Add documentation for API server proxy#776
Conversation
📝 WalkthroughWalkthroughThis PR adds documentation and navigation for a new Kubernetes API Server Proxy integration feature. It introduces a navigation link in the Kubernetes section of the documentation menu and provides a comprehensive MDX page documenting deployment prerequisites, RBAC configuration, permission assignment, and CLI usage. ChangesKubernetes API Server Proxy Documentation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
src/components/NavigationDocs.jsxOops! Something went wrong! :( ESLint: 9.39.4 TypeError: Converting circular structure to JSON src/pages/manage/integrations/kubernetes/api-server-proxy.mdxOops! Something went wrong! :( ESLint: 9.39.4 TypeError: Converting circular structure to JSON Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/components/NavigationDocs.jsx`:
- Around line 481-484: Update src/components/NavigationAPI.jsx to add an
apiNavigation entry mirroring the new docs route: insert an item in the
apiNavigation array (or the /manage/integrations/kubernetes block) with title
"API Server Proxy" and href "/manage/integrations/kubernetes/api-server-proxy"
so the file contains the substring "api-server-proxy" and has the corresponding
"/manage/integrations/kubernetes" section; ensure the new entry follows the same
shape/fields as existing entries in apiNavigation to keep both navigation
contexts in sync.
In `@src/pages/manage/integrations/kubernetes/api-server-proxy.mdx`:
- Line 3: Fix several grammar and clarity issues in the opening paragraph of
src/pages/manage/integrations/kubernetes/api-server-proxy.mdx: combine the
fragmented sentences into a single clear sentence (e.g., merge "Security
requirements may prohibit..." and "While integrations..." into one clause),
correct possessive/branding ("NetBirds network" → "NetBird's network" or
"NetBird network" depending on style), change awkward phrasing like "using the
NetBird identity to append permissions to the incoming request" to a clearer
form such as "using the NetBird identity to attach/assign permissions to
incoming requests", and correct any subject-verb errors like "users who is" to
"users who are"; update the first paragraph text accordingly so the meaning is
preserved and grammar is correct.
- Around line 102-106: The docs example under the "Available Kubernetes
clusters" block contains an environment-specific FQDN
("prod.netbird-kubeapi-proxy.netbird.cloud.") — replace that concrete hostname
with a neutral placeholder (e.g., "<cluster-fqdn.example>" or
"your-cluster.example.com") so the example no longer exposes real environment
identifiers; update the FQDN value in the example list (the "Name: prod / FQDN:
..." entry) accordingly and ensure the placeholder follows the same formatting
as the other example fields.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: a1e1a78a-e4b5-4fba-aae7-fa1659e6c3e9
📒 Files selected for processing (2)
src/components/NavigationDocs.jsxsrc/pages/manage/integrations/kubernetes/api-server-proxy.mdx
| { | ||
| title: 'API Server Proxy', | ||
| href: '/manage/integrations/kubernetes/api-server-proxy', | ||
| }, |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify both navigation files exist
fd -i 'NavigationDocs.jsx|NavigationAPI.jsx' src/components
# Inspect occurrences of the new route in both files
rg -n -C2 '/manage/integrations/kubernetes/api-server-proxy' src/components/NavigationDocs.jsx src/components/NavigationAPI.jsxRepository: netbirdio/docs
Length of output: 481
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Search for the new route in NavigationAPI using both full href and substring
rg -n -C2 'api-server-proxy' src/components/NavigationAPI.jsx || true
rg -n -C2 '/manage/integrations/kubernetes/api-server-proxy' src/components/NavigationAPI.jsx || true
# Also see what kubernetes manage integration routes exist in NavigationAPI
rg -n -C2 '/manage/integrations/kubernetes' src/components/NavigationAPI.jsx || trueRepository: netbirdio/docs
Length of output: 40
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE="src/components/NavigationAPI.jsx"
echo "== Checking for new route in NavigationAPI.jsx =="
if rg -n '/manage/integrations/kubernetes/api-server-proxy' "$FILE" -C2; then
echo "Found full href match."
else
echo "NO full href match."
fi
if rg -n 'api-server-proxy' "$FILE" -C2; then
echo "Found substring match."
else
echo "NO api-server-proxy substring match."
fi
echo
echo "== Checking if any kubernetes block exists in NavigationAPI.jsx =="
rg -n '/manage/integrations/kubernetes' "$FILE" -C1 || echo "NO /manage/integrations/kubernetes matches."
echo
echo "== Display nearby kubernetes-related navigation area (first match if any) =="
# If there is any kubernetes manage integration reference, print ~40 lines around the first one.
FIRST_MATCH=$(rg -n '/manage/integrations/kubernetes' "$FILE" | head -n1 | cut -d: -f1 || true)
if [ -n "${FIRST_MATCH:-}" ]; then
START=$((FIRST_MATCH-20))
END=$((FIRST_MATCH+20))
nl -ba "$FILE" | sed -n "${START},${END}p"
else
echo "No kubernetes-related navigation reference found to print context."
fiRepository: netbirdio/docs
Length of output: 422
Update NavigationAPI.jsx to match the new docs route
{
title: 'API Server Proxy',
href: '/manage/integrations/kubernetes/api-server-proxy',
},
src/components/NavigationDocs.jsx includes the new “API Server Proxy” entry, but src/components/NavigationAPI.jsx has no matching route (no /manage/integrations/kubernetes/api-server-proxy, no api-server-proxy substring, and no /manage/integrations/kubernetes block). Add the corresponding apiNavigation entry so both navigation contexts stay in sync.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/components/NavigationDocs.jsx` around lines 481 - 484, Update
src/components/NavigationAPI.jsx to add an apiNavigation entry mirroring the new
docs route: insert an item in the apiNavigation array (or the
/manage/integrations/kubernetes block) with title "API Server Proxy" and href
"/manage/integrations/kubernetes/api-server-proxy" so the file contains the
substring "api-server-proxy" and has the corresponding
"/manage/integrations/kubernetes" section; ensure the new entry follows the same
shape/fields as existing entries in apiNavigation to keep both navigation
contexts in sync.
| @@ -0,0 +1,119 @@ | |||
| # API Server Proxy | |||
|
|
|||
| Managing access to a Kubernetes cluster can be challenging. Security requirements may prohibit exposing the API server to the public internet. While integrations with existing authorization systems may be impossible. The NetBird API server proxy solves both the access and authorization problem in a single solution by exposing the API server through NetBirds network while using the NetBird identity to append permissions to the incoming request. All done without the need to store any credentials on the local machine. | |||
There was a problem hiding this comment.
Tighten grammar in key explanatory sentences.
There are a few grammar issues that reduce clarity (e.g., "NetBirds network", "users who is").
As per coding guidelines, "Page title must come from the first # Heading in the MDX file ... import custom components ... as needed" and this page already follows the structural rule; this suggestion is purely for user-facing text quality.
Suggested edit
-Managing access to a Kubernetes cluster can be challenging. Security requirements may prohibit exposing the API server to the public internet. While integrations with existing authorization systems may be impossible. The NetBird API server proxy solves both the access and authorization problem in a single solution by exposing the API server through NetBirds network while using the NetBird identity to append permissions to the incoming request. All done without the need to store any credentials on the local machine.
+Managing access to a Kubernetes cluster can be challenging. Security requirements may prohibit exposing the API server to the public internet, while integrations with existing authorization systems may be impossible. The NetBird API server proxy solves both access and authorization in a single solution by exposing the API server through NetBird’s network and using NetBird identity to append permissions to incoming requests—without storing credentials on the local machine.-The proxy uses [user impersonation](https://kubernetes.io/docs/reference/access-authn-authz/user-impersonation/) to grant to each call based on the source of the request. The request to the API server is modified to include the NetBird users and groups the user is a member of. The group name can then be used in role bindings to assign permissions. In this example any NetBird users who is a member of the kubernetes-read group will get full read access to the cluster.
+The proxy uses [user impersonation](https://kubernetes.io/docs/reference/access-authn-authz/user-impersonation/) to grant permissions to each call based on the source of the request. The request to the API server is modified to include the NetBird user and groups the user is a member of. The group name can then be used in role bindings to assign permissions. In this example, any NetBird user who is a member of the `kubernetes-read` group gets full read access to the cluster.Also applies to: 65-65
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/pages/manage/integrations/kubernetes/api-server-proxy.mdx` at line 3, Fix
several grammar and clarity issues in the opening paragraph of
src/pages/manage/integrations/kubernetes/api-server-proxy.mdx: combine the
fragmented sentences into a single clear sentence (e.g., merge "Security
requirements may prohibit..." and "While integrations..." into one clause),
correct possessive/branding ("NetBirds network" → "NetBird's network" or
"NetBird network" depending on style), change awkward phrasing like "using the
NetBird identity to append permissions to the incoming request" to a clearer
form such as "using the NetBird identity to attach/assign permissions to
incoming requests", and correct any subject-verb errors like "users who is" to
"users who are"; update the first paragraph text accordingly so the meaning is
preserved and grammar is correct.
| Available Kubernetes clusters: | ||
|
|
||
| - Name: prod | ||
| FQDN: prod.netbird-kubeapi-proxy.netbird.cloud. | ||
| Version: v1.35.0 |
There was a problem hiding this comment.
Replace environment-specific FQDN with a placeholder in docs examples.
Line 105 includes a concrete-looking hostname (prod.netbird-kubeapi-proxy.netbird.cloud.); please replace it with a neutral placeholder to avoid leaking real environment identifiers in public docs.
As per coding guidelines, "Never include real customer names, internal hostnames, IPs, or production credentials in MDX documentation or public/ files — use placeholders instead."
Suggested edit
Available Kubernetes clusters:
- Name: prod
- FQDN: prod.netbird-kubeapi-proxy.netbird.cloud.
+ FQDN: <cluster-id>.example.netbird-kubeapi-proxy.netbird.cloud
Version: v1.35.0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| Available Kubernetes clusters: | |
| - Name: prod | |
| FQDN: prod.netbird-kubeapi-proxy.netbird.cloud. | |
| Version: v1.35.0 | |
| Available Kubernetes clusters: | |
| - Name: prod | |
| FQDN: <cluster-id>.example.netbird-kubeapi-proxy.netbird.cloud | |
| Version: v1.35.0 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/pages/manage/integrations/kubernetes/api-server-proxy.mdx` around lines
102 - 106, The docs example under the "Available Kubernetes clusters" block
contains an environment-specific FQDN
("prod.netbird-kubeapi-proxy.netbird.cloud.") — replace that concrete hostname
with a neutral placeholder (e.g., "<cluster-fqdn.example>" or
"your-cluster.example.com") so the example no longer exposes real environment
identifiers; update the FQDN value in the example list (the "Name: prod / FQDN:
..." entry) accordingly and ensure the placeholder follows the same formatting
as the other example fields.
1 participant
Summary by CodeRabbit