apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-relay
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  replicas: 1
  selector:
    matchLabels:
      platform.edge.ncr.com/component: wireguard-relay
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: wireguard-relay
    spec:
      containers:
      - name: prometheus-exporter
        image: bzl://hack/deps:wireguardprometheus_container_push
        args:
        - -n/etc/wireguard/wg0.conf
        - -afalse
        - -vfalse
        ports:
        - name: wg-metrics
          protocol: TCP
          containerPort: 9586
        volumeMounts:
        - name: wireguard-config
          mountPath: /etc/wireguard
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - SETGID
            - SETUID
            drop:
            - all
      - name: wireguard
        image: bzl://cmd/sds/remoteaccess/wireguard:container_push
        command:
        - /bin/bash
        args:
        - -c
        - /entrypoint/wg-sync.sh
        ports:
        - protocol: TCP
          containerPort: 51820
        volumeMounts:
        - name: wireguard-config
          readOnly: true
          mountPath: /etc/wireguard/secret/
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
            - SYS_MODULE
            drop:
            - all
      volumes:
      - name: wireguard-config
        secret:
          optional: true
          secretName: wireguard-relay
      imagePullSecrets:
      - name: edge-docker-pull-secret