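---
# WireGuard relay: a single-replica Deployment running the WireGuard tunnel
# endpoint next to a Prometheus exporter that reads the same peer
# configuration. Both containers consume the `wireguard-config` Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-relay
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  # NOTE(review): a single replica is presumably deliberate — WireGuard peer
  # state lives in the kernel interface of one Pod and is not shared across
  # replicas. Confirm before scaling this up.
  replicas: 1
  selector:
    matchLabels:
      platform.edge.ncr.com/component: wireguard-relay
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: wireguard-relay
    spec:
      containers:
        - name: prometheus-exporter
          image: bzl://hack/deps:wireguardprometheus_container_push
          # Each flag and its value are passed as one fused token
          # (e.g. `-atrue`), which is how the exporter's CLI reads them.
          args:
            - -n/etc/wireguard/wg0.conf
            - -atrue   # run wg with sudo
            - -vfalse  # verbose
            - -dtrue   # enable wireguard_latest_handshake_delay_seconds metric
          ports:
            - name: wg-metrics
              protocol: TCP
              containerPort: 9586
          resources:
            limits:
              cpu: 15m
              memory: 100Mi
            requests:
              cpu: 5m
              memory: 50Mi
          volumeMounts:
            # The exporter only reads wg0.conf. Mount it read-only, matching
            # the wireguard container's mount of the same Secret, so the
            # intent is explicit rather than relying on the volume type.
            - name: wireguard-config
              mountPath: /etc/wireguard
              readOnly: true
          imagePullPolicy: IfNotPresent
          securityContext:
            # Drop every capability, then re-add only what `sudo wg` needs:
            # NET_ADMIN to query the interface, SETUID/SETGID for sudo's
            # identity switch. allowPrivilegeEscalation is intentionally left
            # at its default — setting it to false (no_new_privs) would break
            # sudo — so the sudoers policy baked into the image is the real
            # privilege boundary for this container.
            capabilities:
              add:
                - NET_ADMIN
                - SETGID
                - SETUID
              drop:
                - ALL  # canonical Kubernetes spelling; original used lowercase `all`
            runAsUser: 1000  # run as prometheus-wireguard-exporter
        - name: wireguard
          image: bzl://cmd/sds/remoteaccess/wireguard:container_push
          command:
            - /bin/bash
          args:
            - -c
            - /entrypoint/wg-sync.sh
          ports:
            # WireGuard is a UDP-only protocol. The original manifest declared
            # TCP here; containerPort is informational, but the wrong protocol
            # misleads anyone wiring a Service or NetworkPolicy to this port.
            - protocol: UDP
              containerPort: 51820
          resources:
            limits:
              cpu: 15m
              memory: 100Mi
            requests:
              cpu: 5m
              memory: 50Mi
          volumeMounts:
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard/secret/
          imagePullPolicy: IfNotPresent
          securityContext:
            # SYS_MODULE permits loading kernel modules and is effectively
            # host-root; it is presumably here so wg-sync.sh can load the
            # wireguard module on nodes whose kernel lacks it. On kernels with
            # WireGuard built in (mainline since 5.6) it can be dropped —
            # confirm against the node image. No runAsUser is set, so this
            # container runs as whatever user the image defaults to.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_MODULE
              drop:
                - ALL  # canonical Kubernetes spelling; original used lowercase `all`
      volumes:
        # optional: true lets the Pod schedule and start before the Secret
        # exists; until it appears both containers see an empty mount, so a
        # missing Secret surfaces as a non-functional relay rather than a
        # pending Pod.
        - name: wireguard-config
          secret:
            optional: true
            secretName: wireguard-relay
      imagePullSecrets:
        - name: edge-docker-pull-secret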