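# Deployment patch for the Emissary (Ambassador) ingress pod. Only the fields
# that differ from the base manifest are given here (the `ambassador` container
# has no `image`, so this is presumably applied as a strategic-merge / kustomize
# patch on top of the upstream Deployment -- confirm against the build). It also
# adds a `wireguard` sidecar that brings up a tunnel from a mounted client config.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: emissary-ingress
  namespace: emissary
spec:
  template:
    spec:
      # NOTE(review): the grace period covers the preStop hook AND the time
      # after SIGTERM. With a 60s preStop sleep only ~30s remain for Envoy to
      # drain, while AMBASSADOR_DRAIN_TIME below asks for 300s. Connections
      # still draining at the 90s mark are killed. Either raise this or lower
      # the drain time so the two agree.
      terminationGracePeriodSeconds: 90
      containers:
        - name: ambassador
          env:
            - name: AMBASSADOR_AMBEX_SNAPSHOT_COUNT
              value: "5"
            - name: AMBASSADOR_FAST_RECONFIGURE
              value: "false"
            # Envoy drain time in seconds; see the note on
            # terminationGracePeriodSeconds above.
            - name: AMBASSADOR_DRAIN_TIME
              value: "300"
          resources:
            limits:
              memory: 2000Mi
            requests:
              memory: 1000Mi
          volumeMounts:
            - name: ambassador-errorpages
              mountPath: /ambassador/ambassador-errorpages
          # Both probes hit the admin port over plain HTTP; the admin listener
          # is pod-local, so no TLS is involved here.
          livenessProbe:
            failureThreshold: 6
            httpGet:
              port: admin
              path: /ambassador/v0/check_alive
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 6
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 6
            httpGet:
              port: admin
              path: /ambassador/v0/check_ready
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 6
            successThreshold: 1
            timeoutSeconds: 1
          lifecycle:
            preStop:
              exec:
                # Exec hooks run the argv directly, without a shell. The
                # original single element "sleep 60" was looked up as a
                # binary literally named "sleep 60" and failed, so the hook
                # never delayed anything. Split into program and argument.
                # Keeps the pod in the endpoint-removal window before SIGTERM.
                command: ["sleep", "60"]
        - name: wireguard
          image: bzl://cmd/sds/remoteaccess/wireguard:container_push
          command:
            - /bin/bash
          args:
            - -c
            - /entrypoint/wg-sync.sh
          ports:
            # WireGuard speaks UDP only; the original declared TCP, which is
            # wrong for anything deriving Services or NetworkPolicies from
            # this list. (The containerPort entry is informational and does
            # not itself open or restrict traffic.)
            - protocol: UDP
              containerPort: 51820
          resources:
            limits:
              cpu: "15m"
              memory: 100Mi
            requests:
              cpu: 5m
              memory: 50Mi
          volumeMounts:
            # Client private key lives here; keep it read-only.
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard/secret/
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
                # NOTE(review): SYS_MODULE lets this container load arbitrary
                # kernel modules, which is equivalent to root on the node and
                # defeats every other restriction here. It is only needed if
                # the wireguard module is not already loaded on the host
                # (in-tree since Linux 5.6). Prefer loading the module on the
                # node and dropping this capability -- confirm with the node
                # image before removing.
                - SYS_MODULE
              # Must be the literal "ALL": that is what the Pod Security
              # Admission restricted profile checks for; lowercase "all" is
              # runtime-dependent and fails the PSA check.
              drop:
                - ALL
            # wg-quick refuses to run as anything but uid 0:
            # https://github.com/WireGuard/wireguard-tools/blob/master/src/wg-quick/linux.bash#L85
            runAsUser: 0
            # Root plus explicit capabilities is all wg-quick needs; setting
            # no_new_privs blocks any further privilege gain via setuid/file
            # capabilities from inside the sidecar.
            allowPrivilegeEscalation: false
      volumes:
        - name: ambassador-errorpages
          configMap:
            name: ambassador-errorpages
            # 420 decimal == 0644; the error pages are not sensitive.
            defaultMode: 420
        # NOTE(review): `optional: true` means the pod is scheduled and the
        # sidecar starts even when the `wireguard-client` Secret is absent,
        # with an empty /etc/wireguard/secret/. Whether wg-sync.sh tolerates
        # that or crash-loops is not visible here -- confirm the intended
        # failure mode; if the tunnel is required, make the Secret mandatory.
        - name: wireguard-config
          secret:
            optional: true
            secretName: wireguard-client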