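---
# AmneziaWG server DaemonSet: one userspace amneziawg-go instance per node
# labelled amnezia-vpn=true, plus kubectl sidecars that publish the node's
# public endpoint, patch status and keep the client secret in sync.
#
# Review notes (security-relevant properties of this manifest):
#   * hostNetwork: true makes every containerPort below informational only.
#     UDP 5847, redis 6379 and metrics 9351 are all bound on the node's own
#     interfaces, and NetworkPolicy does not apply to hostNetwork pods, so the
#     host firewall / security group is the only network boundary for 6379
#     and 9351. The redis config in the amneziawg-exporter-redis ConfigMap
#     (not visible here) must `bind 127.0.0.1` and keep `protected-mode yes`;
#     the exporter only ever connects to 127.0.0.1 — confirm.
#   * The server container is privileged. The /dev/net/tun hostPath is a
#     character device that the default device cgroup does not expose to
#     unprivileged containers, which is presumably why; under privileged: true
#     the explicit NET_ADMIN/SYS_MODULE adds are redundant (kept to document
#     intent). A tun device plugin would allow dropping privileged — evaluate.
#   * Every image is a floating tag (:latest / :alpine) pulled IfNotPresent,
#     so nodes can silently run different builds and nothing verifies
#     provenance. Pin to digests (image@sha256:...) in production.
#   * The amneziawg ServiceAccount token is mounted into a privileged
#     hostNetwork pod. Scope its Role to the specific secrets named here via
#     resourceNames rather than namespace-wide secret access.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: amneziawg
  labels:
    app: amneziawg
  annotations:
    # stakater/Reloader restarts the pods when either object changes.
    secret.reloader.stakater.com/reload: "amneziawg-server"
    configmap.reloader.stakater.com/reload: "amneziawg-scripts"
spec:
  selector:
    matchLabels:
      app: amneziawg
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: amneziawg
    spec:
      serviceAccountName: amneziawg
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector:
        amnezia-vpn: "true"
      tolerations:
        # Tolerates every taint (including NoExecute); placement is governed
        # solely by the nodeSelector above.
        - operator: Exists
      initContainers:
        # Copies the awg CLI out of the server image so the exporter (a
        # different image) runs the same binary version.
        - name: install-awg
          image: amneziavpn/amneziawg-go:latest
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
            - -lc
            - |
              set -euo pipefail
              cp /usr/bin/awg /shared-bin/awg
              chmod 0755 /shared-bin/awg
          volumeMounts:
            - name: awg-bin
              mountPath: /shared-bin
        # Publishes this node's public endpoint as "<node-name>: ip:port" in
        # the shared amneziawg-endpoints Secret.
        - name: register-endpoint
          image: bitnami/kubectl:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            # kubectl needs no capabilities at all.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: PORT
              value: "5847"
          command:
            - /bin/bash
            - -lc
            - |
              set -euo pipefail
              NAMESPACE="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
              # Explicit override label first, then the cloud-reported ExternalIP.
              ENDPOINT="$(kubectl get node "${NODE_NAME}" -o jsonpath="{.metadata.labels['external-ipv4']}")"
              if [ -z "${ENDPOINT}" ]; then
                # jsonpath joins multiple matches with a space; keep the first
                # one instead of concatenating several addresses into one.
                ENDPOINT="$(kubectl get node "${NODE_NAME}" -o jsonpath='{.status.addresses[?(@.type=="ExternalIP")].address}')"
                ENDPOINT="${ENDPOINT%% *}"
              fi
              if [ -z "${ENDPOINT}" ]; then
                echo "ERROR: node ${NODE_NAME} has no external-ipv4 label and no ExternalIP" >&2
                exit 1
              fi
              # The value is spliced into a JSON patch and handed to clients as
              # "host:port"; require a dotted quad so a malformed label or an
              # IPv6 address (which would need [] bracketing) fails here, not
              # on the client side.
              if ! [[ "${ENDPOINT}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
                echo "ERROR: node ${NODE_NAME}: endpoint '${ENDPOINT}' is not an IPv4 address" >&2
                exit 1
              fi
              VALUE="${ENDPOINT}:${PORT}"
              echo "Registering AmneziaWG endpoint: ${NODE_NAME} -> ${VALUE}"
              # Many nodes start at once, so get-then-create races and the
              # loser's create fails with AlreadyExists. Create is best-effort;
              # the merge patch below is the authoritative, idempotent write and
              # surfaces any real error (RBAC, API down) through set -e.
              kubectl create secret generic amneziawg-endpoints -n "${NAMESPACE}" \
                --from-literal="${NODE_NAME}=${VALUE}" \
                || echo "note: create failed (probably already exists); patching" >&2
              kubectl patch secret amneziawg-endpoints -n "${NAMESPACE}" \
                --type merge -p "{\"stringData\":{\"${NODE_NAME}\":\"${VALUE}\"}}"
        # One-shot sync of the client secret before the server starts; the
        # sidecar of the same name keeps it in sync afterwards.
        - name: sync-client-secret
          image: bitnami/kubectl:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - /bin/bash
            - /scripts/client-secret-sync.sh
            - once
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "128Mi"
              cpu: "100m"
          volumeMounts:
            - name: scripts
              mountPath: /scripts
              readOnly: true
            - name: runtime-config
              mountPath: /run/amnezia
      containers:
        # The VPN server itself (userspace amneziawg-go driven by run.sh).
        - name: amneziawg
          image: amneziavpn/amneziawg-go:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            # See header note: privileged grants all capabilities, so the
            # adds below are redundant but record what the workload needs.
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          command:
            - /bin/bash
            - /scripts/run.sh
          ports:
            # Informational only under hostNetwork (bound on the node).
            - name: awg
              containerPort: 5847
              protocol: UDP
          readinessProbe:
            exec:
              command:
                - /bin/bash
                - -lc
                - awg show awg0 >/dev/null 2>&1
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          livenessProbe:
            exec:
              command:
                - /bin/bash
                - -lc
                - awg show awg0 >/dev/null 2>&1
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          resources:
            requests:
              memory: "64Mi"
              cpu: "50m"
            limits:
              memory: "256Mi"
              cpu: "500m"
          volumeMounts:
            # Server private key lives in awg0.conf; mounted read-only, 0600.
            - name: server-config
              mountPath: /etc/amnezia/server
              readOnly: true
            - name: scripts
              mountPath: /scripts
              readOnly: true
            - name: runtime-config
              mountPath: /run/amnezia
            - name: dev-net-tun
              mountPath: /dev/net/tun
        # Patches this pod's status from /run/amnezia (status-patch.sh).
        - name: reload-status
          image: bitnami/kubectl:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          command:
            - /bin/bash
            - /scripts/status-patch.sh
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "128Mi"
              cpu: "100m"
          volumeMounts:
            - name: scripts
              mountPath: /scripts
              readOnly: true
            - name: runtime-config
              mountPath: /run/amnezia
        # Continuous client-secret sync (same script as the init container,
        # without the "once" argument).
        - name: client-secret-sync
          image: bitnami/kubectl:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - /bin/bash
            - /scripts/client-secret-sync.sh
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "128Mi"
              cpu: "100m"
          volumeMounts:
            - name: scripts
              mountPath: /scripts
              readOnly: true
            - name: runtime-config
              mountPath: /run/amnezia
        # Local redis for the exporter. `command` bypasses the image
        # entrypoint (which would drop to the redis user), so this runs as
        # root; capabilities are dropped since redis needs none. Prefer adding
        # runAsNonRoot/runAsUser for the image's redis uid once confirmed.
        - name: amneziawg-exporter-redis
          image: redis:alpine
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - redis-server
            - /etc/redis/redis.conf
          ports:
            # Bound on the node under hostNetwork unless redis.conf binds
            # 127.0.0.1 — see header note.
            - name: redis
              containerPort: 6379
              protocol: TCP
          resources:
            requests:
              memory: "32Mi"
              cpu: "10m"
            limits:
              memory: "128Mi"
              cpu: "100m"
          volumeMounts:
            - name: exporter-redis-config
              mountPath: /etc/redis
              readOnly: true
            - name: exporter-redis-data
              mountPath: /data
        # Prometheus exporter; uses the awg binary copied by install-awg.
        - name: amneziawg-exporter
          image: amneziavpn/amneziawg-exporter:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: AWG_EXPORTER_REDIS_HOST
              value: "127.0.0.1"
            - name: AWG_EXPORTER_REDIS_PORT
              value: "6379"
          ports:
            # Exposed on the node under hostNetwork; restrict at the host
            # firewall if metrics are not meant to be public.
            - name: metrics
              containerPort: 9351
              protocol: TCP
          resources:
            requests:
              memory: "64Mi"
              cpu: "25m"
            limits:
              memory: "256Mi"
              cpu: "200m"
          volumeMounts:
            - name: awg-bin
              mountPath: /usr/bin/awg
              subPath: awg
              readOnly: true
      volumes:
        # Server config incl. private key; only awg0.conf is projected, 0600.
        - name: server-config
          secret:
            secretName: amneziawg-server
            defaultMode: 0600
            items:
              - key: awg0.conf
                path: awg0.conf
        - name: scripts
          configMap:
            name: amneziawg-scripts
            defaultMode: 0755
        # Scratch shared between the server and the kubectl sidecars.
        - name: runtime-config
          emptyDir: {}
        - name: awg-bin
          emptyDir: {}
        - name: exporter-redis-config
          configMap:
            name: amneziawg-exporter-redis
        # Not persistent: redis state is lost on pod restart.
        - name: exporter-redis-data
          emptyDir: {}
        # Character device from the host; needs privileged (or a device
        # plugin) to be openable inside the container.
        - name: dev-net-tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice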