mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-29 01:16:12 -05:00
0564e4ebb4
* vpn: add fake-on-prem infra * dev-docs: move vpn helm
69 lines
2.0 KiB
YAML
69 lines
2.0 KiB
YAML
{{ if .Values.wireguard.enabled -}}
|
|
apiVersion: apps/v1
|
|
kind: StatefulSet
|
|
metadata:
|
|
name: {{ include "..fullname" . }}-frontend
|
|
labels: {{- include "..labels" . | nindent 4 }}
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
{{- include "..selectorLabels" . | nindent 6 }}
|
|
component: frontend
|
|
template:
|
|
metadata:
|
|
labels:
|
|
{{- include "..selectorLabels" . | nindent 8 }}
|
|
component: frontend
|
|
spec:
|
|
hostNetwork: false
|
|
initContainers:
|
|
- name: tproxy-setup
|
|
image: nixery.dev/busybox/iptables
|
|
command: ["/bin/sh", "-x", "/entrypoint.sh"]
|
|
env: {{- include "..commonEnv" . | nindent 10 }}
|
|
securityContext:
|
|
capabilities:
|
|
add: ["NET_ADMIN"]
|
|
volumeMounts:
|
|
- name: tproxy-setup
|
|
mountPath: "/entrypoint.sh"
|
|
subPath: "tproxy-setup.sh"
|
|
readOnly: true
|
|
- name: wg-setup
|
|
image: "nixery.dev/busybox/wireguard-tools"
|
|
command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"]
|
|
env: {{- include "..commonEnv" . | nindent 10 }}
|
|
securityContext:
|
|
capabilities:
|
|
add: ["NET_ADMIN"]
|
|
volumeMounts:
|
|
- name: wireguard
|
|
mountPath: "/etc/wireguard"
|
|
readOnly: true
|
|
containers:
|
|
- name: tproxy
|
|
# Image source: github.com/burgerdev/go-tproxy
|
|
image: ghcr.io/burgerdev/go-tproxy:latest
|
|
command: ["/tproxy", "--port=61001", "--nat=true"]
|
|
securityContext:
|
|
capabilities:
|
|
add: ["NET_RAW"]
|
|
volumes:
|
|
- name: tproxy-setup
|
|
configMap:
|
|
name: {{ include "..fullname" . }}-tproxy
|
|
- name: wireguard
|
|
projected:
|
|
sources:
|
|
- secret:
|
|
name: {{ include "..fullname" . }}-wg
|
|
items:
|
|
- key: wg.conf
|
|
path: wg.conf
|
|
- configMap:
|
|
name: {{ include "..fullname" . }}-wg
|
|
items:
|
|
- key: wireguard-setup.sh
|
|
path: wireguard-setup.sh
|
|
{{- end }}
|