https://github.com/freifunkmuc/wg-access-server-chart


# wg-access-server - Helm Chart Repository

This repository contains the Helm Chart files for the [wg-access-server](https://github.com/freifunkMUC/wg-access-server) project.

## Installing the Chart

To install the chart with the release name `wireguard`:

```bash
$ helm install wireguard --repo https://freifunkMUC.github.io/wg-access-server-chart/ wg-access-server
```

The command deploys wg-access-server on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

A WireGuard private key must be set for the pod to start successfully. Generate one with `wg genkey` and pass it by appending `--set wireguard.config.privateKey=""` (with the generated key between the quotes) to the command above.

By default, persistence is disabled and devices will not persist. To enable persistence, set `persistence.enabled` to `true`.
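One way to supply the required key without typing it on the command line, where `--set` would leave it in shell history and the process argument list. This is an added example, not part of the chart's README. The function name `write_wg_values` and the file name `wg-secret-values.yaml` are assumptions; the shape check relies on a WireGuard key being 32 bytes, which base64-encodes to 43 characters plus one `=`.

```shell
#!/bin/sh
# Added example (not from the chart's README): put the WireGuard private key
# in an owner-only values file instead of passing it with --set.
# write_wg_values and the file names below are hypothetical.

# Reads one key from stdin, checks its shape, writes <outfile> with mode 0600.
write_wg_values() {
    outfile=$1
    IFS= read -r key || [ -n "$key" ] || { echo "no key on stdin" >&2; return 1; }
    # 32 raw bytes encode to 43 base64 characters followed by a single '='.
    body=${key%=}
    if [ "${#key}" -ne 44 ] || [ "${#body}" -ne 43 ]; then
        echo "key is not a 44-character base64 string ending in '='" >&2
        return 1
    fi
    case $body in
        *[!A-Za-z0-9+/]*) echo "key has non-base64 characters" >&2; return 1 ;;
    esac
    # Subshell keeps the caller's umask unchanged. Removing any old file first
    # ensures the new one is created 0600 before the key is written into it.
    (
        umask 077
        rm -f -- "$outfile"
        printf 'wireguard:\n  config:\n    privateKey: "%s"\n' "$key" > "$outfile"
    )
}

# Usage (needs wg and helm on the PATH):
#   wg genkey | write_wg_values wg-secret-values.yaml
#   helm install wireguard \
#     --repo https://freifunkMUC.github.io/wg-access-server-chart/ \
#     wg-access-server -f wg-secret-values.yaml
#   rm -f wg-secret-values.yaml   # once the release is installed
```

Keep the generated file out of version control; it holds the server's private key in clear text.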

Because IPv6 on Kubernetes is disabled by default in most clusters and can't be enabled on a per-pod basis, the default `values.yaml` disables it for the VPN as well. If you have a cluster with working IPv6, set `config: {}` in your `values.yaml` or specify a custom VPN-internal prefix under `config.vpn.cidrv6`.

If no admin password is set, the chart generates a random one. You can retrieve it using `kubectl get secret ...` as prompted by Helm after installing the chart.

## Uninstalling the Chart

To uninstall/delete the `wireguard` deployment:

```bash
$ helm delete wireguard
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Example values.yaml

```yaml
# wg-access-server config
web:
  config:
    adminUsername: ""
    # If left empty, the chart generates a random password and stores it in the secret
    adminPassword: ""
  service:
    type: LoadBalancer
    loadBalancerIP: "IP of the admin panel"

wireguard:
  config:
    # REQUIRED: generate with `wg genkey`
    privateKey: ""
  service:
    type: ClusterIP
    loadBalancerIP: "IP of the WireGuard service"

persistence:
  enabled: true
  size: "100Mi"
  accessModes:
    - ReadWriteOnce

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
  hosts:
    - vpn.example.com
  tls:
    - hosts:
        - vpn.example.com
      secretName: wg-access-server-tls
```

## All Configuration

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| config | object | `{}` | inline wg-access-server config ([config.yaml](https://www.freie-netze.org/wg-access-server/2-configuration/#the-config-file-configyaml)) |
| web.config.adminUsername | string | `"admin"` | |
| web.config.adminPassword | string | `""` | If omitted a random password will be generated and stored in the secret |
| web.service.annotations | object | `{}` | |
| web.service.externalTrafficPolicy | string | `""` | |
| web.service.type | string | `"ClusterIP"` | |
| web.service.loadBalancerIP | string | `""` | |
| wireguard.config.privateKey | string | `""` | REQUIRED - A wireguard private key. You can generate one using `$ wg genkey` |
| wireguard.service.annotations | object | `{}` | |
| wireguard.service.type | string | `"ClusterIP"` | |
| wireguard.service.sessionAffinity | string | `"ClientIP"` | |
| wireguard.service.externalTrafficPolicy | string | `""` | |
| wireguard.service.ipFamilyPolicy | string | `"SingleStack"` | |
| wireguard.service.loadBalancerIP | string | `""` | |
| wireguard.service.port | int | `51820` | |
| wireguard.service.nodePort | int | `""` | Use available port from range 30000-32768 |
| persistence.enabled | bool | `false` | |
| persistence.existingClaim | string | `""` | Use existing PVC claim for persistence instead |
| persistence.annotations | object | `{}` | |
| persistence.accessModes[0] | string | `"ReadWriteOnce"` | |
| persistence.storageClass | string | `""` | |
| persistence.size | string | `"100Mi"` | |
| ingress.enabled | bool | `false` | |
| ingress.annotations | object | `{}` | |
| ingress.ingressClassName | string | `""` | |
| ingress.hosts | list | `[]` | |
| ingress.tls | list | `[]` | |
| nameOverride | string | `""` | |
| fullnameOverride | string | `""` | |
| hostNetwork | bool | `false` | Run the application pod in the host network of the node |
| imagePullSecrets | list | `[]` | |
| image.repository | string | `"ghcr.io/freifunkmuc/wg-access-server"` | |
| image.tag | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| replicas | int | `1` | |
| strategy.type | string | `""` | `Recreate` if `persistence.enabled` true or `RollingUpdate` if false |
| resources | object | `{}` | pod cpu/memory resource requests and limits |
| securityContext | object | `{"capabilities":{"add": ["NET_ADMIN"]}}` | Set `securityContext` for the application pod |
| nodeSelector | object | `{}` | |
| tolerations | list | `[]` | |
| affinity | object | `{}` | |