wg-access-server - Helm Chart Repository

This repository contains the Helm Chart files for the wg-access-server project.

Installing the Chart

To install the chart with the release name wireguard:

$ helm install wireguard --repo https://freifunkMUC.github.io/wg-access-server-chart/ wg-access-server

The command deploys wg-access-server on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

A WireGuard private key must be set for the pod to start successfully. Generate one with wg genkey and append --set wireguard.config.privateKey="<wg-private-key>" to the command above.

By default, persistence is disabled and devices will not persist. To enable persistence, set persistence.enabled to true.

Because IPv6 on Kubernetes is disabled by default in most clusters and can't be enabled on a per-pod basis, the default values.yaml disables it for the VPN as well. If you have a cluster with working IPv6, set config: {} in your values.yaml or specify a custom VPN-internal prefix under config.vpn.cidrv6.

If no admin password is set, the Chart generates a random one. You can retrieve it using kubectl get secret ... as prompted by helm after installing the Chart.
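
Added example, not part of the chart's documentation: one way to pass the key from wg genkey through an owner-only values file instead of --set, so the key does not appear in the helm command line or shell history. The function names and the file name secret-values.yaml are assumptions.

```shell
#!/bin/sh
# Added example (not from the chart repository). Assumed names: is_wg_key,
# write_values, install_release and the file name secret-values.yaml.

# Shape check: a WireGuard key is 32 bytes in base64, i.e. 43 base64
# characters followed by a single '=' pad (44 characters in total).
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # outside the base64 alphabet
    esac
    [ "${1%=}" != "$1" ] || return 1     # must end in '='
    case "${1%=}" in
        *=*) return 1 ;;                 # '=' is only valid as the last character
    esac
    return 0
}

# write_values FILE KEY: create FILE with the key and persistence enabled.
# Refuses to reuse an existing file, whose mode umask would not tighten.
write_values() {
    is_wg_key "$2" || { echo "not a WireGuard key" >&2; return 1; }
    if [ -e "$1" ]; then
        echo "$1 already exists" >&2
        return 1
    fi
    (
        umask 077                        # file is created with mode 0600
        cat > "$1" <<EOF
wireguard:
  config:
    privateKey: "$2"
persistence:
  enabled: true
EOF
    )
}

# install_release FILE: the page's install command, with -f instead of --set.
install_release() {
    helm install wireguard \
        --repo https://freifunkMUC.github.io/wg-access-server-chart/ \
        wg-access-server -f "$1"
}

# Usage, with wg and helm on PATH:
#   write_values secret-values.yaml "$(wg genkey)" && install_release secret-values.yaml
```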

Uninstalling the Chart

To uninstall/delete the wireguard deployment:

$ helm delete wireguard

The command removes all the Kubernetes components associated with the chart and deletes the release.

Example values.yaml

# wg-access-server config
web:
  config:
    adminUsername: "<Username for the admin user>"
    adminPassword: "<Password for the admin user>"
  service:
    type: 'LoadBalancer'
    loadBalancerIP: "IP of the admin panel"

wireguard:
  config:
    privateKey: "<Private Key>"
  service:
    # loadBalancerIP only takes effect on a Service of type LoadBalancer
    type: LoadBalancer
    loadBalancerIP: "IP of the WireGuard service"

persistence:
  enabled: true
  size: "100Mi"
  accessModes:
    - ReadWriteOnce

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
  hosts:
    - vpn.example.com
  tls:
    - hosts:
        - vpn.example.com
      secretName: wg-access-server-tls

All Configuration

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| config | object | {} | inline wg-access-server config (config.yaml) |
| web.config.adminUsername | string | "admin" | |
| web.config.adminPassword | string | "" | If omitted a random password will be generated and stored in the secret |
| web.service.annotations | object | {} | |
| web.service.externalTrafficPolicy | string | "" | |
| web.service.type | string | "ClusterIP" | |
| web.service.loadBalancerIP | string | "" | |
| wireguard.config.privateKey | string | "" | REQUIRED - A wireguard private key. You can generate one using $ wg genkey |
| wireguard.service.annotations | object | {} | |
| wireguard.service.type | string | "ClusterIP" | |
| wireguard.service.sessionAffinity | string | "ClientIP" | |
| wireguard.service.externalTrafficPolicy | string | "" | |
| wireguard.service.ipFamilyPolicy | string | "SingleStack" | |
| wireguard.service.loadBalancerIP | string | "" | |
| wireguard.service.port | int | 51820 | |
| wireguard.service.nodePort | int | "" | Use available port from range 30000-32768 |
| persistence.enabled | bool | false | |
| persistence.existingClaim | string | "" | Use existing PVC claim for persistence instead |
| persistence.annotations | object | {} | |
| persistence.accessModes[0] | string | "ReadWriteOnce" | |
| persistence.storageClass | string | "" | |
| persistence.size | string | "100Mi" | |
| ingress.enabled | bool | false | |
| ingress.annotations | object | {} | |
| ingress.ingressClassName | string | "" | |
| ingress.hosts | list | [] | |
| ingress.tls | list | [] | |
| nameOverride | string | "" | |
| fullnameOverride | string | "" | |
| hostNetwork | bool | false | Run the application pod in the host network of the node |
| imagePullSecrets | list | [] | |
| image.repository | string | "ghcr.io/freifunkmuc/wg-access-server" | |
| image.tag | string | "" | |
| image.pullPolicy | string | "IfNotPresent" | |
| replicas | int | 1 | |
| strategy.type | string | "" | Recreate if persistence.enabled true or RollingUpdate if false |
| resources | object | {} | pod cpu/memory resource requests and limits |
| securityContext | object | {"capabilities":{"add": ["NET_ADMIN"]}} | Set securityContext for the application pod |
| nodeSelector | object | {} | |
| tolerations | list | [] | |
| affinity | object | {} | |