From 2b0a85ae9e19c8af7844b7a2177cd033106cec8a Mon Sep 17 00:00:00 2001 From: Shahab Dogar Date: Thu, 11 Dec 2025 07:17:52 +0500 Subject: [PATCH] feat: add routing peers to netbird --- netbird/index.ts | 67 +++++++++++++++++++++++++++++++++++++++++++++ netbird/values.yaml | 8 ++++++ 2 files changed, 75 insertions(+) diff --git a/netbird/index.ts b/netbird/index.ts index 042a579..c3ab1bd 100644 --- a/netbird/index.ts +++ b/netbird/index.ts @@ -9,6 +9,7 @@ import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import { SecretV1 } from "@cdktf/provider-kubernetes/lib/secret-v1"; import { Release } from "@cdktf/provider-helm/lib/release"; import { CloudflareCertificate, OnePasswordSecret } from "../utils"; +import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1"; export class Netbird extends TerraformStack { constructor(scope: Construct, id: string) { 
@@ -91,5 +92,71 @@ export class Netbird extends TerraformStack { chart: "netbird", values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")], }).importFrom("netbird/netbird"); + + new OnePasswordSecret(this, "netbird-setup-key", { + name: "netbird-setup-key", + namespace, + provider: kubernetes, + itemPath: "vaults/Lab/items/netbird-setup-key", + }); + + new DeploymentV1(this, "netbird-routing-peers", { + provider: kubernetes, + metadata: { + name: "netbird-routing-peer", + namespace, + }, + spec: { + replicas: "3", + selector: { + matchLabels: { + app: "netbird-routing-peers", + }, + }, + template: { + metadata: { + labels: { + app: "netbird-routing-peers", + }, + }, + spec: { + container: [ + { + name: "netbird-routing-peers", + image: "netbirdio/netbird:latest", + env: [ + { + name: "NB_SETUP_KEY", + valueFrom: { + secretKeyRef: { + name: "netbird-setup-key", + key: "credential", + }, + }, + }, + { + name: "NB_MANAGEMENT_URL", + value: "https://vpn.dogar.dev", + }, + { + name: "NB_HOSTNAME", + value: "netbird-k8s-router", + }, + { + name: "NB_LOG_LEVEL", + value: "info", + }, + ], + securityContext: { + capabilities: { + add: ["NET_ADMIN", "SYS_RESOURCE", "SYS_ADMIN"], + }, + }, + }, + ], + }, + }, + }, + }); } } diff --git a/netbird/values.yaml b/netbird/values.yaml index 28ed83f..7087c80 100644 --- a/netbird/values.yaml +++ b/netbird/values.yaml @@ -1,5 +1,7 @@ fullnameOverride: netbird management: + image: + tag: latest configmap: |- { "Stuns": [ @@ -137,8 +139,12 @@ management: signal: enabled: true + image: + tag: latest relay: + image: + tag: latest envFromSecret: NB_AUTH_SECRET: netbird/relayPassword env: @@ -148,6 +154,8 @@ relay: dashboard: enabled: true + image: + tag: "v2.23.0" env: # Endpoints NETBIRD_MGMT_API_ENDPOINT: https://vpn.dogar.dev:443
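Review bot: The `securityContext` at the end of the `netbird-routing-peers` container adds `SYS_ADMIN` alongside `NET_ADMIN` and `SYS_RESOURCE` and drops nothing, so a compromise of the client process lands in a container with far more than network-administration rights. I would start from `capabilities: { drop: ["ALL"], add: ["NET_ADMIN", "SYS_RESOURCE"] },` and re-add `SYS_ADMIN` only if the client demonstrably fails without it, with a comment naming the feature that needs it. The three replicas also enrol with the same `NB_SETUP_KEY` and the same `NB_HOSTNAME`, so the key presumably has to be reusable; it is worth confirming that it is scoped to a dedicated routing-peer group and, if the management server supports it, marked ephemeral so that restarted pods do not leave stale peers behind. The constructor this block sits in begins outside the hunk.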
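Review bot: `tag: latest` under `management.image` in the first `netbird/values.yaml` hunk, and again under `signal.image` and `relay.image` in the second, makes the deployed control-plane version depend on whatever the registry serves at pull time, whereas `dashboard` in the last hunk is pinned to `"v2.23.0"`. The routing-peer container in `netbird/index.ts` has the same issue with `image: "netbirdio/netbird:latest"`. A mutable tag means an upstream push, or a tampered one, reaches the cluster on the next pod restart without any change in this repository, and management, signal, relay and clients can drift to mismatched versions. I would pin each component the way the dashboard is pinned, e.g. `tag: "<pinned-release>"` (placeholder), and bump the versions together in a reviewed commit.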