2 changes: 1 addition & 1 deletion charts/apexkube-agent/Chart.yaml
Expand Up @@ -4,5 +4,5 @@ description: A Helm chart for deploying the ApexKube agent with Envoy and WireGu
maintainers:
- name: improwised
type: application
version: 1.0.1
version: 1.2.0
appVersion: "1.0.0"
65 changes: 65 additions & 0 deletions charts/apexkube-agent/ci/ci-values.yaml
@@ -0,0 +1,65 @@
envoy:
config:
jwt:
publicKey: "{\"keys\":[{\"alg\":\"EdDSA\",\"crv\":\"Ed25519\",\"kty\":\"OKP\",\"x\":\"11ks650uhzB2KlUPCoMDhtC2mkKfYym8U4WQjMeNjhU\"}]}"

wireguard:
config:
address: "10.0.0.2/24"
peer:
publicKey: "11ks650uhzB2KlUPCoMDhtC2mkKfYym8U4WQjMeNjhU="
endpoint: "wireguard.example.com:51820"
allowedIPs: "10.0.0.1/32"
privateKey: "uui586n4pFIq00r4+djMoM7mtA6zYjZXo2Euurmu0Xw="

tls:
certData:
tls.crt: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
tls.key: |
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjQSOi3wUfD1Cl
SCoeJVD7EkASIFVEXg2hGp6xtHCwMRleNmvkeOKObqdvu0XwkOiwhTR1ja67GjkK
ilymJJSajHJ3oyQQQOkrQCy5MDy/Dl8ObbM3DjkIXb7NRJd0rXNTQH4YhGRSltO5
rr3UuHIXInm/ME0uXQfCppnUuNlN3B1JCgqjVnZXysHRE305OrE7dxoIVOo4nIdm
0HdCgXwQ8H9OiVrpTBonJlD29h1Yqi++E7HrK1YMJSpjpRYDoEVe00/uAOQzsHlJ
OlcvvTo+TM2G8qxoXhtOCRYNaEIqGYU56T/aBTF5RHD6JIrD8WcXXkScVl57X8xL
dK1wcxO7AgMBAAECggEADkjoW9uE4LNf3J6EZO/h9p4hshRXMazDJ4ojQaxmwdwB
+r7rUOoM9OaUyw+JbqPXYH6/WNvlYqTIQfZaZgVEZYONjo9dW/i6DllGsIuafSM+
SQ5rRJF/hw5g4Cg00nZM5Yd6oR2Qg7OD4jb6kE71WLXhDkwlLL3iLHOUeUsVZJ0O
wc/COvrO82YHpmVyw+W1tatfnupKaaQQR6AT2rW1gw04OW3nSXXtkwELrXsmW9eD
IMBdHzNKoI64iWsZNrUKV2v+5sHIBp9szYdoggQ+0Cj8fYZPqqsH2qc3GdnoCdkG
t2A1VEc+a95FxriYdMDRu6YF+WWXsivXTPktelYKzQKBgQDONkeuMsKy/gcVLeib
Wy/U0KfG0zfaZWsi+B7b9OkGIUS/QwPboGhXsAG6ype8j9JkZIPLec4pzhVg+Vfi
N2gKp5W20ZcDHTyQHxSduaJ4Scxf13H3CMuXMHPY/3rzrXwzv7uoMFTRYySSI2bX
jEI8JDc9ThOMgfbnPUoLBEsvPwKBgQDKq7PImMxIds4NLd22FJLnKLarbf3R7omK
qO+MZvMNSJZr1+jWp8ROx0rb7OU0TJCuTGSgFYRJd6gfqFNhHjz1kR+g+qI6LN2D
1ETWnbDUX8kZWy7IH7mwQiRIXkKT8EHG3jO4uI0wP1fBgl+KwZf6EXP2s9Gaj8jx
hM3H90J4hQKBgF6Ii7vUEWW1BtIyxZvS5c6OCRwg4E4CiGbzkFINqHXi8n0r36zj
kHICggh7r6wF0tGrMrApGtYXX72hESTneY7I3N1+n9gRox3+4Zic7Vpvmn2lat1w
7sRUtgcYt+jV80ZV81VbMsb6yF0mVZMi/YpMn/Y+wL99JQ9FDZiXU1BJAoGAIzq1
hakJ2Y7NQn02jPAGmSf6mNIFzPgp8HBtM3qxxR1ZCGX/k1CWTxtVZ+VF8lFc1O9y
jmEvHZYvI1GfLMKU1hrj5Jesm3AxETlUvfmrQz9jNYUkHKVnIbxdkjbQW+bniCoX
04RBBqH8HycKdJQyVsWx4rBfPv6/bzwmiRvx8gECgYEAushj118qPg/QCz13JTp9
e/hwQ/ySBrUAiIZUPEu9Q1aAQRYmOpFzIrUWYBPsgEvqh9J0a7eemKBMCxjGsbiI
PMX2Ykvkp63VpT3e1BxEvzFtGCeOXFJK/PyWp6jJ3sPCz73fTzf4YwNW1LB0o7yz
vaM6yMaGewGkOyFTFgYwZOM=
-----END PRIVATE KEY-----
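Review bot: `wireguard.config.privateKey` and the PKCS#8 block under `tls.certData` are committed in plaintext with nothing in the file saying they are throwaway fixtures, so secret scanners will flag them and a reader cannot tell whether they were ever used outside CI. I would open the file with `# CI-only fixture: every key below is throwaway test material, generated for chart testing and never deployed`, and confirm that `.helmignore` lists `ci/`, because otherwise `helm package` would include this file in the packaged chart (`.helmignore` is not part of this diff). The peer `publicKey` is also the same base64 value as the `x` member of the JWK in `envoy.config.jwt.publicKey`; separate values would keep the fixture from modelling one key in two roles.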
20 changes: 13 additions & 7 deletions charts/apexkube-agent/templates/deployment.yaml
Expand Up @@ -64,10 +64,9 @@ spec:
port: healthcheck
{{- end }}
env:
- name: LOG_LEVEL
value: info
- name: ENABLE_HEALTHCHECK
value: "{{ .Values.wireguard.healthcheck.enabled }}"
{{- if .Values.wireguard.env }}
{{- toYaml .Values.wireguard.env | nindent 12 }}
{{- end }}
securityContext:
{{- toYaml .Values.wireguard.securityContext | nindent 12 }}
resources:
Expand All @@ -87,9 +86,16 @@ spec:
- /bin/sh
- -c
- |
# Wait for WireGuard interface to be up
sleep 5
echo "WireGuard interface should be up now"
# Wait for WireGuard interface to be up (poll with timeout instead of indefinite loop)
for i in 1 2 3 4 5 6 7 8 9 10; do
if ip link show wg0 > /dev/null 2>&1; then
echo "WireGuard is up"
exit 0
fi
sleep 1
done
echo "WireGuard failed to start in time"
exit 1
volumes:
- name: envoy-config-volume
configMap:
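Review bot: `ENABLE_HEALTHCHECK` is no longer derived from `.Values.wireguard.healthcheck.enabled` in the first hunk; it now comes from the `wireguard.env` default in values.yaml, which hard-codes `"true"`. The `{{- end }}` just above `env:` suggests the probe block is still gated by a values flag (the condition itself is outside the hunk), so setting `healthcheck.enabled: false` would presumably drop the probes while the variable still tells the container that health checking is on, and the opposite override would leave probes aimed at a disabled endpoint. I would keep the derived entry in the template, `- name: ENABLE_HEALTHCHECK` with `value: "{{ .Values.wireguard.healthcheck.enabled }}"`, directly under `env:` and render the user-supplied list after it. The same hard-coded default appears in the values.yaml section of this change.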
4 changes: 2 additions & 2 deletions charts/apexkube-agent/templates/envoy-config-cm.yaml
Expand Up @@ -11,7 +11,7 @@ data:
address:
socket_address:
address: 0.0.0.0
port_value: 8080
port_value: {{ .Values.envoy.containerPort }}
filter_chains:
- transport_socket:
name: envoy.transport_sockets.tls
Expand Down Expand Up @@ -68,7 +68,7 @@ data:
end

if cached_token then
request_handle:headers():add("Authorization", "Bearer " .. cached_token)
request_handle:headers():replace("Authorization", "Bearer " .. cached_token)
end
end
- name: envoy.filters.http.router
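Review bot: The switch to `replace` in the second hunk only overwrites `Authorization` when `cached_token` is set, so on the path where no token is cached a caller-supplied `Authorization` header still reaches the router filter unchanged. If upstream should only ever see the agent's own token, add an `else` branch that calls `request_handle:headers():remove("Authorization")`, or reject the request at that point. The logic that sets `cached_token` starts above the hunk, so whether this code can run with a nil token needs checking against the full filter.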
1 change: 1 addition & 0 deletions charts/apexkube-agent/templates/wireguard-config-cm.yaml
Expand Up @@ -10,6 +10,7 @@ data:
wg0.conf: |
[Interface]
Address = {{ .Values.wireguard.config.address }}
PostUp = wg set %i private-key /etc/wireguard/privatekey

[Peer]
PublicKey = {{ .Values.wireguard.config.peer.publicKey }}
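Review bot: The new `PostUp` line depends on `/etc/wireguard/privatekey` being present and readable only by the WireGuard process, but the volume that provides it is not part of this section. It is worth confirming in deployment.yaml that the file is mounted from the Secret with a restrictive mode (for example `defaultMode: 0400`) and that the mount does not collide with the ConfigMap mount that supplies `wg0.conf`, presumably in the same directory. A comment above the line, `# private key is read from the mounted Secret so it never appears in this ConfigMap`, would record why `[Interface]` carries no `PrivateKey`.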
20 changes: 8 additions & 12 deletions charts/apexkube-agent/values.yaml
Expand Up @@ -52,18 +52,6 @@ envoy:
# Container port for Envoy
containerPort: 10000

# Service configuration for Envoy
service:
# Service type (ClusterIP, NodePort, LoadBalancer)
type: ClusterIP
# Service port
port: 10000
# Target port on the container
targetPort: 10000
# NodePort (only applicable when type is NodePort)
# If not specified, Kubernetes will allocate one automatically
nodePort: ""

# WireGuard VPN configuration
wireguard:
image:
Expand Down Expand Up @@ -112,6 +100,14 @@ wireguard:
# WARNING: This is sensitive data. Consider using existingSecret for production
privateKey: "<wireguard-private-key>"

# Environment variables for WireGuard container (optional)
# Define as a list of env var objects; this replaces the hardcoded env in the deployment
env:
- name: LOG_LEVEL
value: "info"
- name: ENABLE_HEALTHCHECK
value: "true"

# Resource limits and requests for WireGuard container
resources:
requests:
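Review bot: The comment on `wireguard.env` does not say that Helm replaces list values wholesale, so a user who overrides `env` to add one variable silently loses `LOG_LEVEL` and `ENABLE_HEALTHCHECK`. I would extend the comment with `# NOTE: an override replaces this whole list; repeat LOG_LEVEL and ENABLE_HEALTHCHECK if you still need them`. The first hunk also removes `envoy.service`; any template that still reads `.Values.envoy.service.*` would now get empty values, which cannot be checked from this diff.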