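---
# Deployment for the WireGuard relay in the "vpn" namespace: one pod with two
# containers (a Prometheus metrics exporter and the WireGuard process) that
# both mount the "wireguard-relay" Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-relay
  namespace: vpn
  labels:
    platform.edge.ncr.com/component: wireguard-relay
spec:
  replicas: 1
  selector:
    matchLabels:
      platform.edge.ncr.com/component: wireguard-relay
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: wireguard-relay
    spec:
      # NOTE(review): neither container sets allowPrivilegeEscalation,
      # readOnlyRootFilesystem, runAsNonRoot or resource limits. Evaluate
      # adding them once the images' runtime requirements are confirmed.
      containers:
        - name: prometheus-exporter
          # bzl:// is not a registry reference; presumably rewritten by the
          # build before this manifest is applied - TODO confirm.
          image: bzl://hack/deps:wireguardprometheus_container_push
          # -n points the exporter at wg0.conf inside the mounted Secret, so
          # this sidecar can read everything stored in that Secret.
          # NOTE(review): if the exporter does not need the key material,
          # give it a separate volume that projects only the keys it needs.
          args:
            - '-n/etc/wireguard/wg0.conf'
            - '-afalse'
            - '-vfalse'
          ports:
            - name: wg-metrics
              protocol: TCP
              containerPort: 9586
          volumeMounts:
            - name: wireguard-config
              # Read-only, matching the wireguard container's mount of the
              # same Secret.
              readOnly: true
              mountPath: /etc/wireguard
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # NOTE(review): NET_ADMIN, SETGID and SETUID are broad for a
              # metrics sidecar; confirm each one is required by the exporter
              # image and remove any that are not.
              add:
                - NET_ADMIN
                - SETGID
                - SETUID
              # Canonical upper-case spelling; admission policies typically
              # match on "ALL" exactly.
              drop:
                - ALL
        - name: wireguard
          image: bzl://cmd/sds/remoteaccess/wireguard:container_push
          command:
            - /bin/bash
          args:
            - '-c'
            - /entrypoint/wg-sync.sh
          ports:
            # NOTE(review): WireGuard's own transport is UDP; confirm that
            # TCP is intended for 51820 (for example a TCP front-end in this
            # image) or switch the declaration to UDP.
            - protocol: TCP
              containerPort: 51820
          volumeMounts:
            - name: wireguard-config
              readOnly: true
              mountPath: /etc/wireguard/secret/
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              # SYS_MODULE allows loading kernel modules into the node's
              # kernel from this container.
              # NOTE(review): if the nodes already provide the wireguard
              # module, this capability can likely be removed - confirm
              # against wg-sync.sh.
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_MODULE
              # Canonical upper-case spelling; admission policies typically
              # match on "ALL" exactly.
              drop:
                - ALL
      volumes:
        - name: wireguard-config
          secret:
            # optional: true lets the pod start with an empty volume when the
            # Secret is absent.
            # NOTE(review): confirm both containers handle a missing config;
            # otherwise prefer failing pod start over running unconfigured.
            optional: true
            secretName: wireguard-relay
      imagePullSecrets:
        - name: edge-docker-pull-secret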