apiVersion: apps/v1
kind: Deployment
metadata:
  name: zerotier-router
  namespace: zerotier
  labels:
    app: zerotier-router
spec:
  selector:
    matchLabels:
      app: zerotier-router
  replicas: 1
  template:
    metadata:
      labels:
        app: zerotier-router
    spec:
      containers:
        - name: zerotier-router
          image: zerotier/zerotier:latest  # TODO use tag
          command:
            - "sh"
            - "-c"
          args: # TODO optimize this
            - |
              # TODO install this on upstream image?
              apt-get install -y iptables

              # TODO is there a better way to get the interface name?
              export PHY_IFACE="$(ip route | grep ${POD_IP} | cut -d ' ' -f 3)"
              export ZT_IFACE=zt0

              # Override the default random interface name
              mkdir -p /var/lib/zerotier-one
              echo "${ZEROTIER_NETWORK_ID}=${ZT_IFACE}" >> /var/lib/zerotier-one/devicemap

              iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
              iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
              iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT

              /entrypoint.sh "${ZEROTIER_NETWORK_ID}"
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          envFrom:
            - secretRef:
                name: zerotier-router
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - name: dev-net-tun
              mountPath: /dev/net/tun
      volumes:
        - name: dev-net-tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice