{{ if .Values.wireguard.enabled -}} apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ include "..fullname" . }}-frontend labels: {{- include "..labels" . | nindent 4 }} spec: selector: matchLabels: {{- include "..selectorLabels" . | nindent 6 }} component: frontend template: metadata: labels: {{- include "..selectorLabels" . | nindent 8 }} component: frontend spec: hostNetwork: false initContainers: - name: tproxy-setup image: nixery.dev/busybox/iptables command: ["/bin/sh", "-x", "/entrypoint.sh"] env: {{- include "..commonEnv" . | nindent 10 }} securityContext: capabilities: add: ["NET_ADMIN"] volumeMounts: - name: tproxy-setup mountPath: "/entrypoint.sh" subPath: "tproxy-setup.sh" readOnly: true - name: wg-setup image: "nixery.dev/busybox/wireguard-tools" command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"] env: {{- include "..commonEnv" . | nindent 10 }} securityContext: capabilities: add: ["NET_ADMIN"] volumeMounts: - name: wireguard mountPath: "/etc/wireguard" readOnly: true containers: - name: tproxy # Image source: github.com/burgerdev/go-tproxy image: ghcr.io/burgerdev/go-tproxy:latest command: ["/tproxy", "--port=61001", "--nat=true"] securityContext: capabilities: add: ["NET_RAW"] volumes: - name: tproxy-setup configMap: name: {{ include "..fullname" . }}-tproxy - name: wireguard projected: sources: - secret: name: {{ include "..fullname" . }}-wg items: - key: wg.conf path: wg.conf - configMap: name: {{ include "..fullname" . }}-wg items: - key: wireguard-setup.sh path: wireguard-setup.sh {{- end }}