Skip to content

freifunkMUC/wg-access-server-chart

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

wg-access-server - Helm Chart Repository

This repository contains the Helm Chart files for the wg-access-server project.

Installing the Chart

To install the chart with the release name wireguard:

$ helm install wireguard --repo https://freifunkMUC.github.io/wg-access-server-chart/ wg-access-server

The command deploys wg-access-server on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

A wireguard private key needs to be set in order for the pod to start successfully. Use wg genkey and append --set wireguard.config.privateKey="<wg-private-key>" to the command above.

Per default persistence is disabled and devices will not persist. To enable persistence, set persistence.enabled.

Because IPv6 on Kubernetes is disabled by default in most clusters and can't be enabled on a per-pod basis, the default values.yaml disables it for the VPN as well. If you have a cluster with working IPv6, set config: {} in your values.yaml or specify a custom VPN-internal prefix under config.vpn.cidrv6.

If no admin password is set, the Chart generates a random one. You can retrieve it using kubectl get secret ... as prompted by helm after installing the Chart.

Uninstalling the Chart

To uninstall/delete the wireguard deployment:

$ helm delete wireguard

The command removes all the Kubernetes components associated with the chart and deletes the release.

Example values.yaml

# wg-access-server config
web:
  config:
    adminUsername: "<Username for the admin user>"
    adminPassword: "<Password for the admin user>",
  service:
    type: 'LoadBalancer',
    loadBalancerIP: "IP of the admin panel",

wireguard:
  config:
    privateKey: "<Private Key>"
  service:
    type: ClusterIP
    loadBalancerIP: "IP of the WireGuard service"

persistence:
  enabled: true
  size: "100Mi"
  accessModes:
    - ReadWriteOnce

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx",
    cert-manager.io/cluster-issuer: "letsencrypt-prod" 
  hosts:
    - vpn.example.com
  tls:
    - hosts: 
        - vpn.example.com
      secretName: `wg-access-server-tls`

All Configuration

Key Type Default Description
config object {} inline wg-access-server config (config.yaml)
web.config.adminUsername string "admin"
web.config.adminPassword string "" If omitted a random password will be generated and stored in the secret
web.service.annotations object {}
web.service.externalTrafficPolicy string ""
web.service.type string "ClusterIP"
web.service.loadBalancerIP string ""
wireguard.config.privateKey string "" REQUIRED - A wireguard private key. You can generate one using $ wg genkey
wireguard.service.annotations object {}
wireguard.service.type string "ClusterIP"
wireguard.service.sessionAffinity string "ClientIP"
wireguard.service.externalTrafficPolicy string ""
wireguard.service.ipFamilyPolicy string "SingleStack"
wireguard.service.loadBalancerIP string ""
wireguard.service.port int 51820
wireguard.service.nodePort int "" Use available port from range 30000-32768
persistence.enabled bool false
persistence.existingClaim string "" Use existing PVC claim for persistence instead
persistence.annotations object {}
persistence.accessModes[0] string "ReadWriteOnce"
persistence.storageClass string ""
persistence.size string "100Mi"
ingress.enabled bool false
ingress.annotations object {}
ingress.ingressClassName string ""
ingress.hosts list []
ingress.tls list []
nameOverride string ""
fullnameOverride string ""
hostNetwork bool false Run the application pod in the host network of the node
imagePullSecrets list []
image.repository string "ghcr.io/freifunkmuc/wg-access-server"
image.tag string ""
image.pullPolicy string "IfNotPresent"
replicas int 1
strategy.type string "" Recreate if persistence.enabled true or RollingUpdate if false
resources object {} pod cpu/memory resource requests and limits
securityContext object {"capabilities":{"add": ["NET_ADMIN"]}} Set securityContext for the application pod
nodeSelector object {}
tolerations list []
affinity object {}