test

.gitea/workflows/release.yaml

@@ -0,0 +1,11 @@
+name: Publish Helm Chart
+
+on:
+  workflow_dispatch:
+
+jobs:
+  call-helm-ci:
+    uses: helm/common-workflows/.gitea/workflows/release.yaml@master
+    secrets:
+      CI_BOT_USERNAME: ${{ secrets.CI_BOT_USERNAME }}
+      CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}

.gitignore

@@ -0,0 +1 @@
+.idea/

README.md

@@ -0,0 +1,102 @@
+# WireGuard with UI
+
+## K8s and unsafe option
+
+Config file on k8s host
+
+```shell
+sudo nano /var/snap/microk8s/current/args/kubelet
+```
+
+add `ipv4` and `ipv6` to be added to the end of the `kubelet` file.
+
+> --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding
+
+## Changing IP
+
+these are recommended, as we use 8.0.0.0/8 for other things...
+
+```
+IPv4 172.16.0.0/24
+IPv6 fdb0::/112
+```
+
+> info: changing ip's, a restart of the pod is needed... for iptables and nat to change to new ip.
+
+## Rout traffic
+
+Here is two ways of making the k8s server handle routing of traffic
+
+### persistent iptables
+
+```shell
+sudo apt install iptables-persistent
+```
+
+- replace `<interface>` with your network card like `eth0`.
+- replace `<host-ipv4>` with ip like `10.8.0.0/24`.
+- replace `<host-ipv6>` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.
+
+```shell
+sudo iptables -t nat -A POSTROUTING -s <host-ipv4> -o <interface> -j MASQUERADE
+sudo iptables -t nat -A POSTROUTING -s <host-ipv6> -o <interface> -j MASQUERADE
+```
+
+```shell
+sudo netfilter-persistent save
+```
+
+### Systemd service
+
+create this file `/etc/systemd/system/wireguard-masquerade.service`
+
+```shell
+sudo nano /etc/systemd/system/wireguard-masquerade.service
+```
+
+Changes
+
+- replace `<interface>` with your network card like `eth0`.
+- replace `<host-ipv4>` with ip like `10.8.0.0/24`.
+- replace `<host-ipv6>` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.
+
+```
+[Unit] 
+Description=WireGuard MASQUERADE for <host-ipv4> and <host-ipv6>
+After=network.target 
+
+[Service] 
+Type=oneshot 
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s <host-ipv4> -o <interface> -j MASQUERADE 
+ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s <host-ipv6> -o <interface> -j MASQUERADE
+RemainAfterExit=yes 
+
+[Install] 
+WantedBy=multi-user.target
+```
+
+#### Enable
+
+```shell
+sudo systemctl enable wireguard-masquerade
+```
+
+#### Start
+
+```shell
+sudo systemctl start wireguard-masquerade
+```
+
+## check system
+
+check IPv4 packet forwarding status.
+
+```shell
+kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv4.ip_forward
+```
+
+check IPv6 packet forwarding status.
+
+```shell
+kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv6.conf.all.forwarding
+```

helm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: wg-easy
+description: Helm chart for wg-easy with MetalLB and StatefulSet
+type: application
+version: 0.1.0
+appVersion: "15.1.0"

helm/templates/_helpers.tpl

@@ -0,0 +1,18 @@
+{{- define "wg-easy.name" -}}
+wg-easy
+{{- end }}
+
+{{- define "wg-easy.fullname" -}}
+{{ printf "%s-%s" .Release.Name (include "wg-easy.name" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "wg-easy.labels" -}}
+app.kubernetes.io/name: {{ include "wg-easy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "wg-easy.selectorLabels" -}}
+app: {{ include "wg-easy.name" . }}
+{{- end }}

helm/templates/configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "wg-easy.name" . }}
+data:
+  INSECURE: {{ .Values.env.INSECURE | default true | quote }}
+

helm/templates/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "wg-easy.name" . }}
+spec:
+  type: {{ .Values.service.type }}
+  {{- if and .Values.service.loadBalancerIP (ne .Values.service.loadBalancerIP "") }}
+  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - name: http
+      port: {{ .Values.service.uiPort }}
+      targetPort: 51821
+      protocol: TCP
+    - name: wireguard
+      port: {{ .Values.service.wgPort }}
+      targetPort: {{ .Values.service.wgPort }}
+      protocol: UDP
+  selector:
+    app: {{ include "wg-easy.name" . }}

helm/templates/statefulset.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "wg-easy.name" . }}
+  labels:
+    app: {{ include "wg-easy.name" . }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ include "wg-easy.name" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "wg-easy.name" . }}
+    spec:
+      securityContext:
+        sysctls:
+          {{- if .Values.sysctls.ipv4Forward }}
+          - name: net.ipv4.ip_forward
+            value: "1"
+          {{- end }}
+          {{- if .Values.sysctls.ipv6Forward }}
+          - name: net.ipv6.conf.all.forwarding
+            value: "1"
+          {{- end }}
+      containers:
+        - name: {{ include "wg-easy.name" . }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 51821
+              protocol: TCP
+            - name: wireguard
+              containerPort: {{ .Values.service.wgPort }}
+              protocol: UDP
+          envFrom:
+            - configMapRef:
+                name: {{ include "wg-easy.name" . }}
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN", "SYS_MODULE"]
+          volumeMounts:
+            - name: wg-easy-data
+              mountPath: /etc/wireguard
+          {{- if .Values.resources }}
+          resources:
+            {{- if .Values.resources.requests }}
+            requests:
+              {{- if .Values.resources.requests.cpu }}
+              cpu: "{{ .Values.resources.requests.cpu }}"
+              {{- end }}
+              {{- if .Values.resources.requests.memory }}
+              memory: "{{ .Values.resources.requests.memory }}"
+              {{- end }}
+            {{- end }}
+            {{- if .Values.resources.limits }}
+            limits:
+              {{- if .Values.resources.limits.cpu }}
+              cpu: "{{ .Values.resources.limits.cpu }}"
+              {{- end }}
+              {{- if .Values.resources.limits.memory }}
+              memory: "{{ .Values.resources.limits.memory }}"
+              {{- end }}
+            {{- end }}
+          {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: wg-easy-data
+      spec:
+        accessModes: {{ .Values.persistence.accessModes }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size }}
+        {{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }}
+        storageClassName: {{ .Values.persistence.storageClass | quote }}
+        {{- end }}

helm/values.yaml

@@ -0,0 +1,32 @@
+replicaCount: 1
+
+image:
+  repository: ghcr.io/wg-easy/wg-easy
+  tag: "15.1.0"
+  pullPolicy: IfNotPresent
+
+persistence:
+  accessModes:
+    - ReadWriteOnce
+  size: 1Gi
+  storageClass:
+
+env: {}
+#  INSECURE:
+
+resources:
+#  requests:
+#    cpu: "100m"
+#    memory: "128Mi"
+#  limits:
+#    cpu: "250m"
+#    memory: "256Mi"
+
+service:
+  type: ClusterIP
+  uiPort: 80
+  wgPort: 51820
+
+sysctls:
+  ipv4Forward: true
+  ipv6Forward: false