K8s has a mild solution to chicken and egg situations for nodes - the nodes support ‘static manifests’ which can be pods they know how to bring up before ever connecting to the API server. So you could have your wireguard peer be brought up this way. Downside is while those static manifests show up in k8s APIs, they aren’t fully manageable since they are defined by files on disk.