Helm/wg-easy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test

Browse Source
This commit is contained in:
Mr. Swordsteel
2025-08-25 19:20:19 +02:00
commit c271b3b2b3
10 changed files with 348 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
.gitea/workflows/release.yaml Normal file
View File

@@ -0,0 +1,44 @@
name: Helm OCI CI
on:
workflow_dispatch:
jobs:
build-and-push:
runs-on: ubuntu-latest
steps:
# Checkout code
- name: Checkout repository
uses: actions/checkout@v3
# Install Helm
- name: Set up Helm
uses: azure/setup-helm@v4
# Extract chart name and version
- name: Get Chart Info
id: chart
run: |
NAME=$(helm show chart ./helm | grep '^name:' | awk '{print $2}')
VERSION=$(helm show chart ./helm | grep '^version:' | awk '{print $2}')
echo "chart_name=$NAME" >> $GITHUB_ENV
echo "chart_version=$VERSION" >> $GITHUB_ENV
# Login to Gitea OCI Registry
- name: Helm OCI Login
run: |
echo "${{ secrets.CI_BOT_TOKEN }}" | helm registry login gitea.lulz.ltd \
--username ${{ secrets.CI_BOT_USERNAME }} \
--password-stdin
# Package Helm chart
- name: Package Helm Chart
run: |
helm package ./helm
# helm push heimdall-0.1.0.tgz oci://gitea.lulz.ltd/helm
# Push chart to Gitea OCI registry
- name: Push Helm Chart to Gitea OCI
run: |
echo "${chart_name}-${chart_version}.tgz oci://gitea.lulz.ltd/helm"
helm push ${chart_name}-${chart_version}.tgz oci://gitea.lulz.ltd/helm

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.idea/

157
README.md Normal file
View File

@@ -0,0 +1,157 @@
# Check if traffic hits the pod
```shell
kubectl -n wg-easy exec -it wg-easy-wg-easy-0 -- wg show
```
```shell
microk8s kubectl -n wg-easy exec -it wg-easy-wg-easy-0 -- iptables -t nat -L -n -v | grep 10.8
```
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE
Qj&lLhA$L82m8zWi
#net.ipv4.ip_forward=1
#net.ipv4.conf.default.src_valid_mark=1
#net.ipv4.conf.all.src_valid_mark=1
sudo nano /var/snap/microk8s/current/args/kubelet
--allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv4.conf.all.src_valid_mark
```shell
helm install wg-easy ./ --namespace wg-easy --create-namespace
```
```shell
kubectl delete ns wg-easy
```
```shell
kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-0 -- ip add
```
```shell
kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- iptables -t nat -L -n -v
```
```shell
kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- sysctl net.ipv4.ip_forward
```
```shell
kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- sysctl net.ipv4.conf.all.src_valid_mark
```
```shell
kubectl -n wg-easy logs -f wg-easy-0
```
```shell
kubectl -n wg-easy get pvc,pod,svc
```
# Rout traffic
## Systemd service
lets create a file `/etc/systemd/system/wireguard-masquerade.service`
```shell
sudo nano /etc/systemd/system/wireguard-masquerade.service
```
replace `<host-interface>` with your network card like `eth0`
```
[Unit]
Description=WireGuard MASQUERADE for 10.8.0.0/24
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
```
## Enable
```shell
sudo systemctl enable wireguard-masquerade
```
## Start
```shell
sudo systemctl start wireguard-masquerade
```
swordsteel@microk8s:~$ sudo systemctl enable wg-masquerade
Failed to enable unit: File wg-masquerade.service: Bad message
---
# WireGuard
Qj&lLhA$L82m8zWi
```shell
helm install wg-easy ./helm --namespace wireguard --create-namespace
```
```shell
helm -n wireguard upgrade wg-easy .\helm\
```
```shell
kubectl -n wireguard get pvc,pod,svc
```
```shell
kubectl -n wireguard logs -f wg-easy-0
```
```shell
kubectl delete ns wireguard
```
```shell
kubectl get ns
```
```shell
kubectl -n wireguard describe pod wg-easy-wg-easy-0
```

23
helm/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
helm/Chart.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v2
name: wg-easy
description: Helm chart for wg-easy with MetalLB and StatefulSet
type: application
version: 0.1.0
appVersion: "15.1.0"

18
helm/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,18 @@
{{- define "wg-easy.name" -}}
wg-easy
{{- end }}
{{- define "wg-easy.fullname" -}}
{{ printf "%s-%s" .Release.Name (include "wg-easy.name" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "wg-easy.labels" -}}
app.kubernetes.io/name: {{ include "wg-easy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- define "wg-easy.selectorLabels" -}}
app: {{ include "wg-easy.name" . }}
{{- end }}

13
helm/templates/persistentvolumeclaim.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "wg-easy.name" . }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.persistence.size }}
{{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }}
storageClassName: {{ .Values.persistence.storageClass | quote }}
{{- end }}

20
helm/templates/service.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "wg-easy.name" . }}
spec:
type: {{ .Values.service.type }}
{{- if and .Values.service.loadBalancerIP (ne .Values.service.loadBalancerIP "") }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
ports:
- name: http
port: {{ .Values.service.httpPort }}
targetPort: 51821
protocol: TCP
- name: wireguard
port: {{ .Values.service.wgPort }}
targetPort: {{ .Values.service.wgPort }}
protocol: UDP
selector:
app: {{ include "wg-easy.name" . }}

44
helm/templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "wg-easy.name" . }}
labels:
app: {{ include "wg-easy.name" . }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ include "wg-easy.name" . }}
template:
metadata:
labels:
app: {{ include "wg-easy.name" . }}
spec:
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: wg-easy
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 51821
protocol: TCP
- name: wireguard
containerPort: {{ .Values.service.wgPort }}
protocol: UDP
env:
- name: INSECURE
value: {{ .Values.env.INSECURE | quote }}
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_MODULE"]
volumeMounts:
- name: wg-easy-data
mountPath: /etc/wireguard
volumes:
- name: wg-easy-data
persistentVolumeClaim:
claimName: {{ include "wg-easy.name" . }}

22
helm/values.yaml Normal file
View File

@@ -0,0 +1,22 @@
replicaCount: 1
image:
repository: ghcr.io/wg-easy/wg-easy
tag: "15.1"
pullPolicy: IfNotPresent
service:
type: LoadBalancer
httpPort: 80
wgPort: 51820
loadBalancerIP: "10.0.3.15" # Set to a MetalLB-assigned IP, e.g. 192.168.1.240
persistence:
enabled: true
size: 1Gi
# storageClass: ""
env:
INSECURE: true