@konstfish
Last active February 18, 2026 00:10
NetBird Proxy on Kubernetes

Read the blog post! Contains a bit more info: https://konst.fish/blog/NetBird-Reverse-Proxy-on-Kubernetes

You'll need a Secret named `netbird-proxy-token` with a key `token`, whose value is obtained by running:

`/go/bin/netbird-mgmt token create --name "proxy-token"` (for the management container image) or

`netbird-mgmt token create --name "proxy-token"` (for the netbird-server container image)
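
One way to build that Secret without placing the token in a command line or shell history, as an added example that is not part of the original gist. `render_proxy_token_secret` is a hypothetical helper name, and the accepted character set is an assumption about the token format that you may need to widen.

```shell
#!/bin/sh
# Added example (not from the gist): render the Secret that the Deployment
# references (name: netbird-proxy-token, key: token) from a token on stdin.
# Reading stdin keeps the token out of argv, so it does not show up in
# shell history or process listings the way --from-literal=token=... would.
#
# Usage (namespace is a placeholder):
#   render_proxy_token_secret < token.txt | kubectl apply -n <namespace> -f -

render_proxy_token_secret() {
    # Command substitution strips the trailing newline(s) that a paste,
    # an editor or `echo` adds; a stray newline would become part of the token.
    token=$(cat)

    if [ -z "$token" ]; then
        echo "error: empty token on stdin" >&2
        return 1
    fi

    # Assumption: the token uses only URL-safe/base64-style characters.
    # Anything else (spaces, embedded newlines, quotes) is rejected, which
    # also catches extra command output pasted along with the token.
    case $token in
        *[!A-Za-z0-9._~+/=-]*)
            echo "error: token contains unexpected characters" >&2
            return 1
            ;;
    esac

    # stringData lets the API server do the base64 encoding.
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: netbird-proxy-token
type: Opaque
stringData:
  token: "$token"
EOF
}
```
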

Another prerequisite for this setup is cert-manager to provision the serving certificate.

Ideally your cluster should also support LoadBalancer services. Otherwise, you can have your ingress controller or gateway do TLS passthrough, in which case the Service has to be changed to type ClusterIP.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: proxy-example-com
spec:
  secretName: proxy-example-com
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  commonName: "proxy.example.com"
  dnsNames:
    - "proxy.example.com"
    - "*.proxy.example.com"
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: netbird-reverse-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: netbird-reverse-proxy
  template:
    metadata:
      labels:
        app: netbird-reverse-proxy
    spec:
      containers:
        - name: reverse-proxy
          image: netbirdio/reverse-proxy:0.65.1
          env:
            - name: NB_PROXY_TOKEN
              valueFrom:
                secretKeyRef:
                  name: netbird-proxy-token
                  key: token
            - name: NB_PROXY_DEBUG_LOGS
              value: "true"
            - name: NB_PROXY_MANAGEMENT_ADDRESS
              value: "https://netbird.example.com:443"
            - name: NB_PROXY_DOMAIN
              value: "netbird.example.com"
            - name: NB_PROXY_ACME_CERTIFICATES
              value: "false"
            - name: NB_PROXY_CERTIFICATE_DIRECTORY
              value: "/certs"
            - name: "NB_PROXY_LISTEN_ADDRESS"
              value: ":8443"
            - name: NB_PROXY_HEALTH_ADDRESS
              value: ":8080"
          ports:
            - containerPort: 8443
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 128Mi
          startupProbe:
            httpGet:
              path: /healthz/startup
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 5
            failureThreshold: 10
          readinessProbe:
            httpGet:
              path: /healthz/ready
              port: 8080
            periodSeconds: 5
            timeoutSeconds: 5
            failureThreshold: 2
          livenessProbe:
            httpGet:
              path: /healthz/live
              port: 8080
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          volumeMounts:
            - name: certs
              mountPath: /certs
              readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: proxy-example-com
```

```yaml
kind: Service
apiVersion: v1
metadata:
  name: netbird-reverse-proxy
spec:
  selector:
    app: netbird-reverse-proxy
  type: LoadBalancer
  ports:
    - name: https
      targetPort: 8443
      port: 443
```