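---
# WireGuard endpoint bridged into a Tailscale/Headscale network.
# One pod: an init container that enables IPv4 forwarding, a WireGuard
# container, and a Tailscale sidecar that advertises the WireGuard subnet.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wgtsbridge
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      # The service account is used by tailscaled's `kube:` state backend
      # (see the sidecar script); the RBAC granting it access to the state
      # secret is not part of this manifest.
      serviceAccountName: wgtsbridge
      # Shared PID namespace: the tailscale sidecar waits on `pidof` of a
      # process that belongs to the wireguard container. It also lets every
      # container in the pod see, signal and read /proc of the others' processes.
      shareProcessNamespace: true
      initContainers:
        # Enables IPv4 forwarding in the pod network namespace before the
        # main containers start.
        - name: sysctls
          # NOTE(review): untagged image resolves to a mutable tag; pin a
          # version or digest so the init step is reproducible and reviewable.
          image: busybox
          command:
            - sh
            - -c
            - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
          # `privileged: true` already implies every capability, so the
          # explicit NET_ADMIN add is redundant here.
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
            privileged: true
      containers:
        - name: wireguard
          # NOTE(review): `:latest` is a mutable tag; pin by digest to make the
          # deployed image auditable.
          image: docker.io/masipcat/wireguard-go:latest
          command:
            - sh
            - -c
            # Logs the derived public key only (never the private key), then
            # hands off to the image entrypoint.
            - echo "Public key '$(wg pubkey < /etc/wireguard/privatekey)'" && /entrypoint.sh
          ports:
            - containerPort: 51820
              protocol: UDP
              name: wireguard
          env:
            - name: LOG_LEVEL
              value: info
          # NOTE(review): privileged grants every capability and host device
          # access, making the NET_ADMIN add redundant. If the image only needs
          # NET_ADMIN plus /dev/net/tun, dropping `privileged` narrows the blast
          # radius of a compromised container — verify against the image.
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
            privileged: true
          resources:
            requests:
              memory: 64Mi
              cpu: "100m"
            limits:
              memory: 256Mi
          volumeMounts:
            - name: cfgmap
              mountPath: /etc/wireguard/wg0.conf
              subPath: wg0.conf
            - name: secret
              mountPath: /etc/wireguard/privatekey
              subPath: privatekey
        - name: tailscale
          image: ghcr.io/tailscale/tailscale:v1.62.1
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - |
              export PATH=$PATH:/tailscale/bin
              # Process (visible through the shared PID namespace) whose exit
              # ends this sidecar.
              # NOTE(review): assumes /entrypoint.sh in the wireguard container
              # runs under bash — confirm, otherwise the wait loop ends at once.
              export PROCESS_TO_WAIT_FOR="bash"
              set -e

              # POSIX `[` rather than `[[`: the interpreter is /bin/sh.
              if [ ! -d /dev/net ]; then
                mkdir -p /dev/net
              fi
              if [ ! -c /dev/net/tun ]; then
                mknod /dev/net/tun c 10 200
              fi

              echo "==> Starting tailscaled in background"
              # State is kept in the Kubernetes secret `tsstate` via the kube: backend.
              tailscaled --socket=/tmp/tailscaled.sock --state=kube:tsstate --no-logs-no-support &
              TS_PID=$!

              # The auth key is a credential: never echo it, or it ends up in
              # container logs and every log aggregator downstream.
              echo "==> Running tailscale up"
              # NOTE(review): the key is still passed as a command-line argument,
              # readable from /proc by any process in the shared PID namespace;
              # prefer a file- or env-based key if the CLI version supports it.
              tailscale --socket=/tmp/tailscaled.sock up \
                --authkey="${TS_AUTH_KEY}" \
                --accept-dns=false \
                --advertise-routes="10.42.42.0/24" \
                --hostname=wireguard-bridge \
                --snat-subnet-routes=true \
                --login-server https://headscale.tbrnt.ch

              echo "==> Waiting for Tailscale to connect properly"
              until tailscale --socket=/tmp/tailscaled.sock status; do
                echo "... Tailscale not ready yet"
                sleep 2
              done

              echo "==> Connected! Waiting for main container to exit"
              while pidof "$PROCESS_TO_WAIT_FOR" > /dev/null; do sleep 1; done

              echo "==> Main container ended - stopping Tailscale"
              kill -s SIGINT "$TS_PID"
              wait "${TS_PID}"
          env:
            - name: TS_AUTH_KEY
              valueFrom:
                secretKeyRef:
                  key: TS_AUTH_KEY
                  name: wg-secret
            # Presumably the same secret tailscaled is started with (`kube:tsstate`) — verify.
            - name: TS_KUBE_SECRET
              value: tsstate
            # Kernel-mode networking; quoted so the consumer receives the string, not a bool.
            - name: TS_USERSPACE
              value: "false"
          # NOTE(review): no requests/limits — the sidecar is unbounded and gets
          # no scheduling guarantees; consider setting both.
          resources: {}
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
      volumes:
        - name: cfgmap
          configMap:
            name: wg-configmap
        - name: secret
          secret:
            secretName: wg-secret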