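---
# AmneziaWG server DaemonSet: one pod per node labelled amnezia-vpn=true,
# on the host network, with an init container that publishes this node's
# public endpoint (external-ipv4 label or ExternalIP, plus the UDP port)
# into the amneziawg-endpoints Secret under a key named after the node.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: amneziawg
  labels:
    app: amneziawg
  annotations:
    # Reloader restarts the pods when the mounted Secrets change.
    reloader.stakater.com/auto: "true"
    secret.reloader.stakater.com/reload: "amneziawg-server,amneziawg-clients"
spec:
  selector:
    matchLabels:
      app: amneziawg
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: amneziawg
    spec:
      serviceAccountName: amneziawg
      # hostNetwork exposes the UDP listener directly on the node address
      # that the init container registers; DNS must then be configured
      # explicitly for the pod to still resolve cluster names.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector:
        amnezia-vpn: "true"
      tolerations:
        - operator: Exists
      initContainers:
        - name: register-endpoint
          # NOTE(review): `latest` is a mutable tag; pin to a release tag or
          # digest so the init container's toolchain cannot change underneath
          # the deployment.
          image: bitnami/kubectl:latest
          imagePullPolicy: IfNotPresent
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: PORT
              value: "5847"
          command:
            - /bin/bash
            - -lc
            - |
              set -euo pipefail
              NAMESPACE="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"

              # Prefer an operator-assigned external-ipv4 label, then fall back
              # to the node's ExternalIP address from status.
              ENDPOINT="$(kubectl get node "${NODE_NAME}" -o jsonpath="{.metadata.labels['external-ipv4']}")"
              if [ -z "${ENDPOINT}" ]; then
                ENDPOINT="$(kubectl get node "${NODE_NAME}" -o jsonpath='{range .status.addresses[?(@.type=="ExternalIP")]}{.address}{end}')"
              fi
              if [ -z "${ENDPOINT}" ]; then
                echo "ERROR: node ${NODE_NAME} has no external-ipv4 label and no ExternalIP"
                exit 1
              fi

              VALUE="${ENDPOINT}:${PORT}"
              echo "Registering AmneziaWG endpoint: ${NODE_NAME} -> ${VALUE}"

              # NODE_NAME is a DNS subdomain name and ENDPOINT is either a
              # label value or an IP address; neither can contain quotes or
              # backslashes, so interpolating them into the JSON patch is safe.
              patch_endpoint() {
                kubectl patch secret amneziawg-endpoints -n "${NAMESPACE}" \
                  --type merge -p "{\"stringData\":{\"${NODE_NAME}\":\"${VALUE}\"}}"
              }

              # DaemonSet pods on several nodes run this concurrently. If two
              # of them see no Secret and both try to create it, the loser gets
              # AlreadyExists; patch the now-existing Secret instead of failing
              # the init container and restarting the pod.
              if kubectl get secret amneziawg-endpoints -n "${NAMESPACE}" >/dev/null 2>&1; then
                patch_endpoint
              elif ! kubectl create secret generic amneziawg-endpoints -n "${NAMESPACE}" \
                  --from-literal="${NODE_NAME}=${VALUE}"; then
                patch_endpoint
              fi
      containers:
        - name: amneziawg
          # NOTE(review): `latest` is a mutable tag; pin to a release tag or
          # digest for reproducible, auditable rollouts.
          image: amneziavpn/amneziawg-go:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            # NOTE(review): privileged already grants every capability, so the
            # add list below is redundant while this stays true. The image name
            # suggests the userspace implementation; verify whether NET_ADMIN
            # plus the /dev/net/tun mount is sufficient and drop privileged
            # (and SYS_MODULE) if no kernel module is loaded.
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          command:
            - /bin/bash
            - /scripts/run.sh
          ports:
            - name: awg
              containerPort: 5847
              protocol: UDP
          readinessProbe:
            exec:
              command:
                - /bin/bash
                - -lc
                - awg show awg0 >/dev/null 2>&1
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          livenessProbe:
            exec:
              command:
                - /bin/bash
                - -lc
                - awg show awg0 >/dev/null 2>&1
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          resources:
            requests:
              memory: "64Mi"
              cpu: "50m"
            limits:
              memory: "256Mi"
              cpu: "500m"
          volumeMounts:
            - name: server-config
              mountPath: /etc/amnezia/server
              readOnly: true
            - name: client-config
              mountPath: /etc/amnezia/clients
              readOnly: true
            - name: scripts
              mountPath: /scripts
              readOnly: true
            - name: runtime-config
              mountPath: /run/amnezia
            - name: dev-net-tun
              mountPath: /dev/net/tun
      volumes:
        # File modes are written in decimal: a leading-zero literal such as
        # 0600 is octal under YAML 1.1 but decimal under YAML 1.2, so the
        # parsed value would depend on the loader.
        - name: server-config
          secret:
            secretName: amneziawg-server
            defaultMode: 384  # 0600
            items:
              - key: awg0.conf
                path: awg0.conf
        - name: client-config
          secret:
            secretName: amneziawg-clients
            # optional: the server can start before any client config exists.
            optional: true
            defaultMode: 384  # 0600
        - name: scripts
          configMap:
            name: amneziawg-scripts
            defaultMode: 493  # 0755
        - name: runtime-config
          emptyDir: {}
        - name: dev-net-tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice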