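---
# Deployment for the wireguard-relay pod in the vpn namespace: one replica
# running a WireGuard container and a Prometheus exporter sidecar. Both
# containers mount the wireguard-relay Secret.
#
# NOTE(review): neither container sets allowPrivilegeEscalation,
# runAsNonRoot, readOnlyRootFilesystem or resource limits. Consider adding
# them once confirmed compatible with the images.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-relay
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  replicas: 1
  selector:
    matchLabels:
      platform.edge.ncr.com/component: wireguard-relay
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: wireguard-relay
    spec:
      containers:
        - name: prometheus-exporter
          # bzl:// is not a registry reference; presumably the build tooling
          # rewrites it to a pushed image before apply (confirm).
          image: bzl://hack/deps:wireguardprometheus_container_push
          args:
            - -n/etc/wireguard/wg0.conf
            - -afalse
            - -vfalse
          ports:
            - name: wg-metrics
              protocol: TCP
              containerPort: 9586
          volumeMounts:
            # Same Secret as the wireguard container. Marked read-only to
            # match that mount; nothing in this manifest has the exporter
            # write to it.
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # NOTE(review): NET_ADMIN, SETGID and SETUID are broad for a
              # metrics sidecar. Confirm each is required by the exporter
              # and remove the ones that are not.
              add:
                - NET_ADMIN
                - SETGID
                - SETUID
              # Canonical upper-case spelling; policy tooling commonly
              # matches the literal string "ALL".
              drop:
                - ALL
        - name: wireguard
          image: bzl://cmd/sds/remoteaccess/wireguard:container_push
          command:
            - /bin/bash
          args:
            - -c
            - /entrypoint/wg-sync.sh
          ports:
            # NOTE(review): WireGuard's own transport is UDP. Confirm that
            # TCP is what this relay is meant to declare on 51820.
            - protocol: TCP
              containerPort: 51820
          volumeMounts:
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard/secret/
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # SYS_MODULE lets this container load kernel modules on the
              # node, which is node-level privilege.
              # NOTE(review): if the nodes already have the wireguard module
              # available (in-tree since Linux 5.6), check whether
              # SYS_MODULE and NET_RAW can be removed.
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_MODULE
              drop:
                - ALL
      volumes:
        - name: wireguard-config
          secret:
            # optional: true lets the pod start when the Secret is absent;
            # the mount is then empty, so both containers must tolerate
            # missing config (confirm).
            optional: true
            secretName: wireguard-relay
      imagePullSecrets:
        - name: edge-docker-pull-secret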