feat(ipv6): new value forwardIPv6 sets sysctl net.ipv6.conf.all.forwarding (#81)

bryopsida · web-flow · commit f1ca83bdcea3 · 2025-10-19T06:47:12.000-05:00
Updates the original branch introduced by #80 and bumps the versions and updates the docs. Relates to #64
diff --git a/helm/wireguard/Chart.yaml b/helm/wireguard/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: wireguard
 description: A Helm chart for managing a wireguard vpn in kubernetes
 type: application
-version: 0.30.0
+version: 0.31.0
 appVersion: "0.0.0"
 maintainers:
   - name: bryopsida
diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md
@@ -1,6 +1,6 @@
 # wireguard
 
-![Version: 0.30.0](https://img.shields.io/badge/Version-0.30.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
+![Version: 0.31.0](https://img.shields.io/badge/Version-0.31.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
 
 A Helm chart for managing a wireguard vpn in kubernetes
 
@@ -143,6 +143,7 @@ A Helm chart for managing a wireguard vpn in kubernetes
 | service.enabled | bool | `true` | Whether the service will be created or not |
 | service.externalTrafficPolicy | string | `""` | External Traffic Policy for the service |
 | service.extraPorts | list | `[]` | Extra ports that can be attached to the service object, these are passed directly to the port array on the service and must be well formed to the specification |
+| service.ipFamilyPolicy | string | `"SingleStack"` | ipFamilyPolicy enables single or dual stack services |
 | service.loadBalancerClass | string | `""` | loadBalancerClass for Service Controllers that support it |
 | service.loadBalancerIP | string | `""` | IP to assign to the LoadBalancer service |
 | service.nodePort | int | `31820` | Node port, only valid with service type: NodePort |
@@ -153,6 +154,7 @@ A Helm chart for managing a wireguard vpn in kubernetes
 | volumeMounts | object | `{}` | Passthrough pod volume mounts |
 | volumes | object | `{}` | Passthrough pod volumes |
 | wireguard.clients | list | `[]` | A collection of clients that will be added to wg0.conf, accepts objects with keys PublicKey and AllowedIPs (mandatory) and optional FriendlyName or FriendlyJson (https://github.com/MindFlavor/prometheus_wireguard_exporter#friendly-tags) and PersistentKeepalive (https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence), stored in secret |
+| wireguard.forwardIPv6 | bool | `false` | If true, calls sysctl -w net.ipv6.conf.all.forwarding=1 |
 | wireguard.interfaceOpts | object | `{}` | A collection of extraopts for wireguard interface |
 | wireguard.natAddSourceNet | bool | `true` | Add the serverCidr to the nat source net option |
 | wireguard.serverAddress | string | `"10.34.0.1/24"` | Address of the VPN server |
diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml
@@ -134,7 +134,11 @@ spec:
           command:
           - sh
           - -c
+          {{- if .Values.forwardIPv6 }}
+          - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1 && sysctl -w net.ipv6.conf.all.forwarding=1
+          {{- else }}
           - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
+          {{- end }}
           securityContext: {{ include "init.securitycontext" . | nindent 12 }}
           resources: {{ .Values.initContainer.resources | toYaml | nindent 12 }}
       containers:
diff --git a/helm/wireguard/templates/service.yaml b/helm/wireguard/templates/service.yaml
@@ -33,4 +33,7 @@ spec:
   {{- if and .Values.service.loadBalancerClass (semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version) }}
   loadBalancerClass: {{ .Values.service.loadBalancerClass }}
   {{- end }}
-{{- end }}
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+{{- end }}
diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml
@@ -85,6 +85,8 @@ wireguard:
     #   PublicKey: QTxoajwVHWZ7qqVwY2F9T1L04M0j5GSNC15++LZw1iA=
     #   # Normally PersistentKeepalive is not required
     #   #PersistentKeepalive: 25
+  # -- If true, calls sysctl -w net.ipv6.conf.all.forwarding=1
+  forwardIPv6: false
 securityContext:
   runAsNonRoot: true
   runAsUser: 1000
@@ -110,6 +112,8 @@ service:
   extraPorts: []
   # -- loadBalancerClass for Service Controllers that support it
   loadBalancerClass: ""
+  # -- ipFamilyPolicy enables single or dual stack services
+  ipFamilyPolicy: "SingleStack"
 # -- Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one.
 secretName: ~
 replicaCount: 3
