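---
# WireGuard relay: one pod running the WireGuard tunnel plus a Prometheus
# exporter sidecar that reports on the tunnel's state.
#
# Points to keep in mind when editing:
#   - Both containers share the pod network namespace, so the exporter sees
#     the wg0 interface that the wireguard container brings up.
#   - Every container drops ALL capabilities and adds back only what it
#     needs; keep the add lists minimal when changing them.
#   - Tunnel configuration (including key material) comes from the
#     `wireguard-relay` Secret and is never baked into an image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-relay
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  # A single relay: one wg0 interface and one listening port per pod, so
  # scaling this out needs a plan for distributing peers/endpoints first.
  replicas: 1
  selector:
    matchLabels:
      platform.edge.ncr.com/component: wireguard-relay
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: wireguard-relay
    spec:
      # NOTE(review): nothing visible here uses the Kubernetes API. If
      # wg-sync.sh does not either, `automountServiceAccountToken: false`
      # on the pod would remove an unused credential from both containers —
      # confirm against the script before adding it.
      containers:
        - name: prometheus-exporter
          # Image references are Bazel targets substituted at build time.
          image: bzl://hack/deps:wireguardprometheus_container_push
          args:
            - -n/etc/wireguard/wg0.conf  # config file the exporter reads (served from the Secret mount below)
            - -atrue  # run wg with sudo
            - -vfalse  # verbose
            - -dtrue  # enable wireguard_latest_handshake_delay_seconds metric
          ports:
            - name: wg-metrics
              protocol: TCP
              containerPort: 9586
          resources:
            limits:
              cpu: "15m"
              memory: "100Mi"
            requests:
              cpu: "5m"
              memory: "50Mi"
          volumeMounts:
            - name: wireguard-config
              mountPath: /etc/wireguard
              # Secret volumes are mounted read-only by the kubelet anyway;
              # stated explicitly so both containers declare the same intent.
              readOnly: true
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                # NET_ADMIN: query the wg0 interface with `wg`.
                # SETUID/SETGID: let sudo switch identity (`-atrue` above).
                # Because sudo is the whole point, allowPrivilegeEscalation
                # has to stay at its default (true) for this container; do
                # not add `allowPrivilegeEscalation: false` here.
                - NET_ADMIN
                - SETGID
                - SETUID
              drop:
                # Documented spelling is uppercase; runtimes generally
                # normalize case, but the canonical form avoids relying on it.
                - ALL
            runAsUser: 1000  # run as prometheus-wireguard-exporter
        - name: wireguard
          image: bzl://cmd/sds/remoteaccess/wireguard:container_push
          command:
            - /bin/bash
          args:
            - -c
            - /entrypoint/wg-sync.sh
          ports:
            # WireGuard is UDP-only. containerPort is informational, but a
            # Service or NetworkPolicy copied from here with TCP would not
            # carry tunnel traffic.
            - protocol: UDP
              containerPort: 51820
          resources:
            limits:
              cpu: "15m"
              memory: "100Mi"
            requests:
              cpu: "5m"
              memory: "50Mi"
          volumeMounts:
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard/secret/
          imagePullPolicy: IfNotPresent
          # No runAsUser is set, so this container runs as whatever user the
          # image defaults to (presumably root, which `wg` setup needs) — the
          # capability list below is what actually bounds it.
          securityContext:
            capabilities:
              add:
                - NET_ADMIN  # create and configure the wg0 interface and its routes
                - NET_RAW  # presumably for raw-socket/ICMP checks in wg-sync.sh — confirm
                # SYS_MODULE is host-root-equivalent (it loads kernel code).
                # Presumably here to modprobe the wireguard module on nodes
                # whose kernel does not build it in; if every node ships the
                # module, this can be dropped — confirm against wg-sync.sh.
                - SYS_MODULE
              drop:
                - ALL
      volumes:
        - name: wireguard-config
          secret:
            secretName: wireguard-relay
            # With optional: true the pod starts even when the Secret is
            # absent: the mounts are then empty and wg-sync.sh / the exporter
            # fail at runtime rather than at scheduling. Worth remembering
            # when a relay comes up with no tunnel. The exporter expects the
            # Secret to carry a `wg0.conf` key (see its -n argument).
            optional: true
      imagePullSecrets:
        - name: edge-docker-pull-secret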