Merged
4 changes: 2 additions & 2 deletions charts/kubernetes-operator/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
name: kubernetes-operator
description: NetBird Kubernetes Operator
type: application
version: 0.2.2
appVersion: "0.2.2"
version: 0.3.0-rc.1
appVersion: "0.3.0-rc.1"
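Review bot: `0.3.0-rc.1` is a SemVer pre-release, so `helm install`/`helm upgrade` and `helm search repo` skip it unless the user passes `--devel` or pins the exact version; worth stating in the release notes so people testing the Gateway API support in this PR know how to pull it. `version` and `appVersion` move together, which is consistent with the chart's previous practice.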
151 changes: 136 additions & 15 deletions charts/kubernetes-operator/crds/netbird.io_nbroutingpeers.yaml
149 changes: 136 additions & 13 deletions charts/kubernetes-operator/crds/netbird.io_nbsetupkeys.yaml
@@ -67,6 +67,11 @@ spec:
- key
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- fieldPath: .name
message: secret name needs to be set
reason: FieldValueRequired
rule: self.name.size() > 0
volumeMounts:
description: VolumeMounts optional, additional volumeMounts for NetBird
container
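Review bot: the CEL rule `self.name.size() > 0` should guard the field access, because the surrounding schema only lists `key` under `required` (the `- key` context line), so `name` may be absent. In Kubernetes CEL, reading an unset optional field is an evaluation error rather than `false`, and the request is then rejected with a generic error instead of the `secret name needs to be set` message defined here. Suggested rule: `has(self.name) && self.name.size() > 0`, which fails cleanly for both the missing and the empty-string case and keeps `fieldPath: .name` meaningful.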
@@ -717,7 +722,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
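Review bot: this hunk and the later description-only hunks in this CRD (volumeAttributesClassName, glusterfs, image, iscsi, rbd) are regenerated field documentation from a newer upstream `k8s.io/api`, not operator changes; nothing to act on here, but the corresponding Go dependency bump in the operator should land in the same release so the CRD schema and the types the controller serializes do not drift.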
@@ -805,15 +810,13 @@ spec:
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
will be set by the persistentvolume controller if it exists.
it can be changed after the claim is created. An empty string or nil value indicates that no
VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
this field can be reset to its previous value (including nil) to cancel the modification.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
(Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
description: |-
@@ -995,12 +998,10 @@ spec:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
description: |-
endpoints is the endpoint name that details Glusterfs topology.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
description: endpoints is the endpoint name that details
Glusterfs topology.
type: string
path:
description: |-
@@ -1054,7 +1055,7 @@ spec:
The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
The volume will be mounted read-only (ro) and non-executable files (noexec).
Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
properties:
pullPolicy:
@@ -1079,7 +1080,7 @@ spec:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://examples.k8s.io/volumes/iscsi/README.md
More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support iSCSI
@@ -1499,6 +1500,129 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
podCertificate:
description: |-
Projects an auto-rotating credential bundle (private key and certificate
chain) that the pod can use either as a TLS client or server.

Kubelet generates a private key and uses it to send a
PodCertificateRequest to the named signer. Once the signer approves the
request and issues a certificate chain, Kubelet writes the key and
certificate chain to the pod filesystem. The pod does not start until
certificates have been issued for each podCertificate projected volume
source in its spec.

Kubelet will begin trying to rotate the certificate at the time indicated
by the signer using the PodCertificateRequest.Status.BeginRefreshAt
timestamp.

Kubelet can write a single file, indicated by the credentialBundlePath
field, or separate files, indicated by the keyPath and
certificateChainPath fields.

The credential bundle is a single file in PEM format. The first PEM
entry is the private key (in PKCS#8 format), and the remaining PEM
entries are the certificate chain issued by the signer (typically,
signers will return their certificate chain in leaf-to-root order).

Prefer using the credential bundle format, since your application code
can read it atomically. If you use keyPath and certificateChainPath,
your application must make two separate file reads. If these coincide
with a certificate rotation, it is possible that the private key and leaf
certificate you read may not correspond to each other. Your application
will need to check for this condition, and re-read until they are
consistent.

The named signer controls chooses the format of the certificate it
issues; consult the signer implementation's documentation to learn how to
use the certificates it issues.
properties:
certificateChainPath:
description: |-
Write the certificate chain at this path in the projected volume.

Most applications should use credentialBundlePath. When using keyPath
and certificateChainPath, your application needs to check that the key
and leaf certificate are consistent, because it is possible to read the
files mid-rotation.
type: string
credentialBundlePath:
description: |-
Write the credential bundle at this path in the projected volume.

The credential bundle is a single file that contains multiple PEM blocks.
The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
key.

The remaining blocks are CERTIFICATE blocks, containing the issued
certificate chain from the signer (leaf and any intermediates).

Using credentialBundlePath lets your Pod's application code make a single
atomic read that retrieves a consistent key and certificate chain. If you
project them to separate files, your application code will need to
additionally check that the leaf certificate was issued to the key.
type: string
keyPath:
description: |-
Write the key at this path in the projected volume.

Most applications should use credentialBundlePath. When using keyPath
and certificateChainPath, your application needs to check that the key
and leaf certificate are consistent, because it is possible to read the
files mid-rotation.
type: string
keyType:
description: |-
The type of keypair Kubelet will generate for the pod.

Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
"ECDSAP521", and "ED25519".
type: string
maxExpirationSeconds:
description: |-
maxExpirationSeconds is the maximum lifetime permitted for the
certificate.

Kubelet copies this value verbatim into the PodCertificateRequests it
generates for this projection.

If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
will reject values shorter than 3600 (1 hour). The maximum allowable
value is 7862400 (91 days).

The signer implementation is then free to issue a certificate with any
lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
seconds (1 hour). This constraint is enforced by kube-apiserver.
`kubernetes.io` signers will never issue certificates with a lifetime
longer than 24 hours.
format: int32
type: integer
signerName:
description: Kubelet's generated CSRs will be
addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.

These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.

Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.

Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
type: object
secret:
description: secret information about the secret data
to project
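Review bot: the new `podCertificate` projected volume source is an alpha, feature-gated API in upstream Kubernetes, so accepting it in this CRD schema does not mean the target cluster honours it; on a cluster without the gate the NetBird pod, not the NBSetupKey object, is rejected at creation time and the failure only shows up in the operator's events or status. The chart README should state the minimum Kubernetes version for this field, and the operator should surface the pod creation error on the owning resource so users are not left with a pod that never appears. Two details from the schema worth carrying into that documentation: `keyType` and `signerName` are `required`, and `maxExpirationSeconds` is bounded to 3600..7862400 by kube-apiserver, so values outside that range are rejected there, not by the CRD. The field documentation's own advice to prefer `credentialBundlePath` over separate `keyPath`/`certificateChainPath` (single atomic read, no key/leaf mismatch mid-rotation) is the right default to recommend.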
@@ -1633,7 +1757,6 @@ spec:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
10 changes: 9 additions & 1 deletion charts/kubernetes-operator/templates/deployment.yaml
@@ -45,6 +45,10 @@ spec:
- --leader-elect
- --health-probe-bind-address=:{{ .Values.operator.livenessProbe.port }}
- --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs
- --runtime-namespace=$(POD_NAMESPACE)
{{- if .Values.gatewayAPI.enabled }}
- --gateway-api-enabled=true
{{- end }}
{{- if .Values.managementURL }}
- --netbird-management-url={{.Values.managementURL}}
{{- end }}
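Review bot: `--runtime-namespace=$(POD_NAMESPACE)` only works if a `POD_NAMESPACE` environment variable is declared on the same container; Kubernetes expands `$(VAR)` in `args` from the container's `env` and otherwise passes the literal string `$(POD_NAMESPACE)` through to the operator. The later hunk in this file adds that variable via the downward API, so this is fine as long as both hunks ship together. The `--gateway-api-enabled=true` flag is gated on `.Values.gatewayAPI.enabled`, the same value that gates the new Gateway API rules in rbac.yaml, which keeps the flag and the permissions it needs in lockstep.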
@@ -87,8 +91,12 @@ spec:
periodSeconds: {{ .Values.operator.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.operator.livenessProbe.successThreshold }}
timeoutSeconds: {{ .Values.operator.livenessProbe.timeoutSeconds }}
{{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}
- name: NB_API_KEY
valueFrom:
secretKeyRef:
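Review bot: moving `env:` above the `{{- if or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret }}` guard is necessary, not just cosmetic: previously the whole `env` block was conditional, so a deployment without an API key would have had no `POD_NAMESPACE` variable and the `$(POD_NAMESPACE)` reference in `args` would not have been expanded. With the guard now wrapping only `NB_API_KEY`, the downward-API entry is always present. The indentation of `- name: NB_API_KEY` relative to the new `- name: POD_NAMESPACE` item should be checked in a rendered `helm template` output, since the two entries now originate from different nesting levels in the template.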
6 changes: 4 additions & 2 deletions charts/kubernetes-operator/templates/nbpolicies.yaml
@@ -19,10 +19,12 @@ spec:
description: {{ $v.description }}
{{- end }}
{{- if $v.protocols }}
protocols: {{ $v.protocols }}
protocols:
{{ toYaml $v.protocols | nindent 4}}
{{- end }}
{{- if $v.ports }}
ports: {{ $v.ports }}
ports:
{{ toYaml $v.ports | nindent 4}}
{{- end }}
{{- if hasKey $v "bidirectional" }}
bidirectional: {{ $v.bidirectional }}
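Review bot: the old `protocols: {{ $v.protocols }}` and `ports: {{ $v.ports }}` rendered the Go slice form (for example `[tcp udp]`), which YAML reads as a one-element flow sequence containing the string `tcp udp`, so multi-element lists were silently wrong; switching to `toYaml ... | nindent 4` is the correct fix. Since the values drive the generated policy's allowed protocols and ports, a `helm template` check with a two-element list in `values.yaml` would make a good regression test for this. Minor style point: `nindent 4}}` lacks the space before `}}` used elsewhere in the chart.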
21 changes: 21 additions & 0 deletions charts/kubernetes-operator/templates/rbac.yaml
@@ -124,6 +124,27 @@ rules:
- delete
{{- end }}
{{- end }}
{{- if .Values.gatewayAPI.enabled }}
- apiGroups: ["gateway.networking.k8s.io"]
resources:
- gatewayclasses
- gateways
- httproutes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups: ["gateway.networking.k8s.io"]
resources:
- gatewayclasses/status
- gateways/status
- httproutes/status
verbs:
- update
- patch
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
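Review bot: `update` and `patch` on `gatewayclasses`, `gateways` and `httproutes` themselves are broader than an operator that consumes these objects and reports on them needs; the second rule already grants `update`/`patch` on the `/status` subresources. Unless the controller writes to the main objects (finalizers, annotations, or spec), restrict the first rule to `get`, `list` and `watch` so a compromised operator token cannot rewrite cluster ingress routing. If the operator does add finalizers, a short comment in the template explaining why the write verbs are needed would help future reviewers keep the role minimal. The `{{- if .Values.gatewayAPI.enabled }}` guard correctly keeps these rules out of installs that do not use the feature.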
42 changes: 1 addition & 41 deletions charts/kubernetes-operator/templates/webhook.yaml
@@ -51,46 +51,6 @@ webhooks:
resources:
- pods
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
{{- if $.Values.webhook.enableCertManager }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "kubernetes-operator.fullname" . }}-serving-cert
{{- end }}
name: {{ include "kubernetes-operator.fullname" . }}-vnbsetupkey-webhook
labels:
{{- include "kubernetes-operator.labels" . | nindent 4 }}
webhooks:
- clientConfig:
{{- if not $.Values.webhook.enableCertManager }}
caBundle: {{ $tls.caCert }}
{{ end }}
service:
name: {{ template "kubernetes-operator.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-netbird-io-v1-nbsetupkey
failurePolicy: {{ .Values.webhook.failurePolicy }}
name: vnbsetupkey-v1.netbird.io
admissionReviewVersions:
- v1
{{- if .Values.webhook.namespaceSelectors }}
namespaceSelector:
matchExpressions:
{{ toYaml .Values.webhook.namespaceSelectors | nindent 4 }}
{{ end }}
rules:
- apiGroups:
- netbird.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- "nbsetupkeys"
sideEffects: None
{{- if and $.Values.ingress.enabled (or .Values.netbirdAPI.key .Values.netbirdAPI.keyFromSecret) }}
---
apiVersion: admissionregistration.k8s.io/v1
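Review bot: removing the `vnbsetupkey-v1.netbird.io` ValidatingWebhookConfiguration in favour of CEL `x-kubernetes-validations` in the NBSetupKey CRD is a good trade: validation now runs inside kube-apiserver with no dependency on the operator pod, its serving certificate or `failurePolicy`. Two things to confirm that this diff cannot show: that the operator binary no longer registers the `/validate-netbird-io-v1-nbsetupkey` handler (a dangling route is harmless, but dead code), and that every check the webhook performed is covered by CRD rules, because the only rule visible in this PR is the non-empty secret name check. Any validation that needed cluster state (for example, that the referenced Secret exists) cannot be expressed in CEL and would have to move into the controller's reconcile loop with a status condition.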
@@ -172,4 +132,4 @@ metadata:
{{ include "kubernetes-operator.labels" . | indent 4 }}
spec:
selfSigned: {}
{{- end }}
{{- end }}
9 changes: 6 additions & 3 deletions charts/kubernetes-operator/values.yaml
@@ -30,7 +30,7 @@ webhook:
# operator: NotIn
# values:
# - foo

# Failure Policy for webhook
failurePolicy: Fail

@@ -184,6 +184,9 @@ ingress:
# sourceGroups:
# - All

gatewayAPI:
enabled: false

cluster:
# Cluster DNS name (used for webhooks certificates and for network resource DNS names)
dns: svc.cluster.local
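Review bot: `gatewayAPI.enabled: false` is the right default (the extra ClusterRole rules and the `--gateway-api-enabled` flag stay off unless opted into), but the key deserves a comment like the surrounding values have: enabling it requires the Gateway API CRDs (`gateway.networking.k8s.io`) to be installed in the cluster beforehand, otherwise the operator's watches on those kinds cannot start, and it grants the operator write access to Gateway API objects as defined in rbac.yaml.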
@@ -196,8 +199,8 @@ netbirdAPI: {}
#keyFromSecret:
# name: "Secret name"
# key: "NB_API_KEY"
#routingClientImage: "netbirdio/netbird:latest"

#routingClientImage: "netbirdio/netbird:latest"

general:
# General labels, applied to all created K8s resources