painless deployment of wireguard on kubernetes
Currently the opeartor has only been tested on GKE; if you are facing any problems please open an issue or join our slack channel
- IBM Cloud Kubernetes Service
- Google Kubernetes Engine
- requires
spec.mtu: "1380"
- requires
- DigitalOcean Kubernetes
- requires
spec.serviceType: "NodePort"
. DigitalOcean LoadBalancer does not support UDP.
- requires
- Amazon EKS
- Azure Kubernetes Service
- ...?
- Uses userspace implementation of wireguard through wireguard-go
- Automatic key generation
- Automatic IP allocation
- Does not need persistance. peer/server keys are stored as k8s secrets and loaded into the wireguard pod
- Exposes a metrics endpoint by utilizing prometheus_wireguard_exporter
apiVersion: vpn.example.com/v1alpha1
kind: Wireguard
metadata:
name: "my-cool-vpn"
spec:
mtu: "1380"
apiVersion: vpn.example.com/v1alpha1
kind: WireguardPeer
metadata:
name: peer1
spec:
wireguardRef: "my-cool-vpn"
Peer configuration can be retreived using the following command
kubectl get wireguardpeer peer1 --template={{.status.config}} | bash
[Interface]
PrivateKey = WOhR7uTMAqmZamc1umzfwm8o4ZxLdR5LjDcUYaW/PH8=
Address = 10.8.0.3
DNS = 1.1.1.1
MTU = 1380
[Peer]
PublicKey = sO3ZWhnIT8owcdsfwiMRu2D8LzKmae2gUAxAmhx5GTg=
AllowedIPs = 0.0.0.0/0
Endpoint = 32.121.45.102:51820
git clone https://github.com/jodevsa/wireguard-operator
make deploy
cd wireguard-operator
make undeploy