From b0001063db5039389eff6a479269535fedf3b79a Mon Sep 17 00:00:00 2001 From: jon Date: Thu, 21 Dec 2023 15:07:26 +0000 Subject: [PATCH 01/18] add cmdlist method for configuration (squash commits) update chart version minor cosmetic updates test tes add default comments test test test test test test update postStart command test test test test use bash test corrections move from sidecar to lifecycle handler move cmdline configurator out of initContainer use Sidecar init cmdlist initContainers correction update values file correction single quote regex correct capcase correction fix indentation add cmdlist method for permit deny lists --- charts/pihole/Chart.yaml | 30 +- .../pihole/templates/configmap-cmdlist.yaml | 56 + charts/pihole/templates/configmap.yaml | 64 +- charts/pihole/templates/deployment.yaml | 704 ++++++----- charts/pihole/values.yaml | 1108 +++++++++-------- 5 files changed, 1038 insertions(+), 924 deletions(-) create mode 100644 charts/pihole/templates/configmap-cmdlist.yaml diff --git a/charts/pihole/Chart.yaml b/charts/pihole/Chart.yaml index 401af5f5..ad6fcd48 100644 --- a/charts/pihole/Chart.yaml +++ b/charts/pihole/Chart.yaml 
@@ -1,15 +1,15 @@ -apiVersion: v1 -description: Installs pihole in kubernetes -home: https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole -name: pihole -appVersion: "2023.11.0" -version: 2.20.0 -sources: - - https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole - - https://pi-hole.net/ - - https://github.com/pi-hole - - https://github.com/pi-hole/docker-pi-hole -icon: https://i2.wp.com/pi-hole.net/wp-content/uploads/2016/12/Vortex-R.png -maintainers: - - name: MoJo2600 - email: christian.erhardt@mojo2k.de +apiVersion: v1 +description: Installs pihole in kubernetes +home: https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole +name: pihole +appVersion: "2023.11.0" +version: 2.21.0 +sources: + - https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole + - https://pi-hole.net/ + - https://github.com/pi-hole + - https://github.com/pi-hole/docker-pi-hole +icon: https://i2.wp.com/pi-hole.net/wp-content/uploads/2016/12/Vortex-R.png +maintainers: + - name: MoJo2600 + email: christian.erhardt@mojo2k.de diff --git a/charts/pihole/templates/configmap-cmdlist.yaml b/charts/pihole/templates/configmap-cmdlist.yaml new file mode 100644 index 00000000..7c272911 --- /dev/null +++ b/charts/pihole/templates/configmap-cmdlist.yaml 
@@ -0,0 +1,56 @@ +{{ if .Values.cmdlist }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "pihole.fullname" . }}-cmdlist + labels: + app: {{ template "pihole.name" . }} + chart: {{ template "pihole.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + cmdlist.sh: | + # List of pihole commands to configure / reconfigure permit and deny lists + {{- if eq .Values.cmdlist.alwaysNuke true }} + pihole -w --nuke --noreload + pihole -b --nuke --noreload + pihole --white-wild --nuke --noreload + pihole --wild --nuke --noreload + pihole --white-regex --nuke --noreload + pihole --regex --nuke --noreload + pihole restartdns reload + sleep 5 + {{- end }} + {{- if .Values.cmdlist.permit }} + {{- range .Values.cmdlist.permit }} + pihole -w --noreload {{ . }} --comment "Added by pihole Helm chart" + {{- end }} + {{- end }} + {{- if .Values.cmdlist.deny }} + {{- range .Values.cmdlist.deny }} + pihole -b --noreload {{ . }} --comment "Added by pihole Helm chart" + {{- end }} + {{- end }} + {{- if .Values.cmdlist.permitWild }} + {{- range .Values.cmdlist.permitWild }} + pihole --white-wild --noreload {{ . }} --comment "Added by pihole Helm chart" + {{- end }} + {{- end }} + {{- if .Values.cmdlist.denyWild }} + {{- range .Values.cmdlist.denyWild }} + pihole --wild --noreload {{ . }} --comment "Added by pihole Helm chart" + {{- end }} + {{- end }} + {{- if .Values.cmdlist.permitRegex }} + {{- range .Values.cmdlist.permitRegex }} + pihole --white-regex --noreload '{{ . }}' --comment "Added by pihole Helm chart" + {{- end }} + {{- end }} + {{- if .Values.cmdlist.denyRegex }} + {{- range .Values.cmdlist.denyRegex }} + pihole --regex --noreload '{{ . }}' --comment "Added by pihole Helm chart" + {{- end }} + {{- end }} + pihole restartdns reload + # End of list +{{ end }} diff --git a/charts/pihole/templates/configmap.yaml b/charts/pihole/templates/configmap.yaml index af63f873..70e2dcc9 100644 --- a/charts/pihole/templates/configmap.yaml 
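Review bot: The permit/deny entries are rendered into `cmdlist.sh` unquoted (`pihole -w --noreload {{ . }}`) and the regex entries only wrapped in hand-placed single quotes, and the script is later sourced by bash inside the pihole container, so any shell metacharacter in a value, or a `'` inside a regex, changes what the script does instead of being handed to pihole. Since the plain lists are domain names, a render-time check is cheap and fails the install with a readable message: `{{- if not (regexMatch "^[A-Za-z0-9._-]+$" .) }}{{ fail (printf "cmdlist entry %q is not a domain" .) }}{{- end }}` before each `pihole` line, and for the two regex lists `{{ . | replace "'" "'\\''" | squote }}` escapes embedded quotes rather than relying on the literal `'{{ . }}'`. `{{- if eq .Values.cmdlist.alwaysNuke true }}` would read like the rest of the template as `{{- if .Values.cmdlist.alwaysNuke }}`, which also behaves sensibly when the key is absent. The `sleep 5` after the first `pihole restartdns reload` deserves a comment saying what it waits for, e.g. `# give FTL time to reload before the lists are repopulated`.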
+++ b/charts/pihole/templates/configmap.yaml @@ -1,32 +1,32 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "pihole.fullname" . }}-custom-dnsmasq - labels: - app: {{ template "pihole.name" . }} - chart: {{ template "pihole.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: - 02-custom.conf: | - addn-hosts=/etc/addn-hosts - {{- range .Values.dnsmasq.upstreamServers }} - {{ . }} - {{- end }} - {{- range .Values.dnsmasq.customDnsEntries }} - {{ . }} - {{- end }} - {{- if .Values.serviceDns.loadBalancerIP }} - dhcp-option=6,{{ .Values.serviceDns.loadBalancerIP }} - {{- end }} - {{- range .Values.dnsmasq.customSettings }} - {{ . }} - {{- end }} - addn-hosts: | - {{- range .Values.dnsmasq.additionalHostsEntries }} - {{ . }} - {{- end }} - 05-pihole-custom-cname.conf: | - {{- range .Values.dnsmasq.customCnameEntries }} - {{ . }} - {{- end }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "pihole.fullname" . }}-custom-dnsmasq + labels: + app: {{ template "pihole.name" . }} + chart: {{ template "pihole.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + 02-custom.conf: | + addn-hosts=/etc/addn-hosts + {{- range .Values.dnsmasq.upstreamServers }} + {{ . }} + {{- end }} + {{- range .Values.dnsmasq.customDnsEntries }} + {{ . }} + {{- end }} + {{- if .Values.serviceDns.loadBalancerIP }} + dhcp-option=6,{{ .Values.serviceDns.loadBalancerIP }} + {{- end }} + {{- range .Values.dnsmasq.customSettings }} + {{ . }} + {{- end }} + addn-hosts: | + {{- range .Values.dnsmasq.additionalHostsEntries }} + {{ . }} + {{- end }} + 05-pihole-custom-cname.conf: | + {{- range .Values.dnsmasq.customCnameEntries }} + {{ . }} + {{- end }} diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index f80481f8..02c2dc87 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml 
@@ -1,341 +1,363 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "pihole.fullname" . }} - labels: - app: {{ template "pihole.name" . }} - chart: {{ template "pihole.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - strategy: - type: {{ .Values.strategyType }} - {{- if eq .Values.strategyType "RollingUpdate" }} - rollingUpdate: - maxSurge: {{ .Values.maxSurge }} - maxUnavailable: {{ .Values.maxUnavailable }} - {{- end }} - selector: - matchLabels: - app: {{ template "pihole.name" . }} - release: {{ .Release.Name }} - template: - metadata: - annotations: - checksum.config.adlists: {{ include (print $.Template.BasePath "/configmap-adlists.yaml") . | sha256sum | trunc 63 }} - checksum.config.blacklist: {{ include (print $.Template.BasePath "/configmap-blacklist.yaml") . | sha256sum | trunc 63 }} - checksum.config.regex: {{ include (print $.Template.BasePath "/configmap-regex.yaml") . | sha256sum | trunc 63 }} - checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }} - checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }} - checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }} -{{- with .Values.podAnnotations }} -{{ toYaml . | indent 8 }} -{{- end }} - labels: - app: {{ template "pihole.name" . 
}} - release: {{ .Release.Name }} - spec: - {{- if .Values.antiaff.enabled }} - affinity: - podAntiAffinity: - {{- if .Values.antiaff.strict }} - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - {{- else }} - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - {{- end }} - matchExpressions: - - key: release - operator: In - values: - - {{ .Values.antiaff.avoidRelease }} - {{- if .Values.antiaff.namespaces}} - namespaces: - {{- toYaml .Values.antiaff.namespaces | nindent 14 }} - {{- end }} - topologyKey: "kubernetes.io/hostname" - {{- end }} - {{- if .Values.podDnsConfig.enabled }} - dnsPolicy: {{ .Values.podDnsConfig.policy }} - dnsConfig: - nameservers: - {{- toYaml .Values.podDnsConfig.nameservers | nindent 8 }} - {{- end }} - hostname: {{ .Values.hostname }} - hostNetwork: {{ .Values.hostNetwork }} - {{- with .Values.extraInitContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - {{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 8 }} - {{- end }} - {{- if .Values.monitoring.sidecar.enabled }} - - name: exporter - image: "{{ .Values.monitoring.sidecar.image.repository }}:{{ .Values.monitoring.sidecar.image.tag }}" - imagePullPolicy: {{ .Values.monitoring.sidecar.image.pullPolicy }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - env: - - name: PIHOLE_HOSTNAME - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: PIHOLE_PORT - value: "{{ .Values.webHttp }}" - - name: PIHOLE_PASSWORD - valueFrom: - secretKeyRef: - key: {{ .Values.admin.passwordKey | default "password" }} - name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) 
}} - resources: -{{ toYaml .Values.monitoring.sidecar.resources | indent 12 }} - ports: - - containerPort: {{ .Values.monitoring.sidecar.port }} - name: prometheus - protocol: TCP - {{- end }} - {{- if .Values.doh.enabled }} - - name: cloudflared - image: "{{ .Values.doh.repository }}:{{ .Values.doh.tag }}" - imagePullPolicy: {{ .Values.doh.pullPolicy }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - resources: - limits: - memory: 128Mi - ports: - - containerPort: 5053 - name: cloudflared-udp - protocol: UDP - - containerPort: 49312 - name: cloudflared-met - protocol: TCP - {{- if .Values.doh.envVars }} - env: - {{- range $key, $value := .Values.doh.envVars }} - - name: {{ $key | quote }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if .Values.doh.probes.liveness.enabled }} - livenessProbe: -{{ toYaml .Values.doh.probes.liveness.probe | indent 12 }} - initialDelaySeconds: {{ .Values.doh.probes.liveness.initialDelaySeconds }} - failureThreshold: {{ .Values.doh.probes.liveness.failureThreshold }} - timeoutSeconds: {{ .Values.doh.probes.liveness.timeoutSeconds }} - {{- end }} - {{- end }} - - name: {{ .Chart.Name }} - env: - - name: 'WEB_PORT' - value: "{{ .Values.webHttp }}" - - name: VIRTUAL_HOST - value: {{ .Values.virtualHost }} - - name: WEBPASSWORD - valueFrom: - secretKeyRef: - key: {{ .Values.admin.passwordKey | default "password" }} - name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) 
}} - {{- range $key, $value := .Values.extraEnvVars }} - - name: {{ $key | quote }} - value: {{ $value | quote }} - {{- end }} - {{- range $key, $value := .Values.extraEnvVarsSecret }} - - name: {{ $key | quote }} - valueFrom: - secretKeyRef: - key: {{ $value.key | quote }} - name: {{ $value.name | quote }} - {{- end }} - {{- if .Values.doh.enabled }} - - name: 'DNS1' - value: "127.0.0.1#5053" - - name: DNS2 - value: "127.0.0.1#5053" - {{- else }} - {{- if .Values.DNS1 }} - - name: 'PIHOLE_DNS_' - value: {{ if .Values.DNS2 }}{{ ( printf "%v;%v" .Values.DNS1 .Values.DNS2 ) | squote }}{{ else }}{{ .Values.DNS1 | squote }}{{ end }} - {{- end }} - {{- end }} - {{- range $key, $value := .Values.ftl }} - - name: 'FTLCONF_{{ $key }}' - value: {{ $value | quote }} - {{- end }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - privileged: {{ .Values.privileged }} - {{- if .Values.capabilities }} - capabilities: - {{- toYaml .Values.capabilities | nindent 14 }} - {{- end }} - ports: - - containerPort: {{ .Values.webHttp }} - name: http - protocol: TCP - - containerPort: 53 - name: dns - protocol: TCP - {{- if .Values.dnsHostPort.enabled }} - hostPort: {{ .Values.dnsHostPort.port }} - {{- end }} - - containerPort: 53 - name: dns-udp - protocol: UDP - {{- if .Values.dnsHostPort.enabled }} - hostPort: {{ .Values.dnsHostPort.port }} - {{- end }} - - containerPort: {{ .Values.webHttps }} - name: https - protocol: TCP - - containerPort: 67 - name: client-udp - protocol: UDP - {{- if .Values.probes.liveness.enabled }} - livenessProbe: - {{- if eq .Values.probes.liveness.type "command" }} - exec: - command: {{ .Values.probes.liveness.command | required "An array of command(s) is required if 'type' is set to 'command'." 
| toYaml | nindent 16 }} - {{- else }} - httpGet: - path: /admin/index.php - port: {{ .Values.probes.liveness.port }} - scheme: {{ .Values.probes.liveness.scheme }} - {{- end }} - initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} - failureThreshold: {{ .Values.probes.liveness.failureThreshold }} - timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} - - {{- end }} - {{- if .Values.probes.readiness.enabled }} - readinessProbe: - httpGet: - path: /admin/index.php - port: {{ .Values.probes.readiness.port }} - scheme: {{ .Values.probes.readiness.scheme }} - initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} - failureThreshold: {{ .Values.probes.readiness.failureThreshold }} - timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} - {{- end }} - volumeMounts: - - mountPath: /etc/pihole - name: config - {{- if .Values.persistentVolumeClaim.subPath }} - subPath: {{ .Values.persistentVolumeClaim.subPath }} - {{- end }} - - mountPath: /etc/dnsmasq.d/02-custom.conf - name: custom-dnsmasq - subPath: 02-custom.conf - - mountPath: /etc/addn-hosts - name: custom-dnsmasq - subPath: addn-hosts - {{- if .Values.dnsmasq.customCnameEntries }} - - mountPath: /etc/dnsmasq.d/05-pihole-custom-cname.conf - name: custom-dnsmasq - subPath: 05-pihole-custom-cname.conf - {{- end }} - {{- if .Values.adlists }} - - mountPath: /etc/pihole/adlists.list - name: adlists - subPath: adlists.list - {{- end }} - {{- if .Values.blacklist }} - - mountPath: /etc/pihole/blacklist.txt - name: blacklist - subPath: blacklist.txt - {{- end }} - {{- if .Values.regex }} - - mountPath: /etc/pihole/regex.list - name: regex - subPath: regex.list - {{- end }} - {{- if .Values.whitelist }} - - mountPath: /etc/pihole/whitelist.txt - name: whitelist - subPath: whitelist.txt - {{- end }} - {{- if .Values.dnsmasq.staticDhcpEntries }} - - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf - name: static-dhcp - subPath: pihole-static-dhcp.conf - {{- end }} - {{- 
range $key, $value := .Values.extraVolumeMounts }} - - name: {{ $key }} -{{- toYaml $value | nindent 12 }} - {{- end }} - resources: -{{ toYaml .Values.resources | indent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - - name: config - {{- if .Values.persistentVolumeClaim.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.persistentVolumeClaim.existingClaim }}{{ .Values.persistentVolumeClaim.existingClaim }}{{- else }}{{ template "pihole.fullname" . }}{{- end }} - {{- else if .Values.customVolumes.enabled }} -{{- toYaml .Values.customVolumes.config | nindent 8 }} - {{- else }} - emptyDir: {} - {{- end }} - - configMap: - defaultMode: 420 - name: {{ template "pihole.fullname" . }}-custom-dnsmasq - name: custom-dnsmasq - {{- if .Values.adlists }} - - configMap: - defaultMode: 420 - name: {{ template "pihole.fullname" . }}-adlists - name: adlists - {{- end }} - {{- if .Values.whitelist }} - - configMap: - defaultMode: 420 - name: {{ template "pihole.fullname" . }}-whitelist - name: whitelist - {{- end }} - {{- if .Values.dnsmasq.staticDhcpEntries }} - - configMap: - defaultMode: 420 - name: {{ template "pihole.fullname" . }}-static-dhcp - name: static-dhcp - {{- end }} - {{- if .Values.blacklist }} - - configMap: - defaultMode: 420 - name: {{ template "pihole.fullname" . }}-blacklist - name: blacklist - {{- end }} - {{- if .Values.regex }} - - configMap: - defaultMode: 420 - name: {{ template "pihole.fullname" . 
}}-regex - name: regex - {{- end }} - {{- range $key, $value := .Values.extraVolumes }} - - name: {{ $key }} -{{- toYaml $value | nindent 8 }} - {{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "pihole.fullname" . }} + labels: + app: {{ template "pihole.name" . }} + chart: {{ template "pihole.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.strategyType }} + {{- if eq .Values.strategyType "RollingUpdate" }} + rollingUpdate: + maxSurge: {{ .Values.maxSurge }} + maxUnavailable: {{ .Values.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app: {{ template "pihole.name" . }} + release: {{ .Release.Name }} + template: + metadata: + annotations: + checksum.config.adlists: {{ include (print $.Template.BasePath "/configmap-adlists.yaml") . | sha256sum | trunc 63 }} + checksum.config.blacklist: {{ include (print $.Template.BasePath "/configmap-blacklist.yaml") . | sha256sum | trunc 63 }} + checksum.config.regex: {{ include (print $.Template.BasePath "/configmap-regex.yaml") . | sha256sum | trunc 63 }} + checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }} + checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }} + checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }} + checksum.config.cmdlist: {{ include (print $.Template.BasePath "/configmap-cmdlist.yaml") . | sha256sum | trunc 63 }} +{{- with .Values.podAnnotations }} +{{ toYaml . | indent 8 }} +{{- end }} + labels: + app: {{ template "pihole.name" . 
}} + release: {{ .Release.Name }} + spec: + {{- if .Values.antiaff.enabled }} + affinity: + podAntiAffinity: + {{- if .Values.antiaff.strict }} + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + {{- else }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + {{- end }} + matchExpressions: + - key: release + operator: In + values: + - {{ .Values.antiaff.avoidRelease }} + {{- if .Values.antiaff.namespaces}} + namespaces: + {{- toYaml .Values.antiaff.namespaces | nindent 14 }} + {{- end }} + topologyKey: "kubernetes.io/hostname" + {{- end }} + {{- if .Values.podDnsConfig.enabled }} + dnsPolicy: {{ .Values.podDnsConfig.policy }} + dnsConfig: + nameservers: + {{- toYaml .Values.podDnsConfig.nameservers | nindent 8 }} + {{- end }} + hostname: {{ .Values.hostname }} + hostNetwork: {{ .Values.hostNetwork }} + {{- with .Values.extraInitContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + {{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.monitoring.sidecar.enabled }} + - name: exporter + image: "{{ .Values.monitoring.sidecar.image.repository }}:{{ .Values.monitoring.sidecar.image.tag }}" + imagePullPolicy: {{ .Values.monitoring.sidecar.image.pullPolicy }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + env: + - name: PIHOLE_HOSTNAME + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: PIHOLE_PORT + value: "{{ .Values.webHttp }}" + - name: PIHOLE_PASSWORD + valueFrom: + secretKeyRef: + key: {{ .Values.admin.passwordKey | default "password" }} + name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) 
}} + resources: +{{ toYaml .Values.monitoring.sidecar.resources | indent 12 }} + ports: + - containerPort: {{ .Values.monitoring.sidecar.port }} + name: prometheus + protocol: TCP + {{- end }} + {{- if .Values.doh.enabled }} + - name: cloudflared + image: "{{ .Values.doh.repository }}:{{ .Values.doh.tag }}" + imagePullPolicy: {{ .Values.doh.pullPolicy }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + resources: + limits: + memory: 128Mi + ports: + - containerPort: 5053 + name: cloudflared-udp + protocol: UDP + - containerPort: 49312 + name: cloudflared-met + protocol: TCP + {{- if .Values.doh.envVars }} + env: + {{- range $key, $value := .Values.doh.envVars }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + {{- if .Values.doh.probes.liveness.enabled }} + livenessProbe: +{{ toYaml .Values.doh.probes.liveness.probe | indent 12 }} + initialDelaySeconds: {{ .Values.doh.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.doh.probes.liveness.failureThreshold }} + timeoutSeconds: {{ .Values.doh.probes.liveness.timeoutSeconds }} + {{- end }} + {{- end }} + - name: {{ .Chart.Name }} + env: + - name: 'WEB_PORT' + value: "{{ .Values.webHttp }}" + - name: VIRTUAL_HOST + value: {{ .Values.virtualHost }} + - name: WEBPASSWORD + valueFrom: + secretKeyRef: + key: {{ .Values.admin.passwordKey | default "password" }} + name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) 
}} + {{- range $key, $value := .Values.extraEnvVars }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + {{- range $key, $value := .Values.extraEnvVarsSecret }} + - name: {{ $key | quote }} + valueFrom: + secretKeyRef: + key: {{ $value.key | quote }} + name: {{ $value.name | quote }} + {{- end }} + {{- if .Values.doh.enabled }} + - name: 'DNS1' + value: "127.0.0.1#5053" + - name: DNS2 + value: "127.0.0.1#5053" + {{- else }} + {{- if .Values.DNS1 }} + - name: 'PIHOLE_DNS_' + value: {{ if .Values.DNS2 }}{{ ( printf "%v;%v" .Values.DNS1 .Values.DNS2 ) | squote }}{{ else }}{{ .Values.DNS1 | squote }}{{ end }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.ftl }} + - name: 'FTLCONF_{{ $key }}' + value: {{ $value | quote }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + privileged: {{ .Values.privileged }} + {{- if .Values.capabilities }} + capabilities: + {{- toYaml .Values.capabilities | nindent 14 }} + {{- end }} + ports: + - containerPort: {{ .Values.webHttp }} + name: http + protocol: TCP + - containerPort: 53 + name: dns + protocol: TCP + {{- if .Values.dnsHostPort.enabled }} + hostPort: {{ .Values.dnsHostPort.port }} + {{- end }} + - containerPort: 53 + name: dns-udp + protocol: UDP + {{- if .Values.dnsHostPort.enabled }} + hostPort: {{ .Values.dnsHostPort.port }} + {{- end }} + - containerPort: {{ .Values.webHttps }} + name: https + protocol: TCP + - containerPort: 67 + name: client-udp + protocol: UDP + {{- if .Values.probes.liveness.enabled }} + livenessProbe: + {{- if eq .Values.probes.liveness.type "command" }} + exec: + command: {{ .Values.probes.liveness.command | required "An array of command(s) is required if 'type' is set to 'command'." 
| toYaml | nindent 16 }} + {{- else }} + httpGet: + path: /admin/index.php + port: {{ .Values.probes.liveness.port }} + scheme: {{ .Values.probes.liveness.scheme }} + {{- end }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} + + {{- end }} + {{- if .Values.probes.readiness.enabled }} + readinessProbe: + httpGet: + path: /admin/index.php + port: {{ .Values.probes.readiness.port }} + scheme: {{ .Values.probes.readiness.scheme }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} + {{- end }} + {{- if .Values.cmdlist }} + # Using bash for the convenience of source + lifecycle: + postStart: + exec: + command: + - 'bash' + - '-c' + - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + {{ end }} + volumeMounts: + - mountPath: /etc/pihole + name: config + {{- if .Values.persistentVolumeClaim.subPath }} + subPath: {{ .Values.persistentVolumeClaim.subPath }} + {{- end }} + - mountPath: /etc/dnsmasq.d/02-custom.conf + name: custom-dnsmasq + subPath: 02-custom.conf + - mountPath: /etc/addn-hosts + name: custom-dnsmasq + subPath: addn-hosts + {{- if .Values.dnsmasq.customCnameEntries }} + - mountPath: /etc/dnsmasq.d/05-pihole-custom-cname.conf + name: custom-dnsmasq + subPath: 05-pihole-custom-cname.conf + {{- end }} + {{- if .Values.adlists }} + - mountPath: /etc/pihole/adlists.list + name: adlists + subPath: adlists.list + {{- end }} + {{- if .Values.blacklist }} + - mountPath: /etc/pihole/blacklist.txt + name: blacklist + subPath: blacklist.txt + {{- end }} + {{- if .Values.regex }} + - mountPath: /etc/pihole/regex.list + name: regex + 
subPath: regex.list + {{- end }} + {{- if .Values.whitelist }} + - mountPath: /etc/pihole/whitelist.txt + name: whitelist + subPath: whitelist.txt + {{- end }} + {{- if .Values.cmdlist }} + - mountPath: /etc/pihole/cmdlist.sh + name: cmdlist + subPath: cmdlist.sh + {{- end }} + {{- if .Values.dnsmasq.staticDhcpEntries }} + - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf + name: static-dhcp + subPath: pihole-static-dhcp.conf + {{- end }} + {{- range $key, $value := .Values.extraVolumeMounts }} + - name: {{ $key }} +{{- toYaml $value | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: config + {{- if .Values.persistentVolumeClaim.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.persistentVolumeClaim.existingClaim }}{{ .Values.persistentVolumeClaim.existingClaim }}{{- else }}{{ template "pihole.fullname" . }}{{- end }} + {{- else if .Values.customVolumes.enabled }} +{{- toYaml .Values.customVolumes.config | nindent 8 }} + {{- else }} + emptyDir: {} + {{- end }} + - configMap: + defaultMode: 420 + name: {{ template "pihole.fullname" . }}-custom-dnsmasq + name: custom-dnsmasq + {{- if .Values.adlists }} + - configMap: + defaultMode: 420 + name: {{ template "pihole.fullname" . }}-adlists + name: adlists + {{- end }} + {{- if .Values.whitelist }} + - configMap: + defaultMode: 420 + name: {{ template "pihole.fullname" . 
}}-whitelist + name: whitelist + {{- end }} + {{- if .Values.dnsmasq.staticDhcpEntries }} + - configMap: + defaultMode: 420 + name: {{ template "pihole.fullname" . }}-static-dhcp + name: static-dhcp + {{- end }} + {{- if .Values.blacklist }} + - configMap: + defaultMode: 420 + name: {{ template "pihole.fullname" . }}-blacklist + name: blacklist + {{- end }} + {{- if .Values.regex }} + - configMap: + defaultMode: 420 + name: {{ template "pihole.fullname" . }}-regex + name: regex + {{- end }} + {{- if .Values.cmdlist }} + - configMap: + defaultMode: 420 + name: {{ template "pihole.fullname" . }}-cmdlist + name: cmdlist + {{- end }} + {{- range $key, $value := .Values.extraVolumes }} + - name: {{ $key }} +{{- toYaml $value | nindent 8 }} + {{- end }} diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml index d16d571a..fd2e0cf2 100644 --- a/charts/pihole/values.yaml +++ b/charts/pihole/values.yaml 
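Review bot: The `postStart` hook added below the readiness probe waits in an unbounded `until pihole status | grep enabled` loop and then a fixed `sleep 20` before sourcing the script; if pihole never reports enabled the handler never returns, and as far as I recall the kubelet keeps the container out of Running until postStart completes, so the pod hangs with nothing in its events to explain why. A bounded wait fails fast instead, e.g. `for i in $(seq 1 60); do pihole status | grep -q enabled && break; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1`, and the 20-second delay should carry a comment stating what it is waiting for. Note also that `source` executes whatever the `-cmdlist` ConfigMap holds inside a container that may run with `privileged` and `hostNetwork` (both driven by values just above), so write access to that ConfigMap amounts to command execution in the pod and its RBAC should be reviewed with that in mind. The closing `{{ end }}` after the hook is the only untrimmed end tag in the template; `{{- end }}` keeps the rendered output consistent with the surrounding blocks.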
@@ -1,536 +1,572 @@ -# Default values for pihole. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- The number of replicas -replicaCount: 1 - -# -- The `spec.strategyTpye` for updates -strategyType: RollingUpdate - -# -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. -maxSurge: 1 - -# -- The maximum number of Pods that can be unavailable during updating -maxUnavailable: 1 - -image: - # -- the repostory to pull the image from - repository: "pihole/pihole" - # -- the docker tag, if left empty it will get it from the chart's appVersion - tag: "" - # -- the pull policy - pullPolicy: IfNotPresent - -dualStack: - # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` - enabled: false - -dnsHostPort: - # -- set this to true to enable dnsHostPort - enabled: false - # -- default port for this pod - port: 53 - -# -- Configuration for the DNS service on port 53 -serviceDns: - # -- deploys a mixed (TCP + UDP) Service instead of separate ones - mixedService: false - - # -- `spec.type` for the DNS Service - type: NodePort - - # -- The port of the DNS service - port: 53 - - # -- Optional node port for the DNS service - nodePort: "" - - # -- `spec.externalTrafficPolicy` for the DHCP Service - externalTrafficPolicy: Local - - # -- A fixed `spec.loadBalancerIP` for the DNS Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service - loadBalancerIPv6: "" - - # -- Annotations for the DNS service - annotations: - {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc - -# -- Configuration for the DHCP service on port 67 -serviceDhcp: - # -- Generate a Service resource for DHCP traffic - enabled: true - - # -- `spec.type` for the DHCP Service - type: NodePort - - # -- The port of the DHCP service - port: 67 
- - # -- Optional node port for the DHCP service - nodePort: "" - - # -- `spec.externalTrafficPolicy` for the DHCP Service - externalTrafficPolicy: Local - - # -- A fixed `spec.loadBalancerIP` for the DHCP Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service - loadBalancerIPv6: "" - - # -- Annotations for the DHCP service - annotations: - {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc - -# -- Configuration for the web interface service -serviceWeb: - # -- Configuration for the HTTP web interface listener - http: - # -- Generate a service for HTTP traffic - enabled: true - - # -- The port of the web HTTP service - port: 80 - - # -- Optional node port for the web HTTP service - nodePort: "" - - # -- Configuration for the HTTPS web interface listener - https: - # -- Generate a service for HTTPS traffic - enabled: true - - # -- The port of the web HTTPS service - port: 443 - - # -- Optional node port for the web HTTPS service - nodePort: "" - - # -- `spec.type` for the web interface Service - type: ClusterIP - - # -- `spec.externalTrafficPolicy` for the web interface Service - externalTrafficPolicy: Local - - # -- A fixed `spec.loadBalancerIP` for the web interface Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service - loadBalancerIPv6: "" - - # -- Annotations for the DHCP service - annotations: - {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc - -virtualHost: pi.hole - -# -- Configuration for the Ingress -ingress: - # -- Generate a Ingress resource - enabled: false - - # -- Specify an ingressClassName - # ingressClassName: nginx - - # -- Annotations for the ingress - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - path: / - hosts: - # virtualHost (default value is pi.hole) will be appended to the hosts - - 
chart-example.local - tls: [] - # - secretName: chart-example-tls - # hosts: - # #- virtualHost (default value is pi.hole) will be appended to the hosts - # - chart-example.local - -# -- Probes configuration -probes: - # -- probes.liveness -- Configure the healthcheck for the ingress controller - liveness: - # -- Generate a liveness probe - # 'type' defaults to httpGet, can be set to 'command' to use a command type liveness probe. - type: httpGet - # command: - # - /bin/bash - # - -c - # - /bin/true - enabled: true - initialDelaySeconds: 60 - failureThreshold: 10 - timeoutSeconds: 5 - port: http - scheme: HTTP - readiness: - # -- Generate a readiness probe - enabled: true - initialDelaySeconds: 60 - failureThreshold: 3 - timeoutSeconds: 5 - port: http - scheme: HTTP - -# -- We usually recommend not to specify default resources and to leave this as a conscious -# -- choice for the user. This also increases chances charts run on environments with little -# -- resources, such as Minikube. If you do want to specify resources, uncomment the following -# -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. -resources: - {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# -- `spec.PersitentVolumeClaim` configuration -persistentVolumeClaim: - # -- set to true to use pvc - enabled: false - - # -- specify an existing `PersistentVolumeClaim` to use - # existingClaim: "" - - # -- Annotations for the `PersitentVolumeClaim` - annotations: {} - - accessModes: - - ReadWriteOnce - - size: "500Mi" - - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## If subPath is set mount a sub folder of a volume instead of the root of the volume. 
- ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). - - ## subPath: "pihole" - -nodeSelector: {} - -tolerations: [] - -# -- Specify a priorityClassName -# priorityClassName: "" - -# Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: [] -# - maxSkew: -# topologyKey: -# whenUnsatisfiable: -# labelSelector: - -affinity: {} - -# -- Administrator password when not using an existing secret (see below) -adminPassword: "admin" - -# -- Use an existing secret for the admin password. -admin: - # -- Specify an existing secret to use as admin password - existingSecret: "" - # -- Specify the key inside the secret to use - passwordKey: "password" - -# -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use -extraEnvVars: - {} - # TZ: UTC - -# -- extraEnvVarsSecret is a list of secrets to load in as environment variables. -extraEnvVarsSecret: - {} - # env_var: - # name: secret-name - # key: secret-key - -# -- default upstream DNS 1 server to use -DNS1: "8.8.8.8" -# -- default upstream DNS 2 server to use -DNS2: "8.8.4.4" - -antiaff: - # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) - enabled: false - # -- Here you can set the pihole release (you set in `helm install ...`) - # you want to avoid - avoidRelease: pihole1 - # -- Here you can choose between preferred or required - strict: true - # -- Here you can pass namespaces to be part of those inclueded in anti-affinity - namespaces: [] - -doh: - # -- set to true to enabled DNS over HTTPs via cloudflared - enabled: false - name: "cloudflared" - repository: "crazymax/cloudflared" - tag: latest - pullPolicy: IfNotPresent - # -- Here you can pass environment variables to the DoH container, for example: - envVars: - {} - # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" - - # -- Probes configuration - probes: - # -- 
Configure the healthcheck for the doh container - liveness: - # -- set to true to enable liveness probe - enabled: true - # -- customize the liveness probe - probe: - exec: - command: - - nslookup - - -po=5053 - - cloudflare.com - - "127.0.0.1" - # -- defines the initial delay for the liveness probe - initialDelaySeconds: 60 - # -- defines the failure threshold for the liveness probe - failureThreshold: 10 - # -- defines the timeout in secondes for the liveness probe - timeoutSeconds: 5 - -dnsmasq: - # -- Add upstream dns servers. All lines will be added to the pihole dnsmasq configuration - upstreamServers: [] - # - server=/foo.bar/192.168.178.10 - # - server=/bar.foo/192.168.178.11 - - # -- Add custom dns entries to override the dns resolution. All lines will be added to the pihole dnsmasq configuration. - customDnsEntries: [] - # - address=/foo.bar/192.168.178.10 - # - address=/bar.foo/192.168.178.11 - - # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like - additionalHostsEntries: [] - # - 192.168.0.3 host4 - # - 192.168.0.4 host5 - - # -- Static DHCP config - staticDhcpEntries: [] - # staticDhcpEntries: - # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME - - # -- Other options - customSettings: - # otherSettings: - # - rebind-domain-ok=/plex.direct/ - - # -- Here we specify custom cname entries that should point to `A` records or - # elements in customDnsEntries array. - # The format should be: - # - cname=cname.foo.bar,foo.bar - # - cname=cname.bar.foo,bar.foo - # - cname=cname record,dns record - customCnameEntries: [] - # Here we specify custom cname entries that should point to `A` records or - # elements in customDnsEntries array. - # The format should be: - # - cname=cname.foo.bar,foo.bar - # - cname=cname.bar.foo,bar.foo - # - cname=cname record,dns record - -# -- list of adlists to import during initial start of the container -adlists: - {} - # If you want to provide blocklists, add them here. 
- # - https://hosts-file.net/grm.txt - # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts - -# -- list of whitelisted domains to import during initial start of the container -whitelist: - {} - # If you want to provide whitelisted domains, add them here. - # - clients4.google.com - -# -- list of blacklisted domains to import during initial start of the container -blacklist: - {} - # If you want to have special domains blacklisted, add them here - # - *.blackist.com - -# -- list of blacklisted regex expressions to import during initial start of the container -regex: - {} - # Add regular expression blacklist items - # - (^|\.)facebook\.com$ - -# -- values that should be added to pihole-FTL.conf -ftl: - {} - # Add values for pihole-FTL.conf - # MAXDBDAYS: 14 - -# -- port the container should use to expose HTTP traffic -webHttp: "80" - -# -- port the container should use to expose HTTPS traffic -webHttps: "443" - -# -- hostname of pod -hostname: "" - -# -- should the container use host network -hostNetwork: "false" - -# -- should container run in privileged mode -privileged: "false" - -# linux capabilities container should run with -capabilities: - {} - # add: - # - NET_ADMIN - -customVolumes: - # -- set this to true to enable custom volumes - enabled: false - # -- any volume type can be used here - config: - {} - # hostPath: - # path: "/mnt/data" - -# -- any extra volumes you might want -extraVolumes: - {} - # external-conf: - # configMap: - # name: pi-hole-lighttpd-external-conf - -# -- any extra volume mounts you might want -extraVolumeMounts: - {} - # external-conf: - # mountPath: /etc/lighttpd/external.conf - # subPath: external.conf - -extraContainers: - [] - # - name: pihole-logwatcher - # image: your-registry/pihole-logwatcher - # imagePullPolicy: Always - # resources: - # requests: - # cpu: 100m - # memory: 5Mi - # limits: - # cpu: 100m - # memory: 5Mi - # volumeMounts: - # - name: pihole-logs - # mountPath: 
/var/log/pihole - -# -- any extra kubernetes manifests you might want -extraObjects: - [] - # - apiVersion: v1 - # kind: ConfigMap - # metadata: - # name: pi-hole-lighttpd-external-conf - # data: - # external.conf: | - # $HTTP["host"] =~ "example.foo" { - # # If we're using a non-standard host for pihole, ensure the Pi-hole - # # Block Page knows that this is not a blocked domain - # setenv.add-environment = ("fqdn" => "true") - # - # # Enable the SSL engine with a cert, only for this specific host - # $SERVER["socket"] == ":443" { - # ssl.engine = "enable" - # ssl.pemfile = "/etc/ssl/lighttpd-private/tls.crt" - # ssl.privkey = "/etc/ssl/lighttpd-private/tls.key" - # ssl.ca-file = "/etc/ssl/lighttpd-private/ca.crt" - # ssl.honor-cipher-order = "enable" - # ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" - # ssl.use-sslv2 = "disable" - # ssl.use-sslv3 = "disable" - # } - # } - # - # # Redirect HTTP to HTTPS - # $HTTP["scheme"] == "http" { - # $HTTP["host"] =~ ".*" { - # url.redirect = (".*" => "https://%0$0") - # } - # } - -# -- Additional annotations for pods -podAnnotations: - {} - # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) - # prometheus.io/port: '9617' - # prometheus.io/scrape: 'true' - -# -- any initContainers you might want to run before starting pihole -extraInitContainers: - [] - # - name: copy-config - # image: busybox - # args: - # - sh - # - -c - # - | - # cp /etc/lighttpd-cm/external.conf /etc/lighttpd/ - # ls -l /etc/lighttpd/ - # volumeMounts: - # - name: external-conf-cm - # mountPath: /etc/lighttpd-cm/ - # - name: external-conf - # mountPath: /etc/lighttpd/ - -monitoring: - # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. 
- podMonitor: - # -- set this to true to enable podMonitor - enabled: false - # -- Sidecar configuration - sidecar: - # -- set this to true to enable podMonitor as sidecar - enabled: false - port: 9617 - image: - repository: ekofr/pihole-exporter - tag: v0.3.0 - pullPolicy: IfNotPresent - resources: - limits: - memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -podDnsConfig: - enabled: true - policy: "None" - nameservers: - - 127.0.0.1 - - 8.8.8.8 - -# -- configure a Pod Disruption Budget -podDisruptionBudget: - # -- set to true to enable creating the PDB - enabled: false - # -- minimum number of pods Kubernetes should try to have running at all times - minAvailable: 1 - # -- maximum number of pods Kubernetes will allow to be unavailable. Cannot set both `minAvailable` and `maxAvailable` - # maxUnavailable: 1 +# Default values for pihole. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- The number of replicas +replicaCount: 1 + +# -- The `spec.strategyTpye` for updates +strategyType: RollingUpdate + +# -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. 
+maxSurge: 1 + +# -- The maximum number of Pods that can be unavailable during updating +maxUnavailable: 1 + +image: + # -- the repostory to pull the image from + repository: "pihole/pihole" + # -- the docker tag, if left empty it will get it from the chart's appVersion + tag: "" + # -- the pull policy + pullPolicy: IfNotPresent + +dualStack: + # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` + enabled: false + +dnsHostPort: + # -- set this to true to enable dnsHostPort + enabled: false + # -- default port for this pod + port: 53 + +# -- Configuration for the DNS service on port 53 +serviceDns: + # -- deploys a mixed (TCP + UDP) Service instead of separate ones + mixedService: false + + # -- `spec.type` for the DNS Service + type: NodePort + + # -- The port of the DNS service + port: 53 + + # -- Optional node port for the DNS service + nodePort: "" + + # -- `spec.externalTrafficPolicy` for the DHCP Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DNS Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service + loadBalancerIPv6: "" + + # -- Annotations for the DNS service + annotations: + {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +# -- Configuration for the DHCP service on port 67 +serviceDhcp: + # -- Generate a Service resource for DHCP traffic + enabled: true + + # -- `spec.type` for the DHCP Service + type: NodePort + + # -- The port of the DHCP service + port: 67 + + # -- Optional node port for the DHCP service + nodePort: "" + + # -- `spec.externalTrafficPolicy` for the DHCP Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DHCP Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + 
annotations: + {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +# -- Configuration for the web interface service +serviceWeb: + # -- Configuration for the HTTP web interface listener + http: + # -- Generate a service for HTTP traffic + enabled: true + + # -- The port of the web HTTP service + port: 80 + + # -- Optional node port for the web HTTP service + nodePort: "" + + # -- Configuration for the HTTPS web interface listener + https: + # -- Generate a service for HTTPS traffic + enabled: true + + # -- The port of the web HTTPS service + port: 443 + + # -- Optional node port for the web HTTPS service + nodePort: "" + + # -- `spec.type` for the web interface Service + type: ClusterIP + + # -- `spec.externalTrafficPolicy` for the web interface Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the web interface Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: + {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +virtualHost: pi.hole + +# -- Configuration for the Ingress +ingress: + # -- Generate a Ingress resource + enabled: false + + # -- Specify an ingressClassName + # ingressClassName: nginx + + # -- Annotations for the ingress + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + # virtualHost (default value is pi.hole) will be appended to the hosts + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # #- virtualHost (default value is pi.hole) will be appended to the hosts + # - chart-example.local + +# -- Probes configuration +probes: + # -- probes.liveness -- Configure the healthcheck for the ingress controller + liveness: + # -- Generate a liveness probe + # 'type' defaults to httpGet, 
can be set to 'command' to use a command type liveness probe. + type: httpGet + # command: + # - /bin/bash + # - -c + # - /bin/true + enabled: true + initialDelaySeconds: 60 + failureThreshold: 10 + timeoutSeconds: 5 + port: http + scheme: HTTP + readiness: + # -- Generate a readiness probe + enabled: true + initialDelaySeconds: 60 + failureThreshold: 3 + timeoutSeconds: 5 + port: http + scheme: HTTP + +# -- We usually recommend not to specify default resources and to leave this as a conscious +# -- choice for the user. This also increases chances charts run on environments with little +# -- resources, such as Minikube. If you do want to specify resources, uncomment the following +# -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. +resources: + {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- `spec.PersitentVolumeClaim` configuration +persistentVolumeClaim: + # -- set to true to use pvc + enabled: false + + # -- specify an existing `PersistentVolumeClaim` to use + # existingClaim: "" + + # -- Annotations for the `PersitentVolumeClaim` + annotations: {} + + accessModes: + - ReadWriteOnce + + size: "500Mi" + + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). 
+ + ## subPath: "pihole" + +nodeSelector: {} + +tolerations: [] + +# -- Specify a priorityClassName +# priorityClassName: "" + +# Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] +# - maxSkew: +# topologyKey: +# whenUnsatisfiable: +# labelSelector: + +affinity: {} + +# -- Administrator password when not using an existing secret (see below) +adminPassword: "admin" + +# -- Use an existing secret for the admin password. +admin: + # -- Specify an existing secret to use as admin password + existingSecret: "" + # -- Specify the key inside the secret to use + passwordKey: "password" + +# -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use +extraEnvVars: + {} + # TZ: UTC + +# -- extraEnvVarsSecret is a list of secrets to load in as environment variables. +extraEnvVarsSecret: + {} + # env_var: + # name: secret-name + # key: secret-key + +# -- default upstream DNS 1 server to use +DNS1: "8.8.8.8" +# -- default upstream DNS 2 server to use +DNS2: "8.8.4.4" + +antiaff: + # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) + enabled: false + # -- Here you can set the pihole release (you set in `helm install ...`) + # you want to avoid + avoidRelease: pihole1 + # -- Here you can choose between preferred or required + strict: true + # -- Here you can pass namespaces to be part of those inclueded in anti-affinity + namespaces: [] + +doh: + # -- set to true to enabled DNS over HTTPs via cloudflared + enabled: false + name: "cloudflared" + repository: "crazymax/cloudflared" + tag: latest + pullPolicy: IfNotPresent + # -- Here you can pass environment variables to the DoH container, for example: + envVars: + {} + # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" + + # -- Probes configuration + probes: + # -- Configure the healthcheck for the doh container + liveness: + # -- set to true to enable liveness probe + 
enabled: true + # -- customize the liveness probe + probe: + exec: + command: + - nslookup + - -po=5053 + - cloudflare.com + - "127.0.0.1" + # -- defines the initial delay for the liveness probe + initialDelaySeconds: 60 + # -- defines the failure threshold for the liveness probe + failureThreshold: 10 + # -- defines the timeout in secondes for the liveness probe + timeoutSeconds: 5 + +dnsmasq: + # -- Add upstream dns servers. All lines will be added to the pihole dnsmasq configuration + upstreamServers: [] + # - server=/foo.bar/192.168.178.10 + # - server=/bar.foo/192.168.178.11 + + # -- Add custom dns entries to override the dns resolution. All lines will be added to the pihole dnsmasq configuration. + customDnsEntries: [] + # - address=/foo.bar/192.168.178.10 + # - address=/bar.foo/192.168.178.11 + + # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like + additionalHostsEntries: [] + # - 192.168.0.3 host4 + # - 192.168.0.4 host5 + + # -- Static DHCP config + staticDhcpEntries: [] + # staticDhcpEntries: + # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME + + # -- Other options + customSettings: + # otherSettings: + # - rebind-domain-ok=/plex.direct/ + + # -- Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + customCnameEntries: [] + # Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + +# -- list of adlists to import during initial start of the container +adlists: + {} + # If you want to provide blocklists, add them here. 
+ # - https://hosts-file.net/grm.txt + # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts + +# -- list of whitelisted domains to import during initial start of the container +whitelist: + {} + # If you want to provide whitelisted domains, add them here. + # - clients4.google.com + +# -- list of blacklisted domains to import during initial start of the container +blacklist: + {} + # If you want to have special domains blacklisted, add them here + # - *.blackist.com + +# -- list of blacklisted regex expressions to import during initial start of the container +regex: + {} + # Add regular expression blacklist items + # - (^|\.)facebook\.com$ + +# -- An alternate method of configuration using pihole cmd script rather than reading legacy files at startup +# This will allow for permit wildcards which can't be done with the old config manner +cmdlist: + + # alwaysNuke will delete all existing list content before loading this configuration + # This will also delete any permit and denies you have added with the legacy method + # This is set false by default, but true is recommended if you are using this config method and not the old one + alwaysNuke: false + + # Standard Permit List + permit: [] + # - example.com + + # Standard Deny List + deny: [] + # - example.com + + # Wildcard Permit List + # These will be converted by Pihole into regex allowing the domain and it's subdomains + # So the below example will end up as regex permit liek '(^|\.)permitwildexample\.com$'' + permitWild: [] + # - permitwildexample.com + + # Wildcard Deny List + # These will be converted by Pihole into regex as above + denyWild: [] + # - denywildexample.com + + # Regex Permit List + permitRegex: [] + # - (^|\.)permitregexexample\.com$ + + # Regex Deny List + denyRegex: [] + # - (^|\.)denyregexexample\.com$ + +# -- values that should be added to pihole-FTL.conf +ftl: + {} + # Add values for pihole-FTL.conf + # MAXDBDAYS: 14 + +# -- port the container 
should use to expose HTTP traffic +webHttp: "80" + +# -- port the container should use to expose HTTPS traffic +webHttps: "443" + +# -- hostname of pod +hostname: "" + +# -- should the container use host network +hostNetwork: "false" + +# -- should container run in privileged mode +privileged: "false" + +# linux capabilities container should run with +capabilities: + {} + # add: + # - NET_ADMIN + +customVolumes: + # -- set this to true to enable custom volumes + enabled: false + # -- any volume type can be used here + config: + {} + # hostPath: + # path: "/mnt/data" + +# -- any extra volumes you might want +extraVolumes: + {} + # external-conf: + # configMap: + # name: pi-hole-lighttpd-external-conf + +# -- any extra volume mounts you might want +extraVolumeMounts: + {} + # external-conf: + # mountPath: /etc/lighttpd/external.conf + # subPath: external.conf + +extraContainers: + [] + # - name: pihole-logwatcher + # image: your-registry/pihole-logwatcher + # imagePullPolicy: Always + # resources: + # requests: + # cpu: 100m + # memory: 5Mi + # limits: + # cpu: 100m + # memory: 5Mi + # volumeMounts: + # - name: pihole-logs + # mountPath: /var/log/pihole + +# -- any extra kubernetes manifests you might want +extraObjects: + [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: pi-hole-lighttpd-external-conf + # data: + # external.conf: | + # $HTTP["host"] =~ "example.foo" { + # # If we're using a non-standard host for pihole, ensure the Pi-hole + # # Block Page knows that this is not a blocked domain + # setenv.add-environment = ("fqdn" => "true") + # + # # Enable the SSL engine with a cert, only for this specific host + # $SERVER["socket"] == ":443" { + # ssl.engine = "enable" + # ssl.pemfile = "/etc/ssl/lighttpd-private/tls.crt" + # ssl.privkey = "/etc/ssl/lighttpd-private/tls.key" + # ssl.ca-file = "/etc/ssl/lighttpd-private/ca.crt" + # ssl.honor-cipher-order = "enable" + # ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" + # 
ssl.use-sslv2 = "disable" + # ssl.use-sslv3 = "disable" + # } + # } + # + # # Redirect HTTP to HTTPS + # $HTTP["scheme"] == "http" { + # $HTTP["host"] =~ ".*" { + # url.redirect = (".*" => "https://%0$0") + # } + # } + +# -- Additional annotations for pods +podAnnotations: + {} + # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) + # prometheus.io/port: '9617' + # prometheus.io/scrape: 'true' + +# -- any initContainers you might want to run before starting pihole +extraInitContainers: + [] + # - name: copy-config + # image: busybox + # args: + # - sh + # - -c + # - | + # cp /etc/lighttpd-cm/external.conf /etc/lighttpd/ + # ls -l /etc/lighttpd/ + # volumeMounts: + # - name: external-conf-cm + # mountPath: /etc/lighttpd-cm/ + # - name: external-conf + # mountPath: /etc/lighttpd/ + +monitoring: + # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. + podMonitor: + # -- set this to true to enable podMonitor + enabled: false + # -- Sidecar configuration + sidecar: + # -- set this to true to enable podMonitor as sidecar + enabled: false + port: 9617 + image: + repository: ekofr/pihole-exporter + tag: v0.3.0 + pullPolicy: IfNotPresent + resources: + limits: + memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +podDnsConfig: + enabled: true + policy: "None" + nameservers: + - 127.0.0.1 + - 8.8.8.8 + +# -- configure a Pod Disruption Budget +podDisruptionBudget: + # -- set to true to enable creating the PDB + enabled: false + # -- minimum number of pods Kubernetes should try to have running at all times + minAvailable: 1 + # -- maximum number of pods Kubernetes will allow to be unavailable. Cannot set both `minAvailable` and `maxAvailable` + # maxUnavailable: 1 From 2328c5c128b502bcd53c56515f8461792e1fee03 Mon Sep 17 00:00:00 2001 
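Review bot: The new `cmdlist` block ships with `alwaysNuke: false` plus six empty lists, so `.Values.cmdlist` is a non-empty map and the `{{ if .Values.cmdlist }}` guards in the templates are always true — the ConfigMap and its mount are created, and whatever invokes the script will run its unconditional `pihole restartdns reload`, even for users who never opted into this method. Consider an explicit switch, e.g. `# -- set to true to manage permit/deny lists with pihole commands instead of the legacy list files` followed by `enabled: false`, and gate both templates on it. The comments should also warn that every entry is pasted verbatim into a bash script in the ConfigMap, so values must be plain domain names or regexes with no shell metacharacters or single quotes, and that `alwaysNuke: true` clears the whole list (presumably including entries added through the web UI, not only "the legacy method"). Minor: "liek" → "like", "it's subdomains" → "its subdomains", and the doubled quote at the end of the `permitWild` example.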
From: jon Date: Sun, 24 Dec 2023 11:56:08 +0000 Subject: [PATCH 02/18] fix line breaks --- charts/pihole/Chart.yaml | 30 +- .../pihole/templates/configmap-cmdlist.yaml | 115 +- charts/pihole/templates/deployment.yaml | 726 +++++------ charts/pihole/values.yaml | 1144 ++++++++--------- 4 files changed, 1009 insertions(+), 1006 deletions(-) diff --git a/charts/pihole/Chart.yaml b/charts/pihole/Chart.yaml index ad6fcd48..f14d1091 100644 --- a/charts/pihole/Chart.yaml +++ b/charts/pihole/Chart.yaml @@ -1,15 +1,15 @@ -apiVersion: v1 -description: Installs pihole in kubernetes -home: https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole -name: pihole -appVersion: "2023.11.0" -version: 2.21.0 -sources: - - https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole - - https://pi-hole.net/ - - https://github.com/pi-hole - - https://github.com/pi-hole/docker-pi-hole -icon: https://i2.wp.com/pi-hole.net/wp-content/uploads/2016/12/Vortex-R.png -maintainers: - - name: MoJo2600 - email: christian.erhardt@mojo2k.de +apiVersion: v1 +description: Installs pihole in kubernetes +home: https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole +name: pihole +appVersion: "2023.11.0" +version: 2.21.0 +sources: + - https://github.com/MoJo2600/pihole-kubernetes/tree/master/charts/pihole + - https://pi-hole.net/ + - https://github.com/pi-hole + - https://github.com/pi-hole/docker-pi-hole +icon: https://i2.wp.com/pi-hole.net/wp-content/uploads/2016/12/Vortex-R.png +maintainers: + - name: MoJo2600 + email: christian.erhardt@mojo2k.de diff --git a/charts/pihole/templates/configmap-cmdlist.yaml b/charts/pihole/templates/configmap-cmdlist.yaml index 7c272911..028faf04 100644 --- a/charts/pihole/templates/configmap-cmdlist.yaml +++ b/charts/pihole/templates/configmap-cmdlist.yaml 
@@ -1,56 +1,59 @@
-{{ if .Values.cmdlist }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "pihole.fullname" . }}-cmdlist
- labels:
- app: {{ template "pihole.name" . }}
- chart: {{ template "pihole.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-data:
- cmdlist.sh: |
- # List of pihole commands to configure / reconfigure permit and deny lists
- {{- if eq .Values.cmdlist.alwaysNuke true }}
- pihole -w --nuke --noreload
- pihole -b --nuke --noreload
- pihole --white-wild --nuke --noreload
- pihole --wild --nuke --noreload
- pihole --white-regex --nuke --noreload
- pihole --regex --nuke --noreload
- pihole restartdns reload
- sleep 5
- {{- end }}
- {{- if .Values.cmdlist.permit }}
- {{- range .Values.cmdlist.permit }}
- pihole -w --noreload {{ . }} --comment "Added by pihole Helm chart"
- {{- end }}
- {{- end }}
- {{- if .Values.cmdlist.deny }}
- {{- range .Values.cmdlist.deny }}
- pihole -b --noreload {{ . }} --comment "Added by pihole Helm chart"
- {{- end }}
- {{- end }}
- {{- if .Values.cmdlist.permitWild }}
- {{- range .Values.cmdlist.permitWild }}
- pihole --white-wild --noreload {{ . }} --comment "Added by pihole Helm chart"
- {{- end }}
- {{- end }}
- {{- if .Values.cmdlist.denyWild }}
- {{- range .Values.cmdlist.denyWild }}
- pihole --wild --noreload {{ . }} --comment "Added by pihole Helm chart"
- {{- end }}
- {{- end }}
- {{- if .Values.cmdlist.permitRegex }}
- {{- range .Values.cmdlist.permitRegex }}
- pihole --white-regex --noreload '{{ . }}' --comment "Added by pihole Helm chart"
- {{- end }}
- {{- end }}
- {{- if .Values.cmdlist.denyRegex }}
- {{- range .Values.cmdlist.denyRegex }}
- pihole --regex --noreload '{{ . }}' --comment "Added by pihole Helm chart"
- {{- end }}
- {{- end }}
- pihole restartdns reload
- # End of list
-{{ end }}
+{{ if .Values.cmdlist }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "pihole.fullname" . }}-cmdlist
+ labels:
+ app: {{ template "pihole.name" . }}
+ chart: {{ template "pihole.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ cmdlist.sh: |
+ #!/usr/bin/env bash
+ # shellcheck disable=SC1090
+
+ # List of pihole commands to configure / reconfigure permit and deny lists
+ {{- if eq .Values.cmdlist.alwaysNuke true }}
+ pihole -w --nuke --noreload
+ pihole -b --nuke --noreload
+ pihole --white-wild --nuke --noreload
+ pihole --wild --nuke --noreload
+ pihole --white-regex --nuke --noreload
+ pihole --regex --nuke --noreload
+ pihole restartdns reload
+ sleep 5
+ {{- end }}
+ {{- if .Values.cmdlist.permit }}
+ {{- range .Values.cmdlist.permit }}
+ pihole -w --noreload {{ . }} --comment "Added by pihole Helm chart"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.cmdlist.deny }}
+ {{- range .Values.cmdlist.deny }}
+ pihole -b --noreload {{ . }} --comment "Added by pihole Helm chart"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.cmdlist.permitWild }}
+ {{- range .Values.cmdlist.permitWild }}
+ pihole --white-wild --noreload {{ . }} --comment "Added by pihole Helm chart"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.cmdlist.denyWild }}
+ {{- range .Values.cmdlist.denyWild }}
+ pihole --wild --noreload {{ . }} --comment "Added by pihole Helm chart"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.cmdlist.permitRegex }}
+ {{- range .Values.cmdlist.permitRegex }}
+ pihole --white-regex --noreload '{{ . }}' --comment "Added by pihole Helm chart"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.cmdlist.denyRegex }}
+ {{- range .Values.cmdlist.denyRegex }}
+ pihole --regex --noreload '{{ . }}' --comment "Added by pihole Helm chart"
+ {{- end }}
+ {{- end }}
+ pihole restartdns reload
+ # End of list
+{{ end }}
diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml
index 02c2dc87..f8c964de 100644
--- a/charts/pihole/templates/deployment.yaml
+++ b/charts/pihole/templates/deployment.yaml
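Review bot: Every `permit`/`deny`/`permitWild`/`denyWild` entry is interpolated into `cmdlist.sh` unquoted (`pihole -w --noreload {{ . }} --comment ...`), and the deployment hunk in this series `source`s that file from the pihole container's postStart hook, so a value containing whitespace or shell metacharacters is word-split or run as bash instead of being passed to `pihole` as one argument; only the regex entries get quotes, and those still break on an embedded `'`. These values come from the operator's values file, so this is a footgun rather than an exposure, but quoting is also what keeps the generated list deterministic: `pihole -w --noreload {{ . | replace "'" "'\\''" | squote }} --comment "Added by pihole Helm chart"`, applied to all six commands and dropping the hand-written `'{{ . }}'` around the regex ones. The new `#!/usr/bin/env bash` and `# shellcheck disable=SC1090` lines are inert here, since the file is sourced rather than executed and SC1090 fires on the line that does the sourcing; a header comment such as `# Sourced by the pihole container's postStart hook; not run as a standalone script.` would say what actually happens.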
@@ -1,363 +1,363 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ template "pihole.fullname" . }}
- labels:
- app: {{ template "pihole.name" . }}
- chart: {{ template "pihole.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- replicas: {{ .Values.replicaCount }}
- strategy:
- type: {{ .Values.strategyType }}
- {{- if eq .Values.strategyType "RollingUpdate" }}
- rollingUpdate:
- maxSurge: {{ .Values.maxSurge }}
- maxUnavailable: {{ .Values.maxUnavailable }}
- {{- end }}
- selector:
- matchLabels:
- app: {{ template "pihole.name" . }}
- release: {{ .Release.Name }}
- template:
- metadata:
- annotations:
- checksum.config.adlists: {{ include (print $.Template.BasePath "/configmap-adlists.yaml") . | sha256sum | trunc 63 }}
- checksum.config.blacklist: {{ include (print $.Template.BasePath "/configmap-blacklist.yaml") . | sha256sum | trunc 63 }}
- checksum.config.regex: {{ include (print $.Template.BasePath "/configmap-regex.yaml") . | sha256sum | trunc 63 }}
- checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }}
- checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
- checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }}
- checksum.config.cmdlist: {{ include (print $.Template.BasePath "/configmap-cmdlist.yaml") . | sha256sum | trunc 63 }}
-{{- with .Values.podAnnotations }}
-{{ toYaml . | indent 8 }}
-{{- end }}
- labels:
- app: {{ template "pihole.name" . }}
- release: {{ .Release.Name }}
- spec:
- {{- if .Values.antiaff.enabled }}
- affinity:
- podAntiAffinity:
- {{- if .Values.antiaff.strict }}
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- {{- else }}
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- {{- end }}
- matchExpressions:
- - key: release
- operator: In
- values:
- - {{ .Values.antiaff.avoidRelease }}
- {{- if .Values.antiaff.namespaces}}
- namespaces:
- {{- toYaml .Values.antiaff.namespaces | nindent 14 }}
- {{- end }}
- topologyKey: "kubernetes.io/hostname"
- {{- end }}
- {{- if .Values.podDnsConfig.enabled }}
- dnsPolicy: {{ .Values.podDnsConfig.policy }}
- dnsConfig:
- nameservers:
- {{- toYaml .Values.podDnsConfig.nameservers | nindent 8 }}
- {{- end }}
- hostname: {{ .Values.hostname }}
- hostNetwork: {{ .Values.hostNetwork }}
- {{- with .Values.extraInitContainers }}
- initContainers:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- containers:
- {{- if .Values.extraContainers }}
- {{- toYaml .Values.extraContainers | nindent 8 }}
- {{- end }}
- {{- if .Values.monitoring.sidecar.enabled }}
- - name: exporter
- image: "{{ .Values.monitoring.sidecar.image.repository }}:{{ .Values.monitoring.sidecar.image.tag }}"
- imagePullPolicy: {{ .Values.monitoring.sidecar.image.pullPolicy }}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- env:
- - name: PIHOLE_HOSTNAME
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: PIHOLE_PORT
- value: "{{ .Values.webHttp }}"
- - name: PIHOLE_PASSWORD
- valueFrom:
- secretKeyRef:
- key: {{ .Values.admin.passwordKey | default "password" }}
- name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
- resources:
-{{ toYaml .Values.monitoring.sidecar.resources | indent 12 }}
- ports:
- - containerPort: {{ .Values.monitoring.sidecar.port }}
- name: prometheus
- protocol: TCP
- {{- end }}
- {{- if .Values.doh.enabled }}
- - name: cloudflared
- image: "{{ .Values.doh.repository }}:{{ .Values.doh.tag }}"
- imagePullPolicy: {{ .Values.doh.pullPolicy }}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- resources:
- limits:
- memory: 128Mi
- ports:
- - containerPort: 5053
- name: cloudflared-udp
- protocol: UDP
- - containerPort: 49312
- name: cloudflared-met
- protocol: TCP
- {{- if .Values.doh.envVars }}
- env:
- {{- range $key, $value := .Values.doh.envVars }}
- - name: {{ $key | quote }}
- value: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- if .Values.doh.probes.liveness.enabled }}
- livenessProbe:
-{{ toYaml .Values.doh.probes.liveness.probe | indent 12 }}
- initialDelaySeconds: {{ .Values.doh.probes.liveness.initialDelaySeconds }}
- failureThreshold: {{ .Values.doh.probes.liveness.failureThreshold }}
- timeoutSeconds: {{ .Values.doh.probes.liveness.timeoutSeconds }}
- {{- end }}
- {{- end }}
- - name: {{ .Chart.Name }}
- env:
- - name: 'WEB_PORT'
- value: "{{ .Values.webHttp }}"
- - name: VIRTUAL_HOST
- value: {{ .Values.virtualHost }}
- - name: WEBPASSWORD
- valueFrom:
- secretKeyRef:
- key: {{ .Values.admin.passwordKey | default "password" }}
- name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
- {{- range $key, $value := .Values.extraEnvVars }}
- - name: {{ $key | quote }}
- value: {{ $value | quote }}
- {{- end }}
- {{- range $key, $value := .Values.extraEnvVarsSecret }}
- - name: {{ $key | quote }}
- valueFrom:
- secretKeyRef:
- key: {{ $value.key | quote }}
- name: {{ $value.name | quote }}
- {{- end }}
- {{- if .Values.doh.enabled }}
- - name: 'DNS1'
- value: "127.0.0.1#5053"
- - name: DNS2
- value: "127.0.0.1#5053"
- {{- else }}
- {{- if .Values.DNS1 }}
- - name: 'PIHOLE_DNS_'
- value: {{ if .Values.DNS2 }}{{ ( printf "%v;%v" .Values.DNS1 .Values.DNS2 ) | squote }}{{ else }}{{ .Values.DNS1 | squote }}{{ end }}
- {{- end }}
- {{- end }}
- {{- range $key, $value := .Values.ftl }}
- - name: 'FTLCONF_{{ $key }}'
- value: {{ $value | quote }}
- {{- end }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- securityContext:
- privileged: {{ .Values.privileged }}
- {{- if .Values.capabilities }}
- capabilities:
- {{- toYaml .Values.capabilities | nindent 14 }}
- {{- end }}
- ports:
- - containerPort: {{ .Values.webHttp }}
- name: http
- protocol: TCP
- - containerPort: 53
- name: dns
- protocol: TCP
- {{- if .Values.dnsHostPort.enabled }}
- hostPort: {{ .Values.dnsHostPort.port }}
- {{- end }}
- - containerPort: 53
- name: dns-udp
- protocol: UDP
- {{- if .Values.dnsHostPort.enabled }}
- hostPort: {{ .Values.dnsHostPort.port }}
- {{- end }}
- - containerPort: {{ .Values.webHttps }}
- name: https
- protocol: TCP
- - containerPort: 67
- name: client-udp
- protocol: UDP
- {{- if .Values.probes.liveness.enabled }}
- livenessProbe:
- {{- if eq .Values.probes.liveness.type "command" }}
- exec:
- command: {{ .Values.probes.liveness.command | required "An array of command(s) is required if 'type' is set to 'command'." | toYaml | nindent 16 }}
- {{- else }}
- httpGet:
- path: /admin/index.php
- port: {{ .Values.probes.liveness.port }}
- scheme: {{ .Values.probes.liveness.scheme }}
- {{- end }}
- initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
- failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
- timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
-
- {{- end }}
- {{- if .Values.probes.readiness.enabled }}
- readinessProbe:
- httpGet:
- path: /admin/index.php
- port: {{ .Values.probes.readiness.port }}
- scheme: {{ .Values.probes.readiness.scheme }}
- initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
- failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
- timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
- {{- end }}
- {{- if .Values.cmdlist }}
- # Using bash for the convenience of source
- lifecycle:
- postStart:
- exec:
- command:
- - 'bash'
- - '-c'
- - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1'
- {{ end }}
- volumeMounts:
- - mountPath: /etc/pihole
- name: config
- {{- if .Values.persistentVolumeClaim.subPath }}
- subPath: {{ .Values.persistentVolumeClaim.subPath }}
- {{- end }}
- - mountPath: /etc/dnsmasq.d/02-custom.conf
- name: custom-dnsmasq
- subPath: 02-custom.conf
- - mountPath: /etc/addn-hosts
- name: custom-dnsmasq
- subPath: addn-hosts
- {{- if .Values.dnsmasq.customCnameEntries }}
- - mountPath: /etc/dnsmasq.d/05-pihole-custom-cname.conf
- name: custom-dnsmasq
- subPath: 05-pihole-custom-cname.conf
- {{- end }}
- {{- if .Values.adlists }}
- - mountPath: /etc/pihole/adlists.list
- name: adlists
- subPath: adlists.list
- {{- end }}
- {{- if .Values.blacklist }}
- - mountPath: /etc/pihole/blacklist.txt
- name: blacklist
- subPath: blacklist.txt
- {{- end }}
- {{- if .Values.regex }}
- - mountPath: /etc/pihole/regex.list
- name: regex
- subPath: regex.list
- {{- end }}
- {{- if .Values.whitelist }}
- - mountPath: /etc/pihole/whitelist.txt
- name: whitelist
- subPath: whitelist.txt
- {{- end }}
- {{- if .Values.cmdlist }}
- - mountPath: /etc/pihole/cmdlist.sh
- name: cmdlist
- subPath: cmdlist.sh
- {{- end }}
- {{- if .Values.dnsmasq.staticDhcpEntries }}
- - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf
- name: static-dhcp
- subPath: pihole-static-dhcp.conf
- {{- end }}
- {{- range $key, $value := .Values.extraVolumeMounts }}
- - name: {{ $key }}
-{{- toYaml $value | nindent 12 }}
- {{- end }}
- resources:
-{{ toYaml .Values.resources | indent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- if .Values.priorityClassName }}
- priorityClassName: "{{ .Values.priorityClassName }}"
- {{- end }}
- {{- with .Values.topologySpreadConstraints }}
- topologySpreadConstraints:
-{{ toYaml . | indent 8 }}
- {{- end }}
- volumes:
- - name: config
- {{- if .Values.persistentVolumeClaim.enabled }}
- persistentVolumeClaim:
- claimName: {{ if .Values.persistentVolumeClaim.existingClaim }}{{ .Values.persistentVolumeClaim.existingClaim }}{{- else }}{{ template "pihole.fullname" . }}{{- end }}
- {{- else if .Values.customVolumes.enabled }}
-{{- toYaml .Values.customVolumes.config | nindent 8 }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- - configMap:
- defaultMode: 420
- name: {{ template "pihole.fullname" . }}-custom-dnsmasq
- name: custom-dnsmasq
- {{- if .Values.adlists }}
- - configMap:
- defaultMode: 420
- name: {{ template "pihole.fullname" . }}-adlists
- name: adlists
- {{- end }}
- {{- if .Values.whitelist }}
- - configMap:
- defaultMode: 420
- name: {{ template "pihole.fullname" . }}-whitelist
- name: whitelist
- {{- end }}
- {{- if .Values.dnsmasq.staticDhcpEntries }}
- - configMap:
- defaultMode: 420
- name: {{ template "pihole.fullname" . }}-static-dhcp
- name: static-dhcp
- {{- end }}
- {{- if .Values.blacklist }}
- - configMap:
- defaultMode: 420
- name: {{ template "pihole.fullname" . }}-blacklist
- name: blacklist
- {{- end }}
- {{- if .Values.regex }}
- - configMap:
- defaultMode: 420
- name: {{ template "pihole.fullname" . }}-regex
- name: regex
- {{- end }}
- {{- if .Values.cmdlist }}
- - configMap:
- defaultMode: 420
- name: {{ template "pihole.fullname" . }}-cmdlist
- name: cmdlist
- {{- end }}
- {{- range $key, $value := .Values.extraVolumes }}
- - name: {{ $key }}
-{{- toYaml $value | nindent 8 }}
- {{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "pihole.fullname" . }}
+ labels:
+ app: {{ template "pihole.name" . }}
+ chart: {{ template "pihole.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ strategy:
+ type: {{ .Values.strategyType }}
+ {{- if eq .Values.strategyType "RollingUpdate" }}
+ rollingUpdate:
+ maxSurge: {{ .Values.maxSurge }}
+ maxUnavailable: {{ .Values.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "pihole.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ annotations:
+ checksum.config.adlists: {{ include (print $.Template.BasePath "/configmap-adlists.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.blacklist: {{ include (print $.Template.BasePath "/configmap-blacklist.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.regex: {{ include (print $.Template.BasePath "/configmap-regex.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.cmdlist: {{ include (print $.Template.BasePath "/configmap-cmdlist.yaml") . | sha256sum | trunc 63 }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ labels:
+ app: {{ template "pihole.name" . }}
+ release: {{ .Release.Name }}
+ spec:
+ {{- if .Values.antiaff.enabled }}
+ affinity:
+ podAntiAffinity:
+ {{- if .Values.antiaff.strict }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ {{- else }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ {{- end }}
+ matchExpressions:
+ - key: release
+ operator: In
+ values:
+ - {{ .Values.antiaff.avoidRelease }}
+ {{- if .Values.antiaff.namespaces}}
+ namespaces:
+ {{- toYaml .Values.antiaff.namespaces | nindent 14 }}
+ {{- end }}
+ topologyKey: "kubernetes.io/hostname"
+ {{- end }}
+ {{- if .Values.podDnsConfig.enabled }}
+ dnsPolicy: {{ .Values.podDnsConfig.policy }}
+ dnsConfig:
+ nameservers:
+ {{- toYaml .Values.podDnsConfig.nameservers | nindent 8 }}
+ {{- end }}
+ hostname: {{ .Values.hostname }}
+ hostNetwork: {{ .Values.hostNetwork }}
+ {{- with .Values.extraInitContainers }}
+ initContainers:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ {{- if .Values.extraContainers }}
+ {{- toYaml .Values.extraContainers | nindent 8 }}
+ {{- end }}
+ {{- if .Values.monitoring.sidecar.enabled }}
+ - name: exporter
+ image: "{{ .Values.monitoring.sidecar.image.repository }}:{{ .Values.monitoring.sidecar.image.tag }}"
+ imagePullPolicy: {{ .Values.monitoring.sidecar.image.pullPolicy }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ env:
+ - name: PIHOLE_HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: PIHOLE_PORT
+ value: "{{ .Values.webHttp }}"
+ - name: PIHOLE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: {{ .Values.admin.passwordKey | default "password" }}
+ name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
+ resources:
+{{ toYaml .Values.monitoring.sidecar.resources | indent 12 }}
+ ports:
+ - containerPort: {{ .Values.monitoring.sidecar.port }}
+ name: prometheus
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.doh.enabled }}
+ - name: cloudflared
+ image: "{{ .Values.doh.repository }}:{{ .Values.doh.tag }}"
+ imagePullPolicy: {{ .Values.doh.pullPolicy }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ resources:
+ limits:
+ memory: 128Mi
+ ports:
+ - containerPort: 5053
+ name: cloudflared-udp
+ protocol: UDP
+ - containerPort: 49312
+ name: cloudflared-met
+ protocol: TCP
+ {{- if .Values.doh.envVars }}
+ env:
+ {{- range $key, $value := .Values.doh.envVars }}
+ - name: {{ $key | quote }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.doh.probes.liveness.enabled }}
+ livenessProbe:
+{{ toYaml .Values.doh.probes.liveness.probe | indent 12 }}
+ initialDelaySeconds: {{ .Values.doh.probes.liveness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.doh.probes.liveness.failureThreshold }}
+ timeoutSeconds: {{ .Values.doh.probes.liveness.timeoutSeconds }}
+ {{- end }}
+ {{- end }}
+ - name: {{ .Chart.Name }}
+ env:
+ - name: 'WEB_PORT'
+ value: "{{ .Values.webHttp }}"
+ - name: VIRTUAL_HOST
+ value: {{ .Values.virtualHost }}
+ - name: WEBPASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: {{ .Values.admin.passwordKey | default "password" }}
+ name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
+ {{- range $key, $value := .Values.extraEnvVars }}
+ - name: {{ $key | quote }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- range $key, $value := .Values.extraEnvVarsSecret }}
+ - name: {{ $key | quote }}
+ valueFrom:
+ secretKeyRef:
+ key: {{ $value.key | quote }}
+ name: {{ $value.name | quote }}
+ {{- end }}
+ {{- if .Values.doh.enabled }}
+ - name: 'DNS1'
+ value: "127.0.0.1#5053"
+ - name: DNS2
+ value: "127.0.0.1#5053"
+ {{- else }}
+ {{- if .Values.DNS1 }}
+ - name: 'PIHOLE_DNS_'
+ value: {{ if .Values.DNS2 }}{{ ( printf "%v;%v" .Values.DNS1 .Values.DNS2 ) | squote }}{{ else }}{{ .Values.DNS1 | squote }}{{ end }}
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .Values.ftl }}
+ - name: 'FTLCONF_{{ $key }}'
+ value: {{ $value | quote }}
+ {{- end }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ privileged: {{ .Values.privileged }}
+ {{- if .Values.capabilities }}
+ capabilities:
+ {{- toYaml .Values.capabilities | nindent 14 }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.webHttp }}
+ name: http
+ protocol: TCP
+ - containerPort: 53
+ name: dns
+ protocol: TCP
+ {{- if .Values.dnsHostPort.enabled }}
+ hostPort: {{ .Values.dnsHostPort.port }}
+ {{- end }}
+ - containerPort: 53
+ name: dns-udp
+ protocol: UDP
+ {{- if .Values.dnsHostPort.enabled }}
+ hostPort: {{ .Values.dnsHostPort.port }}
+ {{- end }}
+ - containerPort: {{ .Values.webHttps }}
+ name: https
+ protocol: TCP
+ - containerPort: 67
+ name: client-udp
+ protocol: UDP
+ {{- if .Values.probes.liveness.enabled }}
+ livenessProbe:
+ {{- if eq .Values.probes.liveness.type "command" }}
+ exec:
+ command: {{ .Values.probes.liveness.command | required "An array of command(s) is required if 'type' is set to 'command'." | toYaml | nindent 16 }}
+ {{- else }}
+ httpGet:
+ path: /admin/index.php
+ port: {{ .Values.probes.liveness.port }}
+ scheme: {{ .Values.probes.liveness.scheme }}
+ {{- end }}
+ initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
+ timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
+
+ {{- end }}
+ {{- if .Values.probes.readiness.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /admin/index.php
+ port: {{ .Values.probes.readiness.port }}
+ scheme: {{ .Values.probes.readiness.scheme }}
+ initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+ timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
+ {{- end }}
+ {{- if .Values.cmdlist }}
+ # Using bash for the convenience of source
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - 'bash'
+ - '-c'
+ - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1'
+ {{ end }}
+ volumeMounts:
+ - mountPath: /etc/pihole
+ name: config
+ {{- if .Values.persistentVolumeClaim.subPath }}
+ subPath: {{ .Values.persistentVolumeClaim.subPath }}
+ {{- end }}
+ - mountPath: /etc/dnsmasq.d/02-custom.conf
+ name: custom-dnsmasq
+ subPath: 02-custom.conf
+ - mountPath: /etc/addn-hosts
+ name: custom-dnsmasq
+ subPath: addn-hosts
+ {{- if .Values.dnsmasq.customCnameEntries }}
+ - mountPath: /etc/dnsmasq.d/05-pihole-custom-cname.conf
+ name: custom-dnsmasq
+ subPath: 05-pihole-custom-cname.conf
+ {{- end }}
+ {{- if .Values.adlists }}
+ - mountPath: /etc/pihole/adlists.list
+ name: adlists
+ subPath: adlists.list
+ {{- end }}
+ {{- if .Values.blacklist }}
+ - mountPath: /etc/pihole/blacklist.txt
+ name: blacklist
+ subPath: blacklist.txt
+ {{- end }}
+ {{- if .Values.regex }}
+ - mountPath: /etc/pihole/regex.list
+ name: regex
+ subPath: regex.list
+ {{- end }}
+ {{- if .Values.whitelist }}
+ - mountPath: /etc/pihole/whitelist.txt
+ name: whitelist
+ subPath: whitelist.txt
+ {{- end }}
+ {{- if .Values.cmdlist }}
+ - mountPath: /etc/pihole/cmdlist.sh
+ name: cmdlist
+ subPath: cmdlist.sh
+ {{- end }}
+ {{- if .Values.dnsmasq.staticDhcpEntries }}
+ - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf
+ name: static-dhcp
+ subPath: pihole-static-dhcp.conf
+ {{- end }}
+ {{- range $key, $value := .Values.extraVolumeMounts }}
+ - name: {{ $key }}
+{{- toYaml $value | nindent 12 }}
+ {{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ volumes:
+ - name: config
+ {{- if .Values.persistentVolumeClaim.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ if .Values.persistentVolumeClaim.existingClaim }}{{ .Values.persistentVolumeClaim.existingClaim }}{{- else }}{{ template "pihole.fullname" . }}{{- end }}
+ {{- else if .Values.customVolumes.enabled }}
+{{- toYaml .Values.customVolumes.config | nindent 8 }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-custom-dnsmasq
+ name: custom-dnsmasq
+ {{- if .Values.adlists }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-adlists
+ name: adlists
+ {{- end }}
+ {{- if .Values.whitelist }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-whitelist
+ name: whitelist
+ {{- end }}
+ {{- if .Values.dnsmasq.staticDhcpEntries }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-static-dhcp
+ name: static-dhcp
+ {{- end }}
+ {{- if .Values.blacklist }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-blacklist
+ name: blacklist
+ {{- end }}
+ {{- if .Values.regex }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-regex
+ name: regex
+ {{- end }}
+ {{- if .Values.cmdlist }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-cmdlist
+ name: cmdlist
+ {{- end }}
+ {{- range $key, $value := .Values.extraVolumes }}
+ - name: {{ $key }}
+{{- toYaml $value | nindent 8 }}
+ {{- end }}
diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml
index fd2e0cf2..ba3d3e05 100644
--- a/charts/pihole/values.yaml
+++ b/charts/pihole/values.yaml
@@ -1,572 +1,572 @@ -# Default values for pihole. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- The number of replicas -replicaCount: 1 - -# -- The `spec.strategyTpye` for updates -strategyType: RollingUpdate - -# -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. -maxSurge: 1 - -# -- The maximum number of Pods that can be unavailable during updating -maxUnavailable: 1 - -image: - # -- the repostory to pull the image from - repository: "pihole/pihole" - # -- the docker tag, if left empty it will get it from the chart's appVersion - tag: "" - # -- the pull policy - pullPolicy: IfNotPresent - -dualStack: - # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` - enabled: false - -dnsHostPort: - # -- set this to true to enable dnsHostPort - enabled: false - # -- default port for this pod - port: 53 - -# -- Configuration for the DNS service on port 53 -serviceDns: - # -- deploys a mixed (TCP + UDP) Service instead of separate ones - mixedService: false - - # -- `spec.type` for the DNS Service - type: NodePort - - # -- The port of the DNS service - port: 53 - - # -- Optional node port for the DNS service - nodePort: "" - - # -- `spec.externalTrafficPolicy` for the DHCP Service - externalTrafficPolicy: Local - - # -- A fixed `spec.loadBalancerIP` for the DNS Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service - loadBalancerIPv6: "" - - # -- Annotations for the DNS service - annotations: - {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc - -# -- Configuration for the DHCP service on port 67 -serviceDhcp: - # -- Generate a Service resource for DHCP traffic - enabled: true - - # -- `spec.type` for the DHCP Service - type: NodePort - - # -- The port of the DHCP service - port: 67 
- - # -- Optional node port for the DHCP service - nodePort: "" - - # -- `spec.externalTrafficPolicy` for the DHCP Service - externalTrafficPolicy: Local - - # -- A fixed `spec.loadBalancerIP` for the DHCP Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service - loadBalancerIPv6: "" - - # -- Annotations for the DHCP service - annotations: - {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc - -# -- Configuration for the web interface service -serviceWeb: - # -- Configuration for the HTTP web interface listener - http: - # -- Generate a service for HTTP traffic - enabled: true - - # -- The port of the web HTTP service - port: 80 - - # -- Optional node port for the web HTTP service - nodePort: "" - - # -- Configuration for the HTTPS web interface listener - https: - # -- Generate a service for HTTPS traffic - enabled: true - - # -- The port of the web HTTPS service - port: 443 - - # -- Optional node port for the web HTTPS service - nodePort: "" - - # -- `spec.type` for the web interface Service - type: ClusterIP - - # -- `spec.externalTrafficPolicy` for the web interface Service - externalTrafficPolicy: Local - - # -- A fixed `spec.loadBalancerIP` for the web interface Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service - loadBalancerIPv6: "" - - # -- Annotations for the DHCP service - annotations: - {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc - -virtualHost: pi.hole - -# -- Configuration for the Ingress -ingress: - # -- Generate a Ingress resource - enabled: false - - # -- Specify an ingressClassName - # ingressClassName: nginx - - # -- Annotations for the ingress - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - path: / - hosts: - # virtualHost (default value is pi.hole) will be appended to the hosts - - 
chart-example.local - tls: [] - # - secretName: chart-example-tls - # hosts: - # #- virtualHost (default value is pi.hole) will be appended to the hosts - # - chart-example.local - -# -- Probes configuration -probes: - # -- probes.liveness -- Configure the healthcheck for the ingress controller - liveness: - # -- Generate a liveness probe - # 'type' defaults to httpGet, can be set to 'command' to use a command type liveness probe. - type: httpGet - # command: - # - /bin/bash - # - -c - # - /bin/true - enabled: true - initialDelaySeconds: 60 - failureThreshold: 10 - timeoutSeconds: 5 - port: http - scheme: HTTP - readiness: - # -- Generate a readiness probe - enabled: true - initialDelaySeconds: 60 - failureThreshold: 3 - timeoutSeconds: 5 - port: http - scheme: HTTP - -# -- We usually recommend not to specify default resources and to leave this as a conscious -# -- choice for the user. This also increases chances charts run on environments with little -# -- resources, such as Minikube. If you do want to specify resources, uncomment the following -# -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. -resources: - {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# -- `spec.PersitentVolumeClaim` configuration -persistentVolumeClaim: - # -- set to true to use pvc - enabled: false - - # -- specify an existing `PersistentVolumeClaim` to use - # existingClaim: "" - - # -- Annotations for the `PersitentVolumeClaim` - annotations: {} - - accessModes: - - ReadWriteOnce - - size: "500Mi" - - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## If subPath is set mount a sub folder of a volume instead of the root of the volume. 
- ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). - - ## subPath: "pihole" - -nodeSelector: {} - -tolerations: [] - -# -- Specify a priorityClassName -# priorityClassName: "" - -# Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: [] -# - maxSkew: -# topologyKey: -# whenUnsatisfiable: -# labelSelector: - -affinity: {} - -# -- Administrator password when not using an existing secret (see below) -adminPassword: "admin" - -# -- Use an existing secret for the admin password. -admin: - # -- Specify an existing secret to use as admin password - existingSecret: "" - # -- Specify the key inside the secret to use - passwordKey: "password" - -# -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use -extraEnvVars: - {} - # TZ: UTC - -# -- extraEnvVarsSecret is a list of secrets to load in as environment variables. -extraEnvVarsSecret: - {} - # env_var: - # name: secret-name - # key: secret-key - -# -- default upstream DNS 1 server to use -DNS1: "8.8.8.8" -# -- default upstream DNS 2 server to use -DNS2: "8.8.4.4" - -antiaff: - # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) - enabled: false - # -- Here you can set the pihole release (you set in `helm install ...`) - # you want to avoid - avoidRelease: pihole1 - # -- Here you can choose between preferred or required - strict: true - # -- Here you can pass namespaces to be part of those inclueded in anti-affinity - namespaces: [] - -doh: - # -- set to true to enabled DNS over HTTPs via cloudflared - enabled: false - name: "cloudflared" - repository: "crazymax/cloudflared" - tag: latest - pullPolicy: IfNotPresent - # -- Here you can pass environment variables to the DoH container, for example: - envVars: - {} - # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" - - # -- Probes configuration - probes: - # -- 
Configure the healthcheck for the doh container - liveness: - # -- set to true to enable liveness probe - enabled: true - # -- customize the liveness probe - probe: - exec: - command: - - nslookup - - -po=5053 - - cloudflare.com - - "127.0.0.1" - # -- defines the initial delay for the liveness probe - initialDelaySeconds: 60 - # -- defines the failure threshold for the liveness probe - failureThreshold: 10 - # -- defines the timeout in secondes for the liveness probe - timeoutSeconds: 5 - -dnsmasq: - # -- Add upstream dns servers. All lines will be added to the pihole dnsmasq configuration - upstreamServers: [] - # - server=/foo.bar/192.168.178.10 - # - server=/bar.foo/192.168.178.11 - - # -- Add custom dns entries to override the dns resolution. All lines will be added to the pihole dnsmasq configuration. - customDnsEntries: [] - # - address=/foo.bar/192.168.178.10 - # - address=/bar.foo/192.168.178.11 - - # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like - additionalHostsEntries: [] - # - 192.168.0.3 host4 - # - 192.168.0.4 host5 - - # -- Static DHCP config - staticDhcpEntries: [] - # staticDhcpEntries: - # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME - - # -- Other options - customSettings: - # otherSettings: - # - rebind-domain-ok=/plex.direct/ - - # -- Here we specify custom cname entries that should point to `A` records or - # elements in customDnsEntries array. - # The format should be: - # - cname=cname.foo.bar,foo.bar - # - cname=cname.bar.foo,bar.foo - # - cname=cname record,dns record - customCnameEntries: [] - # Here we specify custom cname entries that should point to `A` records or - # elements in customDnsEntries array. - # The format should be: - # - cname=cname.foo.bar,foo.bar - # - cname=cname.bar.foo,bar.foo - # - cname=cname record,dns record - -# -- list of adlists to import during initial start of the container -adlists: - {} - # If you want to provide blocklists, add them here. 
- # - https://hosts-file.net/grm.txt - # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts - -# -- list of whitelisted domains to import during initial start of the container -whitelist: - {} - # If you want to provide whitelisted domains, add them here. - # - clients4.google.com - -# -- list of blacklisted domains to import during initial start of the container -blacklist: - {} - # If you want to have special domains blacklisted, add them here - # - *.blackist.com - -# -- list of blacklisted regex expressions to import during initial start of the container -regex: - {} - # Add regular expression blacklist items - # - (^|\.)facebook\.com$ - -# -- An alternate method of configuration using pihole cmd script rather than reading legacy files at startup -# This will allow for permit wildcards which can't be done with the old config manner -cmdlist: - - # alwaysNuke will delete all existing list content before loading this configuration - # This will also delete any permit and denies you have added with the legacy method - # This is set false by default, but true is recommended if you are using this config method and not the old one - alwaysNuke: false - - # Standard Permit List - permit: [] - # - example.com - - # Standard Deny List - deny: [] - # - example.com - - # Wildcard Permit List - # These will be converted by Pihole into regex allowing the domain and it's subdomains - # So the below example will end up as regex permit liek '(^|\.)permitwildexample\.com$'' - permitWild: [] - # - permitwildexample.com - - # Wildcard Deny List - # These will be converted by Pihole into regex as above - denyWild: [] - # - denywildexample.com - - # Regex Permit List - permitRegex: [] - # - (^|\.)permitregexexample\.com$ - - # Regex Deny List - denyRegex: [] - # - (^|\.)denyregexexample\.com$ - -# -- values that should be added to pihole-FTL.conf -ftl: - {} - # Add values for pihole-FTL.conf - # MAXDBDAYS: 14 - -# -- port the container 
should use to expose HTTP traffic -webHttp: "80" - -# -- port the container should use to expose HTTPS traffic -webHttps: "443" - -# -- hostname of pod -hostname: "" - -# -- should the container use host network -hostNetwork: "false" - -# -- should container run in privileged mode -privileged: "false" - -# linux capabilities container should run with -capabilities: - {} - # add: - # - NET_ADMIN - -customVolumes: - # -- set this to true to enable custom volumes - enabled: false - # -- any volume type can be used here - config: - {} - # hostPath: - # path: "/mnt/data" - -# -- any extra volumes you might want -extraVolumes: - {} - # external-conf: - # configMap: - # name: pi-hole-lighttpd-external-conf - -# -- any extra volume mounts you might want -extraVolumeMounts: - {} - # external-conf: - # mountPath: /etc/lighttpd/external.conf - # subPath: external.conf - -extraContainers: - [] - # - name: pihole-logwatcher - # image: your-registry/pihole-logwatcher - # imagePullPolicy: Always - # resources: - # requests: - # cpu: 100m - # memory: 5Mi - # limits: - # cpu: 100m - # memory: 5Mi - # volumeMounts: - # - name: pihole-logs - # mountPath: /var/log/pihole - -# -- any extra kubernetes manifests you might want -extraObjects: - [] - # - apiVersion: v1 - # kind: ConfigMap - # metadata: - # name: pi-hole-lighttpd-external-conf - # data: - # external.conf: | - # $HTTP["host"] =~ "example.foo" { - # # If we're using a non-standard host for pihole, ensure the Pi-hole - # # Block Page knows that this is not a blocked domain - # setenv.add-environment = ("fqdn" => "true") - # - # # Enable the SSL engine with a cert, only for this specific host - # $SERVER["socket"] == ":443" { - # ssl.engine = "enable" - # ssl.pemfile = "/etc/ssl/lighttpd-private/tls.crt" - # ssl.privkey = "/etc/ssl/lighttpd-private/tls.key" - # ssl.ca-file = "/etc/ssl/lighttpd-private/ca.crt" - # ssl.honor-cipher-order = "enable" - # ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" - # 
ssl.use-sslv2 = "disable" - # ssl.use-sslv3 = "disable" - # } - # } - # - # # Redirect HTTP to HTTPS - # $HTTP["scheme"] == "http" { - # $HTTP["host"] =~ ".*" { - # url.redirect = (".*" => "https://%0$0") - # } - # } - -# -- Additional annotations for pods -podAnnotations: - {} - # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) - # prometheus.io/port: '9617' - # prometheus.io/scrape: 'true' - -# -- any initContainers you might want to run before starting pihole -extraInitContainers: - [] - # - name: copy-config - # image: busybox - # args: - # - sh - # - -c - # - | - # cp /etc/lighttpd-cm/external.conf /etc/lighttpd/ - # ls -l /etc/lighttpd/ - # volumeMounts: - # - name: external-conf-cm - # mountPath: /etc/lighttpd-cm/ - # - name: external-conf - # mountPath: /etc/lighttpd/ - -monitoring: - # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. - podMonitor: - # -- set this to true to enable podMonitor - enabled: false - # -- Sidecar configuration - sidecar: - # -- set this to true to enable podMonitor as sidecar - enabled: false - port: 9617 - image: - repository: ekofr/pihole-exporter - tag: v0.3.0 - pullPolicy: IfNotPresent - resources: - limits: - memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -podDnsConfig: - enabled: true - policy: "None" - nameservers: - - 127.0.0.1 - - 8.8.8.8 - -# -- configure a Pod Disruption Budget -podDisruptionBudget: - # -- set to true to enable creating the PDB - enabled: false - # -- minimum number of pods Kubernetes should try to have running at all times - minAvailable: 1 - # -- maximum number of pods Kubernetes will allow to be unavailable. Cannot set both `minAvailable` and `maxAvailable` - # maxUnavailable: 1 +# Default values for pihole. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. 
+ +# -- The number of replicas +replicaCount: 1 + +# -- The `spec.strategyTpye` for updates +strategyType: RollingUpdate + +# -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. +maxSurge: 1 + +# -- The maximum number of Pods that can be unavailable during updating +maxUnavailable: 1 + +image: + # -- the repostory to pull the image from + repository: "pihole/pihole" + # -- the docker tag, if left empty it will get it from the chart's appVersion + tag: "" + # -- the pull policy + pullPolicy: IfNotPresent + +dualStack: + # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` + enabled: false + +dnsHostPort: + # -- set this to true to enable dnsHostPort + enabled: false + # -- default port for this pod + port: 53 + +# -- Configuration for the DNS service on port 53 +serviceDns: + # -- deploys a mixed (TCP + UDP) Service instead of separate ones + mixedService: false + + # -- `spec.type` for the DNS Service + type: NodePort + + # -- The port of the DNS service + port: 53 + + # -- Optional node port for the DNS service + nodePort: "" + + # -- `spec.externalTrafficPolicy` for the DHCP Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DNS Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service + loadBalancerIPv6: "" + + # -- Annotations for the DNS service + annotations: + {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +# -- Configuration for the DHCP service on port 67 +serviceDhcp: + # -- Generate a Service resource for DHCP traffic + enabled: true + + # -- `spec.type` for the DHCP Service + type: NodePort + + # -- The port of the DHCP service + port: 67 + + # -- Optional node port for the DHCP service + nodePort: "" + + # -- `spec.externalTrafficPolicy` for the DHCP Service + 
externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DHCP Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: + {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +# -- Configuration for the web interface service +serviceWeb: + # -- Configuration for the HTTP web interface listener + http: + # -- Generate a service for HTTP traffic + enabled: true + + # -- The port of the web HTTP service + port: 80 + + # -- Optional node port for the web HTTP service + nodePort: "" + + # -- Configuration for the HTTPS web interface listener + https: + # -- Generate a service for HTTPS traffic + enabled: true + + # -- The port of the web HTTPS service + port: 443 + + # -- Optional node port for the web HTTPS service + nodePort: "" + + # -- `spec.type` for the web interface Service + type: ClusterIP + + # -- `spec.externalTrafficPolicy` for the web interface Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the web interface Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: + {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +virtualHost: pi.hole + +# -- Configuration for the Ingress +ingress: + # -- Generate a Ingress resource + enabled: false + + # -- Specify an ingressClassName + # ingressClassName: nginx + + # -- Annotations for the ingress + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + # virtualHost (default value is pi.hole) will be appended to the hosts + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # #- virtualHost (default value is pi.hole) will be 
appended to the hosts + # - chart-example.local + +# -- Probes configuration +probes: + # -- probes.liveness -- Configure the healthcheck for the ingress controller + liveness: + # -- Generate a liveness probe + # 'type' defaults to httpGet, can be set to 'command' to use a command type liveness probe. + type: httpGet + # command: + # - /bin/bash + # - -c + # - /bin/true + enabled: true + initialDelaySeconds: 60 + failureThreshold: 10 + timeoutSeconds: 5 + port: http + scheme: HTTP + readiness: + # -- Generate a readiness probe + enabled: true + initialDelaySeconds: 60 + failureThreshold: 3 + timeoutSeconds: 5 + port: http + scheme: HTTP + +# -- We usually recommend not to specify default resources and to leave this as a conscious +# -- choice for the user. This also increases chances charts run on environments with little +# -- resources, such as Minikube. If you do want to specify resources, uncomment the following +# -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. +resources: + {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- `spec.PersitentVolumeClaim` configuration +persistentVolumeClaim: + # -- set to true to use pvc + enabled: false + + # -- specify an existing `PersistentVolumeClaim` to use + # existingClaim: "" + + # -- Annotations for the `PersitentVolumeClaim` + annotations: {} + + accessModes: + - ReadWriteOnce + + size: "500Mi" + + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). 
+ + ## subPath: "pihole" + +nodeSelector: {} + +tolerations: [] + +# -- Specify a priorityClassName +# priorityClassName: "" + +# Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] +# - maxSkew: +# topologyKey: +# whenUnsatisfiable: +# labelSelector: + +affinity: {} + +# -- Administrator password when not using an existing secret (see below) +adminPassword: "admin" + +# -- Use an existing secret for the admin password. +admin: + # -- Specify an existing secret to use as admin password + existingSecret: "" + # -- Specify the key inside the secret to use + passwordKey: "password" + +# -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use +extraEnvVars: + {} + # TZ: UTC + +# -- extraEnvVarsSecret is a list of secrets to load in as environment variables. +extraEnvVarsSecret: + {} + # env_var: + # name: secret-name + # key: secret-key + +# -- default upstream DNS 1 server to use +DNS1: "8.8.8.8" +# -- default upstream DNS 2 server to use +DNS2: "8.8.4.4" + +antiaff: + # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) + enabled: false + # -- Here you can set the pihole release (you set in `helm install ...`) + # you want to avoid + avoidRelease: pihole1 + # -- Here you can choose between preferred or required + strict: true + # -- Here you can pass namespaces to be part of those inclueded in anti-affinity + namespaces: [] + +doh: + # -- set to true to enabled DNS over HTTPs via cloudflared + enabled: false + name: "cloudflared" + repository: "crazymax/cloudflared" + tag: latest + pullPolicy: IfNotPresent + # -- Here you can pass environment variables to the DoH container, for example: + envVars: + {} + # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" + + # -- Probes configuration + probes: + # -- Configure the healthcheck for the doh container + liveness: + # -- set to true to enable liveness probe + 
enabled: true + # -- customize the liveness probe + probe: + exec: + command: + - nslookup + - -po=5053 + - cloudflare.com + - "127.0.0.1" + # -- defines the initial delay for the liveness probe + initialDelaySeconds: 60 + # -- defines the failure threshold for the liveness probe + failureThreshold: 10 + # -- defines the timeout in secondes for the liveness probe + timeoutSeconds: 5 + +dnsmasq: + # -- Add upstream dns servers. All lines will be added to the pihole dnsmasq configuration + upstreamServers: [] + # - server=/foo.bar/192.168.178.10 + # - server=/bar.foo/192.168.178.11 + + # -- Add custom dns entries to override the dns resolution. All lines will be added to the pihole dnsmasq configuration. + customDnsEntries: [] + # - address=/foo.bar/192.168.178.10 + # - address=/bar.foo/192.168.178.11 + + # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like + additionalHostsEntries: [] + # - 192.168.0.3 host4 + # - 192.168.0.4 host5 + + # -- Static DHCP config + staticDhcpEntries: [] + # staticDhcpEntries: + # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME + + # -- Other options + customSettings: + # otherSettings: + # - rebind-domain-ok=/plex.direct/ + + # -- Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + customCnameEntries: [] + # Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + +# -- list of adlists to import during initial start of the container +adlists: + {} + # If you want to provide blocklists, add them here. 
+ # - https://hosts-file.net/grm.txt + # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts + +# -- list of whitelisted domains to import during initial start of the container +whitelist: + {} + # If you want to provide whitelisted domains, add them here. + # - clients4.google.com + +# -- list of blacklisted domains to import during initial start of the container +blacklist: + {} + # If you want to have special domains blacklisted, add them here + # - *.blackist.com + +# -- list of blacklisted regex expressions to import during initial start of the container +regex: + {} + # Add regular expression blacklist items + # - (^|\.)facebook\.com$ + +# -- An alternate method of configuration using pihole cmd script rather than reading legacy files at startup +# This will allow for permit wildcards which can't be done with the old config manner +cmdlist: + + # alwaysNuke will delete all existing list content before loading this configuration + # This will also delete any permit and denies you have added with the legacy method + # This is set false by default, but true is recommended if you are using this config method and not the old one + alwaysNuke: false + + # Standard Permit List + permit: [] + # - example.com + + # Standard Deny List + deny: [] + # - example.com + + # Wildcard Permit List + # These will be converted by Pihole into regex allowing the domain and it's subdomains + # So the below example will end up as regex permit liek '(^|\.)permitwildexample\.com$'' + permitWild: [] + # - permitwildexample.com + + # Wildcard Deny List + # These will be converted by Pihole into regex as above + denyWild: [] + # - denywildexample.com + + # Regex Permit List + permitRegex: [] + # - (^|\.)permitregexexample\.com$ + + # Regex Deny List + denyRegex: [] + # - (^|\.)denyregexexample\.com$ + +# -- values that should be added to pihole-FTL.conf +ftl: + {} + # Add values for pihole-FTL.conf + # MAXDBDAYS: 14 + +# -- port the container 
should use to expose HTTP traffic +webHttp: "80" + +# -- port the container should use to expose HTTPS traffic +webHttps: "443" + +# -- hostname of pod +hostname: "" + +# -- should the container use host network +hostNetwork: "false" + +# -- should container run in privileged mode +privileged: "false" + +# linux capabilities container should run with +capabilities: + {} + # add: + # - NET_ADMIN + +customVolumes: + # -- set this to true to enable custom volumes + enabled: false + # -- any volume type can be used here + config: + {} + # hostPath: + # path: "/mnt/data" + +# -- any extra volumes you might want +extraVolumes: + {} + # external-conf: + # configMap: + # name: pi-hole-lighttpd-external-conf + +# -- any extra volume mounts you might want +extraVolumeMounts: + {} + # external-conf: + # mountPath: /etc/lighttpd/external.conf + # subPath: external.conf + +extraContainers: + [] + # - name: pihole-logwatcher + # image: your-registry/pihole-logwatcher + # imagePullPolicy: Always + # resources: + # requests: + # cpu: 100m + # memory: 5Mi + # limits: + # cpu: 100m + # memory: 5Mi + # volumeMounts: + # - name: pihole-logs + # mountPath: /var/log/pihole + +# -- any extra kubernetes manifests you might want +extraObjects: + [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: pi-hole-lighttpd-external-conf + # data: + # external.conf: | + # $HTTP["host"] =~ "example.foo" { + # # If we're using a non-standard host for pihole, ensure the Pi-hole + # # Block Page knows that this is not a blocked domain + # setenv.add-environment = ("fqdn" => "true") + # + # # Enable the SSL engine with a cert, only for this specific host + # $SERVER["socket"] == ":443" { + # ssl.engine = "enable" + # ssl.pemfile = "/etc/ssl/lighttpd-private/tls.crt" + # ssl.privkey = "/etc/ssl/lighttpd-private/tls.key" + # ssl.ca-file = "/etc/ssl/lighttpd-private/ca.crt" + # ssl.honor-cipher-order = "enable" + # ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" + # 
ssl.use-sslv2 = "disable" + # ssl.use-sslv3 = "disable" + # } + # } + # + # # Redirect HTTP to HTTPS + # $HTTP["scheme"] == "http" { + # $HTTP["host"] =~ ".*" { + # url.redirect = (".*" => "https://%0$0") + # } + # } + +# -- Additional annotations for pods +podAnnotations: + {} + # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) + # prometheus.io/port: '9617' + # prometheus.io/scrape: 'true' + +# -- any initContainers you might want to run before starting pihole +extraInitContainers: + [] + # - name: copy-config + # image: busybox + # args: + # - sh + # - -c + # - | + # cp /etc/lighttpd-cm/external.conf /etc/lighttpd/ + # ls -l /etc/lighttpd/ + # volumeMounts: + # - name: external-conf-cm + # mountPath: /etc/lighttpd-cm/ + # - name: external-conf + # mountPath: /etc/lighttpd/ + +monitoring: + # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. + podMonitor: + # -- set this to true to enable podMonitor + enabled: false + # -- Sidecar configuration + sidecar: + # -- set this to true to enable podMonitor as sidecar + enabled: false + port: 9617 + image: + repository: ekofr/pihole-exporter + tag: v0.3.0 + pullPolicy: IfNotPresent + resources: + limits: + memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +podDnsConfig: + enabled: true + policy: "None" + nameservers: + - 127.0.0.1 + - 8.8.8.8 + +# -- configure a Pod Disruption Budget +podDisruptionBudget: + # -- set to true to enable creating the PDB + enabled: false + # -- minimum number of pods Kubernetes should try to have running at all times + minAvailable: 1 + # -- maximum number of pods Kubernetes will allow to be unavailable. Cannot set both `minAvailable` and `maxAvailable` + # maxUnavailable: 1 From c38efc9e1b2be481be39db54a31d4c6e5fadf589 Mon Sep 17 00:00:00 2001 
From: jon Date: Sun, 24 Dec 2023 11:57:36 +0000 Subject: [PATCH 03/18] another line break fix --- charts/pihole/templates/configmap.yaml | 64 +++++++++++++------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/charts/pihole/templates/configmap.yaml b/charts/pihole/templates/configmap.yaml index 70e2dcc9..af63f873 100644 --- a/charts/pihole/templates/configmap.yaml +++ b/charts/pihole/templates/configmap.yaml 
@@ -1,32 +1,32 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "pihole.fullname" . }}-custom-dnsmasq - labels: - app: {{ template "pihole.name" . }} - chart: {{ template "pihole.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: - 02-custom.conf: | - addn-hosts=/etc/addn-hosts - {{- range .Values.dnsmasq.upstreamServers }} - {{ . }} - {{- end }} - {{- range .Values.dnsmasq.customDnsEntries }} - {{ . }} - {{- end }} - {{- if .Values.serviceDns.loadBalancerIP }} - dhcp-option=6,{{ .Values.serviceDns.loadBalancerIP }} - {{- end }} - {{- range .Values.dnsmasq.customSettings }} - {{ . }} - {{- end }} - addn-hosts: | - {{- range .Values.dnsmasq.additionalHostsEntries }} - {{ . }} - {{- end }} - 05-pihole-custom-cname.conf: | - {{- range .Values.dnsmasq.customCnameEntries }} - {{ . }} - {{- end }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "pihole.fullname" . }}-custom-dnsmasq + labels: + app: {{ template "pihole.name" . }} + chart: {{ template "pihole.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + 02-custom.conf: | + addn-hosts=/etc/addn-hosts + {{- range .Values.dnsmasq.upstreamServers }} + {{ . }} + {{- end }} + {{- range .Values.dnsmasq.customDnsEntries }} + {{ . }} + {{- end }} + {{- if .Values.serviceDns.loadBalancerIP }} + dhcp-option=6,{{ .Values.serviceDns.loadBalancerIP }} + {{- end }} + {{- range .Values.dnsmasq.customSettings }} + {{ . }} + {{- end }} + addn-hosts: | + {{- range .Values.dnsmasq.additionalHostsEntries }} + {{ . }} + {{- end }} + 05-pihole-custom-cname.conf: | + {{- range .Values.dnsmasq.customCnameEntries }} + {{ . }} + {{- end }} From ad2891a984d4732c5e2472362c612d13d55ea280 Mon Sep 17 00:00:00 2001 From: jon Date: Sun, 24 Dec 2023 12:21:54 +0000 Subject: [PATCH 04/18] use versions filewatch to trigger configuration --- charts/pihole/templates/deployment.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index f8c964de..b9e3e83a 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml @@ -233,7 +233,8 @@ spec: command: - 'bash' - '-c' - - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + # - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + - 'until [ -f /etc/pihole/versions ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole From aa4b2178285f4af461fd0fb5f06355962ca5119b Mon Sep 17 00:00:00 2001 From: jon Date: Sun, 24 Dec 2023 12:28:39 +0000 Subject: [PATCH 05/18] detect ready with grep of FTL.lg --- charts/pihole/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index b9e3e83a..4153fd96 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml @@ -234,7 +234,7 @@ spec: - 'bash' - '-c' # - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' - - 'until [ -f /etc/pihole/versions ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + - 'until [ grep upstream /var/log/pihole/FTL.log ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole 
From 829cd4fa289c086b80700c0bb2373ac6777ee73e Mon Sep 17 00:00:00 2001 From: jon Date: Sun, 24 Dec 2023 12:36:20 +0000 Subject: [PATCH 06/18] change ready grep to match DB renaming --- charts/pihole/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index 4153fd96..35a30cd8 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml @@ -234,7 +234,7 @@ spec: - 'bash' - '-c' # - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' - - 'until [ grep upstream /var/log/pihole/FTL.log ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + - 'until [ grep 'file renamed while open' /var/log/pihole/FTL.log ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole From 3e0a00d00b841564a66ec49268298ec442efc380 Mon Sep 17 00:00:00 2001 From: jon Date: Sun, 24 Dec 2023 12:41:02 +0000 Subject: [PATCH 07/18] syntax corrections --- charts/pihole/templates/deployment.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index 35a30cd8..6aa38c08 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml 
@@ -226,7 +226,9 @@ spec: timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} {{- end }} {{- if .Values.cmdlist }} - # Using bash for the convenience of source + # Using bash for the convenience of sourc + # This is not a very elegant way of checking that the DB is ready and isn't still being initialised + # but I couldn't find a more reliable way... lifecycle: postStart: exec: @@ -234,7 +236,7 @@ spec: - 'bash' - '-c' # - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' - - 'until [ grep 'file renamed while open' /var/log/pihole/FTL.log ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + - 'until [ grep "file renamed while open" /var/log/pihole/FTL.log ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole From 6e3e9c1bfe6168fafa4de4b16f3bbb864c0b5642 Mon Sep 17 00:00:00 2001 From: jon Date: Sun, 24 Dec 2023 12:46:24 +0000 Subject: [PATCH 08/18] syntax correction --- charts/pihole/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index 6aa38c08..23384a51 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml 
@@ -236,7 +236,7 @@ spec: - 'bash' - '-c' # - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' - - 'until [ grep "file renamed while open" /var/log/pihole/FTL.log ] ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + - 'until grep "file renamed while open" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole From 6ad12694fc35f3d27a6d2cb724794954856119e6 Mon Sep 17 00:00:00 2001 From: jon Date: Thu, 28 Dec 2023 19:44:34 +0000 Subject: [PATCH 09/18] allow clusterIP to be specified for mixedService --- charts/pihole/templates/service-dns.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/pihole/templates/service-dns.yaml b/charts/pihole/templates/service-dns.yaml index 0772138e..7d5b7a67 100644 --- a/charts/pihole/templates/service-dns.yaml +++ b/charts/pihole/templates/service-dns.yaml @@ -17,6 +17,9 @@ spec: {{- if .Values.serviceDns.loadBalancerIP }} loadBalancerIP: {{ .Values.serviceDns.loadBalancerIP }} {{- end }} + {{- if .Values.serviceDns.clusterIP }} + clusterIP: {{ .Values.serviceDns.clusterIP }} + {{- end }} {{- if or (eq .Values.serviceDns.type "NodePort") (eq .Values.serviceDns.type "LoadBalancer") }} externalTrafficPolicy: {{ .Values.serviceDns.externalTrafficPolicy }} {{- end }} From 5dfc1770fc8aad05f7546e04276e9694ce387495 Mon Sep 17 00:00:00 2001 From: jon Date: Thu, 28 Dec 2023 19:57:47 +0000 Subject: [PATCH 10/18] allow ClusterIP in serviceWeb --- charts/pihole/templates/service-web.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/pihole/templates/service-web.yaml b/charts/pihole/templates/service-web.yaml index ace46032..dc4f9242 100644 
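Review bot: The new `clusterIP: {{ .Values.serviceDns.clusterIP }}` block in service-dns.yaml will make `helm upgrade` fail for any existing release, because `spec.clusterIP` is immutable once the Service exists (the API server rejects the change rather than re-creating the object). That is worth a comment next to the value so users know it has to be set on first install or the Service deleted first, e.g. `# -- A fixed spec.clusterIP for the DNS Service. Immutable after creation: changing it on an existing release requires deleting the Service.` No `serviceDns.clusterIP` default or README row appears elsewhere in this series, so the option is otherwise undiscoverable.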
--- a/charts/pihole/templates/service-web.yaml +++ b/charts/pihole/templates/service-web.yaml @@ -22,6 +22,9 @@ spec: {{- if .Values.serviceWeb.loadBalancerIP }} loadBalancerIP: {{ .Values.serviceWeb.loadBalancerIP }} {{- end }} + {{- if .Values.serviceWeb.clusterIP }} + clusterIP: {{ .Values.serviceWeb.clusterIP }} + {{- end }} {{- if or (eq .Values.serviceWeb.type "NodePort") (eq .Values.serviceWeb.type "LoadBalancer") }} externalTrafficPolicy: {{ .Values.serviceWeb.externalTrafficPolicy }} {{- end }} From 0304a8546d592521d1aac2e154376723eb33dac9 Mon Sep 17 00:00:00 2001 From: jon Date: Fri, 29 Dec 2023 16:54:51 +0000 Subject: [PATCH 11/18] allow specification of internalTrafficPolicy --- charts/pihole/templates/service-dhcp.yaml | 3 +++ charts/pihole/templates/service-dns.yaml | 3 +++ charts/pihole/templates/service-web.yaml | 3 +++ charts/pihole/values.yaml | 14 +++++++++++++- 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/charts/pihole/templates/service-dhcp.yaml b/charts/pihole/templates/service-dhcp.yaml index 3df2ad93..35db3e09 100644 --- a/charts/pihole/templates/service-dhcp.yaml +++ b/charts/pihole/templates/service-dhcp.yaml @@ -25,6 +25,9 @@ spec: {{- end }} {{- if or (eq .Values.serviceDhcp.type "NodePort") (eq .Values.serviceDhcp.type "LoadBalancer") }} externalTrafficPolicy: {{ .Values.serviceDhcp.externalTrafficPolicy }} + {{- if .Values.serviceDhcp.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.serviceDhcp.internalTrafficPolicy }} + {{- end }} {{- end }} ports: - port: {{ .Values.serviceDhcp.port }} diff --git a/charts/pihole/templates/service-dns.yaml b/charts/pihole/templates/service-dns.yaml index 7d5b7a67..d25dd6f9 100644 --- a/charts/pihole/templates/service-dns.yaml +++ b/charts/pihole/templates/service-dns.yaml 
@@ -22,6 +22,9 @@ spec: {{- end }} {{- if or (eq .Values.serviceDns.type "NodePort") (eq .Values.serviceDns.type "LoadBalancer") }} externalTrafficPolicy: {{ .Values.serviceDns.externalTrafficPolicy }} + {{- if .Values.serviceDns.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.serviceDns.internalTrafficPolicy }} + {{- end }} {{- end }} ports: - port: {{ .Values.serviceDns.port }} diff --git a/charts/pihole/templates/service-web.yaml b/charts/pihole/templates/service-web.yaml index dc4f9242..9130901b 100644 --- a/charts/pihole/templates/service-web.yaml +++ b/charts/pihole/templates/service-web.yaml @@ -27,6 +27,9 @@ spec: {{- end }} {{- if or (eq .Values.serviceWeb.type "NodePort") (eq .Values.serviceWeb.type "LoadBalancer") }} externalTrafficPolicy: {{ .Values.serviceWeb.externalTrafficPolicy }} + {{- if .Values.serviceWeb.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.serviceWeb.internalTrafficPolicy }} + {{- end }} {{- end }} ports: {{- if .Values.serviceWeb.http.enabled }} diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml index ba3d3e05..bb080e37 100644 --- a/charts/pihole/values.yaml +++ b/charts/pihole/values.yaml @@ -46,9 +46,13 @@ serviceDns: # -- Optional node port for the DNS service nodePort: "" - # -- `spec.externalTrafficPolicy` for the DHCP Service + # -- `spec.externalTrafficPolicy` for the DNS Service externalTrafficPolicy: Local + # -- 'spec.internalTrafficPolicy' for the DNS Service + # Optional - will default to Cluster if not specified + # internalTrafficPolicy: Local + # -- A fixed `spec.loadBalancerIP` for the DNS Service loadBalancerIP: "" # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service 
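Review bot: `internalTrafficPolicy` is emitted only inside the `{{- if or (eq .Values.serviceDns.type "NodePort") (eq .Values.serviceDns.type "LoadBalancer") }}` block, in all three service templates of this patch, yet the field also applies to ClusterIP Services, so a user who keeps the default type and sets `serviceDns.internalTrafficPolicy: Local` has it silently dropped while the new values comment promises it is honoured. Move the three-line `{{- if .Values.serviceDns.internalTrafficPolicy }} ... {{- end }}` out to the same level as the `clusterIP` block, and do the same in service-dhcp.yaml and service-web.yaml. In the values.yaml hunk the key is written as `'spec.internalTrafficPolicy'` in single quotes while the sibling comments use backticks; match the surrounding style.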
@@ -77,6 +81,10 @@ serviceDhcp: # -- `spec.externalTrafficPolicy` for the DHCP Service externalTrafficPolicy: Local + # -- 'spec.internalTrafficPolicy' for the DHCP Service + # Optional - will default to Cluster if not specified + # internalTrafficPolicy: Local + # -- A fixed `spec.loadBalancerIP` for the DHCP Service loadBalancerIP: "" # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service @@ -118,6 +126,10 @@ serviceWeb: # -- `spec.externalTrafficPolicy` for the web interface Service externalTrafficPolicy: Local + # -- 'spec.internalTrafficPolicy' for the web interface Service + # Optional - will default to Cluster if not specified + # internalTrafficPolicy: Local + # -- A fixed `spec.loadBalancerIP` for the web interface Service loadBalancerIP: "" # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service From 41ec1ded93872dd66a7b31e53627bb83916a6b33 Mon Sep 17 00:00:00 2001 From: jon Date: Fri, 29 Dec 2023 17:50:04 +0000 Subject: [PATCH 12/18] allow externalIP in serviceDNS --- charts/pihole/templates/service-dns.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/pihole/templates/service-dns.yaml b/charts/pihole/templates/service-dns.yaml index d25dd6f9..815c109a 100644 --- a/charts/pihole/templates/service-dns.yaml +++ b/charts/pihole/templates/service-dns.yaml @@ -26,6 +26,10 @@ spec: internalTrafficPolicy: {{ .Values.serviceDns.internalTrafficPolicy }} {{- end }} {{- end }} + {{- if .Values.serviceDns.externalIPs }} + externalIPs: + {{- toYaml .Values.serviceDns.externalIPs | nindent 8 }} + {{- end }} ports: - port: {{ .Values.serviceDns.port }} targetPort: dns From dfcc185714153f38755aaa26e3489cc19f8b9b44 Mon Sep 17 00:00:00 2001 
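Review bot: The new `externalIPs:` block passes `serviceDns.externalIPs` through from values with no validation or documentation, and this is the Service field behind CVE-2020-8554 (a Service that claims an externalIP can intercept in-cluster traffic to that address), so many clusters reject it outright via the DenyServiceExternalIPs admission controller or a policy engine. A values entry next to `loadBalancerIP` such as `# -- List of \`spec.externalIPs\` for the DNS Service; only addresses actually routed to the nodes, and may be rejected by cluster policy` followed by `externalIPs: []` would document the option (no default or README row for it appears in this series) and warn about the likely install-time rejection. The `toYaml ... | nindent 8` renders the list deeper than the `externalIPs:` key it belongs to; valid YAML, but `nindent 4` would match the rest of the spec.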
From: Christian Erhardt Date: Fri, 12 Jan 2024 10:01:25 +0000 Subject: [PATCH 13/18] chore: changed naming of variable --- charts/pihole/README.md | 21 ++++++------ ...ap-cmdlist.yaml => configmap-domains.yaml} | 32 +++++++++---------- charts/pihole/templates/deployment.yaml | 23 +++++++------ charts/pihole/values.yaml | 12 +++---- 4 files changed, 45 insertions(+), 43 deletions(-) rename charts/pihole/templates/{configmap-cmdlist.yaml => configmap-domains.yaml} (67%) diff --git a/charts/pihole/README.md b/charts/pihole/README.md index b8ee1a14..1689ef33 100644 --- a/charts/pihole/README.md +++ b/charts/pihole/README.md @@ -2,7 +2,7 @@ Installs pihole in kubernetes -![Version: 2.9.3](https://img.shields.io/badge/Version-2.9.3-informational?style=flat-square) ![AppVersion: 2022.09.1](https://img.shields.io/badge/AppVersion-2022.09.1-informational?style=flat-square) +![Version: 2.21.0](https://img.shields.io/badge/Version-2.21.0-informational?style=flat-square) ![AppVersion: 2023.11.0](https://img.shields.io/badge/AppVersion-2023.11.0-informational?style=flat-square) [![All Contributors](https://img.shields.io/badge/all_contributors-27-blue.svg?style=flat-square)](#contributors-) 
@@ -173,9 +173,10 @@ The following table lists the configurable parameters of the pihole chart and th | affinity | object | `{}` | | | antiaff.avoidRelease | string | `"pihole1"` | Here you can set the pihole release (you set in `helm install ...`) you want to avoid | | antiaff.enabled | bool | `false` | set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) | +| antiaff.namespaces | list | `[]` | Here you can pass namespaces to be part of those inclueded in anti-affinity | | antiaff.strict | bool | `true` | Here you can choose between preferred or required | -| antiaff.namespaces | '[]' | list of namespaces to include in anti-affinity settings | blacklist | object | `{}` | list of blacklisted domains to import during initial start of the container | +| capabilities | object | `{}` | | | customVolumes.config | object | `{}` | any volume type can be used here | | customVolumes.enabled | bool | `false` | set this to true to enable custom volumes | | dnsHostPort.enabled | bool | `false` | set this to true to enable dnsHostPort | 
@@ -199,7 +200,9 @@ The following table lists the configurable parameters of the pihole chart and th | doh.pullPolicy | string | `"IfNotPresent"` | | | doh.repository | string | `"crazymax/cloudflared"` | | | doh.tag | string | `"latest"` | | +| domains | object | `{"alwaysNuke":false,"deny":[],"denyRegex":[],"denyWildcard":[],"permit":[],"permitRegex":[],"permitWildcard":[]}` | An alternate method of configuration using pihole cmd script rather than reading legacy files at startup This will allow for permit wildcards which can't be done with the old config manner | | dualStack.enabled | bool | `false` | set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` | +| extraContainers | list | `[]` | | | extraEnvVars | object | `{}` | extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use | | extraEnvVarsSecret | object | `{}` | extraEnvVarsSecret is a list of secrets to load in as environment variables. | | extraInitContainers | list | `[]` | any initContainers you might want to run before starting pihole | 
@@ -226,16 +229,16 @@ The following table lists the configurable parameters of the pihole chart and th | persistentVolumeClaim.annotations | object | `{}` | Annotations for the `PersitentVolumeClaim` | | persistentVolumeClaim.enabled | bool | `false` | set to true to use pvc | | podAnnotations | object | `{}` | Additional annotations for pods | +| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | configure a Pod Disruption Budget | +| podDisruptionBudget.enabled | bool | `false` | set to true to enable creating the PDB | +| podDisruptionBudget.minAvailable | int | `1` | minimum number of pods Kubernetes should try to have running at all times | | podDnsConfig.enabled | bool | `true` | | | podDnsConfig.nameservers[0] | string | `"127.0.0.1"` | | | podDnsConfig.nameservers[1] | string | `"8.8.8.8"` | | | podDnsConfig.policy | string | `"None"` | | | privileged | string | `"false"` | should container run in privileged mode | -| capabilities | object | `{}` | Linux capabilities that container should run with | -| probes | object | `{"liveness":{"type": "httpGet","enabled":true,"failureThreshold":10,"initialDelaySeconds":60,"port":"http","scheme":"HTTP","timeoutSeconds":5},"readiness":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"port":"http","scheme":"HTTP","timeoutSeconds":5}}` | Probes configuration | -| probes.liveness.enabled | bool | `true` | Generate a liveness probe | -| probes.liveness.type | string | `httpGet` | Defines the type of liveness probe. 
(httpGet, command) | -| probes.liveness.command | list | [] | A list of commands to execute as a liveness probe (Requires `type` to be set to `command`) | +| probes | object | `{"liveness":{"enabled":true,"failureThreshold":10,"initialDelaySeconds":60,"port":"http","scheme":"HTTP","timeoutSeconds":5,"type":"httpGet"},"readiness":{"enabled":true,"failureThreshold":3,"initialDelaySeconds":60,"port":"http","scheme":"HTTP","timeoutSeconds":5}}` | Probes configuration | +| probes.liveness.type | string | `"httpGet"` | Generate a liveness probe 'type' defaults to httpGet, can be set to 'command' to use a command type liveness probe. | | probes.readiness.enabled | bool | `true` | Generate a readiness probe | | regex | object | `{}` | list of blacklisted regex expressions to import during initial start of the container | | replicaCount | int | `1` | The number of replicas | @@ -251,7 +254,7 @@ The following table lists the configurable parameters of the pihole chart and th | serviceDhcp.type | string | `"NodePort"` | `spec.type` for the DHCP Service | | serviceDns | object | `{"annotations":{},"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerIPv6":"","mixedService":false,"nodePort":"","port":53,"type":"NodePort"}` | Configuration for the DNS service on port 53 | | serviceDns.annotations | object | `{}` | Annotations for the DNS service | -| serviceDns.externalTrafficPolicy | string | `"Local"` | `spec.externalTrafficPolicy` for the DHCP Service | +| serviceDns.externalTrafficPolicy | string | `"Local"` | `spec.externalTrafficPolicy` for the DNS Service | | serviceDns.loadBalancerIP | string | `""` | A fixed `spec.loadBalancerIP` for the DNS Service | | serviceDns.loadBalancerIPv6 | string | `""` | A fixed `spec.loadBalancerIP` for the IPv6 DNS Service | | serviceDns.mixedService | bool | `false` | deploys a mixed (TCP + UDP) Service instead of separate ones | 
@@ -399,4 +402,4 @@ Thanks goes to these wonderful people: This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome! ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/pihole/templates/configmap-cmdlist.yaml b/charts/pihole/templates/configmap-domains.yaml similarity index 67% rename from charts/pihole/templates/configmap-cmdlist.yaml rename to charts/pihole/templates/configmap-domains.yaml index 028faf04..ba38615b 100644 --- a/charts/pihole/templates/configmap-cmdlist.yaml +++ b/charts/pihole/templates/configmap-domains.yaml @@ -1,20 +1,20 @@ -{{ if .Values.cmdlist }} +{{ if .Values.domains }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "pihole.fullname" . }}-cmdlist + name: {{ template "pihole.fullname" . }}-domains labels: app: {{ template "pihole.name" . }} chart: {{ template "pihole.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: - cmdlist.sh: | + domains.sh: | #!/usr/bin/env bash # shellcheck disable=SC1090 # List of pihole commands to configure / reconfigure permit and deny lists - {{- if eq .Values.cmdlist.alwaysNuke true }} + {{- if eq .Values.domains.alwaysNuke true }} pihole -w --nuke --noreload pihole -b --nuke --noreload pihole --white-wild --nuke --noreload 
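Review bot: `{{ if .Values.domains }}` is always true once `domains:` carries a default block in values.yaml (the README hunk in this same patch documents it as `{"alwaysNuke":false,"deny":[],...}`), so the ConfigMap — and the blocking postStart hook in deployment.yaml keyed on the same condition — is rendered even for users who never configure a domain. Gate on actual content instead, e.g. `{{- if and .Values.domains (or .Values.domains.alwaysNuke .Values.domains.permit .Values.domains.deny .Values.domains.permitWildcard .Values.domains.denyWildcard .Values.domains.permitRegex .Values.domains.denyRegex) }}`, and use the same condition in deployment.yaml. The `--nuke` lines under `alwaysNuke` delete every entry including ones added outside the chart, which the script header comment should state as plainly as values.yaml does. The script body continues in the next hunk.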
@@ -24,33 +24,33 @@ data: pihole restartdns reload sleep 5 {{- end }} - {{- if .Values.cmdlist.permit }} - {{- range .Values.cmdlist.permit }} + {{- if .Values.domains.permit }} + {{- range .Values.domains.permit }} pihole -w --noreload {{ . }} --comment "Added by pihole Helm chart" {{- end }} {{- end }} - {{- if .Values.cmdlist.deny }} - {{- range .Values.cmdlist.deny }} + {{- if .Values.domains.deny }} + {{- range .Values.domains.deny }} pihole -b --noreload {{ . }} --comment "Added by pihole Helm chart" {{- end }} {{- end }} - {{- if .Values.cmdlist.permitWild }} - {{- range .Values.cmdlist.permitWild }} + {{- if .Values.domains.permitWildcard }} + {{- range .Values.domains.permitWildcard }} pihole --white-wild --noreload {{ . }} --comment "Added by pihole Helm chart" {{- end }} {{- end }} - {{- if .Values.cmdlist.denyWild }} - {{- range .Values.cmdlist.denyWild }} + {{- if .Values.domains.denyWildcard }} + {{- range .Values.domains.denyWildcard }} pihole --wild --noreload {{ . }} --comment "Added by pihole Helm chart" {{- end }} {{- end }} - {{- if .Values.cmdlist.permitRegex }} - {{- range .Values.cmdlist.permitRegex }} + {{- if .Values.domains.permitRegex }} + {{- range .Values.domains.permitRegex }} pihole --white-regex --noreload '{{ . }}' --comment "Added by pihole Helm chart" {{- end }} {{- end }} - {{- if .Values.cmdlist.denyRegex }} - {{- range .Values.cmdlist.denyRegex }} + {{- if .Values.domains.denyRegex }} + {{- range .Values.domains.denyRegex }} pihole --regex --noreload '{{ . }}' --comment "Added by pihole Helm chart" {{- end }} {{- end }} diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index 23384a51..8e029e61 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml 
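Review bot: Every list entry is spliced unquoted into a bash script that is later `source`d inside the pihole container, so a `domains.permit`/`deny`/`permitWildcard`/`denyWildcard` value such as `example.com; <command>` or one containing `$(...)` would be executed with the container's privileges rather than added as a domain, and the single-quoted `permitRegex`/`denyRegex` lines break out on an embedded `'`. Values files are frequently shared, generated, or merged from several sources, so treat these lists as untrusted input and fail the render on anything that is not a plain domain: `{{- if not (regexMatch "^[A-Za-z0-9._-]+$" .) }}{{ fail (printf "domains entry %q is not a valid domain" .) }}{{- end }}` before each `pihole -w/-b/--wild/--white-wild` line. For the two regex lists, emit the value with `{{ . | squote }}` behind a `{{- if contains "'" . }}{{ fail "regex entries may not contain a single quote" }}{{- end }}` guard, since no single-quote escaping is possible inside bash single quotes. The `alwaysNuke` part of the script is in the preceding hunk.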
@@ -29,7 +29,7 @@ spec: checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }} checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }} checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }} - checksum.config.cmdlist: {{ include (print $.Template.BasePath "/configmap-cmdlist.yaml") . | sha256sum | trunc 63 }} + checksum.config.domains: {{ include (print $.Template.BasePath "/configmap-domains.yaml") . | sha256sum | trunc 63 }} {{- with .Values.podAnnotations }} {{ toYaml . | indent 8 }} {{- end }} @@ -225,8 +225,8 @@ spec: failureThreshold: {{ .Values.probes.readiness.failureThreshold }} timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} {{- end }} - {{- if .Values.cmdlist }} - # Using bash for the convenience of sourc + {{- if .Values.domains }} + # Using bash for the convenience of source # This is not a very elegant way of checking that the DB is ready and isn't still being initialised # but I couldn't find a more reliable way... lifecycle: @@ -235,8 +235,7 @@ spec: command: - 'bash' - '-c' - # - 'until pihole status | grep enabled >> /var/log/cmdlist.log 2>&1; do echo Waiting for pihole; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' - - 'until grep "file renamed while open" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/cmdlist.log; sleep 2; done; sleep 20; source /etc/pihole/cmdlist.sh >> /var/log/cmdlist.log 2>&1' + - 'until grep "file renamed while open" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/domains.log; sleep 2; done; sleep 20; source /etc/pihole/domains.sh >> /var/log/domains.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole 
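Review bot: The readiness wait `until grep "file renamed while open" /var/log/pihole/FTL.log ; do ... done` in the postStart hook has no upper bound, so if FTL never logs that exact string (the comment added just above calls the check unreliable, and a later commit in this series tries a different marker and reverts) the hook never returns and the container cannot reach Running. Bound it with something like `for i in $(seq 1 90); do grep -q "file renamed while open" /var/log/pihole/FTL.log && break; sleep 2; done`, and log a clear failure when the loop exhausts. If `/var/log/pihole` lives on the persistent volume, a line from a previous run matches immediately on restart, which may be what the fixed `sleep 20` is compensating for. Because the script is `source`d, a failing `pihole` command neither stops it nor reaches the hook's exit status; appending `|| echo "domains.sh failed" >> /var/log/domains.log` at least leaves a trace. The container spec continues outside the hunk.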
@@ -275,10 +274,10 @@ spec: name: whitelist subPath: whitelist.txt {{- end }} - {{- if .Values.cmdlist }} - - mountPath: /etc/pihole/cmdlist.sh - name: cmdlist - subPath: cmdlist.sh + {{- if .Values.domains }} + - mountPath: /etc/pihole/domains.sh + name: domains + subPath: domains.sh {{- end }} {{- if .Values.dnsmasq.staticDhcpEntries }} - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf @@ -354,11 +353,11 @@ spec: name: {{ template "pihole.fullname" . }}-regex name: regex {{- end }} - {{- if .Values.cmdlist }} + {{- if .Values.domains }} - configMap: defaultMode: 420 - name: {{ template "pihole.fullname" . }}-cmdlist - name: cmdlist + name: {{ template "pihole.fullname" . }}-domains + name: domains {{- end }} {{- range $key, $value := .Values.extraVolumes }} - name: {{ $key }} diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml index bb080e37..e1ec12d4 100644 --- a/charts/pihole/values.yaml +++ b/charts/pihole/values.yaml @@ -388,7 +388,7 @@ regex: # -- An alternate method of configuration using pihole cmd script rather than reading legacy files at startup # This will allow for permit wildcards which can't be done with the old config manner -cmdlist: +domains: # alwaysNuke will delete all existing list content before loading this configuration # This will also delete any permit and denies you have added with the legacy method @@ -405,14 +405,14 @@ cmdlist: # Wildcard Permit List # These will be converted by Pihole into regex allowing the domain and it's subdomains - # So the below example will end up as regex permit liek '(^|\.)permitwildexample\.com$'' - permitWild: [] - # - permitwildexample.com + # So the below example will end up as regex permit liek '(^|\.)permitWildcardexample\.com$'' + permitWildcard: [] + # - permitWildcardexample.com # Wildcard Deny List # These will be converted by Pihole into regex as above - denyWild: [] - # - denywildexample.com + denyWildcard: [] + # - denyWildcardexample.com # Regex Permit List permitRegex: [] 
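Review bot: The values.yaml comment `# So the below example will end up as regex permit liek '(^|\.)permitWildcardexample\.com$''` now has both a typo and a stray trailing quote, and the rename also turned the example domain into mixed case, which reads as if case mattered. Suggest `# So the example below ends up as the regex permit '(^|\.)permitwildexample\.com$'` with the example entry `# - permitwildexample.com`, and the same treatment for the `denyWildcard` example two keys down. These comments are what helm-docs copies into the README table for `domains`, so the wording is user-facing.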
From 498eacd0645d002949901ed688aa3ba983fc62e2 Mon Sep 17 00:00:00 2001 From: jon Date: Wed, 8 May 2024 22:59:53 +0100 Subject: [PATCH 14/18] change postStart watcher text --- charts/pihole/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index fa3bb155..b246e55a 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml @@ -243,7 +243,7 @@ spec: command: - 'bash' - '-c' - - 'until grep "file renamed while open" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/domains.log; sleep 2; done; sleep 20; source /etc/pihole/domains.sh >> /var/log/domains.log 2>&1' + - 'until grep "Enabling blocking" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/domains.log; sleep 2; done; sleep 20; source /etc/pihole/domains.sh >> /var/log/domains.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole From 040319685d0947b464f245b236038a010e055bb3 Mon Sep 17 00:00:00 2001 From: jon Date: Wed, 8 May 2024 23:12:41 +0100 Subject: [PATCH 15/18] revert --- charts/pihole/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml index b246e55a..fa3bb155 100644 --- a/charts/pihole/templates/deployment.yaml +++ b/charts/pihole/templates/deployment.yaml @@ -243,7 +243,7 @@ spec: command: - 'bash' - '-c' - - 'until grep "Enabling blocking" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/domains.log; sleep 2; done; sleep 20; source /etc/pihole/domains.sh >> /var/log/domains.log 2>&1' + - 'until grep "file renamed while open" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/domains.log; sleep 2; done; sleep 20; source /etc/pihole/domains.sh >> /var/log/domains.log 2>&1' {{ end }} volumeMounts: - mountPath: /etc/pihole 
From 33d01b34beba8463beedbf30bd2ab7c7417e71de Mon Sep 17 00:00:00 2001 From: github-actions Date: Sat, 6 Jul 2024 04:03:21 +0000 Subject: [PATCH 16/18] feat: bump pihole version to 2024.07.0 Bump program version [Workflow Run]: https://github.com/specialcircumstances/pihole-kubernetes/actions/runs/9816443223 Signed-off-by: github-actions --- charts/pihole/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/Chart.yaml b/charts/pihole/Chart.yaml index 622d475f..789d2e6d 100644 --- a/charts/pihole/Chart.yaml +++ b/charts/pihole/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 description: Installs pihole in kubernetes home: https://github.com/MoJo2600/pihole-kubernetes/tree/main/charts/pihole name: pihole -appVersion: "2024.03.2" +appVersion: "2024.07.0" # Do not touch will be updated during release version: 2.23.0 sources: From 990f60727a442a5cd3655535663c95b8daed081e Mon Sep 17 00:00:00 2001 From: JonS Date: Fri, 9 May 2025 08:36:11 +0100 Subject: [PATCH 17/18] Update Chart.yaml - version bump to 2025.04.0 --- charts/pihole/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/Chart.yaml b/charts/pihole/Chart.yaml index 622d475f..3916dc65 100644 --- a/charts/pihole/Chart.yaml +++ b/charts/pihole/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 description: Installs pihole in kubernetes home: https://github.com/MoJo2600/pihole-kubernetes/tree/main/charts/pihole name: pihole -appVersion: "2024.03.2" +appVersion: "2025.04.0" # Do not touch will be updated during release version: 2.23.0 sources: From d8e952f4d304e1c3d5045cbb7114cfabb41f184b Mon Sep 17 00:00:00 2001 From: JonS Date: Fri, 9 May 2025 08:43:31 +0100 Subject: [PATCH 18/18] Update Chart.yaml regress to 2024.07.0 --- charts/pihole/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pihole/Chart.yaml b/charts/pihole/Chart.yaml index 3916dc65..789d2e6d 100644 --- a/charts/pihole/Chart.yaml +++ b/charts/pihole/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v1 description: Installs pihole in kubernetes home: https://github.com/MoJo2600/pihole-kubernetes/tree/main/charts/pihole name: pihole -appVersion: "2025.04.0" +appVersion: "2024.07.0" # Do not touch will be updated during release version: 2.23.0 sources: