Skip to content

Add reverse proxy helm chart#32

Open
lixmal wants to merge 11 commits into
mainfrom
feature/netbird-proxy
Open

Add reverse proxy helm chart#32
lixmal wants to merge 11 commits into
mainfrom
feature/netbird-proxy

Conversation

@lixmal

@lixmal lixmal commented Feb 10, 2026

Copy link
Copy Markdown

Summary

Adds a Helm chart for deploying the NetBird reverse proxy.

Kubernetes Resources

Resource Condition Description
Deployment Always Proxy deployment with health probes, configurable cert and data volumes
Service Always Dual-stack (IPv4/IPv6) support, conditional ACME HTTP, NetBird UDP, and extra ports
ServiceAccount serviceAccount.create With configurable token automount (required for k8s-lease cert locking)
Secret proxyToken set (no existingSecret) Proxy token and optional OIDC client secret
PersistentVolumeClaim certVolume.enabled or geolocation.volume.enabled Shared certificate storage and geolocation database
Role rbac.create Grants Kubernetes lease permissions for ACME certificate locking
RoleBinding Same as Role Binds the lease Role to the ServiceAccount
HorizontalPodAutoscaler autoscaling.enabled CPU and memory based autoscaling
PodDisruptionBudget podDisruptionBudget.enabled Configurable minAvailable or maxUnavailable
NetworkPolicy networkPolicy.enabled Restricts ingress to proxy ports with support for additional custom rules
ServiceMonitor serviceMonitor.enabled Prometheus scraping on the health port

Summary by CodeRabbit

Release Notes

  • New Features
    • Added a complete Helm chart for deploying netbird-proxy, enabling streamlined Kubernetes deployments with comprehensive configuration options.
    • Support for autoscaling, network policies, certificate management via ACME, OIDC authentication, and Prometheus monitoring integration.
    • Customizable deployment settings for TLS, ports, geolocation, and security contexts.

Review Change Stack

@lixmal lixmal force-pushed the feature/netbird-proxy branch from 17830b8 to 2458171 Compare March 19, 2026 05:53
@EvantAiI

Copy link
Copy Markdown

Hello when do you think the chart will be ready to deploy ?
Does the maintainer of the repo reviewed the pr ? Cause i don't see any movements from the owners unless the kube-operator...

@jackylamhk jackylamhk left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably add a secret mount for static TLS certs. As the certs mount is always present, users cannot currently mount it via extraVolumes and extraVolumeMounts.

Comment thread charts/netbird-proxy/values.yaml
Comment thread charts/netbird-proxy/templates/deployment.yaml
@lixmal

lixmal commented May 17, 2026

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 17, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented May 17, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@lixmal has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 29 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cafc3975-1b64-4e56-8850-0b4bd5dedb00

📥 Commits

Reviewing files that changed from the base of the PR and between dde868a and 067781a.

📒 Files selected for processing (10)
  • charts/netbird-proxy/templates/deployment.yaml
  • charts/netbird-proxy/templates/hpa.yaml
  • charts/netbird-proxy/templates/networkpolicy.yaml
  • charts/netbird-proxy/templates/pdb.yaml
  • charts/netbird-proxy/templates/pvc.yaml
  • charts/netbird-proxy/templates/role.yaml
  • charts/netbird-proxy/templates/rolebinding.yaml
  • charts/netbird-proxy/templates/secret.yaml
  • charts/netbird-proxy/templates/service.yaml
  • charts/netbird-proxy/values.yaml
📝 Walkthrough

Walkthrough

This PR introduces a complete Helm chart for deploying netbird-proxy to Kubernetes. It includes chart metadata, comprehensive configuration defaults, template helper functions, and twelve resource templates covering the deployment workload, service exposure, identity/security (RBAC, secrets, service account), storage (PVCs), scaling (HPA), availability (PodDisruptionBudget), networking (NetworkPolicy), observability (ServiceMonitor), and post-deployment documentation (NOTES).

Changes

NetBird Proxy Helm Chart

Layer / File(s) Summary
Chart Metadata and Template Helpers
charts/netbird-proxy/Chart.yaml, charts/netbird-proxy/templates/_helpers.tpl
Defines chart metadata and establishes helper template functions for consistent resource naming, labeling, selector labels, service account naming, secret naming, port extraction, and OIDC secret naming used across all templates.
Configuration Defaults
charts/netbird-proxy/values.yaml
Provides comprehensive default values for the entire deployment: replica count, proxy token and secret handling, management address, ACME/TLS/OIDC configuration, geolocation settings, certificate volume behavior, Kubernetes security contexts, service account and RBAC, service networking, scheduling, scaling, monitoring, and extension hooks.
Core Workload Deployment
charts/netbird-proxy/templates/deployment.yaml
Renders the main Deployment resource with conditional replicas, pod metadata including secret checksums, the proxy container with dynamic image, extensive environment variable wiring (ACME vs TLS mode, OIDC, geolocation, debug), dynamic port configuration, liveness/readiness/startup probes, volume mounts, and pod volumes. Conditionally applies affinity, topology spread, nodeSelector, and tolerations for scheduling control.
Service and Networking
charts/netbird-proxy/templates/service.yaml, charts/netbird-proxy/templates/networkpolicy.yaml
Service template exposes the workload with conditional IP families, load balancer settings, and fixed/optional ports (HTTPS, health, ACME HTTP, debug, netbird, extra). NetworkPolicy template conditionally restricts ingress traffic by port and protocol, supporting user-provided additional rules.
Identity, Secrets, and RBAC
charts/netbird-proxy/templates/serviceaccount.yaml, charts/netbird-proxy/templates/secret.yaml, charts/netbird-proxy/templates/role.yaml, charts/netbird-proxy/templates/rolebinding.yaml
ServiceAccount template creates identity with configurable name and automount settings. Secret template conditionally stores proxy token and OIDC client secret. Role and RoleBinding templates conditionally enable Kubernetes lease coordination for ACME certificate locking when specified.
Storage, Scaling, and Availability
charts/netbird-proxy/templates/pvc.yaml, charts/netbird-proxy/templates/hpa.yaml, charts/netbird-proxy/templates/pdb.yaml
PVC template conditionally provisions persistent storage for certificates (256Mi default) and geodata (128Mi default). HPA template enables autoscaling on CPU and memory metrics when enabled. PodDisruptionBudget template limits pod disruptions during cluster maintenance.
Observability and Documentation
charts/netbird-proxy/templates/servicemonitor.yaml, charts/netbird-proxy/templates/NOTES.txt
ServiceMonitor template configures Prometheus metrics scraping from the health endpoint. NOTES template provides post-deployment access instructions tailored to service type and conditional guidance for ACME and PROXY protocol configuration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A proxy chart takes shape with care,
Templates and values everywhere,
Helpers weave through Kubernetes seas,
Deployment, service, identities,
With ACME certs and scaling dreams,
The netbird-proxy finally gleams! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Add reverse proxy helm chart' directly and accurately summarizes the primary change: introducing a new Helm chart for deploying NetBird's reverse proxy with all required Kubernetes resources.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/netbird-proxy

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/netbird-proxy/templates/hpa.yaml`:
- Around line 15-31: The HPA manifest renders a bare "metrics:" header when
neither .Values.autoscaling.targetCPUUtilizationPercentage nor
.Values.autoscaling.targetMemoryUtilizationPercentage is set, producing invalid
YAML; update the template to conditionally emit the entire metrics block only
when at least one target is configured by wrapping the existing metrics: section
and its two conditional resource entries inside a single outer conditional that
checks .Values.autoscaling.targetCPUUtilizationPercentage or
.Values.autoscaling.targetMemoryUtilizationPercentage so that spec.metrics is
omitted entirely when both are unset.

In `@charts/netbird-proxy/templates/pdb.yaml`:
- Around line 12-17: Change the PDB template to treat explicit 0 as a valid
value and prevent both fields from being rendered together: replace the current
truthy checks with nil-checks against .Values.podDisruptionBudget.minAvailable
and .Values.podDisruptionBudget.maxUnavailable (use the Helm "ne" nil test) so 0
is allowed, and add a mutual-exclusivity validation (e.g., a short template that
fails with a clear message if both .Values.podDisruptionBudget.minAvailable and
.Values.podDisruptionBudget.maxUnavailable are non-nil) to ensure only one of
minAvailable or maxUnavailable is rendered.

In `@charts/netbird-proxy/templates/role.yaml`:
- Line 1: Update the template conditional so Role creation is allowed when RBAC
is enabled and the ACME lock method is k8s-lease even if an existing
ServiceAccount is reused; replace the current check that requires
.Values.serviceAccount.create with a compound condition that requires
.Values.rbac.create and (the ACME lock method equals "k8s-lease") and (either
.Values.serviceAccount.create is true OR a user-supplied ServiceAccount name is
present), and apply the same conditional change in the corresponding RoleBinding
template.

In `@charts/netbird-proxy/templates/secret.yaml`:
- Around line 1-11: When creating the Secret resource guarded by
.Values.existingSecret, ensure we fail-fast if the proxy token is missing:
inside the template that renders the Secret (the block that uses {{- if not
.Values.existingSecret }} and creates the Secret with token: {{
.Values.proxyToken | b64enc }}), add a Helm required check such as {{ required
"proxyToken must be set when existingSecret is not provided" .Values.proxyToken
}} before using .Values.proxyToken (or change the outer condition to require
both not .Values.existingSecret and .Values.proxyToken) so the chart render
fails clearly instead of emitting an empty token Secret.

In `@charts/netbird-proxy/templates/service.yaml`:
- Around line 37-42: The Service currently exposes the acme-http port whenever
.Values.acme.enabled is true; change the Helm conditional to only render the
acme-http port when the ACME challenge type is http-01 (e.g. replace or extend
the guard to check .Values.acme.challengeType == "http-01") so the named port
"acme-http" and port value .Values.service.acmePort are only emitted for
http-01; apply the identical conditional change in the other templates (the
Deployment containerPort entry named "acme-http" and any related port
definitions in networkpolicy.yaml) so all three templates (service, deployment,
networkpolicy) only expose/allow the acme-http port when
.Values.acme.challengeType == "http-01" and omit it otherwise.

In `@charts/netbird-proxy/values.yaml`:
- Around line 3-6: The image repository value is wrong: update the
image.repository entry (currently "netbird-proxy") to the correct official
Docker Hub image "netbirdio/reverse-proxy" so Helm will pull the correct image
for deployment; edit the image block (the repository key) in values.yaml to
replace netbird-proxy with netbirdio/reverse-proxy.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 615f5362-7919-47b5-8636-a9e69e1a46e3

📥 Commits

Reviewing files that changed from the base of the PR and between 2aec0e9 and dde868a.

📒 Files selected for processing (15)
  • charts/netbird-proxy/Chart.yaml
  • charts/netbird-proxy/templates/NOTES.txt
  • charts/netbird-proxy/templates/_helpers.tpl
  • charts/netbird-proxy/templates/deployment.yaml
  • charts/netbird-proxy/templates/hpa.yaml
  • charts/netbird-proxy/templates/networkpolicy.yaml
  • charts/netbird-proxy/templates/pdb.yaml
  • charts/netbird-proxy/templates/pvc.yaml
  • charts/netbird-proxy/templates/role.yaml
  • charts/netbird-proxy/templates/rolebinding.yaml
  • charts/netbird-proxy/templates/secret.yaml
  • charts/netbird-proxy/templates/service.yaml
  • charts/netbird-proxy/templates/serviceaccount.yaml
  • charts/netbird-proxy/templates/servicemonitor.yaml
  • charts/netbird-proxy/values.yaml

Comment thread charts/netbird-proxy/templates/hpa.yaml
Comment thread charts/netbird-proxy/templates/pdb.yaml Outdated
Comment thread charts/netbird-proxy/templates/role.yaml Outdated
Comment thread charts/netbird-proxy/templates/secret.yaml
Comment thread charts/netbird-proxy/templates/service.yaml Outdated
Comment thread charts/netbird-proxy/values.yaml
- Add certVolume.existingSecret to mount a TLS Secret (cert-manager)
- Fix image repository to netbirdio/reverse-proxy
- Gate ACME HTTP port on http-01 challenge in service, deployment, networkpolicy
- Require proxyToken when existingSecret is not provided
- Allow Role/RoleBinding when serviceAccount.name is set without create
- Treat PDB minAvailable/maxUnavailable 0 as valid and fail on mutual exclusivity
- Omit HPA metrics block when no targets are set
- Document crowdsec.existingSecret requirement when top-level existingSecret is used
@lixmal

lixmal commented May 17, 2026

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 17, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants