...
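# Deployment settings for the emissary-ingress pod: the "ambassador" gateway
# container plus a "wireguard" sidecar.
# NOTE(review): no selector and no ambassador image are set here, so this reads
# as an overlay/patch applied on top of a base Deployment. Confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: emissary-ingress
  namespace: emissary
spec:
  template:
    spec:
      # The kubelet sends SIGKILL 90s after termination starts. The preStop
      # sleep below uses 60s of that budget.
      # NOTE(review): AMBASSADOR_DRAIN_TIME (300) is longer than this grace
      # period; confirm the two values are meant to differ.
      terminationGracePeriodSeconds: 90
      containers:
        - name: ambassador
          env:
            # Env values must be strings, hence the quotes.
            - name: AMBASSADOR_AMBEX_SNAPSHOT_COUNT
              value: "5"
            - name: AMBASSADOR_FAST_RECONFIGURE
              value: "false"
            - name: AMBASSADOR_DRAIN_TIME
              value: "300"
          resources:
            limits:
              memory: 2000Mi
            requests:
              memory: 1000Mi
          volumeMounts:
            - name: ambassador-errorpages
              mountPath: /ambassador/ambassador-errorpages
          livenessProbe:
            failureThreshold: 6
            httpGet:
              port: admin
              path: /ambassador/v0/check_alive
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 6
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 6
            httpGet:
              port: admin
              path: /ambassador/v0/check_ready
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 6
            successThreshold: 1
            timeoutSeconds: 1
          lifecycle:
            preStop:
              exec:
                # exec hooks run without a shell, so each argv element must
                # be its own list item. The single string "sleep 60" is looked
                # up as an executable of that name, the hook fails, and the
                # container is stopped without the intended delay.
                command: ["sleep", "60"]
        - name: wireguard
          image: bzl://cmd/sds/remoteaccess/wireguard:container_push
          command:
            - /bin/bash
          args:
            - -c
            - /entrypoint/wg-sync.sh
          ports:
            # NOTE(review): WireGuard's own transport is UDP; confirm TCP is
            # what is meant to be declared for 51820.
            - protocol: TCP
              containerPort: 51820
          resources:
            limits:
              cpu: "15m"
              memory: 100Mi
            requests:
              cpu: 5m
              memory: 50Mi
          volumeMounts:
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard/secret/
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # These capabilities act on the pod's network namespace, which
              # the ambassador container shares. SYS_MODULE goes further: it
              # allows loading kernel modules into the node's kernel.
              # NOTE(review): if the nodes already provide the wireguard
              # module, SYS_MODULE can likely be removed. Confirm.
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_MODULE
              # Canonical spelling used by Kubernetes docs and policy checks.
              drop:
                - ALL
            # wg-quick must be run as user 0:
            # https://github.com/WireGuard/wireguard-tools/blob/master/src/wg-quick/linux.bash#L85
            # NOTE(review): consider allowPrivilegeEscalation: false and a
            # read-only root filesystem if wg-sync.sh tolerates them.
            runAsUser: 0
      volumes:
        - name: ambassador-errorpages
          configMap:
            name: ambassador-errorpages
            # 420 decimal == 0644 octal (rw-r--r--).
            defaultMode: 420
        - name: wireguard-config
          secret:
            # optional: true lets the pod start while the Secret is absent;
            # the mount is then empty.
            # NOTE(review): confirm wg-sync.sh handles a missing config.
            optional: true
            secretName: wireguard-client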