The NetBird API Exporter is built with a modular architecture that makes it easy to add support for new NetBird APIs while keeping the code organized and maintainable. The project follows Go best practices and provides comprehensive Prometheus metrics for NetBird deployments.
netbird-api-exporter/
├── main.go # Clean application entry point
├── pkg/ # Core application packages
│ ├── netbird/ # NetBird API client and types
│ │ ├── client.go # Base HTTP client for NetBird API
│ │ └── types.go # Shared data structures (Peer, Group, User, etc.)
│ ├── exporters/ # Prometheus exporters for different APIs
│ │ ├── exporter.go # Main composite exporter
│ │ ├── peers.go # Peers API exporter
│ │ ├── groups.go # Groups API exporter
│ │ ├── users.go # Users API exporter
│ │ ├── networks.go # Networks API exporter
│ │ ├── dns.go # DNS API exporter
│ │ └── *_test.go # Comprehensive test suite for each exporter
│ └── utils/ # Utility functions
│ └── config.go # Configuration helpers
├── charts/ # Kubernetes deployment
│ └── netbird-api-exporter/ # Helm chart for K8s deployment
│ └── templates/ # K8s resource templates
│ └── tests/ # Helm chart tests
├── docs/ # GitHub Pages documentation
│ ├── _config.yml # Jekyll configuration
│ ├── _sass/ # Styling for documentation
│ ├── getting-started/ # Getting started guides
│ ├── installation/ # Installation documentation
│ ├── index.md # Documentation homepage
│ └── *.md # Various documentation files
├── tmp/ # Temporary files (gitignored)
├── docker-compose.yml # Local development with Docker Compose
├── Dockerfile # Container image definition
├── env.example # Environment variables template
├── Makefile # Build and development automation
├── netbird-exporter.service # Systemd service file
├── prometheus.yml.example # Example Prometheus configuration
├── go.mod # Go module definition
├── go.sum # Go module checksums
├── LICENSE # Project license
├── README.md # Main project documentation
├── CONTRIBUTING.md # Contribution guidelines
└── ARCHITECTURE.md # This fileThe NetBird client package provides a unified interface for interacting with the NetBird API.
- Provides a reusable HTTP client for all NetBird API calls
- Handles authentication with API tokens
- Implements common error handling and logging
- Manages HTTP timeouts and retries
Contains shared data structures used across different APIs:
Peer: NetBird peer informationGroup: NetBird group detailsUser: User account informationNetwork: Network configurationDNSNameServerGroup: DNS configuration- Common utility types and constants
Each exporter implements the prometheus.Collector interface and focuses on a specific NetBird API endpoint.
- Orchestrates all individual API exporters
- Provides unified metrics collection
- Implements graceful error handling and recovery
- Manages scrape timing and error metrics
Provides comprehensive peer metrics:
- Total peer count
- Connection status
- Operating system distribution
- Geographic distribution
- Group memberships
- SSH configuration
- Login status and approval requirements
Handles group-related metrics:
- Total group count
- Peer counts per group
- Resource assignments
- Group types and issued status
Manages user account metrics:
- User counts by role and status
- Service user identification
- Login timestamps
- Permission mappings
- Auto-group assignments
Tracks network configuration:
- Network counts and information
- Router assignments
- Resource associations
- Policy applications
- Routing peer configurations
Monitors DNS configuration:
- Nameserver group management
- Domain configurations
- DNS management status
- Nameserver types and ports
Clean and focused application entry point:
- Configuration management via environment variables
- HTTP server setup with configurable endpoints
- Graceful shutdown handling
- Health check endpoints
- Structured logging setup
Centralized configuration management:
- Environment variable parsing
- Default value handling
- Configuration validation
- Type-safe configuration access
Each exporter has corresponding test files following Go conventions:
*_test.gofiles alongside implementation- Table-driven tests for comprehensive coverage
- Mock NetBird API responses
- Error condition testing
- Metrics validation
func TestExporter_CollectMetrics(t *testing.T) {
tests := []struct {
name string
apiResponse string
expectedMetrics map[string]float64
expectError bool
}{
// Test cases...
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Test implementation
})
}
}- Dockerfile: Multi-stage build for optimal image size
- docker-compose.yml: Local development environment
- Base Image: Minimal Alpine Linux for security
- Helm Chart: Production-ready Kubernetes deployment
- ConfigMaps: Environment-based configuration
- ServiceMonitor: Prometheus operator integration
- RBAC: Minimal required permissions
- netbird-exporter.service: Native Linux service deployment
- Automatic restart and logging integration
- Environment file support
# NetBird API Configuration
NETBIRD_API_URL=https://api.netbird.io
NETBIRD_API_TOKEN=your_token_here
# Server Configuration
LISTEN_ADDRESS=:8080
METRICS_PATH=/metrics
# Logging
LOG_LEVEL=info- Environment variables (highest priority)
- Configuration files
- Default values (lowest priority)
- Jekyll-based: Automatic documentation generation
- Responsive Design: Mobile-friendly documentation
- Search Integration: Full-text documentation search
- Getting Started: Quick setup guides
- Installation: Detailed deployment instructions
- API Reference: Metrics documentation
- Examples: Real-world configuration examples
The modular architecture makes adding new APIs straightforward:
Add new data structures to pkg/netbird/types.go:
// Policy represents a NetBird policy from the API
type Policy struct {
ID string `json:"id"`
Name string `json:"name"`
Description string `json:"description"`
Enabled bool `json:"enabled"`
Rules []Rule `json:"rules"`
}Create pkg/exporters/policies.go:
package exporters
import (
"github.com/prometheus/client_golang/prometheus"
"github.com/matanbaruch/netbird-api-exporter/pkg/netbird"
)
type PoliciesExporter struct {
client *netbird.Client
// Prometheus metrics
policiesTotal *prometheus.GaugeVec
policiesEnabled *prometheus.GaugeVec
scrapeErrors prometheus.Counter
scrapeDuration prometheus.Histogram
}
func NewPoliciesExporter(client *netbird.Client) *PoliciesExporter {
return &PoliciesExporter{
client: client,
policiesTotal: prometheus.NewGaugeVec(
prometheus.GaugeOpts{
Name: "netbird_policies",
Help: "Total number of NetBird policies",
},
[]string{},
),
// Initialize other metrics...
}
}
func (e *PoliciesExporter) Describe(ch chan<- *prometheus.Desc) {
e.policiesTotal.Describe(ch)
// Describe other metrics...
}
func (e *PoliciesExporter) Collect(ch chan<- prometheus.Metric) {
// Implementation...
}Update pkg/exporters/exporter.go:
type NetBirdExporter struct {
client *netbird.Client
peersExporter *PeersExporter
groupsExporter *GroupsExporter
usersExporter *UsersExporter
networksExporter *NetworksExporter
dnsExporter *DNSExporter
policiesExporter *PoliciesExporter // Add new exporter
}Create comprehensive tests in pkg/exporters/policies_test.go:
func TestPoliciesExporter_Collect(t *testing.T) {
// Test implementation
}- Add metrics to README.md
- Update architecture documentation
- Add configuration examples
- Respect NetBird API rate limits
- Implement exponential backoff
- Cache responses when appropriate
- Efficient metric reset patterns
- Garbage collection optimization
- Resource cleanup on shutdown
- Self-monitoring with exporter metrics
- Scrape duration tracking
- Error rate monitoring
- Secure token storage
- Token rotation support
- Environment-based configuration
- Non-root user execution
- Minimal base images
- Regular security updates
- TLS encryption for API calls
- Configurable timeouts
- Certificate validation
- Artifact Attestations: All releases include signed build provenance attestations
- Sigstore Integration: Container images and binaries are signed using Sigstore
- GitHub Actions: Builds occur in secure, auditable GitHub Actions environment
- Reproducible Builds: Pinned dependencies and deterministic build process
- SLSA Compliance: Following SLSA (Supply-chain Levels for Software Artifacts) guidelines
Users can verify the authenticity of artifacts:
# Verify Docker image attestation
gh attestation verify oci://ghcr.io/matanbaruch/netbird-api-exporter:latest --owner matanbaruch
# Verify binary attestations
gh attestation verify netbird-api-exporter-linux-amd64 --owner matanbaruchSee docs/security/artifact-attestations.md for complete verification instructions.
- Configuration-driven API selection
- Custom scrape intervals per API
- API response caching
- Rate limiting with retry logic
- Custom metric filtering
- Multi-tenant support
- API health status metrics
- Response time percentiles
- Error categorization
- Performance profiling
- Operator pattern for Kubernetes
- Auto-scaling based on load
- Multi-region deployment support
- Blue-green deployment patterns
When contributing to the project architecture:
- Follow Patterns: Use existing patterns for consistency
- Test Coverage: Ensure comprehensive test coverage
- Documentation: Update architectural documentation
- Backwards Compatibility: Consider existing deployments
- Performance: Profile and benchmark changes
- Security: Consider security implications
- Use
netbird_prefix for all metrics - Use
snake_casefor metric names - Include units in metric names when appropriate
- Use consistent label naming
- Keep label cardinality reasonable
- Use meaningful label names
- Avoid high-cardinality labels
- Consider label stability over time
- Gauges: For current state values
- Counters: For monotonically increasing values
- Histograms: For timing and size distributions
- Summaries: For quantile calculations
This architecture provides a solid foundation for monitoring NetBird deployments while maintaining flexibility for future enhancements and easy maintenance.