feat(netbird): add netbird router agent

This should allow me to connect to services from a Netbird VPN connection

k8s/infra/vpn/netbird/agent/agent-setup-key.yaml

@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: agent-setup-key
+  namespace: netbird
+spec:
+  encryptedData:
+    setupKey: AgBN0mKmHvesRgAxn3DDYxFqZbsBtHl1pK7NKSaZtD1HDsNAjV7BzqvL/ahgNfHVuVNyXfj8yGB1vJCcaC0QW8FnORRxSP/NRrWL3Qfh1g0LjrNyYvTc38TGlIMCPZ7YUEsyTIWxahNAGtLU2oQ7px8Nl0ysJXxbueIiP+OEEMJzeurzyKzR1NCSgXCUOo9AaDsuLT9l0isIMdAfQVrbK8WYC9ttiyghf9SfwuiEZ9WjRduazPFtYaQ5yAyER/Pqw1RV0qyNrRht+3S3pWiOBYY37F8Ge+Hzr/w/eVVmGeP7LN5qF5NPf82mu6dgf494lf0eWYwixJyLYO0KwdGgXT9gL5pzyr3h2MCcoHGunqgHy+votXdC23tSPFcCJSAaDonQlRSIa+gJLp/+BjVPHMu/ESmKKOuZkCoJUt7pEJZTyHVIHfnqV94qfKe+4urXSVC1rNtxN+ElKJPzyyUNhGQKa/UkhvIEb0XViSkS2qOhThwOV9jj/rvYsHCiQDZzs3Mci/Lzmeb8VgTnFzHKksh3TBlUTqMbUq8kbqqSrgn32/0675/cNTuQ0XfdgqUXcL70dbx10qSkjEbz99oRJyOTStmN9iopGgG99V39wVzH/xLHHEGGvAON9rccUG3ViAXrZUdnPi9b+Vhls8k2n9CZrTtbWZANA4f9GVXcIIFOPMw7FVDR+e8o/YpSSBaFMyKUfeCYQS9dC6jNQJbCmSnSbTWqi5/br3CSSe/qovSs/ndgMTk=
+  template:
+    metadata:
+      name: agent-setup-key
+      namespace: netbird
+    type: Opaque

k8s/infra/vpn/netbird/agent/daemon-set.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: netbird-agent
+  namespace: netbird
+spec:
+  selector:
+    matchLabels:
+      app: netbird
+  template:
+    metadata:
+      labels:
+        app: netbird
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: netbird
+          image: netbirdio/netbird:0.28.7 # renovate: docker=netbirdio/netbird
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              add: [ NET_ADMIN, PERFMON, BPF ]
+          envFrom:
+            - configMapRef:
+                name: agent-config
+          env:
+            - name: NB_SETUP_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: agent-setup-key
+                  key: setupKey
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      volumes:
+        - name: config
+          emptyDir: { }

k8s/infra/vpn/netbird/agent/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+  - name: agent-config
+    namespace: netbird
+    literals:
+      - NB_HOSTNAME="talos-router"
+      - NB_LOG_LEVEL="warn"
+      - NB_MANAGEMENT_URL="https://netbird.stonegarden.dev"
+      - NB_ADMIN_URL="https://netbird.stonegarden.dev"
+      - NB_CONFIG="/config/config.json"
+
+resources:
+  - agent-setup-key.yaml
+  - daemon-set.yaml

k8s/infra/vpn/netbird/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - http-route.yaml
   - backend
   - dashboard
+  - agent

k8s/infra/vpn/netbird/ns.yaml

@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: netbird
+  labels:
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: baseline