rules:
- host: "netbird.example.com"
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: netbird-management
port:
name: http
- path: /
pathType: Prefix
backend:
service:
name: netbird-dashboard
port:
name: http
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment