apps/wireguard/install.yaml

kind: Secret
apiVersion: v1
metadata:
  name: wg-secret
  namespace: wireguard
type: Opaque
data:
  # Generate and encode the server private key: `wg genkey | base64`
  privatekey: Z0hnaVdNdDJjbzhKQ2JyT05HWnlLTEFpYnVKaUJRdFlUZzJ0RlJkS1NrST0K
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: wg-configmap
  namespace: wireguard
data:
  wg0.conf: |
    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    PostUp = wg set wg0 private-key /etc/wireguard/privatekey; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    # PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j MASQUERADE
    # PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    # PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -A FORWARD -i %i -j ACCEPT && iptables -A FORWARD -o %i -j ACCEPT && iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
    # PostDown = iptables -D FORWARD -i %i -j ACCEPT && iptables -D FORWARD -o %i -j ACCEPT && iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    DNS = 8.8.8.8

    [Peer]
    PublicKey = ES2NAzBw/ZVWu14blA2/UiQBVfeuxZpstbZbkEAuzUo=
    AllowedIPs = 10.0.0.2/24
---
kind: Service
apiVersion: v1
metadata:
  name: wireguard
  namespace: wireguard
  labels:
    app: wireguard
spec:
  type: LoadBalancer
  ports:
  - name: wg
    protocol: UDP
    port: 51820
    targetPort: 51820
  selector:
    app: wireguard
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
  namespace: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      initContainers:
        - name: sysctls
          image: busybox
          command:
          - sh
          - -c
          - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
            privileged: true
      containers:
        - name: wireguard
          image: giolekva/wireguard:latest
          command:
          - sh
          - -c
          - echo "Public key '$(wg pubkey < /etc/wireguard/privatekey)'" && sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1 && /entrypoint.sh
          ports:
          - containerPort: 51820
            protocol: UDP
            name: wireguard
          env:
          - name: LOG_LEVEL
            value: debug
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
            privileged: true
          resources:
            requests:
              memory: 64Mi
              cpu: "100m"
            limits:
              memory: 256Mi
          volumeMounts:
          - name: cfgmap
            mountPath: /etc/wireguard/wg0.conf
            subPath: wg0.conf
          - name: secret
            mountPath: /etc/wireguard/privatekey
            subPath: privatekey
      volumes:
      - name: cfgmap
        configMap:
          name: wg-configmap
      - name: secret
        secret:
          secretName: wg-secret