Production-ready Helm charts for self-hosted infrastructure, maintained by KitStream.
| Chart | Description | Version |
|---|---|---|
| netbird | Deploy NetBird VPN (management, signal, dashboard, relay) on Kubernetes | 0.1.1 |
```bash
helm install netbird oci://ghcr.io/kitstream/helms/netbird \
  --version 0.1.1 \
  -n netbird --create-namespace \
  -f my-values.yaml
```

```bash
git clone https://github.com/KitStream/helms.git
helm install netbird helms/charts/netbird \
  -n netbird --create-namespace \
  -f my-values.yaml
```

See each chart's README for detailed configuration.
- No shell in init containers — Uses Initium (FROM scratch) instead of Alpine + shell scripts. No package manager, no shell escaping issues, smaller attack surface.
- Hardened by default — Non-root, read-only root filesystem, all capabilities dropped, no privilege escalation.
- Structured configuration — No raw DSN strings. Provide `database.host`, `database.user`, etc. and the chart builds it for you.
- Automatic database readiness — Init containers wait for your database and create it if it doesn't exist. No manual setup, no race conditions.
- Comprehensive testing — Unit tests (helm-unittest) + E2E tests across SQLite, PostgreSQL, and MySQL backends on every PR.
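
An added example (not part of the KitStream charts) of checking the hardened defaults listed above on a deployed pod: it audits every init and regular container for the four settings. The pod JSON is a constructed sample and `audit_pod` is a hypothetical helper name; the field names are the standard Kubernetes `securityContext` fields.

```python
import json

# Constructed sample shaped like `kubectl get pod -o json` (not chart output).
SAMPLE_POD = json.loads("""
{"metadata": {"name": "demo"},
 "spec": {
   "securityContext": {"runAsNonRoot": true},
   "initContainers": [{"name": "wait-for-db", "securityContext": {
       "readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false,
       "capabilities": {"drop": ["ALL"]}}}],
   "containers": [{"name": "app", "securityContext": {
       "readOnlyRootFilesystem": true,
       "capabilities": {"drop": ["NET_RAW"]}}}]}}
""")


def audit_pod(pod):
    """Return (container_name, problem) tuples for each hardening gap."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # Init containers run with the same privileges model, so audit them too.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # runAsNonRoot can be inherited from the pod; a container value wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((c["name"], "runAsNonRoot not enforced"))
        # The remaining fields exist only at container level.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((c["name"], "root filesystem is writable"))
        # Must be explicitly false; an unset field does not block escalation.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "privilege escalation allowed"))
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in [d.upper() for d in drops]:
            findings.append((c["name"], "capabilities not all dropped"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_pod(SAMPLE_POD):
        print(f"{name}: {problem}")
```

For a live namespace, call `audit_pod` on each entry of `items` in the output of `kubectl get pods -n netbird -o json`.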
- Helm v3.8+ (OCI support)
- kubectl configured for your target cluster
- Kubernetes 1.24+ (1.28+ for SQLite PAT seeding)
A scheduled GitHub Actions workflow checks upstream repositories daily for new releases and opens a GitHub issue when a chart is behind upstream.
- The workflow reads `.upstream-monitor.yaml` to discover which upstream repos map to which chart version fields.
- For each source, it queries the GitHub Releases API for the latest non-draft, non-prerelease tag.
- If the upstream version differs from what the chart currently references, a GitHub issue is created with the current and latest versions, a link to the upstream release, and a checklist of what needs to be done.
Edit .upstream-monitor.yaml to add new charts or upstream sources:
```yaml
charts:
  - name: netbird
    path: charts/netbird
    sources:
      - name: server
        github: netbirdio/netbird
        strip_v_prefix: true
        targets:
          - file: Chart.yaml
            yaml_path: .appVersion
```

Run the check on demand from the Actions tab → Upstream Version Check → Run workflow. Enable the `dry_run` checkbox to preview changes without creating an issue.
```bash
# Preview what would change (no issue created)
DRY_RUN=true ./ci/scripts/upstream-check.sh
# Run for real (requires gh auth login)
./ci/scripts/upstream-check.sh
```

We welcome contributions! Please read our Contributing Guide before submitting pull requests.
See SECURITY.md for our security policy and reporting instructions.
Apache License 2.0 — see LICENSE.
Copyright 2026 KitStream