From f8c69c2434582d2c8ccb9424fa1325f0856915df Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Mon, 29 Jun 2026 21:00:55 +0300
Subject: [PATCH] Added config reload
---
 k8s/apps/amnezia/configmap-scripts.yaml | 58 ++++++++++++++++++++++++-
 k8s/apps/amnezia/daemonset.yaml | 47 ++++++++++++++++----
 2 files changed, 96 insertions(+), 9 deletions(-)
diff --git a/k8s/apps/amnezia/configmap-scripts.yaml b/k8s/apps/amnezia/configmap-scripts.yaml
index 490175b..3b8117f 100644
--- a/k8s/apps/amnezia/configmap-scripts.yaml
+++ b/k8s/apps/amnezia/configmap-scripts.yaml
@@ -126,7 +126,7 @@ data:
 set -euo pipefail
 SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
- CLIENTS_DIR="/etc/amnezia/clients"
+ CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
 RUNTIME_CONFIG="/run/amnezia/awg0.conf"
 SYNC_CONFIG="/run/amnezia/awg0.sync.conf"
 STATUS_FILE="/run/amnezia/reload-status"
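Review bot: The new default `/run/amnezia/clients` on the changed CLIENTS_DIR line is repeated verbatim as the CLIENTS_DIR default in the new client-secret-sync.sh, with nothing tying the two together; if one is edited the reload script silently watches a directory the sidecar never fills. A comment on the changed line such as `# must match CLIENTS_DIR in client-secret-sync.sh, which populates this directory` would make the coupling visible, or both scripts could read one AMNEZIAWG_CLIENTS_DIR set on the pod so there is a single source of truth. The enclosing script continues outside the hunk.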
@@ -229,6 +229,62 @@ data:
 write_reload_status applied "${initial_hash}"
 watch_client_config "${initial_hash}"
 
+ client-secret-sync.sh: |
+ #!/usr/bin/env bash
+ set -euo pipefail
+
+ CLIENT_SECRET="${AMNEZIAWG_CLIENT_SECRET:-amneziawg-clients}"
+ CLIENT_SECRET_KEY="${AMNEZIAWG_CLIENT_SECRET_KEY:-peers.conf}"
+ CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
+ PEERS_FILE="${CLIENTS_DIR}/peers.conf"
+ SYNC_INTERVAL="${AMNEZIAWG_CLIENT_SECRET_SYNC_INTERVAL:-5}"
+ NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
+
+ write_empty_once() {
+ mkdir -p "${CLIENTS_DIR}"
+ if [ ! -f "${PEERS_FILE}" ]; then
+ : > "${PEERS_FILE}"
+ chmod 0600 "${PEERS_FILE}"
+ fi
+ }
+
+ sync_once() {
+ mkdir -p "${CLIENTS_DIR}"
+ local tmp_file="${PEERS_FILE}.tmp"
+ local encoded=""
+
+ if ! encoded="$(kubectl get secret "${CLIENT_SECRET}" -n "${NAMESPACE}" -o "go-template={{ index .data \"${CLIENT_SECRET_KEY}\" }}" 2>/dev/null)"; then
+ echo "WARN: failed to read Secret ${NAMESPACE}/${CLIENT_SECRET}; keeping current peers" >&2
+ write_empty_once
+ return 0
+ fi
+
+ if [ -n "${encoded}" ]; then
+ printf '%s' "${encoded}" | base64 -d > "${tmp_file}"
+ else
+ : > "${tmp_file}"
+ fi
+ chmod 0600 "${tmp_file}"
+
+ if [ -f "${PEERS_FILE}" ] && cmp -s "${tmp_file}" "${PEERS_FILE}"; then
+ rm -f "${tmp_file}"
+ return 0
+ fi
+
+ mv "${tmp_file}" "${PEERS_FILE}"
+ echo "Synced AmneziaWG client peers from Secret ${NAMESPACE}/${CLIENT_SECRET}:${CLIENT_SECRET_KEY}"
+ }
+
+ if [ "${1:-}" = "once" ]; then
+ sync_once
+ exit 0
+ fi
+
+ while true; do
+ sync_once || true
+ sleep "${SYNC_INTERVAL}"
+ done
+
 status-patch.sh: |
 #!/usr/bin/env bash
 set -euo pipefail
diff --git a/k8s/apps/amnezia/daemonset.yaml b/k8s/apps/amnezia/daemonset.yaml
index da1f926..d6f6663 100644
--- a/k8s/apps/amnezia/daemonset.yaml
+++ b/k8s/apps/amnezia/daemonset.yaml
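Review bot: A Secret that exists but has no `${CLIENT_SECRET_KEY}` entry, or whose value is not valid base64, is not handled in sync_once: kubectl's go-template prints `<no value>` for a missing key (if I recall its behaviour correctly), so `encoded` is non-empty, `base64 -d` fails, and under `set -e` that aborts the `once` init container, while inside the `sync_once || true` loop errexit is suppressed and the truncated tmp_file is still chmod'ed and mv'ed over PEERS_FILE, replacing the live peer list with an empty file. Only an empty value should mean "no peers"; a missing key or a decode failure should warn and keep the current file, as below. The tmp file is also created with the process umask and only then chmod'ed, so a `umask 077` near the top of the script would close the window in which peers.conf.tmp may be readable by other users of the shared emptyDir (relevant if peers.conf carries preshared keys).
```bash
  # … unchanged: kubectl get secret into ${encoded} …
  if [ -z "${encoded}" ]; then
    : > "${tmp_file}"
  elif [ "${encoded}" = "<no value>" ] || ! printf '%s' "${encoded}" | base64 -d > "${tmp_file}"; then
    echo "WARN: key ${CLIENT_SECRET_KEY} missing or not valid base64 in Secret ${NAMESPACE}/${CLIENT_SECRET}; keeping current peers" >&2
    rm -f "${tmp_file}"
    write_empty_once
    return 0
  fi
  chmod 0600 "${tmp_file}"
  # … unchanged: cmp / mv …
```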
@@ -78,6 +78,26 @@ spec:
 kubectl create secret generic amneziawg-endpoints -n "${NAMESPACE}" \
 --from-literal="${NODE_NAME}=${VALUE}"
 fi
+ - name: sync-client-secret
+ image: bitnami/kubectl:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - /scripts/client-secret-sync.sh
+ - once
+ resources:
+ requests:
+ memory: "32Mi"
+ cpu: "10m"
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ volumeMounts:
+ - name: scripts
+ mountPath: /scripts
+ readOnly: true
+ - name: runtime-config
+ mountPath: /run/amnezia
 containers:
 - name: amneziawg
 image: amneziavpn/amneziawg-go:latest
@@ -126,9 +146,6 @@ spec:
 - name: server-config
 mountPath: /etc/amnezia/server
 readOnly: true
- - name: client-config
- mountPath: /etc/amnezia/clients
- readOnly: true
 - name: scripts
 mountPath: /scripts
 readOnly: true
@@ -160,6 +177,25 @@ spec:
 readOnly: true
 - name: runtime-config
 mountPath: /run/amnezia
+ - name: client-secret-sync
+ image: bitnami/kubectl:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - /scripts/client-secret-sync.sh
+ resources:
+ requests:
+ memory: "32Mi"
+ cpu: "10m"
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ volumeMounts:
+ - name: scripts
+ mountPath: /scripts
+ readOnly: true
+ - name: runtime-config
+ mountPath: /run/amnezia
 - name: amneziawg-exporter-redis
 image: redis:alpine
 imagePullPolicy: IfNotPresent
@@ -219,11 +255,6 @@ spec:
 items:
 - key: awg0.conf
 path: awg0.conf
- - name: client-config
- secret:
- secretName: amneziawg-clients
- optional: true
- defaultMode: 0600
 - name: scripts
 configMap:
 name: amneziawg-scripts
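Review bot: Both new kubectl containers (here and in the `@@ -160,6 +177,25 @@` hunk) run `bitnami/kubectl:latest` with `imagePullPolicy: IfNotPresent`, so each node runs whichever image it happens to have cached and an upstream change to `latest` lands node by node; pin a tag or digest, e.g. `image: bitnami/kubectl:<pinned-version>` (placeholder). The sidecar reads the amneziawg-clients Secret through the pod's ServiceAccount, yet the diffstat lists no RBAC change; the account presumably already holds `create` on secrets for the endpoints init container visible above, so verify it also has `get` on that Secret, ideally scoped with `resourceNames`, otherwise the sidecar logs its WARN every 5 s and the peer list stays empty. Neither new container sets a securityContext; if the other containers in this pod do, the same runAsNonRoot / readOnlyRootFilesystem settings should apply here as well.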