feat(netbird): add PAT seeding #4

Merged
mikkeldamsgaard merged 2 commits into main from claude/brave-mahavira on Feb 25, 2026

Conversation


@mikkeldamsgaard mikkeldamsgaard commented Feb 25, 2026

Overview

Add Personal Access Token (PAT) seeding capability to the NetBird Helm chart using Initium v1.0.4. Enables immediate API access without manual token creation — useful for automation, CI/CD, and GitOps workflows.

Key Features

PAT Seeding Mechanism

  • SQLite: Native sidecar (init container with restartPolicy: Always, K8s 1.28+) in the server Deployment
    • Shares data volume with server (solves ReadWriteOnce PVC multi-attach issues)
    • Uses --sidecar flag to stay alive after seeding
    • Pod shows 2/2 Running when healthy
  • PostgreSQL/MySQL: Post-install/post-upgrade Helm hook Job with TCP readiness check

Seed Behavior

  • Waits for accounts, users, and personal_access_tokens tables (via GORM AutoMigrate)
  • Idempotently inserts service user account and PAT (safe on re-installs)
  • Uses MiniJinja templates for secure token/hash injection via env vars

Configuration (values.yaml)

  • pat.enabled: Enable/disable PAT seeding
  • pat.secret.secretName: K8s Secret containing plaintext PAT and base64 SHA256 hash
  • pat.name, pat.userId, pat.accountId: Configurable identifiers
  • pat.expirationDays: Token validity period (default 365)

Changes

  • New templates: pat-seed-configmap.yaml, pat-seed-job.yaml
  • Updated: server-deployment.yaml with native sidecar support
  • Helpers: _helpers.tpl with PAT seed spec generation
  • Testing: 148 unit tests (configmap, job, deployment integration)
  • E2E: Updated ci/scripts/e2e.sh with PAT generation and authentication verification
  • Dependency: Upgraded Initium to v1.0.4 (adds --sidecar flag, text PK fixes)
  • Database compatibility: Boolean/datetime formats for MySQL tinyint and compatibility

Breaking Changes

None. PAT seeding is opt-in (pat.enabled: false by default).

Testing

  • SQLite, PostgreSQL, MySQL all tested with PAT authentication
  • curl -H "Authorization: Token nbp_..." https://netbird.example.com/api/groups verified
  • Pod readiness, logs, and seed completion validated in e2e tests

Closes #3
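The PR body and the e2e commit notes describe the token shape (`nbp_` + 30-char secret + base62 CRC32 checksum) and the Secret contents (plaintext PAT plus base64 SHA256 hash). The following is an added example, not code from this PR, from Initium or from NetBird, showing how that token is generated, how it can be sanity-checked offline before anything is seeded, and what the seeding Secret ends up holding. Assumptions not stated on the page are labelled in the comments: the base62 alphabet order, zero-padding of the checksum to 6 characters, CRC32 computed over the secret part only, the hash taken over the full plaintext token, and the Secret key names `token` / `hashedToken`.

```python
"""Generate a NetBird-shaped PAT, validate its checksum, and build the
Kubernetes Secret the chart's pat.secret.secretName points at.

Added example; not the PR's e2e.sh nor NetBird/Initium code. Labelled
assumptions: base62 alphabet, 6-char zero-padded checksum, CRC32 over the
secret only, SHA256 over the whole token, Secret key names."""
import base64
import hashlib
import secrets
import string
import zlib

PREFIX = "nbp_"
SECRET_LEN = 30      # from the PR: "nbp_ + 30-char secret + base62 CRC32 checksum"
CHECKSUM_LEN = 6     # assumption: 62**6 > 2**32, so 6 chars hold any CRC32
# assumed alphabet order (digits, lowercase, uppercase)
BASE62 = string.digits + string.ascii_lowercase + string.ascii_uppercase


def base62_encode(n: int) -> str:
    """Encode a non-negative integer using the assumed base62 alphabet."""
    if n == 0:
        return BASE62[0]
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(BASE62[rem])
    return "".join(reversed(digits))


def checksum(secret_part: str) -> str:
    """CRC32 of the secret, base62-encoded and left-padded with '0' (assumed)."""
    crc = zlib.crc32(secret_part.encode("ascii")) & 0xFFFFFFFF
    return base62_encode(crc).rjust(CHECKSUM_LEN, BASE62[0])


def generate_pat() -> str:
    """Random 30-char alphanumeric secret (CSPRNG) wrapped in prefix + checksum."""
    alphabet = string.ascii_letters + string.digits
    secret_part = "".join(secrets.choice(alphabet) for _ in range(SECRET_LEN))
    return PREFIX + secret_part + checksum(secret_part)


def validate_pat(token: str) -> bool:
    """Offline format check: prefix, total length and checksum must all agree.
    Catches truncated or mistyped tokens before they are written into a
    Secret or sent to the API; it says nothing about whether the token is
    known to the server."""
    expected_len = len(PREFIX) + SECRET_LEN + CHECKSUM_LEN
    if not token.startswith(PREFIX) or len(token) != expected_len:
        return False
    secret_part = token[len(PREFIX):len(PREFIX) + SECRET_LEN]
    return token[-CHECKSUM_LEN:] == checksum(secret_part)


def hashed_token(token: str) -> str:
    """base64(SHA256(plaintext token)): the value the seeded row stores, so the
    database never holds the usable token. Assumed to be what the PR calls the
    'base64 SHA256 hash'."""
    return base64.b64encode(hashlib.sha256(token.encode("ascii")).digest()).decode("ascii")


def secret_manifest(secret_name: str, token: str) -> dict:
    """Kubernetes Secret carrying both values. Key names are hypothetical; the
    chart's real keys are not given on the page."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name},
        "type": "Opaque",
        "stringData": {"token": token, "hashedToken": hashed_token(token)},
    }


if __name__ == "__main__":
    pat = generate_pat()
    print(pat, validate_pat(pat))
    print(secret_manifest("netbird-pat", pat))
```

Because the CRC is computed over the secret part, `validate_pat` rejects any single-character corruption of either the secret or the checksum without contacting the server; only `hashed_token` needs to end up in the database, while the plaintext stays in the Secret for the client that uses it.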

mikkeldamsgaard and others added 2 commits February 25, 2026 14:01
Add Personal Access Token (PAT) seeding capability to the NetBird Helm chart
using Initium v1.0.1. When pat.enabled=true, a post-install/post-upgrade Job
seeds a service user account and PAT into the database.

Features:
- New pat-seed-job.yaml: Helm hook Job that waits for the server and seeds PAT
- New pat-seed-configmap.yaml: Initium seed specification
- Supports all three database backends: SQLite, PostgreSQL, MySQL
- Security contexts: root for SQLite (PVC access), non-root for external DBs
- ConfigMap uses MiniJinja templates for sensitive token injection via env vars
- Comprehensive unit tests (configmap and job) with 148 total tests passing

Configuration (values.yaml):
- pat.enabled: Enable/disable PAT seeding
- pat.accountId/userId: IDs for the seeded account and service user
- pat.name: PAT display name
- pat.expirationDays: Token validity period (default 365 days)
- pat.secret.secretName: K8s Secret containing the PAT token and hash

E2E testing:
- Updated e2e.sh with proper PAT token generation (nbp_ + 30-char secret +
  base62 CRC32 checksum) and curl-based authentication verification
- All three backends (sqlite, postgres, mysql) tested and passing

Dependencies:
- Upgraded Initium to v1.0.1 (fixes PostgreSQL insert_row for text PKs)
- Boolean values use 1/0 for MySQL tinyint compatibility
- Datetime format uses space separator for MySQL compatibility

The PAT seed Job cannot mount a ReadWriteOnce PVC that is already
attached to the server pod. Replace the Job with a Kubernetes native
sidecar (init container with restartPolicy: Always, K8s 1.28+) that
shares the data volume inside the same pod.

Changes:
- server-deployment.yaml: add pat-seed native sidecar with --sidecar
  flag (Initium v1.0.4) to stay alive after seeding, maintaining
  full pod readiness (2/2 Running)
- pat-seed-job.yaml: only render for external databases (PostgreSQL/MySQL)
- pat-seed-configmap.yaml: regular resource for SQLite (needed by
  Deployment), Helm hook for external DBs (needed by hook Job)
- _helpers.tpl: remove gob-encoded network_* columns from accounts
  seed to prevent migratePreAuto decode errors on server restart
- values.yaml: bump Initium from v1.0.1 to v1.0.4
- e2e.sh: check sidecar logs for completion instead of container
  termination (sidecar stays alive with --sidecar flag)
- 167 unit tests passing, SQLite e2e test passing with PAT auth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
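The "Seed Behavior" section of the PR body and the commit notes above describe the seeder's contract: wait until the `accounts`, `users` and `personal_access_tokens` tables exist (created by the server's GORM AutoMigrate), then insert the service user account and PAT so that a repeat run on re-install changes nothing, storing booleans as 1/0 and datetimes with a space separator for MySQL compatibility. The block below is an added example, written against SQLite in Python, that reproduces that contract; it is not the Initium seed specification from the PR. The table schema is a deliberately reduced, assumed subset of NetBird's tables, and the hashed-token value is a constructed placeholder.

```python
"""Simulate the PAT seed sidecar: wait for the migrated tables, then seed
idempotently. Added example; not the PR's Initium spec. The schema is an
assumed, reduced subset of NetBird's real tables."""
import sqlite3
import time
from datetime import datetime, timedelta, timezone

# tables the PR says the seeder waits for
REQUIRED_TABLES = ("accounts", "users", "personal_access_tokens")


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def wait_for_tables(conn: sqlite3.Connection, timeout_s: float = 5.0, poll_s: float = 0.05) -> bool:
    """Poll until every required table exists. Returns False on timeout so the
    caller never seeds into a half-migrated schema."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if all(table_exists(conn, t) for t in REQUIRED_TABLES):
            return True
        time.sleep(poll_s)
    return False


def migrate(conn: sqlite3.Connection) -> None:
    """Stand-in for the server's AutoMigrate (assumed, reduced columns)."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS accounts (
            id TEXT PRIMARY KEY, created_at TEXT);
        CREATE TABLE IF NOT EXISTS users (
            id TEXT PRIMARY KEY, account_id TEXT, role TEXT,
            is_service_user INTEGER, created_at TEXT);
        CREATE TABLE IF NOT EXISTS personal_access_tokens (
            id TEXT PRIMARY KEY, user_id TEXT, name TEXT, hashed_token TEXT,
            expiration_date TEXT, created_at TEXT);
    """)


def db_datetime(dt: datetime) -> str:
    """Space separator instead of ISO 'T' (PR: MySQL compatibility)."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def seed_pat(conn, account_id, user_id, pat_id, pat_name, hashed_token, expiration_days=365) -> int:
    """Insert account, service user and PAT only if absent (INSERT OR IGNORE on
    the text primary keys). Returns the number of rows actually written, so a
    repeat run reports 0 and the database is unchanged."""
    now = datetime.now(timezone.utc)
    expires = now + timedelta(days=expiration_days)
    cur = conn.cursor()
    cur.execute("INSERT OR IGNORE INTO accounts (id, created_at) VALUES (?, ?)",
                (account_id, db_datetime(now)))
    written = cur.rowcount
    # is_service_user stored as 1/0, not TRUE/FALSE (PR: MySQL tinyint)
    cur.execute("INSERT OR IGNORE INTO users (id, account_id, role, is_service_user, created_at) "
                "VALUES (?, ?, 'admin', 1, ?)", (user_id, account_id, db_datetime(now)))
    written += cur.rowcount
    cur.execute("INSERT OR IGNORE INTO personal_access_tokens "
                "(id, user_id, name, hashed_token, expiration_date, created_at) "
                "VALUES (?, ?, ?, ?, ?, ?)",
                (pat_id, user_id, pat_name, hashed_token, db_datetime(expires), db_datetime(now)))
    written += cur.rowcount
    conn.commit()
    return written


def run_demo() -> dict:
    """Wait on an empty DB (times out), migrate, seed twice, count PAT rows."""
    conn = sqlite3.connect(":memory:")
    waited_on_empty = wait_for_tables(conn, timeout_s=0.2)   # False: nothing migrated yet
    migrate(conn)
    ready = wait_for_tables(conn)                             # True
    args = ("seed-account", "seed-user", "seed-pat", "ci-token",
            "CONSTRUCTED-base64-sha256-placeholder")
    first = seed_pat(conn, *args)    # 3 rows written
    second = seed_pat(conn, *args)   # 0 rows: idempotent on re-install
    pat_rows = conn.execute("SELECT COUNT(*) FROM personal_access_tokens").fetchone()[0]
    return {"waited_on_empty": waited_on_empty, "ready": ready,
            "first": first, "second": second, "pat_rows": pat_rows}


if __name__ == "__main__":
    print(run_demo())
```

The two properties worth checking in any seeder are visible in `run_demo`: it refuses to write before the schema exists, and the second call writes nothing, which is what makes running it as a post-upgrade hook or an always-restarting sidecar safe.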
@mikkeldamsgaard mikkeldamsgaard changed the title from "feat(netbird): add PAT seeding with native sidecar for SQLite" to "feat(netbird): add PAT seeding" on Feb 25, 2026
@mikkeldamsgaard mikkeldamsgaard merged commit 8af365e into main Feb 25, 2026
5 of 8 checks passed
Development

Successfully merging this pull request may close these issues.

Seed Database with Netbird Personal Access Token (PAT) Using Initium