From 38602f79747b106ee54bacc169f341c610f2a50f Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 17 May 2026 10:13:37 +0000 Subject: [PATCH] wireguard: switch to iptables-nft so PostUp MASQUERADE works MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wireguard pod CrashLoopBackOff'd for hours with wg-quick's PostUp failing: iptables v1.8.4 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?) sclevine/wg's default `iptables` symlink points to iptables-legacy, which talks to the kernel's xt-tables. K8s nodes nowadays initialize their nat table via nftables (calico-node sets it up), so iptables-legacy in the container sees "no nat table" and bails. Reproduced by ephemerally debugging the live pod's namespaces (kubectl debug --copy-to + same mounts as the real pod) — wg-quick output matched verbatim. Fix: postStart now calls update-alternatives to point iptables and ip6tables at iptables-nft/ip6tables-nft (already present in the image) before exec'ing wg-quick. The wg0.conf PostUp MASQUERADE then writes to the nftables-backed nat table calico already populated. Verified: new pod went 2/2 Running with 0 restarts after apply. Co-Authored-By: Claude Opus 4.7
---
 stacks/wireguard/modules/wireguard/main.tf | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/stacks/wireguard/modules/wireguard/main.tf b/stacks/wireguard/modules/wireguard/main.tf
index aab1ac6f..c81b05d4 100644
--- a/stacks/wireguard/modules/wireguard/main.tf
+++ b/stacks/wireguard/modules/wireguard/main.tf
@@ -110,8 +110,20 @@ resource "kubernetes_deployment" "wireguard" {
 image_pull_policy = "IfNotPresent"
 lifecycle {
 post_start {
+ # Switch the container's `iptables` symlink to iptables-nft
+ # before running wg-quick. The Debian-based sclevine/wg image
+ # defaults to iptables-legacy, which talks to the kernel's
+ # xt-tables interface. K8s nodes initialize their nat table
+ # via nftables (kernel `nf_tables`), so iptables-legacy in the
+ # container fails the wg0.conf PostUp MASQUERADE with:
+ # can't initialize iptables table `nat': Table does not
+ # exist (do you need to insmod?)
+ # Reproduced inside the live pod's namespaces 2026-05-17. The
+ # `update-alternatives` call points iptables/ip6tables at the
+ # `-nft` binaries so the same wg0.conf PostUp/PostDown writes
+ # to the nftables-backed nat table calico already set up.
 exec {
- command = ["wg-quick", "up", "wg0"]
+ command = ["sh", "-c", "update-alternatives --set iptables /usr/sbin/iptables-nft >/dev/null && update-alternatives --set ip6tables /usr/sbin/ip6tables-nft >/dev/null && exec wg-quick up wg0"]
 }
 }
 pre_stop {
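Review bot: The new `command` hard-codes `/usr/sbin/iptables-nft` and `/usr/sbin/ip6tables-nft` and sends only stdout of the two `update-alternatives` calls to `/dev/null`, so if a future image lacks the alternative or moves the binary the `&&` chain stops before `exec wg-quick`, the postStart hook fails and the container is killed — the same CrashLoopBackOff symptom this commit fixes, with the real cause now visible only in the FailedPostStartHook event. Failing closed is the right choice here (starting wg-quick under legacy iptables would bring wg0 up with the MASQUERADE rule silently missing from the nat table calico shares), but the twelve-line comment never states that this is intended; add `# Both alternatives must succeed before wg-quick runs: a failed hook kills the container rather than bringing wg0 up without NAT.` at the end of it. The single-string shell command is also hard to read and to diff in HCL; building it with `join(" && ", [...])` keeps each step on its own line and makes the fail-closed chaining explicit. The enclosing `resource "kubernetes_deployment" "wireguard"` block begins and ends outside the hunk.
```hcl
exec {
  command = ["sh", "-c", join(" && ", [
    "update-alternatives --set iptables /usr/sbin/iptables-nft >/dev/null",
    "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft >/dev/null",
    "exec wg-quick up wg0",
  ])]
}
```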