homelab/archive/2022.07.bxl-k3s-pi/apps/wireguard/app.yaml


# Dedicated namespace for the WireGuard endpoint. The DaemonSet in this file
# runs privileged, so whatever Pod Security admission level (or third-party
# policy engine) applies to this namespace must allow privileged pods.
apiVersion: v1
kind: Namespace
metadata:
  name: wireguard
---
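# WireGuard VPN endpoint (userspace wireguard-go), one pod per node.
#
# Privilege summary for reviewers:
#   * Both containers run privileged: that grants every capability, access to
#     all host devices and a writable /proc/sys. The explicit NET_ADMIN adds
#     are redundant while privileged is set; they are kept to record the one
#     capability actually needed should privileged ever be dropped.
#   * hostNetwork/hostPID/hostIPC are not set, so the sysctls below and the
#     tunnel device live in the pod's own network namespace, not the node's.
#   * The private key and peer config come from the Secret "wireguard", which
#     is created out of band (it is deliberately not in this file) and is
#     mounted read-only.
#   * The pod has no need for the Kubernetes API, so the service account
#     token is not mounted (see automountServiceAccountToken below).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wireguard
  namespace: wireguard
  labels:
    app: wireguard
  annotations:
    # Reloader restarts the pods when the "wireguard" Secret changes. This is
    # required here, not just convenient: the Secret is mounted via subPath
    # (see volumeMounts), and kubelet does not propagate Secret updates into
    # subPath mounts, so without a restart a rotated key would never load.
    reloader.stakater.com/auto: "true"
spec:
  selector:
    matchLabels:
      app: wireguard
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # One node at a time; the LoadBalancer IP keeps serving from the others.
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      # A privileged, Internet-facing pod should not carry an API credential it
      # never uses; nothing in this manifest talks to the API server. Revert
      # only if the image's entrypoint turns out to need it (not expected for
      # wireguard-go).
      automountServiceAccountToken: false
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: wireguard
      restartPolicy: Always
      initContainers:
        # Enables IPv4 forwarding inside the pod's network namespace so packets
        # can be routed between wg0 and the pod interface. These are namespaced
        # sysctls, so the node's own forwarding setting is untouched. On Linux
        # ip_forward is effectively an alias that sets the all-interfaces
        # forwarding flag, so the second write is redundant but harmless.
        #
        # privileged is what makes this work: unprivileged containers get a
        # read-only /proc/sys, and NET_ADMIN alone cannot write it. The
        # less-privileged alternative is pod-level securityContext.sysctls,
        # which needs the kubelet started with allowed-unsafe-sysctls covering
        # net.ipv4.ip_forward.
        - name: init
          image: busybox:1.32.0
          command:
            - sh
            - -c
            - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
      containers:
        - name: wireguard
          # TODO(security): ":latest" is a mutable tag. Pin an immutable tag or
          # digest so a re-pushed tag cannot silently change what runs as
          # privileged root on every node, and so all nodes run the same build.
          image: masipcat/wireguard-go:latest
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
          ports:
            - containerPort: 51820
              protocol: UDP
          command:
            - sh
            - -c
            - /entrypoint.sh
          env:
            - name: LOG_LEVEL
              value: info
          resources:
            requests:
              memory: "64Mi"
              cpu: "150m"
            limits:
              memory: "128Mi"
          # Both files come from the same Secret. subPath mounts keep the rest
          # of /etc/wireguard from the image intact, at the cost of no live
          # updates (hence the Reloader annotation above).
          volumeMounts:
            - name: wireguard-config
              mountPath: /etc/wireguard/wg0.key
              subPath: wg0.key
              readOnly: true
            - name: wireguard-config
              mountPath: /etc/wireguard/wg0.conf
              subPath: wg0.conf
              readOnly: true
      volumes:
        - name: wireguard-config
          secret:
            secretName: wireguard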
---
# Keeps at least one WireGuard pod running during voluntary disruptions that go
# through the eviction API. Note that "kubectl drain" skips DaemonSet pods
# (--ignore-daemonsets), so this mainly constrains other evictors.
# Per the PDB docs, DaemonSets have no scale subresource, so only an absolute
# integer minAvailable is valid here -- not a percentage and not maxUnavailable.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: wg-pdb
  namespace: wireguard
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: wireguard
---
# Exposes UDP/51820 on a fixed MetalLB address. No targetPort is given, so it
# defaults to the same 51820 the container declares.
#
# The address is shared with another service via allow-shared-ip
# ("management-192.168.1.210"). Per MetalLB's sharing rules, two services may
# share an IP only if both use externalTrafficPolicy: Cluster, or both use
# Local with identical pod selectors -- which is why Cluster is kept here.
# The trade-off: Cluster SNATs incoming traffic, so the pods see a node address
# rather than the real peer address. Do not rely on in-pod logs or the
# WireGuard endpoint field for peer attribution; use the node/MetalLB side.
apiVersion: v1
kind: Service
metadata:
  name: wireguard
  namespace: wireguard
  labels:
    app: wireguard
  annotations:
    metallb.universe.tf/loadBalancerIPs: 192.168.1.210
    metallb.universe.tf/allow-shared-ip: "management-192.168.1.210"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: wireguard
  ports:
    - name: vpn
      port: 51820
      protocol: UDP