From eb987fa4424501f59ce5113379f8eeefce518458 Mon Sep 17 00:00:00 2001
From: Alexis Ducastel
Date: Sun, 21 Nov 2021 23:07:32 +0100
Subject: [PATCH] Add optionnal initContainer to fix sysctl config
---
 .../wg-access-server/templates/deployment.yaml | 14 ++++++++++++++
 deploy/helm/wg-access-server/values.yaml | 9 +++++++++
 2 files changed, 23 insertions(+)
diff --git a/deploy/helm/wg-access-server/templates/deployment.yaml b/deploy/helm/wg-access-server/templates/deployment.yaml
index 03620b87..c32a5fec 100644
--- a/deploy/helm/wg-access-server/templates/deployment.yaml
+++ b/deploy/helm/wg-access-server/templates/deployment.yaml
@@ -26,6 +26,20 @@ spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sysctlInitContainer }}
+ initContainers:
+ - command:
+ - sysctl
+ - -w
+ - net.ipv4.ip_forward=1
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ name: init-sysctl
+ securityContext:
+ privileged: true
+ runAsNonRoot: false
+ runAsUser: 0
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}
diff --git a/deploy/helm/wg-access-server/values.yaml b/deploy/helm/wg-access-server/values.yaml
index e54f5cad..268de5ec 100644
--- a/deploy/helm/wg-access-server/values.yaml
+++ b/deploy/helm/wg-access-server/values.yaml
@@ -79,3 +79,12 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
+
+ # sysctlInitContainer flag adds an initContainer named "init-sysctl" to wg-access-server deployment.
+ # The goal is to set the sysctl net.ipv4.ip_forward=1 to allow packet routing through node.
+ # This initContainer needs to run as privileged, but this is only limited to
+ # the initContainer run time, the main container will remain unprivileged as expected.
+ # Use case :
+ # DNS is functionning properly through VPN but does not work for standard traffic.
+ # NB : If you have no problem with wireguard traffic, you should not enable this initContainer
+ sysctlInitContainer: false
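Review bot: The privileged init container added under `initContainers` pulls `image: busybox` with no tag or digest, so a root-privileged container on every node runs whatever the mutable `latest` tag resolves to at pull time; pin it, e.g. `image: busybox:<PINNED_TAG_OR_DIGEST>` (placeholder), and consider exposing the image through values so installs behind a private registry can override it. `privileged: true` is also the widest possible grant for a single sysctl write: `net.ipv4.ip_forward` is a per-network-namespace sysctl, and the pod-level `securityContext.sysctls` field is the Kubernetes-native way to set it (at the cost of the kubelet `--allowed-unsafe-sysctls` allowlist, since it is not on the safe list), so a comment at the `privileged: true` line saying why that route was not taken would help reviewers. On clusters enforcing the Pod Security `baseline` or `restricted` level the whole Deployment is rejected once the flag is on, which the template gives no hint of; a one-line comment above `{{- with .Values.sysctlInitContainer }}` would spare users a confusing admission error. The enclosing pod `spec` begins before this hunk.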
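Review bot: The comment block added above `sysctlInitContainer: false` explains the purpose but omits the two operational facts an operator needs before enabling it: the init container runs `privileged: true` as root, which Pod Security admission at `baseline` or `restricted` rejects, and it pulls an unpinned `busybox` image from the default registry. Suggest appending a line such as `# Requires a namespace that permits privileged pods; the init image is an unpinned busybox.` The use-case line also has a typo, `functionning` should read `functioning`, and because the template gates the block with `{{- with }}`, any non-empty value enables it (a string set via `--set-string` included), so the comment could state explicitly that the value is expected to be a boolean.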