Initial implementation

Makefile.vars.mk

@@ -50,4 +50,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml
+test_instances = tests/defaults.yml tests/resources.yml

class/defaults.yml

@@ -3,3 +3,33 @@ parameters:
     =_metadata:
       multi_tenant: true
     namespace: syn-netbird-operator
+
+    charts:
+      netbird-operator:
+        source: oci://ghcr.io/netbirdio/helm-charts/netbird-operator
+        version: 0.5.0
+
+    namespace_labels: {}
+    namespace_annotations: {}
+
+    # NetBird management API credentials
+    api:
+      secret_name: netbird-mgmt-api-key
+      secret_key: NB_API_KEY
+      token: ?{vaultkv:${cluster:tenant}/${cluster:name}/netbird-operator/api-token}
+
+    # NetBird custom resources (netbird.io/v1alpha1)
+    groups: {}
+    network_resources: {}
+    network_routers: {}
+    setup_keys: {}
+    sidecar_profiles: {}
+
+    rbac:
+      aggregated_cluster_reader: true
+
+    helm_values:
+      netbirdAPI:
+        keyFromSecret:
+          name: ${netbird_operator:api:secret_name}
+          key: ${netbird_operator:api:secret_key}

class/netbird-operator.yml

@@ -1,5 +1,11 @@
 parameters:
   kapitan:
+    dependencies:
+      - type: helm
+        source: ${netbird_operator:charts:netbird-operator:source}
+        version: ${netbird_operator:charts:netbird-operator:version}
+        chart_name: netbird-operator
+        output_path: ${_base_directory}/helmcharts/netbird-operator/${netbird_operator:charts:netbird-operator:version}
     compile:
       - input_paths:
           - ${_base_directory}/component/app.jsonnet
@@ -9,3 +15,13 @@ parameters:
           - ${_base_directory}/component/main.jsonnet
         input_type: jsonnet
         output_path: netbird-operator/
+      # netbird-operator Helm chart (ships CRDs in chart's crds/ dir)
+      - input_paths:
+          - ${_base_directory}/helmcharts/netbird-operator/${netbird_operator:charts:netbird-operator:version}
+        input_type: helm
+        helm_values: ${netbird_operator:helm_values}
+        helm_params:
+          name: netbird-operator
+          namespace: ${netbird_operator:namespace}
+          include_crds: true
+        output_path: netbird-operator/02_netbird_operator

component/app.jsonnet

@@ -3,7 +3,15 @@ local inv = kap.inventory();
 local params = inv.parameters.netbird_operator;
 local argocd = import 'lib/argocd.libjsonnet';
 
-local app = argocd.App('netbird-operator', params.namespace);
+local app = argocd.App('netbird-operator', params.namespace) {
+  spec+: {
+    syncPolicy+: {
+      syncOptions+: [
+        'ServerSideApply=true',
+      ],
+    },
+  },
+};
 
 local appPath =
   local project = std.get(std.get(app, 'spec', {}), 'project', 'syn');

component/main.jsonnet

@@ -1,10 +1,70 @@
 // main template for netbird-operator
+local com = import 'lib/commodore.libjsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
+local lib = import 'lib/netbird-operator.libsonnet';
 local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.netbird_operator;
 
+local apiSecret = kube.Secret(params.api.secret_name) {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  data:: {},
+  stringData: {
+    [params.api.secret_key]: params.api.token,
+  },
+};
+
+local aggregatedClusterRole = {
+  apiVersion: 'rbac.authorization.k8s.io/v1',
+  kind: 'ClusterRole',
+  metadata: {
+    labels: {
+      'rbac.authorization.k8s.io/aggregate-to-cluster-reader': 'true',
+    },
+    name: 'netbird-operator-crds-cluster-reader',
+  },
+  rules: [
+    {
+      apiGroups: [ lib.netbirdApiGroup ],
+      resources: [ '*' ],
+      verbs: [ 'get', 'list', 'watch' ],
+    },
+  ],
+};
+
+local groups = com.generateResources(params.groups, lib.Group);
+local networkResources = com.generateResources(params.network_resources, lib.NetworkResource);
+local networkRouters = com.generateResources(params.network_routers, lib.NetworkRouter);
+local setupKeys = com.generateResources(params.setup_keys, lib.SetupKey);
+local sidecarProfiles = com.generateResources(params.sidecar_profiles, lib.SidecarProfile);
+
 // Define outputs below
 {
+  '00_namespace': kube.Namespace(params.namespace) {
+    metadata+: {
+      annotations+: params.namespace_annotations,
+      labels+: params.namespace_labels,
+    },
+  },
+  '01_api_secret': apiSecret,
+  [if params.rbac.aggregated_cluster_reader then '10_cluster_role']:
+    aggregatedClusterRole,
+} + {
+  ['10_group_%s' % res.metadata.name]: res
+  for res in groups
+} + {
+  ['10_network_resource_%s' % res.metadata.name]: res
+  for res in networkResources
+} + {
+  ['10_network_router_%s' % res.metadata.name]: res
+  for res in networkRouters
+} + {
+  ['10_setup_key_%s' % res.metadata.name]: res
+  for res in setupKeys
+} + {
+  ['10_sidecar_profile_%s' % res.metadata.name]: res
+  for res in sidecarProfiles
 }

docs/modules/ROOT/pages/index.adoc

@@ -2,4 +2,11 @@
 
 netbird-operator is a Commodore component to manage Kubernetes operator for Netbird.
 
+== Prerequisites
+
+The netbird-operator chart requires https://cert-manager.io[cert-manager] to be installed in the cluster.
+cert-manager provisions the TLS certificate used by the operator's admission webhook.
+To opt out and provide certificates manually, set `helm_values.webhook.enableCertManager` to `false` and supply `helm_values.webhook.tls`.
+See the https://github.com/netbirdio/kubernetes-operator/blob/main/charts/netbird-operator/values.yaml[chart `values.yaml`] for the expected TLS value shape.
+
 See the xref:references/parameters.adoc[parameters] reference for further details.

docs/modules/ROOT/pages/references/parameters.adoc

@@ -2,6 +2,19 @@
 
 The parent key for all of the following parameters is `netbird_operator`.
 
+[NOTE]
+====
+The component exposes the `netbird.io/v1alpha1` API: `groups`, `network_resources`, `network_routers`, `setup_keys`, `sidecar_profiles`.
+This is the user-facing API documented in the https://github.com/netbirdio/kubernetes-operator/blob/main/README.md#api[upstream README] and used in the chart's `examples/`.
+
+All resource parameters follow the same pattern:
+
+* Dictionary keys are used as `metadata.name`
+* Resources are created in the component's namespace by default (via ArgoCD), overridable via `metadata.namespace`
+* Values are processed using https://syn.tools/commodore/reference/commodore-libjsonnet.html#_generateresourcesresources_resourcefn[`com.generateResources()`], which supports deep-merging and setting values to `null` for removal
+====
+
+
 == `namespace`
 
 [horizontal]
@@ -11,6 +24,142 @@ default:: `syn-netbird-operator`
 The namespace in which to deploy this component.
 
 
+== `namespace_labels`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+
+Additional labels to add to the component's namespace.
+
+
+== `namespace_annotations`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+
+Additional annotations to add to the component's namespace.
+
+
+== `charts`
+
+[horizontal]
+type:: dictionary
+default:: See https://github.com/projectsyn/component-netbird-operator/blob/master/class/defaults.yml[`class/defaults.yml`]
+
+The Helm chart source and version for the netbird-operator chart.
+
+
+== `api.secret_name`
+
+[horizontal]
+type:: string
+default:: `netbird-mgmt-api-key`
+
+Name of the Secret that holds the NetBird management API token.
+The component renders this Secret in the operator namespace and wires the chart to read from it via `helm_values.netbirdAPI.keyFromSecret.name`.
+
+
+== `api.secret_key`
+
+[horizontal]
+type:: string
+default:: `NB_API_KEY`
+
+Key inside the Secret that holds the API token value.
+The operator container references this key as an environment variable.
+
+
+== `api.token`
+
+[horizontal]
+type:: string
+default:: `?{vaultkv:${cluster:tenant}/${cluster:name}/netbird-operator/api-token}`
+
+The NetBird management API token.
+By default, the token is read from Vault at the path above.
+Override per cluster or tenant if the secret lives elsewhere.
+
+
+== `groups`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+
+Defines `netbird.io/v1alpha1` Group resources.
+Groups are the user-facing abstraction for NetBird groups in the upstream chart documentation.
+
+
+== `network_resources`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+
+Defines `netbird.io/v1alpha1` NetworkResource resources.
+NetworkResources expose a Kubernetes Service via a NetworkRouter onto the NetBird overlay.
+
+
+== `network_routers`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+
+Defines `netbird.io/v1alpha1` NetworkRouter resources.
+NetworkRouters deploy the NetBird routing client to route traffic for NetworkResources.
+
+
+== `setup_keys`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+
+Defines `netbird.io/v1alpha1` SetupKey resources.
+SetupKeys manage NetBird setup keys used to enroll peers and assign them to groups.
+
+
+== `sidecar_profiles`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+
+Defines `netbird.io/v1alpha1` SidecarProfile resources.
+SidecarProfiles configure NetBird sidecar injection into application pods.
+
+
+== `rbac.aggregated_cluster_reader`
+
+[horizontal]
+type:: bool
+default:: `true`
+
+Whether to create a ClusterRole aggregated to `cluster-reader` that grants read access to all `netbird.io` CRDs.
+
+
+== `helm_values`
+
+[horizontal]
+type:: dictionary
+default::
++
+[source,yaml]
+----
+helm_values:
+  netbirdAPI:
+    keyFromSecret:
+      name: ${netbird_operator:api:secret_name}
+      key: ${netbird_operator:api:secret_key}
+----
+
+Helm values to pass to the netbird-operator Helm chart.
+See the https://github.com/netbirdio/kubernetes-operator/blob/main/charts/netbird-operator/values.yaml[upstream `values.yaml`] for available options.
+
+
 == Example
 
 [source,yaml]

lib/netbird-operator.libsonnet

@@ -0,0 +1,55 @@
+/**
+ * Library with public helper methods provided by component netbird-operator.
+ */
+
+local netbirdApiGroup = 'netbird.io';
+
+local Group(name='') = {
+  apiVersion: '%s/v1alpha1' % netbirdApiGroup,
+  kind: 'Group',
+  metadata: {
+    name: name,
+  },
+};
+
+local NetworkResource(name='') = {
+  apiVersion: '%s/v1alpha1' % netbirdApiGroup,
+  kind: 'NetworkResource',
+  metadata: {
+    name: name,
+  },
+};
+
+local NetworkRouter(name='') = {
+  apiVersion: '%s/v1alpha1' % netbirdApiGroup,
+  kind: 'NetworkRouter',
+  metadata: {
+    name: name,
+  },
+};
+
+local SetupKey(name='') = {
+  apiVersion: '%s/v1alpha1' % netbirdApiGroup,
+  kind: 'SetupKey',
+  metadata: {
+    name: name,
+  },
+};
+
+local SidecarProfile(name='') = {
+  apiVersion: '%s/v1alpha1' % netbirdApiGroup,
+  kind: 'SidecarProfile',
+  metadata: {
+    name: name,
+  },
+};
+
+{
+  Group: Group,
+  NetworkResource: NetworkResource,
+  NetworkRouter: NetworkRouter,
+  SetupKey: SetupKey,
+  SidecarProfile: SidecarProfile,
+
+  netbirdApiGroup: netbirdApiGroup,
+}

tests/golden/defaults/netbird-operator/apps/netbird-operator.yaml

@@ -0,0 +1,4 @@
+spec:
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true

tests/golden/defaults/netbird-operator/netbird-operator/00_namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    name: syn-netbird-operator
+  name: syn-netbird-operator