From 21fd6a0a3ad79b17ee596cb954a707df1d1fe032 Mon Sep 17 00:00:00 2001
From: Luv7804
Date: Tue, 2 Jun 2026 19:01:27 +0530
Subject: [PATCH 1/5] fix: update apexkube-agent version and improve deployment configuration

---
 charts/apexkube-agent/Chart.yaml | 2 +-
 .../apexkube-agent/templates/deployment.yaml | 12 +++++------
 .../templates/envoy-config-cm.yaml | 2 +-
 .../templates/wireguard-config-cm.yaml | 1 +
 charts/apexkube-agent/values.yaml | 21 +++++++------------
 5 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/charts/apexkube-agent/Chart.yaml b/charts/apexkube-agent/Chart.yaml
index 952b0dc..37e5316 100644
--- a/charts/apexkube-agent/Chart.yaml
+++ b/charts/apexkube-agent/Chart.yaml
@@ -4,5 +4,5 @@ description: A Helm chart for deploying the ApexKube agent with Envoy and WireGu
 maintainers:
 - name: improwised
 type: application
-version: 1.0.1
+version: 1.2.0
 appVersion: "1.0.0"
diff --git a/charts/apexkube-agent/templates/deployment.yaml b/charts/apexkube-agent/templates/deployment.yaml
index b3e2092..b899bd1 100644
--- a/charts/apexkube-agent/templates/deployment.yaml
+++ b/charts/apexkube-agent/templates/deployment.yaml
@@ -64,10 +64,9 @@ spec:
 port: healthcheck
 {{- end }}
 env:
- - name: LOG_LEVEL
- value: info
- - name: ENABLE_HEALTHCHECK
- value: "{{ .Values.wireguard.healthcheck.enabled }}"
+ {{- if .Values.wireguard.env }}
+ {{- toYaml .Values.wireguard.env | nindent 12 }}
+ {{- end }}
 securityContext:
 {{- toYaml .Values.wireguard.securityContext | nindent 12 }}
 resources:
@@ -87,9 +86,8 @@ spec:
 - /bin/sh
 - -c
 - |
- # Wait for WireGuard interface to be up
- sleep 5
- echo "WireGuard interface should be up now"
+ # Wait for WireGuard interface to be up (poll instead of fixed sleep)
+ until ip link show wg0 > /dev/null 2>&1; do sleep 1; done; echo "WireGuard is up"
 volumes:
 - name: envoy-config-volume
 configMap:
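Review bot: The `env:` key stays outside the new `{{- if .Values.wireguard.env }}` guard in the deployment.yaml hunk at -64, so a user who empties `wireguard.env` gets `env:` rendered with no value (a null list) instead of no key; moving the key inside a `with` block keeps the manifest clean in both cases. The removed block derived ENABLE_HEALTHCHECK from `.Values.wireguard.healthcheck.enabled`, which the `port: healthcheck` / `{{- end }}` context just above suggests still gates the probe, while the new default in the values.yaml hunk at -112 pins the variable to a literal `"true"`; the two can now disagree when someone sets `healthcheck.enabled: false`, so either keep deriving that entry from the same value or state in the values.yaml comment that `env` must be changed together with `healthcheck.enabled`. The enclosing container spec starts and ends outside the hunk.
```yaml
          {{- with .Values.wireguard.env }}
          env:
            {{- toYaml . | nindent 12 }}
          {{- end }}
```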
diff --git a/charts/apexkube-agent/templates/envoy-config-cm.yaml b/charts/apexkube-agent/templates/envoy-config-cm.yaml
index 9393dae..746848d 100644
--- a/charts/apexkube-agent/templates/envoy-config-cm.yaml
+++ b/charts/apexkube-agent/templates/envoy-config-cm.yaml
@@ -11,7 +11,7 @@ data:
 address:
 socket_address:
 address: 0.0.0.0
- port_value: 8080
+ port_value: {{ .Values.envoy.containerPort }}
 filter_chains:
 - transport_socket:
 name: envoy.transport_sockets.tls
diff --git a/charts/apexkube-agent/templates/wireguard-config-cm.yaml b/charts/apexkube-agent/templates/wireguard-config-cm.yaml
index 3c1f19d..bd67c37 100644
--- a/charts/apexkube-agent/templates/wireguard-config-cm.yaml
+++ b/charts/apexkube-agent/templates/wireguard-config-cm.yaml
@@ -10,6 +10,7 @@ data:
 wg0.conf: |
 [Interface]
 Address = {{ .Values.wireguard.config.address }}
+ PostUp = wg set %i private-key /etc/wireguard/privatekey

 [Peer]
 PublicKey = {{ .Values.wireguard.config.peer.publicKey }}
diff --git a/charts/apexkube-agent/values.yaml b/charts/apexkube-agent/values.yaml
index b24a949..e17a25b 100644
--- a/charts/apexkube-agent/values.yaml
+++ b/charts/apexkube-agent/values.yaml
@@ -52,18 +52,6 @@ envoy:
 # Container port for Envoy
 containerPort: 10000

- # Service configuration for Envoy
- service:
- # Service type (ClusterIP, NodePort, LoadBalancer)
- type: ClusterIP
- # Service port
- port: 10000
- # Target port on the container
- targetPort: 10000
- # NodePort (only applicable when type is NodePort)
- # If not specified, Kubernetes will allocate one automatically
- nodePort: ""
-
 # WireGuard VPN configuration
 wireguard:
 image:
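Review bot: Templating `port_value` from `.Values.envoy.containerPort` moves the rendered listener from the hard-coded 8080 to the values default 10000 (the `containerPort: 10000` line is visible in the values.yaml hunk at -52), which is a behaviour change for anyone who pinned 8080 in a NetworkPolicy, Service or probe outside the chart; the commit message only calls this a deployment-configuration fix, so a line in the chart notes naming the port change would help upgraders. Keep the expression unquoted as it is here, since Envoy expects an integer for `port_value`; if a user quotes the value in their own values file the rendered config becomes a string and Envoy rejects it, which the values.yaml comment for `containerPort` could mention.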
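Review bot: `PostUp` and the `%i` interface placeholder are wg-quick directives; plain `wg setconf`/`wg syncconf` rejects unrecognised keys under `[Interface]`, so this line only works if the container brings the tunnel up through wg-quick, which the hunk does not show — a comment on the line such as `# requires wg-quick: loads the key from the Secret mount so it never lands in this ConfigMap` would record that dependency. Loading the key from a file is the right direction, because the surrounding `wg0.conf` lives in a ConfigMap rather than a Secret; the mount of /etc/wireguard/privatekey is outside this hunk, so confirm it comes from the chart's Secret (the `existingSecret` / `privateKey` values) with a restrictive `defaultMode` so the file is not readable by every process in the pod. The context shows only `Address` under `[Interface]` and no `PrivateKey =` line, so before this change the interface apparently had no key unless something else set it; if that was a latent bug, the commit message should say so.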
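Review bot: Dropping the whole `envoy.service` block from values.yaml is a breaking change for anyone overriding `envoy.service.type` or `nodePort`, and the diffstat for this patch lists no Service template; if `templates/` still renders a Service from `.Values.envoy.service.*`, `helm template` now fails with a nil-pointer evaluation on those keys, and if the Service was already gone the commit message should say so. A chart bump from 1.0.1 to 1.2.0 that removes documented values keys should carry a note in the chart README or CHANGELOG listing the removed keys and the replacement (if any).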
@@ -112,6 +100,14 @@ wireguard:
 # WARNING: This is sensitive data. Consider using existingSecret for production
 privateKey: ""

+ # Environment variables for WireGuard container (optional)
+ # Define as a list of env var objects; this replaces the hardcoded env in the deployment
+ env:
+ - name: LOG_LEVEL
+ value: "info"
+ - name: ENABLE_HEALTHCHECK
+ value: "true"
+
 # Resource limits and requests for WireGuard container
 resources:
 requests:
@@ -124,7 +120,6 @@ wireguard:
 # Security context for WireGuard container
 # WireGuard requires elevated privileges to create network interfaces
 securityContext:
- privileged: true
 capabilities:
 add: ["NET_ADMIN"]

From d9af46a7bc24fa86c1c0762c6cd38ac28b89fef4 Mon Sep 17 00:00:00 2001
From: Chintan Viradiya <85635072+Luv7804@users.noreply.github.com>
Date: Fri, 5 Jun 2026 14:16:25 +0530
Subject: [PATCH 2/5] Replace Authorization header instead of adding

Signed-off-by: Chintan Viradiya <85635072+Luv7804@users.noreply.github.com>
---
 charts/apexkube-agent/templates/envoy-config-cm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/apexkube-agent/templates/envoy-config-cm.yaml b/charts/apexkube-agent/templates/envoy-config-cm.yaml
index 746848d..b295ca9 100644
--- a/charts/apexkube-agent/templates/envoy-config-cm.yaml
+++ b/charts/apexkube-agent/templates/envoy-config-cm.yaml
@@ -68,7 +68,7 @@ data:
 end
 if cached_token then
- request_handle:headers():add("Authorization", "Bearer " .. cached_token)
+ request_handle:headers():replace("Authorization", "Bearer " .. cached_token)
 end
 end
 - name: envoy.filters.http.router
From 0edd84801716c5272e8722c5308ff9bcf4c39b7b Mon Sep 17 00:00:00 2001
From: Luv7804
Date: Mon, 8 Jun 2026 19:22:23 +0530
Subject: [PATCH 3/5] fix: add pip cache in ci

---
 .github/workflows/lint-test.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
index e570664..97ec6a8 100644
--- a/.github/workflows/lint-test.yaml
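Review bot: `replace` now overwrites any Authorization header the client sent, which is the right default for a token-injecting filter; with `add`, Envoy would have forwarded both values and left the upstream to choose which one to honour. The other branch is still open, though: when `cached_token` is nil the request passes through with whatever Authorization header the caller supplied, so if the upstream should only ever see agent-minted tokens the filter should strip it, `else request_handle:headers():remove("Authorization")`; if pass-through on a failed token fetch is intended, a one-line comment saying so would save the next reader the question. The enclosing Lua function begins outside the hunk.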
+++ b/.github/workflows/lint-test.yaml
@@ -37,6 +37,7 @@ jobs:
 with:
 python-version: "3.14.5"
 check-latest: true
+ cache: "pip"

 - name: Set up chart-testing
 uses: helm/chart-testing-action@v2
From c843b9ec2387b01e263075a5e96f95d88ef452b5 Mon Sep 17 00:00:00 2001
From: Luv7804
Date: Mon, 8 Jun 2026 19:24:49 +0530
Subject: [PATCH 4/5] fix: remove pip cache in ci

---
 .github/workflows/lint-test.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
index 97ec6a8..e570664 100644
--- a/.github/workflows/lint-test.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -37,7 +37,6 @@ jobs:
 with:
 python-version: "3.14.5"
 check-latest: true
- cache: "pip"

 - name: Set up chart-testing
 uses: helm/chart-testing-action@v2
From df7aa63adbdab8091d7cb1cf78f52cfea0bcfe10 Mon Sep 17 00:00:00 2001
From: Luv7804
Date: Tue, 9 Jun 2026 11:33:01 +0530
Subject: [PATCH 5/5] fix: restore wireguard privileged mode and add CI test values

---
 charts/apexkube-agent/ci/ci-values.yaml | 65 +++++++++++++++++++
 .../apexkube-agent/templates/deployment.yaml | 12 +++-
 charts/apexkube-agent/values.yaml | 1 +
 3 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 charts/apexkube-agent/ci/ci-values.yaml

diff --git a/charts/apexkube-agent/ci/ci-values.yaml b/charts/apexkube-agent/ci/ci-values.yaml
new file mode 100644
index 0000000..bc1207c
--- /dev/null
+++ b/charts/apexkube-agent/ci/ci-values.yaml
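Review bot: Patches 3 and 4 add and then remove the same `cache: "pip"` line, leaving the workflow byte-identical (index e570664 before patch 3 and after patch 4), so the pair should be squashed out of the series rather than landing as two `fix:` commits. If the cache was dropped because setup-python found no dependency file to hash, pointing `cache-dependency-path` at the file the chart-testing step installs from would make the cache usable instead of abandoning it.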
@@ -0,0 +1,65 @@
+envoy:
+ config:
+ jwt:
+ publicKey: "{\"keys\":[{\"alg\":\"EdDSA\",\"crv\":\"Ed25519\",\"kty\":\"OKP\",\"x\":\"11ks650uhzB2KlUPCoMDhtC2mkKfYym8U4WQjMeNjhU\"}]}"
+
+wireguard:
+ config:
+ address: "10.0.0.2/24"
+ peer:
+ publicKey: "11ks650uhzB2KlUPCoMDhtC2mkKfYym8U4WQjMeNjhU="
+ endpoint: "wireguard.example.com:51820"
+ allowedIPs: "10.0.0.1/32"
+ privateKey: "uui586n4pFIq00r4+djMoM7mtA6zYjZXo2Euurmu0Xw="
+
+tls:
+ certData:
+ tls.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDCTCCAfGgAwIBAgIUaGwrA8nGGga2NXKUnIpyg5xUeZ0wDQYJKoZIhvcNAQEL
+ BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDYwOTA1NTQyNFoXDTI3MDYw
+ OTA1NTQyNFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+ AAOCAQ8AMIIBCgKCAQEAo0Ejot8FHw9QpUgqHiVQ+xJAEiBVRF4NoRqesbRwsDEZ
+ XjZr5Hjijm6nb7tF8JDosIU0dY2uuxo5CopcpiSUmoxyd6MkEEDpK0AsuTA8vw5f
+ Dm2zNw45CF2+zUSXdK1zU0B+GIRkUpbTua691LhyFyJ5vzBNLl0HwqaZ1LjZTdwd
+ SQoKo1Z2V8rB0RN9OTqxO3caCFTqOJyHZtB3QoF8EPB/Tola6UwaJyZQ9vYdWKov
+ vhOx6ytWDCUqY6UWA6BFXtNP7gDkM7B5STpXL706PkzNhvKsaF4bTgkWDWhCKhmF
+ Oek/2gUxeURw+iSKw/FnF15EnFZee1/MS3StcHMTuwIDAQABo1MwUTAdBgNVHQ4E
+ FgQU7GZbVWRAsxjB/h+sSMMfZBPJvswwHwYDVR0jBBgwFoAU7GZbVWRAsxjB/h+s
+ SMMfZBPJvswwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAWPn9
+ Iad2wxStDKowcANc8pJjqbLSsrq6/BGSleyug514/Wf2tEfa4okvsRtUy32u2s4U
+ kGYdAcmZxI9DEliUA+MI0UPq9cD3RBReboEVStfsKNaOlSxECOickc3EtAav6fR4
+ hsCj3lIIgv3Ghn7NAlgUEM5Z41kfTU1yJ868Cbh9kX0VmrGAL3hOYHBE/PuoeG2q
+ TUKAl5Ji+1j4mBLnAMxxq+96yOLl0U4vyb1O9eXIOr+PXipVHi0p/bQJb791i5tg
+ k0jgQUjI+DyGi8bIRVedu6sCTHm3j8NSCTfK3OyBSocR5kSZ3Ml/kQk54lZnqfOW
+ 7ReukJfLzfHS1oaBjw==
+ -----END CERTIFICATE-----
+ tls.key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjQSOi3wUfD1Cl
+ SCoeJVD7EkASIFVEXg2hGp6xtHCwMRleNmvkeOKObqdvu0XwkOiwhTR1ja67GjkK
+ ilymJJSajHJ3oyQQQOkrQCy5MDy/Dl8ObbM3DjkIXb7NRJd0rXNTQH4YhGRSltO5
+ rr3UuHIXInm/ME0uXQfCppnUuNlN3B1JCgqjVnZXysHRE305OrE7dxoIVOo4nIdm
+ 0HdCgXwQ8H9OiVrpTBonJlD29h1Yqi++E7HrK1YMJSpjpRYDoEVe00/uAOQzsHlJ
+ OlcvvTo+TM2G8qxoXhtOCRYNaEIqGYU56T/aBTF5RHD6JIrD8WcXXkScVl57X8xL
+ dK1wcxO7AgMBAAECggEADkjoW9uE4LNf3J6EZO/h9p4hshRXMazDJ4ojQaxmwdwB
+ +r7rUOoM9OaUyw+JbqPXYH6/WNvlYqTIQfZaZgVEZYONjo9dW/i6DllGsIuafSM+
+ SQ5rRJF/hw5g4Cg00nZM5Yd6oR2Qg7OD4jb6kE71WLXhDkwlLL3iLHOUeUsVZJ0O
+ wc/COvrO82YHpmVyw+W1tatfnupKaaQQR6AT2rW1gw04OW3nSXXtkwELrXsmW9eD
+ IMBdHzNKoI64iWsZNrUKV2v+5sHIBp9szYdoggQ+0Cj8fYZPqqsH2qc3GdnoCdkG
+ t2A1VEc+a95FxriYdMDRu6YF+WWXsivXTPktelYKzQKBgQDONkeuMsKy/gcVLeib
+ Wy/U0KfG0zfaZWsi+B7b9OkGIUS/QwPboGhXsAG6ype8j9JkZIPLec4pzhVg+Vfi
+ N2gKp5W20ZcDHTyQHxSduaJ4Scxf13H3CMuXMHPY/3rzrXwzv7uoMFTRYySSI2bX
+ jEI8JDc9ThOMgfbnPUoLBEsvPwKBgQDKq7PImMxIds4NLd22FJLnKLarbf3R7omK
+ qO+MZvMNSJZr1+jWp8ROx0rb7OU0TJCuTGSgFYRJd6gfqFNhHjz1kR+g+qI6LN2D
+ 1ETWnbDUX8kZWy7IH7mwQiRIXkKT8EHG3jO4uI0wP1fBgl+KwZf6EXP2s9Gaj8jx
+ hM3H90J4hQKBgF6Ii7vUEWW1BtIyxZvS5c6OCRwg4E4CiGbzkFINqHXi8n0r36zj
+ kHICggh7r6wF0tGrMrApGtYXX72hESTneY7I3N1+n9gRox3+4Zic7Vpvmn2lat1w
+ 7sRUtgcYt+jV80ZV81VbMsb6yF0mVZMi/YpMn/Y+wL99JQ9FDZiXU1BJAoGAIzq1
+ hakJ2Y7NQn02jPAGmSf6mNIFzPgp8HBtM3qxxR1ZCGX/k1CWTxtVZ+VF8lFc1O9y
+ jmEvHZYvI1GfLMKU1hrj5Jesm3AxETlUvfmrQz9jNYUkHKVnIbxdkjbQW+bniCoX
+ 04RBBqH8HycKdJQyVsWx4rBfPv6/bzwmiRvx8gECgYEAushj118qPg/QCz13JTp9
+ e/hwQ/ySBrUAiIZUPEu9Q1aAQRYmOpFzIrUWYBPsgEvqh9J0a7eemKBMCxjGsbiI
+ PMX2Ykvkp63VpT3e1BxEvzFtGCeOXFJK/PyWp6jJ3sPCz73fTzf4YwNW1LB0o7yz
+ vaM6yMaGewGkOyFTFgYwZOM=
+ -----END PRIVATE KEY-----
diff --git a/charts/apexkube-agent/templates/deployment.yaml b/charts/apexkube-agent/templates/deployment.yaml
index b899bd1..70e6d3d 100644
--- a/charts/apexkube-agent/templates/deployment.yaml
+++ b/charts/apexkube-agent/templates/deployment.yaml
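Review bot: ci-values.yaml commits a WireGuard private key (`wireguard.config.privateKey`) and an RSA private key (`tls.certData.tls.key`) with nothing marking them as throwaway fixtures; even for CI, key material in git trips secret scanners and invites reuse, so add a header comment such as `# CI-only fixture values: the keys and certificate below are throwaway, self-signed for localhost, and must not be used outside chart-testing`, and consider generating the TLS pair in the workflow step instead of committing it. The embedded certificate's validity window, decoded from the DER dates, ends on 2027-06-09, one year after the commit date, so anything in CI that actually validates it will start failing then. The peer `publicKey` and the JWT `x` value are the same 43-character string, which reads as a fixture but is worth stating explicitly so nobody mistakes the pair for a working peer configuration.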
@@ -86,8 +86,16 @@ spec:
 - /bin/sh
 - -c
 - |
- # Wait for WireGuard interface to be up (poll instead of fixed sleep)
- until ip link show wg0 > /dev/null 2>&1; do sleep 1; done; echo "WireGuard is up"
+ # Wait for WireGuard interface to be up (poll with timeout instead of indefinite loop)
+ for i in 1 2 3 4 5 6 7 8 9 10; do
+ if ip link show wg0 > /dev/null 2>&1; then
+ echo "WireGuard is up"
+ exit 0
+ fi
+ sleep 1
+ done
+ echo "WireGuard failed to start in time"
+ exit 1
 volumes:
 - name: envoy-config-volume
 configMap:
diff --git a/charts/apexkube-agent/values.yaml b/charts/apexkube-agent/values.yaml
index e17a25b..6313a38 100644
--- a/charts/apexkube-agent/values.yaml
+++ b/charts/apexkube-agent/values.yaml
@@ -120,6 +120,7 @@ wireguard:
 # Security context for WireGuard container
 # WireGuard requires elevated privileges to create network interfaces
 securityContext:
+ privileged: true
 capabilities:
 add: ["NET_ADMIN"]
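Review bot: The ten-second budget and the `wg0` interface name are both hard-coded in the script while the rest of the container is driven from values; a `wireguard.startupTimeoutSeconds` value rendered into the loop would let slower nodes be tuned without editing the template. Whether `exit 1` fails the pod depends on where this script runs (a container `command` or a lifecycle postStart hook; the enclosing spec starts outside the hunk), so the comment should say which, e.g. `# runs as <command|postStart hook — fill in>: a non-zero exit stops the pod from serving without the tunnel`, making the fail-closed intent explicit. The bounded loop is an improvement over the unbounded `until` it replaces, and `exit 0` on success keeps the hook short.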
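Review bot: `privileged: true` returns next to `capabilities.add: ["NET_ADMIN"]`, but the comment above still says only that WireGuard needs elevated privileges to create interfaces, which NET_ADMIN already grants; privileged additionally disables the default seccomp/AppArmor confinement, exposes host devices and grants every capability, and the commit message says "restore" without saying what NET_ADMIN alone failed on. Record it in the values file, e.g. `# privileged is set because NET_ADMIN alone was insufficient for <reason observed in CI — TODO fill in>; narrow to capabilities + sysctls once that reason is pinned down`. If the missing piece turns out to be a sysctl such as net.ipv4.ip_forward or a kernel-module load, pod-level `securityContext.sysctls` or an init container scoped to that one step keeps the long-running container unprivileged.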