KitStream · mikkeldamsgaard · Mar 14, 2026 · Mar 14, 2026 · Mar 14, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ### Fixed
 
+- **netbird**: Bump Initium from 2.0.0 to 2.1.0 to fix a regression in
+  database creation on blank PostgreSQL/MySQL instances.
+- **e2e**: PostgreSQL and MySQL e2e tests no longer pre-create the `netbird`
+  database, so Initium's `create_if_missing` path is properly exercised.
 - **netbird**: Fix seed spec connection strings failing when the database
   password contains URL-special characters (`@`, `%`, `:`, etc.).
   Seed specs now use Initium v2's structured connection config instead of

diff --git a/charts/netbird/Chart.yaml b/charts/netbird/Chart.yaml
@@ -30,7 +30,5 @@ annotations:
     - name: Initium
       url: https://github.com/KitStream/initium
   artifacthub.io/changes: |
-    - kind: changed
-      description: Bump appVersion from 0.66.3 to 0.66.4
     - kind: fixed
-      description: Use structured connection config for seed specs
+      description: Bump initium from 2.0.0 to 2.1.0 to fix regression
diff --git a/charts/netbird/ci/e2e-values-mysql.yaml b/charts/netbird/ci/e2e-values-mysql.yaml
@@ -2,12 +2,15 @@
 #
 # The e2e script deploys mysql via a simple Deployment + Service
 # and creates the password secret before chart install.
+# The MySQL instance starts WITHOUT a "netbird" database so that
+# Initium's create_if_missing path is exercised.  We connect as
+# root since MYSQL_USER is not created without MYSQL_DATABASE.
 
 database:
   type: mysql
   host: "mysql.netbird-e2e.svc.cluster.local"
   port: 3306
-  user: netbird
+  user: root
   name: netbird
   passwordSecret:
     secretName: netbird-db-password

diff --git a/charts/netbird/ci/e2e-values-postgres.yaml b/charts/netbird/ci/e2e-values-postgres.yaml
@@ -2,6 +2,8 @@
 #
 # The e2e script deploys postgres via a simple Deployment + Service
 # and creates the password secret before chart install.
+# The PostgreSQL instance starts WITHOUT a "netbird" database so
+# that Initium's create_if_missing path is exercised.
 
 database:
   type: postgresql

diff --git a/charts/netbird/tests/pat-seed-job_test.yaml b/charts/netbird/tests/pat-seed-job_test.yaml
@@ -119,7 +119,7 @@ tests:
           value: wait-server
       - equal:
           path: spec.template.spec.initContainers[0].image
-          value: "ghcr.io/kitstream/initium:2.0.0"
+          value: "ghcr.io/kitstream/initium:2.1.0"
       - contains:
           path: spec.template.spec.initContainers[0].args
           content: "tcp://RELEASE-NAME-netbird-server:80"
@@ -158,7 +158,7 @@ tests:
           value: db-seed
       - equal:
           path: spec.template.spec.initContainers[1].image
-          value: "ghcr.io/kitstream/initium:2.0.0"
+          value: "ghcr.io/kitstream/initium:2.1.0"
 
   - it: should inject PAT_TOKEN into db-seed init container
     set:

diff --git a/charts/netbird/tests/server-deployment_test.yaml b/charts/netbird/tests/server-deployment_test.yaml
@@ -144,7 +144,7 @@ tests:
           value: config-init
       - equal:
           path: spec.template.spec.initContainers[0].image
-          value: "ghcr.io/kitstream/initium:2.0.0"
+          value: "ghcr.io/kitstream/initium:2.1.0"
 
   - it: should have only config-init for sqlite without pat
     asserts:
@@ -386,7 +386,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.initContainers[1].image
-          value: "ghcr.io/kitstream/initium:2.0.0"
+          value: "ghcr.io/kitstream/initium:2.1.0"
 
   - it: should run seed command with --sidecar flag in pat-seed sidecar
     set:

diff --git a/charts/netbird/values.yaml b/charts/netbird/values.yaml
@@ -280,7 +280,7 @@ server:
     # -- Init container image repository.
     repository: ghcr.io/kitstream/initium
     # -- Init container image tag.
-    tag: "2.0.0"
+    tag: "2.1.0"
 
   # -- Component-level image pull secrets.
   imagePullSecrets: []

diff --git a/ci/scripts/e2e.sh b/ci/scripts/e2e.sh
@@ -36,14 +36,16 @@ kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -
 # ── Deploy database (if needed) ───────────────────────────────────────
 deploy_postgres() {
   log "Deploying PostgreSQL..."
+  # NOTE: POSTGRES_DB is intentionally omitted so the "netbird" database does
+  # NOT exist on startup.  Initium's create_if_missing must create it — this
+  # is the production-like path we want to exercise in e2e tests.
   kubectl -n "$NAMESPACE" apply -f - <<'EOF'
 apiVersion: v1
 kind: Secret
 metadata:
   name: postgres-credentials
 type: Opaque
 stringData:
-  POSTGRES_DB: netbird
   POSTGRES_USER: netbird
   POSTGRES_PASSWORD: "test%40pass"
 ---
@@ -97,16 +99,17 @@ EOF
 
 deploy_mysql() {
   log "Deploying MySQL..."
+  # NOTE: MYSQL_DATABASE is intentionally omitted so the "netbird" database
+  # does NOT exist on startup.  Initium's create_if_missing must create it.
+  # Without MYSQL_DATABASE the image won't create MYSQL_USER either, so the
+  # chart connects as root (see e2e-values-mysql.yaml).
   kubectl -n "$NAMESPACE" apply -f - <<'EOF'
 apiVersion: v1
 kind: Secret
 metadata:
   name: mysql-credentials
 type: Opaque
 stringData:
-  MYSQL_DATABASE: netbird
-  MYSQL_USER: netbird
-  MYSQL_PASSWORD: "test%40pass"
   MYSQL_ROOT_PASSWORD: rootpassword
 ---
 apiVersion: v1
@@ -155,7 +158,7 @@ EOF
 
   # Create the password secret for netbird
   kubectl -n "$NAMESPACE" create secret generic netbird-db-password \
-    --from-literal=password='test%40pass'
+    --from-literal=password='rootpassword'
 }
 
 # ── Generate PAT for testing ───────────────────────────────────────────