truenas/charts/wg-easy/1.0.12/templates/deployment.yaml

{{ include "common.storage.hostPathValidate" .Values }}
apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
  name: {{ template "common.names.fullname" . }}-wg
  labels:
    app: {{ template "common.names.name" . }}
    chart: {{ template "common.names.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    rollme: {{ randAlphaNum 5 | quote }}
spec:
  replicas: {{ (default 1 .Values.replicas) }}
  strategy:
    type: "Recreate"
  selector:
    matchLabels:
      app: {{ template "common.names.name" . }}
      release: {{ .Release.Name }}
  template:
    metadata:
      name: {{ template "common.names.fullname" . }}
      labels:
        {{- include "common.labels.selectorLabels" . | nindent 8 }}
      annotations: {{ include "common.annotations" . | nindent 8 }}
    spec:
      hostNetwork: {{ .Values.hostNetwork }}
      hostname: {{ .Release.Name }}
      containers:
        - name: {{ .Chart.Name }}
          {{ include "common.resources.limitation" . | nindent 10 }}
          {{ include "common.containers.imageConfig" .Values.image | nindent 10 }}
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
            {{/* https://github.com/WeeJeWel/wg-easy/pull/394 */}}
            runAsUser: 0
            runAsGroup: 0
            readOnlyRootFilesystem: false
            runAsNonRoot: false
          volumeMounts: {{ include "common.storage.configureAppVolumeMountsInContainer" .Values | nindent 12 }}
          {{ range $index, $hostPathConfiguration := .Values.extraAppVolumeMounts }}
            - name: extrappvolume-{{ $index }}
              mountPath: {{ $hostPathConfiguration.mountPath }}
          {{ end }}
          ports:
            - name: udp
              containerPort: {{ .Values.wgUDPPort }}
              protocol: UDP
            {{- if not .Values.hostNetwork }}
              hostPort: null
            {{- end }}
            - name: web
              containerPort: {{ .Values.webUIPort }}
            {{- if not .Values.hostNetwork }}
              hostPort: null
            {{- end }}
          env:
            {{ $wgeasy := .Values.wgeasy }}
            {{ $envList := (default list .Values.environmentVariables) }}
            {{ $envList = mustAppend $envList (dict "name" "WG_HOST" "value" $wgeasy.host) }}
            {{ $envList = mustAppend $envList (dict "name" "PASSWORD" "value" $wgeasy.password) }}
            {{ $envList = mustAppend $envList (dict "name" "WG_PORT" "value" .Values.wgUDPPort) }}
            {{ $envList = mustAppend $envList (dict "name" "PORT" "value" .Values.webUIPort) }}
            {{ $envList = mustAppend $envList (dict "name" "WG_PERSISTENT_KEEPALIVE" "value" $wgeasy.keep_alive) }}
            {{ $envList = mustAppend $envList (dict "name" "WG_MTU" "value" $wgeasy.client_mtu) }}
            {{ $envList = mustAppend $envList (dict "name" "WG_DEFAULT_ADDRESS" "value" $wgeasy.client_address_range) }}
            {{ $envList = mustAppend $envList (dict "name" "WG_DEFAULT_DNS" "value" $wgeasy.client_dns_server) }}
            {{ if $wgeasy.allowed_ips }}
            {{ $envList = mustAppend $envList (dict "name" "WG_ALLOWED_IPS" "value" (join "," $wgeasy.allowed_ips)) }}
            {{ else }}
            {{ $envList = mustAppend $envList (dict "name" "WG_ALLOWED_IPS" "value" ("0.0.0.0/0,::/0")) }}
            {{ end }}
            {{ include "common.containers.environmentVariables" (dict "environmentVariables" $envList) | nindent 12 }}
          readinessProbe:
            httpGet:
              path: /
              port: {{ .Values.webUIPort }}
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
            successThreshold: 2
          livenessProbe:
            httpGet:
              path: /
              port: {{ .Values.webUIPort }}
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
            successThreshold: 1
          startupProbe:
            httpGet:
              path: /
              port: {{ .Values.webUIPort }}
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 2
            failureThreshold: 60
            successThreshold: 1
          {{ $ip := .Values.wgeasy.client_address_range | replace "x" "0" }}
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/bash
                  - -c
                  - |
                    echo "Deleting routes created by the app..."
                    netmask=$(ip route | grep {{ $ip }})
                    netmask=$(echo $netmask | grep -o -E '/.\d*')
                    netmask=${netmask#/}
                    echo "Matched routes to delete... {{ $ip }}/$netmask"
                    # Don't try to delete routes if steps above didn't grep-ed anything
                    if [ ! "$netmask" == "" ]; then
                      ip route del {{ $ip }}/$netmask || echo "Route deletion failed..."
                    fi
                    echo "Routes deleted..."
                    interface=$(ip a | grep wg0)
                    if [ ! "$interface" == "" ]; then
                      echo "Removing wg0 interface..."
                      ip link delete wg0
                      echo "Removed wg0 interface..."
                    fi

{{ include "common.networking.dnsConfiguration" .Values | nindent 6 }}
      volumes: {{ include "common.storage.configureAppVolumes" .Values | nindent 8 }}
      {{ range $index, $hostPathConfiguration := .Values.extraAppVolumeMounts }}
        - name: extrappvolume-{{ $index }}
          hostPath:
            path: {{ $hostPathConfiguration.hostPath }}
      {{ end }}