apiVersion: v1 kind: Namespace metadata: name: wireguard --- apiVersion: apps/v1 kind: DaemonSet metadata: name: wireguard namespace: wireguard labels: app: wireguard annotations: reloader.stakater.com/auto: "true" spec: selector: matchLabels: app: wireguard updateStrategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 template: metadata: labels: app: wireguard spec: topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app: wireguard restartPolicy: Always initContainers: - name: init image: busybox:1.32.0 command: - sh - -c - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1 securityContext: privileged: true capabilities: add: - NET_ADMIN containers: - name: wireguard image: masipcat/wireguard-go:latest securityContext: privileged: true capabilities: add: - NET_ADMIN ports: - containerPort: 51820 protocol: UDP command: - sh - -c - /entrypoint.sh env: - name: LOG_LEVEL value: info resources: requests: memory: "64Mi" cpu: "150m" limits: memory: "128Mi" volumeMounts: - name: wireguard-config mountPath: /etc/wireguard/wg0.key subPath: wg0.key readOnly: true - name: wireguard-config mountPath: /etc/wireguard/wg0.conf subPath: wg0.conf readOnly: true volumes: - name: wireguard-config secret: secretName: wireguard --- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: wg-pdb namespace: wireguard spec: minAvailable: 1 selector: matchLabels: app: wireguard --- apiVersion: v1 kind: Service metadata: name: wireguard namespace: wireguard labels: app: wireguard annotations: metallb.universe.tf/loadBalancerIPs: 192.168.1.210 metallb.universe.tf/allow-shared-ip: "management-192.168.1.210" spec: type: LoadBalancer externalTrafficPolicy: Cluster selector: app: wireguard ports: - name: vpn port: 51820 protocol: UDP