Add hostNetwork, geolocation, custom ports, require-subdomain and extra ports support

Author: lixmal

charts/netbird-proxy/templates/deployment.yaml

@@ -35,6 +35,10 @@ spec:
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- with .Values.initContainers }}
@@ -69,6 +73,11 @@ spec:
               containerPort: {{ .Values.wireguard.port }}
               protocol: UDP
             {{- end }}
+            {{- range .Values.extraPorts }}
+            - name: {{ .name }}
+              containerPort: {{ .port }}
+              protocol: {{ .protocol }}
+            {{- end }}
           env:
             - name: USER
               value: "netbird"
@@ -149,6 +158,21 @@ spec:
             - name: NB_PROXY_WG_PORT
               value: {{ .Values.wireguard.port | quote }}
             {{- end }}
+            {{- if .Values.supportsCustomPorts }}
+            - name: NB_PROXY_SUPPORTS_CUSTOM_PORTS
+              value: "true"
+            {{- end }}
+            {{- if .Values.requireSubdomain }}
+            - name: NB_PROXY_REQUIRE_SUBDOMAIN
+              value: "true"
+            {{- end }}
+            {{- if .Values.geolocation.enabled }}
+            - name: NB_PROXY_GEO_DATA_DIR
+              value: {{ .Values.geolocation.dataDir | quote }}
+            {{- else }}
+            - name: NB_PROXY_DISABLE_GEOLOCATION
+              value: "true"
+            {{- end }}
             {{- if .Values.debug.enabled }}
             - name: NB_PROXY_DEBUG_ENDPOINT
               value: "true"
@@ -163,6 +187,8 @@ spec:
               mountPath: {{ .Values.certDir }}
             - name: tmp
               mountPath: /tmp
+            - name: data
+              mountPath: /var/lib/netbird
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -209,6 +235,16 @@ spec:
           {{- end }}
         - name: tmp
           emptyDir: {}
+        - name: data
+          {{- if and .Values.geolocation.enabled .Values.geolocation.volume.existingClaim }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.geolocation.volume.existingClaim }}
+          {{- else if and .Values.geolocation.enabled .Values.geolocation.volume.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "netbird-proxy.fullname" . }}-geodata
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

charts/netbird-proxy/templates/pvc.yaml

@@ -15,3 +15,21 @@ spec:
     requests:
       storage: {{ .Values.certVolume.size | default "256Mi" }}
 {{- end }}
+---
+{{- if and .Values.geolocation.enabled .Values.geolocation.volume.enabled (not .Values.geolocation.volume.existingClaim) }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "netbird-proxy.fullname" . }}-geodata
+  labels:
+    {{- include "netbird-proxy.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.geolocation.volume.accessMode | default "ReadWriteMany" }}
+  {{- if .Values.geolocation.volume.storageClass }}
+  storageClassName: {{ .Values.geolocation.volume.storageClass }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.geolocation.volume.size | default "128Mi" }}
+{{- end }}

charts/netbird-proxy/templates/service.yaml

@@ -56,3 +56,9 @@ spec:
       targetPort: wireguard
       protocol: UDP
     {{- end }}
+    {{- range .Values.extraPorts }}
+    - name: {{ .name }}
+      port: {{ .port }}
+      targetPort: {{ .port }}
+      protocol: {{ .protocol }}
+    {{- end }}

charts/netbird-proxy/values.yaml

@@ -37,6 +37,23 @@ proxy:
   # that use PROXY protocol to forward real client IPs.
   proxyProtocol: false
 
+# -- Allow users to choose a specific listen port for TCP/UDP services.
+# When false, ports are auto-assigned by management. When true, users
+# can specify a custom port number via the API or dashboard.
+supportsCustomPorts: true
+
+# -- Require a subdomain label in front of the cluster domain. When true,
+# accounts cannot create services on the bare cluster domain. Enable this
+# on shared proxy deployments to prevent a single account from claiming
+# the cluster domain.
+requireSubdomain: false
+
+# -- Use host networking. Required for TCP/UDP service passthrough in
+# Kubernetes, since dynamically bound ports cannot be declared in the
+# Service manifest. When enabled, the container shares the host's
+# network namespace and all listen ports are directly reachable.
+hostNetwork: false
+
 wireguard:
   # -- Enable WireGuard UDP port exposure for P2P connectivity.
   # Only works with single-account deployments; multiple accounts
@@ -72,6 +89,23 @@ oidc:
   endpoint: "https://api.netbird.io/oauth2"
   scopes: "openid,profile,email"
 
+geolocation:
+  # -- Enable geolocation lookups for country-based access restrictions.
+  enabled: true
+  # -- Directory for the geolocation database inside the container.
+  dataDir: "/var/lib/netbird/geolocation"
+  volume:
+    # -- Enable persistent storage for the geolocation database.
+    # When false, an emptyDir is used and the database re-downloads on every pod restart.
+    enabled: true
+    # -- Use an existing PVC instead of creating one.
+    existingClaim: ""
+    # -- PVC access mode.
+    accessMode: "ReadWriteOnce"
+    # -- Storage class. Leave empty for the cluster default.
+    storageClass: ""
+    size: "128Mi"
+
 debug:
   # -- Enable the debug HTTP endpoint.
   enabled: false
@@ -251,5 +285,11 @@ extraVolumeMounts: []
 #    mountPath: /pebble-ca
 #    readOnly: true
 
+# -- Extra ports to expose on the Service and container.
+extraPorts: []
+#  - name: tcp-10000
+#    port: 10000
+#    protocol: TCP
+
 # -- Init containers to add to the pod.
 initContainers: []