{{- /*
Deployment for wg-access-server.

$secretName is the Secret the container reads its credentials from: the chart's
fullname by default, or config.existingSecret when that value is set. Whichever
Secret is used must carry the keys referenced below (privateKey, adminUsername,
adminPassword); a secretKeyRef to a missing key leaves the container unable to
start. The template only references the Secret — whether the chart creates it
when existingSecret is unset is decided elsewhere (see the chart's secret
template).

Template comments are used instead of YAML comments so the rendered manifest is
unchanged.
*/ -}}
{{- $fullName := include "wg-access-server.fullname" . -}}
{{ $secretName := $fullName }}
{{- if .Values.config.existingSecret -}}
{{ $secretName = .Values.config.existingSecret }}
{{ end -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "wg-access-server.fullname" . }}
  labels:
    {{- include "wg-access-server.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicas }}
  {{- /* Default to Recreate when a PVC backs /data, presumably so the old and new
  Pod never hold the same claim at once (TODO confirm against the PVC access
  mode); RollingUpdate otherwise. strategy.type overrides either default.
  NOTE(review): .Values.strategy must exist in values.yaml — Helm fails the
  render on a .type lookup through a nil map. */}}
  strategy:
    {{- if .Values.persistence.enabled  }}
    type: {{ .Values.strategy.type | default "Recreate" | quote }}
    {{- else }}
    type: {{ .Values.strategy.type | default "RollingUpdate" | quote }}
    {{- end }}
  selector:
    matchLabels:
      {{- include "wg-access-server.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        {{- /* Hash of the rendered ConfigMap template: a config change alters the
        Pod template and therefore triggers a rollout. Only the ConfigMap is
        hashed — a changed Secret does not roll the Pods on its own. */}}
        checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
      labels:
        {{- include "wg-access-server.selectorLabels" . | nindent 8 }}
    spec:
    {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
    {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          {{- /* NET_ADMIN is added, presumably for creating and configuring the
          WireGuard interface and its routes. Nothing is dropped and no
          runAsNonRoot / readOnlyRootFilesystem is set here, so the container
          otherwise keeps the runtime's default privileges; any further
          hardening has to come from an admission policy. */}}
          securityContext:
            capabilities:
              add: ['NET_ADMIN']
          {{- /* Tag falls back to the chart's appVersion when image.tag is unset. */}}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- /* http serves the UI/API and the readiness probe below; wireguard is
          the UDP tunnel port. */}}
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
            - name: wireguard
              containerPort: 51820
              protocol: UDP
          env:
            {{- /* Credentials are read from $secretName rather than embedded in the
            manifest, and each entry is emitted only when the matching chart value
            is set. NOTE(review): with config.existingSecret the gate still keys on
            the chart values, so an existing Secret alone does not enable these
            entries — confirm this matches the secret template's behaviour. */}}
            {{- if .Values.wireguard.config.privateKey }}
            - name: WG_WIREGUARD_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ $secretName }}"
                  key: privateKey
            {{- end }}
            {{- if .Values.web.config.adminUsername }}
            - name: WG_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: "{{ $secretName }}"
                  key: adminUsername
            {{- end}}
            {{- if .Values.web.config.adminPassword }}
            - name: WG_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ $secretName }}"
                  key: adminPassword
            {{- end}}
            {{- /* With the CSI secrets store the whole config file lives under
            /secrets, so the server is pointed at it explicitly. */}}
            {{- if .Values.config.csiSecretsStore }}
            - name: WG_CONFIG
              value: /secrets/config.yaml
            {{- end}}
          volumeMounts:
            {{- /* Host tun device passthrough — presumably required for the tunnel
            interface (TODO confirm). /data holds server state. */}}
            - name: tun
              mountPath: /dev/net/tun
            - name: data
              mountPath: /data
            {{- /* config.yaml comes either from the CSI-mounted directory or from the
            ConfigMap via subPath. A subPath mount is not refreshed when the
            ConfigMap changes; the checksum annotation above forces a rollout
            instead. */}}
            {{- if .Values.config.csiSecretsStore }}
            - name: config
              mountPath: /secrets
            {{- else }}
            - name: config
              mountPath: /config.yaml
              subPath: config.yaml
            {{- end}}
          {{- /* Readiness only: no livenessProbe is defined, so a hung server is
          taken out of the Service but never restarted by the kubelet. */}}
          readinessProbe:
            httpGet:
              path: /health
              port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      volumes:
        {{- /* Host character device passed straight through; the CharDevice type
        makes the kubelet refuse the mount if the path is anything else. hostPath
        volumes are commonly blocked by restrictive admission policies, so the
        namespace must permit them. */}}
        - name: tun
          hostPath:
            type: 'CharDevice'
            path: /dev/net/tun
        - name: data
        {{- /* A PVC (user-supplied, or presumably a chart-managed claim named after
        the release — TODO confirm) when persistence is enabled; otherwise an
        emptyDir that is discarded with the Pod. */}}
        {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ $fullName }}{{- end }}
        {{- end }}
        {{- if not .Values.persistence.enabled }}
          emptyDir: {}
        {{- end }}
        {{- /* Config source: a read-only secrets-store CSI volume, or the chart's
        ConfigMap. NOTE(review): the SecretProviderClass name "app-secrets" is
        hard-coded, so a class with exactly that name must exist in the
        namespace; consider making it a chart value. */}}
        {{- if .Values.config.csiSecretsStore }}
        - name: config
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: app-secrets
        {{- else }}
        - name: config
          configMap:
            name: "{{ $fullName }}"
        {{- end }}
      {{- /* Optional scheduling constraints, rendered verbatim only when set. */}}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
    {{- end }}