homelab/archive/2022.07.bxl-k3s-pi/apps/wireguard/app.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: wireguard

---

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wireguard
  namespace: wireguard
  labels:
    app: wireguard
  annotations:
    reloader.stakater.com/auto: "true"
spec:
  selector:
    matchLabels:
      app: wireguard
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: wireguard
      restartPolicy: Always
      initContainers:
      - name: init
        image: busybox:1.32.0
        command:
        - sh
        - -c
        - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
        securityContext:
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
      containers:
      - name: wireguard
        image: masipcat/wireguard-go:latest
        securityContext:
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
        ports:
        - containerPort: 51820
          protocol: UDP
        command:
        - sh
        - -c
        - /entrypoint.sh
        env:
        - name: LOG_LEVEL
          value: info
        resources:
          requests:
            memory: "64Mi"
            cpu: "150m"
          limits:
            memory: "128Mi"
        volumeMounts:
        - name: wireguard-config
          mountPath: /etc/wireguard/wg0.key
          subPath: wg0.key
          readOnly: true
        - name: wireguard-config
          mountPath: /etc/wireguard/wg0.conf
          subPath: wg0.conf
          readOnly: true
      volumes:
      - name: wireguard-config
        secret:
          secretName: wireguard

---

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: wg-pdb
  namespace: wireguard
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: wireguard

---

apiVersion: v1
kind: Service
metadata:
  name: wireguard
  namespace: wireguard
  labels:
    app: wireguard
  annotations:
    metallb.universe.tf/loadBalancerIPs: 192.168.1.210
    metallb.universe.tf/allow-shared-ip: "management-192.168.1.210"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: wireguard
  ports:
  - name: vpn
    port: 51820
    protocol: UDP
Archives 2023-04-16 15:04:06 +02:00			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: wireguard`

			`---`

			`apiVersion: apps/v1`
			`kind: DaemonSet`
			`metadata:`
			`name: wireguard`
			`namespace: wireguard`
			`labels:`
			`app: wireguard`
			`annotations:`
			`reloader.stakater.com/auto: "true"`
			`spec:`
			`selector:`
			`matchLabels:`
			`app: wireguard`
			`updateStrategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxUnavailable: 1`
			`template:`
			`metadata:`
			`labels:`
			`app: wireguard`
			`spec:`
			`topologySpreadConstraints:`
			`- maxSkew: 1`
			`topologyKey: kubernetes.io/hostname`
			`whenUnsatisfiable: DoNotSchedule`
			`labelSelector:`
			`matchLabels:`
			`app: wireguard`
			`restartPolicy: Always`
			`initContainers:`
			`- name: init`
			`image: busybox:1.32.0`
			`command:`
			`- sh`
			`- -c`
			`- sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1`
			`securityContext:`
			`privileged: true`
			`capabilities:`
			`add:`
			`- NET_ADMIN`
			`containers:`
			`- name: wireguard`
			`image: masipcat/wireguard-go:latest`
			`securityContext:`
			`privileged: true`
			`capabilities:`
			`add:`
			`- NET_ADMIN`
			`ports:`
			`- containerPort: 51820`
			`protocol: UDP`
			`command:`
			`- sh`
			`- -c`
			`- /entrypoint.sh`
			`env:`
			`- name: LOG_LEVEL`
			`value: info`
			`resources:`
			`requests:`
			`memory: "64Mi"`
			`cpu: "150m"`
			`limits:`
			`memory: "128Mi"`
			`volumeMounts:`
			`- name: wireguard-config`
			`mountPath: /etc/wireguard/wg0.key`
			`subPath: wg0.key`
			`readOnly: true`
			`- name: wireguard-config`
			`mountPath: /etc/wireguard/wg0.conf`
			`subPath: wg0.conf`
			`readOnly: true`
			`volumes:`
			`- name: wireguard-config`
			`secret:`
			`secretName: wireguard`

			`---`

			`apiVersion: policy/v1`
			`kind: PodDisruptionBudget`
			`metadata:`
			`name: wg-pdb`
			`namespace: wireguard`
			`spec:`
			`minAvailable: 1`
			`selector:`
			`matchLabels:`
			`app: wireguard`

			`---`

			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: wireguard`
			`namespace: wireguard`
			`labels:`
			`app: wireguard`
			`annotations:`
			`metallb.universe.tf/loadBalancerIPs: 192.168.1.210`
			`metallb.universe.tf/allow-shared-ip: "management-192.168.1.210"`
			`spec:`
			`type: LoadBalancer`
			`externalTrafficPolicy: Cluster`
			`selector:`
			`app: wireguard`
			`ports:`
			`- name: vpn`
			`port: 51820`
			`protocol: UDP`