From 3bc56b33b80c580885323d661564a29d6c5be6f8 Mon Sep 17 00:00:00 2001
From: Michael Thomson <michael@michaelthomson.dev>
Date: Wed, 17 Apr 2024 17:24:06 -0400
Subject: [PATCH] wireguard udp and protect wg dash

---
 traefik/helmrelease-traefik.yaml |  4 ++++
 wg-easy/ingress-route-tcp.yaml   | 12 ++++++++++++
 wg-easy/ingress.yaml             |  1 +
 3 files changed, 17 insertions(+)
 create mode 100644 wg-easy/ingress-route-tcp.yaml

diff --git a/traefik/helmrelease-traefik.yaml b/traefik/helmrelease-traefik.yaml
index a3ef362..00d0d57 100644
--- a/traefik/helmrelease-traefik.yaml
+++ b/traefik/helmrelease-traefik.yaml
@@ -757,6 +757,10 @@ spec:
       gitea-ssh:
         port: 55522
         expose: true
+      wireguard-udp:
+        port: 51820
+        expose: true
+        protocol: UDP
 
     # -- TLS Options are created as TLSOption CRDs
     # https://doc.traefik.io/traefik/https/tls/#tls-options
diff --git a/wg-easy/ingress-route-tcp.yaml b/wg-easy/ingress-route-tcp.yaml
new file mode 100644
index 0000000..46a438d
--- /dev/null
+++ b/wg-easy/ingress-route-tcp.yaml
@@ -0,0 +1,12 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteUDP
+metadata:
+  name: wireguard-udp
+  namespace: wg-easy
+spec:
+  entryPoints:
+    - wireguard-udp
+  routes:
+  - services:
+    - name: wg-easy
+      port: 51820
diff --git a/wg-easy/ingress.yaml b/wg-easy/ingress.yaml
index 0aed506..827120b 100644
--- a/wg-easy/ingress.yaml
+++ b/wg-easy/ingress.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: wg-easy
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   rules: