wireguard
diff --git a/apps/wireguard/install.yaml b/apps/wireguard/install.yaml
new file mode 100644
index 0000000..5864424
--- /dev/null
+++ b/apps/wireguard/install.yaml
@@ -0,0 +1,115 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: wg-secret
+ namespace: wireguard
+type: Opaque
+data:
+ # Generate and encode the server private key: `wg genkey | base64`
+ privatekey: Z0hnaVdNdDJjbzhKQ2JyT05HWnlLTEFpYnVKaUJRdFlUZzJ0RlJkS1NrST0K
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: wg-configmap
+ namespace: wireguard
+data:
+ wg0.conf: |
+ [Interface]
+ Address = 10.0.0.1/24
+ ListenPort = 51820
+ PostUp = wg set wg0 private-key /etc/wireguard/privatekey; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+ # PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o eth0 -j MASQUERADE
+ # PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+ # PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -A FORWARD -i %i -j ACCEPT && iptables -A FORWARD -o %i -j ACCEPT && iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
+ # PostDown = iptables -D FORWARD -i %i -j ACCEPT && iptables -D FORWARD -o %i -j ACCEPT && iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+ DNS = 8.8.8.8
+
+ [Peer]
+ PublicKey = ES2NAzBw/ZVWu14blA2/UiQBVfeuxZpstbZbkEAuzUo=
+ AllowedIPs = 10.0.0.2/24
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: wireguard
+ namespace: wireguard
+ labels:
+ app: wireguard
+spec:
+ type: LoadBalancer
+ ports:
+ - name: wg
+ protocol: UDP
+ port: 51820
+ targetPort: 51820
+ selector:
+ app: wireguard
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wireguard
+ namespace: wireguard
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wireguard
+ template:
+ metadata:
+ labels:
+ app: wireguard
+ spec:
+ initContainers:
+ - name: sysctls
+ image: busybox
+ command:
+ - sh
+ - -c
+ - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ privileged: true
+ containers:
+ - name: wireguard
+ image: giolekva/wireguard:latest
+ command:
+ - sh
+ - -c
+ - echo "Public key '$(wg pubkey < /etc/wireguard/privatekey)'" && sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1 && /entrypoint.sh
+ ports:
+ - containerPort: 51820
+ protocol: UDP
+ name: wireguard
+ env:
+ - name: LOG_LEVEL
+ value: debug
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ privileged: true
+ resources:
+ requests:
+ memory: 64Mi
+ cpu: "100m"
+ limits:
+ memory: 256Mi
+ volumeMounts:
+ - name: cfgmap
+ mountPath: /etc/wireguard/wg0.conf
+ subPath: wg0.conf
+ - name: secret
+ mountPath: /etc/wireguard/privatekey
+ subPath: privatekey
+ volumes:
+ - name: cfgmap
+ configMap:
+ name: wg-configmap
+ - name: secret
+ secret:
+ secretName: wg-secret
\ No newline at end of file
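Review bot: The base64 value under `privatekey` in the new Secret is an actual WireGuard server private key committed to the repository, so it is readable by anyone with access to the history and should be regenerated out of band and injected by a mechanism that is not checked in (the manifest can keep the comment and a placeholder such as `privatekey: <base64 of wg genkey output>`). In the ConfigMap, `AllowedIPs = 10.0.0.2/24` masks to the whole 10.0.0.0/24, which lets that single peer claim every tunnel address and will collide with any second peer added later; for one client use `AllowedIPs = 10.0.0.2/32`. Both containers set `privileged: true`, which already grants every capability, so the `NET_ADMIN` entries are redundant, and the init container runs the same two sysctl commands the main container repeats in its own command string a few lines below, so one of the two can be dropped. The `busybox` and `giolekva/wireguard:latest` image references are unpinned; a fixed tag or digest would make the deployment reproducible.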