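---
# Deployment for the wireguard-store pod in the "vpn" namespace: one replica
# running two containers, an nginx container and a WireGuard container started
# through /entrypoint/wg-sync.sh. Keys, values and key order are the author's;
# only the line structure has been restored and review comments added.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-store
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-store
spec:
  replicas: 1
  selector:
    matchLabels:
      platform.edge.ncr.com/component: wireguard-store
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: wireguard-store
      annotations:
        # Linkerd annotation: traffic to this subnet bypasses the sidecar proxy,
        # so it gets no mesh mTLS or mesh policy. NOTE(review): confirm that
        # 172.16.16.0/20 is only the tunnel range and is protected by WireGuard.
        config.linkerd.io/skip-subnets: 172.16.16.0/20
    spec:
      # serviceAccount is the deprecated alias of serviceAccountName; both are
      # set to the same account. NOTE(review): the RBAC bound to wireguard-vnc is
      # not visible here - confirm it is limited to what this pod needs.
      serviceAccountName: wireguard-vnc
      serviceAccount: wireguard-vnc
      priorityClassName: edge-p4-operability-services
      containers:
        # NOTE(review): this container sets no securityContext, so it runs with
        # the image and runtime defaults. Consider allowPrivilegeEscalation:
        # false, a capabilities drop and readOnlyRootFilesystem once the image
        # is confirmed to work with them.
        - name: nginx
          # bzl:// is not a registry reference; presumably build tooling rewrites
          # it to a pushed image - TODO confirm it is pinned by digest.
          image: bzl://hack/deps:nginx_container_push
          ports:
            - protocol: TCP
              containerPort: 80
          resources:
            limits:
              cpu: "15m"
              memory: 100Mi
            requests:
              cpu: 5m
              memory: 50Mi
          volumeMounts:
            # subPath mounts of a ConfigMap are not refreshed when the ConfigMap
            # changes; a new nginx.conf takes effect only after a pod restart.
            - name: nginx-config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
          imagePullPolicy: IfNotPresent
        - name: wireguard
          image: bzl://cmd/sds/remoteaccess/wireguard:container_push
          command:
            - /bin/bash
          args:
            - -c
            - /entrypoint/wg-sync.sh
          ports:
            # NOTE(review): WireGuard's transport is UDP, but this port is
            # declared TCP. containerPort is mostly informational; confirm what
            # actually listens on 51820 and how the Service exposes it.
            - protocol: TCP
              containerPort: 51820
          resources:
            limits:
              cpu: "15m"
              memory: 100Mi
            requests:
              cpu: 5m
              memory: 50Mi
          volumeMounts:
            # Key material from the wireguard-store Secret, mounted read-only.
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard/secret/
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # NET_ADMIN is needed to create and configure network interfaces.
              # SYS_MODULE allows loading kernel modules into the node's kernel,
              # which is close to node-level privilege. NOTE(review): if the
              # nodes already ship the wireguard module, SYS_MODULE (and possibly
              # NET_RAW) may be removable - confirm against wg-sync.sh.
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_MODULE
              # NOTE(review): the canonical spelling is ALL; Pod Security
              # Standards checks match on "ALL". Confirm the node runtime treats
              # the lowercase form as drop-everything before relying on it.
              drop:
                - all
      volumes:
        - name: nginx-config
          configMap:
            name: nginx-config
        - name: wireguard-config
          secret:
            # optional: true lets the pod start even when the Secret does not
            # exist, leaving the mount empty. NOTE(review): confirm wg-sync.sh
            # fails closed (no tunnel) in that case rather than running without
            # configuration.
            optional: true
            secretName: wireguard-store
      imagePullSecrets:
        - name: edge-docker-pull-secret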