All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- netbird: Add `server.stunService.nodePort` value to allow specifying a fixed NodePort number when `server.stunService.type` is `NodePort`.
- netbird: Fail-fast Helm template validation that rejects `server.config.exposedAddress` values without an explicit port (e.g. `https://netbird.example.com`). NetBird clients require the port — without it the daemon fails with `missing port in address`. Use `https://netbird.example.com:443` instead. Fixes #75.
- netbird: Gateway API support as a mutually-exclusive alternative to Kubernetes Ingress for every traffic class. New values: `server.httpRoute` (HTTPRoute), `server.grpcRoute` (GRPCRoute), `server.relayHttpRoute` (HTTPRoute), `server.relayTcpRoute` (TCPRoute, v1alpha2), and `dashboard.httpRoute` (HTTPRoute). The chart renders routes only; users provide `parentRefs` to a Gateway they already manage. Omitted `backendRefs` auto-fill to the netbird server / dashboard Service on port 80. Fixes #74 — controllers that support plaintext h2c (Envoy Gateway, Traefik Gateway, …) can now expose gRPC without TLS via `GRPCRoute`, sidestepping the nginx-ingress h2c limitation that made `server.ingressGrpc` fail silently without a cert.
- netbird: Fail-fast validation that rejects enabling both an Ingress and its Gateway-API counterpart for the same traffic class (and between `server.relayHttpRoute` / `server.relayTcpRoute`), or enabling a route with an empty `parentRefs` list.
- netbird: Fail-fast validation that rejects `server.ingressGrpc.enabled=true` with an empty `server.ingressGrpc.tls` list. gRPC over Kubernetes Ingress requires TLS (nginx-ingress cannot negotiate plaintext h2c, and the default `ssl-redirect: "true"` annotation redirects plaintext gRPC to HTTPS) — previously this misconfiguration failed silently. Fixes #74. Users who want plaintext gRPC should use `server.grpcRoute` with a Gateway API controller that supports h2c.
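The `exposedAddress` port rule above, reproduced as a stand-alone pre-install check (an added example, not the chart's Helm template): the function names and sample addresses are constructed here; the rule that a scheme-default port still has to be written out comes from the changelog entry.

```python
# Added example: mirror the chart's fail-fast check for
# server.config.exposedAddress so a values file can be linted before
# `helm install`. Function names and sample values are constructed.
from typing import Optional
from urllib.parse import urlsplit


def has_explicit_port(address: str) -> bool:
    """True only if the URL literally carries ':<port>'.

    urlsplit().port is None when no port is written, even if the scheme
    has a default, so https://host (without :443) is rejected exactly as
    the chart rejects it.
    """
    parts = urlsplit(address)
    if not parts.scheme or not parts.hostname:
        return False
    try:
        return parts.port is not None
    except ValueError:
        # Non-numeric or out-of-range port is not a usable explicit port.
        return False


def validate_exposed_address(address: str) -> Optional[str]:
    """Return an error message in the spirit of the chart's check, or None."""
    if has_explicit_port(address):
        return None
    return (
        f"server.config.exposedAddress={address!r} has no explicit port; "
        "NetBird clients fail with 'missing port in address'. "
        "Append it, e.g. https://netbird.example.com:443"
    )


if __name__ == "__main__":
    # Constructed sample values: the first is rejected, the second accepted.
    for addr in ("https://netbird.example.com", "https://netbird.example.com:443"):
        print(addr, "->", validate_exposed_address(addr) or "ok")
```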
- netbird: Bump appVersion from 0.68.2 to 0.68.3. See v0.68.3 release notes (#71).
- netbird: README and `values.yaml` examples now show `exposedAddress` with an explicit `:443` port and document that the port is required even when it matches the scheme default.
- netbird: README gains a "Gateway API as an alternative to Ingress" section with copy-pasteable examples, parameter tables for the new route blocks, and an updated architecture diagram.
- netbird: Document STUN networking setup in README — explains why STUN needs a separate service (UDP), and covers options for LoadBalancer, shared static IP, and NodePort configurations (#67).
- netbird: Bump appVersion from 0.68.1 to 0.68.2. See v0.68.2 release notes (#69).
- netbird: Bump appVersion from 0.67.4 to 0.68.1. See v0.68.1 release notes.
- netbird: Bump appVersion from 0.67.1 to 0.67.4. See v0.67.4 release notes.
- netbird: Bump appVersion from 0.66.4 to 0.67.0. See v0.67.0 release notes.
- netbird: Bump Initium from 2.0.0 to 2.1.0 to fix a regression in database creation on blank PostgreSQL/MySQL instances.
- e2e: PostgreSQL and MySQL e2e tests no longer pre-create the `netbird` database, so Initium's `create_if_missing` path is properly exercised.
- netbird: Fix seed spec connection strings failing when the database password contains URL-special characters (`@`, `%`, `:`, etc.). Seed specs now use Initium v2's structured connection config instead of URL strings, so passwords with any characters work without encoding. E2E tests now use a password containing `%40` to guard against regressions. Fixes #32.
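Why the URL-string DSN in #32 broke and why a structured config does not, as an added example (not Initium's or the chart's code): the helper names, host and passwords are constructed; the literal `%40` password is the regression guard named above, and `#` is one of the "etc." characters that truncates a URL authority.

```python
# Added example: DSN built from a raw password vs. structured fields.
# Helper names, host and sample passwords are constructed for this demo.
from typing import Dict
from urllib.parse import quote, unquote, urlsplit


def naive_dsn(user: str, password: str, host: str, port: int, db: str) -> str:
    """Broken approach: paste the raw password straight into the URL."""
    return f"postgresql://{user}:{password}@{host}:{port}/{db}"


def encoded_dsn(user: str, password: str, host: str, port: int, db: str) -> str:
    """URL approach done right: percent-encode every userinfo component."""
    return f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/{db}"


def structured_config(user: str, password: str, host: str, port: int, db: str) -> Dict:
    """Field-based config (the Initium v2 style): the password is never
    URL-parsed, so no character in it has any special meaning."""
    return {"user": user, "password": password, "host": host, "port": port, "database": db}


def parse_dsn(dsn: str) -> Dict:
    """What a URL-based driver recovers: userinfo is percent-decoded, and a
    '#', '/' or '?' inside the password ends the authority early."""
    p = urlsplit(dsn)
    try:
        port = p.port
    except ValueError:  # e.g. 'pa#ss' left 'netbird:pa' as the host:port
        port = None
    return {
        "user": unquote(p.username or ""),
        "password": unquote(p.password or ""),
        "host": p.hostname,
        "port": port,
        "database": p.path.lstrip("/"),
    }


def password_survives(password: str, build=naive_dsn) -> bool:
    """True if password and host both round-trip through build + parse."""
    parsed = parse_dsn(build("netbird", password, "db.example.internal", 5432, "netbird"))
    return parsed["password"] == password and parsed["host"] == "db.example.internal"


if __name__ == "__main__":
    # 's3cret%40pass' decodes to 's3cret@pass'; 'pa#ss' loses the host entirely.
    for pw in ("s3cret%40pass", "pa#ss", "p@ss:word"):
        print(f"{pw!r}: naive={password_survives(pw)} encoded={password_survives(pw, encoded_dsn)}")
```

Note that `p@ss:word` happens to survive the naive path with Python's parser (it splits userinfo at the last `@`), which is exactly why such bugs surface only with some drivers and some passwords.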
- netbird: Bump appVersion from 0.66.3 to 0.66.4 (chart version 0.2.1). Bug fixes and improvements; no breaking changes. See v0.66.4 release notes.
- netbird: Bump Initium from 1.2.0 to 2.0.0. Uses structured database connection config (no more URL-encoded passwords).
- Upstream version check: Fix duplicate issue creation caused by GitHub's `--search` failing to match titles with special characters (e.g. `→`). The deduplication check now filters by the `autorelease` label instead.
- netbird: Bump appVersion from 0.65.3 to 0.66.3 (chart version 0.1.2). Bug fixes and improvements; no breaking changes. See v0.66.3 release notes.
- Upstream version check workflow: The `autorelease` label is now created automatically if it does not exist, fixing the scheduled workflow failure (`could not add label: 'autorelease' not found`).
- Automated upstream version tracking: New scheduled GitHub Actions workflow (`.github/workflows/upstream-check.yaml`) that runs daily to detect new releases from upstream repositories and opens a GitHub issue when an update is available. Currently tracks NetBird server (netbirdio/netbird).
  - `.upstream-monitor.yaml` configuration file mapping upstream GitHub repositories to Helm chart version fields. Add new charts or sources by extending this file.
  - `ci/scripts/upstream-check.sh` script that reads the monitor config, queries the GitHub API for latest releases, compares with current chart versions, and creates GitHub issues for available updates. Supports `DRY_RUN=true` for preview mode.
  - Workflow supports manual trigger via `workflow_dispatch` with optional dry-run input.
- OIDC/SSO configuration: New `oidc.*` values for structured OIDC/SSO configuration. When `oidc.enabled: true`, the chart renders `http:`, `deviceAuthFlow:`, `pkceAuthFlow:`, and `idpConfig:` sections in the server config.yaml. Supports all NetBird-supported IdP managers: keycloak, auth0, azure, zitadel, okta, authentik, google, jumpcloud, dex, embedded.
  - `oidc.audience`, `oidc.userIdClaim`, `oidc.configEndpoint`, `oidc.authKeysLocation` for HttpServerConfig fields.
  - `oidc.deviceAuthFlow.*` for Device Authorization Flow (RFC 8628) — CLI clients.
  - `oidc.pkceAuthFlow.*` for PKCE Authorization Flow (RFC 7636) — dashboard and web app clients. Supports both plain-text and secret-ref client secrets.
  - `oidc.idpManager.*` for IdP Manager configuration (server-side user/group sync). Provider-specific credentials rendered under the correct YAML key based on `oidc.idpManager.managerType` (e.g. `keycloakClientCredentials`, `auth0ClientCredentials`, `azureClientCredentials`).
  - OIDC secret values (`IDP_CLIENT_SECRET`, `PKCE_CLIENT_SECRET`) injected via Kubernetes Secrets using the existing Initium render pipeline.
  - Dashboard `AUTH_AUTHORITY` falls back to `server.config.auth.issuer` when `dashboard.config.authAuthority` is empty.
  - E2E test with Keycloak deployed in-cluster: verifies OIDC middleware, token acquisition via direct grant, and authenticated API access.
  - E2E test with Zitadel + PostgreSQL deployed in-cluster: bootstraps project/apps/service user via Management API, verifies OIDC middleware, OIDC discovery, and client_credentials token acquisition.
  - Unit tests for OIDC config rendering, secret injection, provider credentials key mapping, and dashboard fallback (190 tests total).
- PAT seeding: Optional Personal Access Token seeding via `pat.*` values. When `pat.enabled: true`, a service user account and PAT are seeded into the database using Initium's `seed` command. The seed waits for the server to create its schema (GORM AutoMigrate), then idempotently inserts account, user, and PAT records.
  - SQLite: PAT seed runs as a Kubernetes native sidecar (init container with `restartPolicy: Always`, K8s 1.28+) in the server Deployment. The sidecar uses Initium's `--sidecar` flag to stay alive after seeding, maintaining full pod readiness (2/2 Running). This avoids ReadWriteOnce PVC multi-attach issues that prevent a separate Job from mounting the PVC.
  - PostgreSQL/MySQL: PAT seed runs as a post-install/post-upgrade Helm hook Job with a `wait-for` init container for server TCP readiness.
  - PAT seed spec uses `wait_for` to wait for the `accounts`, `users`, and `personal_access_tokens` tables before inserting data.
  - PAT seed data uses `unique_key` for idempotent inserts (safe on re-installs).
  - PAT seed ConfigMap is a regular release resource for SQLite and a Helm hook for external databases.
  - E2E tests extended to verify PAT authentication with `GET /api/groups` across all three database backends (SQLite, PostgreSQL, MySQL).
  - Unit tests for PAT seed Job, ConfigMap, and sidecar templates.
- Upgraded Initium init container image to v1.0.4 (adds `--sidecar` flag for keeping the process alive after task completion, SHA256/base64 template filters, PostgreSQL text primary key fix).
- Breaking: Removed `pat.secret.hashedTokenKey` from PAT configuration. The SHA256 hash is now computed automatically at seed time by Initium v1.0.4 using MiniJinja's `sha256` and `base64encode` filters. Users only need to supply the plaintext PAT token in their Kubernetes Secret. Migration: Remove the `hashedToken` key from your PAT Secret and the `pat.secret.hashedTokenKey` from your values. Only `pat.secret.tokenKey` (default: `"token"`) is needed.
- Breaking: Replaced raw DSN secret (`server.secrets.storeDsn`) with structured `database.*` configuration. The chart now constructs the DSN internally from `database.type`, `database.host`, `database.port`, `database.user`, `database.name`, and `database.passwordSecret`. Users no longer need to build DSN strings.
- Breaking: Removed `server.config.store.engine`. Use `database.type` instead (`sqlite`, `postgresql`, `mysql`).
- Structured database configuration via `database.*` values with per-engine defaults (port 5432 for postgresql, 3306 for mysql).
  - `database.sslMode` for PostgreSQL SSL mode control (default: `disable`).
  - Initium `wait-for` init container: waits for the external database to be reachable before starting the server (TCP probe with 120s timeout and exponential backoff).
  - Initium `seed` init container: creates the target database if it does not exist via a declarative seed spec (`create_if_missing: true`).
  - `DB_PASSWORD` environment variable injected into config-init via `secretKeyRef` for DSN construction at render time.
  - Seed spec rendered as `seed.yaml` in the server ConfigMap for non-sqlite engines.
  - Unit tests for init container ordering, env var injection, and database-specific rendering (120 tests, up from 110).
- CHANGELOG.md.