MoJo2600 · specialcircumstances · Dec 21, 2023 · Dec 24, 2023 · Dec 24, 2023 · Dec 24, 2023
diff --git a/charts/pihole/README.md b/charts/pihole/README.md
@@ -212,6 +212,7 @@ The following table lists the configurable parameters of the pihole chart and th
 | doh.pullPolicy | string | `"IfNotPresent"` | Pull policy |
 | doh.repository | string | `"crazymax/cloudflared"` | repository |
 | doh.tag | string | `"latest"` |  |
+| domains | object | `{"alwaysNuke":false,"deny":[],"denyRegex":[],"denyWildcard":[],"permit":[],"permitRegex":[],"permitWildcard":[]}` | An alternate method of configuration using pihole cmd script rather than reading legacy files at startup This will allow for permit wildcards which can't be done with the old config manner |
 | dualStack.enabled | bool | `false` | set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` |
 | extraContainers | list | `[]` |  |
 | extraEnvVars | object | `{"FTLCONF_dns_listeningMode":"all"}` | extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use. You can use either scalars or project cm, secrets or pod fields via valueFrom |

diff --git a/charts/pihole/templates/configmap-domains.yaml b/charts/pihole/templates/configmap-domains.yaml
@@ -0,0 +1,59 @@
+{{ if .Values.domains }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "pihole.fullname" . }}-domains
+  labels:
+    app: {{ template "pihole.name" . }}
+    chart: {{ template "pihole.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  domains.sh: |
+    #!/usr/bin/env bash
+    # shellcheck disable=SC1090
+
+    # List of pihole commands to configure / reconfigure permit and deny lists
+  {{- if eq .Values.domains.alwaysNuke true }}
+    pihole -w --nuke --noreload 
+    pihole -b --nuke --noreload 
+    pihole --white-wild --nuke --noreload 
+    pihole --wild --nuke --noreload 
+    pihole --white-regex --nuke --noreload 
+    pihole --regex --nuke --noreload 
+    pihole restartdns reload
+    sleep 5
+  {{- end }}
+  {{- if .Values.domains.permit }}
+    {{- range .Values.domains.permit }}
+    pihole -w --noreload {{ . }} --comment "Added by pihole Helm chart"
+    {{- end }}
+  {{- end }}
+  {{- if .Values.domains.deny }}
+    {{- range .Values.domains.deny }}
+    pihole -b --noreload {{ . }} --comment "Added by pihole Helm chart"
+    {{- end }}
+  {{- end }}
+  {{- if .Values.domains.permitWildcard }}
+    {{- range .Values.domains.permitWildcard }}
+    pihole --white-wild --noreload {{ . }} --comment "Added by pihole Helm chart"
+    {{- end }}
+  {{- end }}
+  {{- if .Values.domains.denyWildcard }}
+    {{- range .Values.domains.denyWildcard }}
+    pihole --wild --noreload {{ . }} --comment "Added by pihole Helm chart"
+    {{- end }}
+  {{- end }}
+  {{- if .Values.domains.permitRegex }}
+    {{- range .Values.domains.permitRegex }}
+    pihole --white-regex --noreload '{{ . }}' --comment "Added by pihole Helm chart"
+    {{- end }}
+  {{- end }}
+  {{- if .Values.domains.denyRegex }}
+    {{- range .Values.domains.denyRegex }}
+    pihole --regex --noreload '{{ . }}' --comment "Added by pihole Helm chart"
+    {{- end }}
+  {{- end }}
+    pihole restartdns reload
+    # End of list
+{{ end }}
diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml
@@ -37,6 +37,7 @@ spec:
         checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }}
         checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
         checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }}
+        checksum.config.domains: {{ include (print $.Template.BasePath "/configmap-domains.yaml") . | sha256sum | trunc 63 }}
 {{- with .Values.podAnnotations }}
 {{ toYaml . | indent 8 }}
 {{- end }}
@@ -269,6 +270,18 @@ spec:
             failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
             timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
           {{- end }}
+          {{- if .Values.domains }}
+          # Using bash for the convenience of source
+          # This is not a very elegant way of checking that the DB is ready and isn't still being initialised
+          # but I couldn't find a more reliable way...         
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  - 'bash'
+                  - '-c'
+                  - 'until grep "file renamed while open" /var/log/pihole/FTL.log ; do echo Waiting for pihole >> /var/log/domains.log; sleep 2; done; sleep 20; source /etc/pihole/domains.sh >> /var/log/domains.log 2>&1'  
+          {{ end }}
           volumeMounts:
           - mountPath: /etc/pihole
             name: config
@@ -306,6 +319,11 @@ spec:
             name: whitelist
             subPath: whitelist.txt
           {{- end }}
+          {{- if .Values.domains }}
+          - mountPath: /etc/pihole/domains.sh
+            name: domains
+            subPath: domains.sh
+          {{- end }}
           {{- if .Values.dnsmasq.staticDhcpEntries }}
           - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf
             name: static-dhcp
@@ -316,7 +334,7 @@ spec:
 {{- toYaml $value | nindent 12 }}
           {{- end }}
           resources:
-{{ toYaml .Values.resources | indent 12 }}
+{{ toYaml .Values.resources | indent 12 }}  
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}
@@ -380,6 +398,12 @@ spec:
           name: {{ template "pihole.fullname" . }}-regex
         name: regex
       {{- end }}
+      {{- if .Values.domains }}
+      - configMap:
+          defaultMode: 420
+          name: {{ template "pihole.fullname" . }}-domains
+        name: domains
+      {{- end }}
       {{- range $key, $value := .Values.extraVolumes }}
       - name: {{ $key }}
 {{- toYaml $value | nindent 8 }}

diff --git a/charts/pihole/templates/service-dhcp.yaml b/charts/pihole/templates/service-dhcp.yaml
@@ -32,6 +32,9 @@ spec:
   {{- end }}
   {{- if or (eq .Values.serviceDhcp.type "NodePort") (eq .Values.serviceDhcp.type "LoadBalancer") }}
   externalTrafficPolicy: {{ .Values.serviceDhcp.externalTrafficPolicy }}
+    {{- if .Values.serviceDhcp.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.serviceDhcp.internalTrafficPolicy }}
+    {{- end }}
   {{- end }}
   ports:
     - port: {{ .Values.serviceDhcp.port }}

diff --git a/charts/pihole/templates/service-dns.yaml b/charts/pihole/templates/service-dns.yaml
@@ -26,6 +26,13 @@ spec:
   {{- end }}
   {{- if or (eq .Values.serviceDns.type "NodePort") (eq .Values.serviceDns.type "LoadBalancer") }}
   externalTrafficPolicy: {{ .Values.serviceDns.externalTrafficPolicy }}
+    {{- if .Values.serviceDns.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.serviceDns.internalTrafficPolicy }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.serviceDns.externalIPs  }}
+  externalIPs:
+    {{- toYaml .Values.serviceDns.externalIPs | nindent 8 }}
   {{- end }}
   ports:
     - port: {{ .Values.serviceDns.port }}

diff --git a/charts/pihole/templates/service-web.yaml b/charts/pihole/templates/service-web.yaml
@@ -32,6 +32,9 @@ spec:
   {{- end }}
   {{- if or (eq .Values.serviceWeb.type "NodePort") (eq .Values.serviceWeb.type "LoadBalancer") }}
   externalTrafficPolicy: {{ .Values.serviceWeb.externalTrafficPolicy }}
+    {{- if .Values.serviceWeb.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.serviceWeb.internalTrafficPolicy }}
+    {{- end }}
   {{- end }}
   ports:
     {{- if .Values.serviceWeb.http.enabled }}

diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml
@@ -49,9 +49,13 @@
   # -- Optional node port for the DNS service
   nodePort: ""
 
-  # -- `spec.externalTrafficPolicy` for the DHCP Service
+  # -- `spec.externalTrafficPolicy` for the DNS Service
   externalTrafficPolicy: Local
 
+  # -- 'spec.internalTrafficPolicy' for the DNS Service
+  # Optional - will default to Cluster if not specified
+  # internalTrafficPolicy: Local
+
   # -- A fixed `spec.loadBalancerIP` for the DNS Service
   loadBalancerIP: ""
   # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service
@@ -85,6 +89,10 @@
   # -- `spec.externalTrafficPolicy` for the DHCP Service
   externalTrafficPolicy: Local
 
+  # -- 'spec.internalTrafficPolicy' for the DHCP Service
+  # Optional - will default to Cluster if not specified
+  # internalTrafficPolicy: Local
+
   # -- A fixed `spec.loadBalancerIP` for the DHCP Service
   loadBalancerIP: ""
   # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service
@@ -130,6 +138,10 @@
   # -- `spec.externalTrafficPolicy` for the web interface Service
   externalTrafficPolicy: Local
 
+  # -- 'spec.internalTrafficPolicy' for the web interface Service
+  # Optional - will default to Cluster if not specified
+  # internalTrafficPolicy: Local
+
   # -- A fixed `spec.loadBalancerIP` for the web interface Service
   loadBalancerIP: ""
   # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service
@@ -438,6 +450,42 @@
 regex: {}
   # Add regular expression blacklist items
   # - (^|\.)facebook\.com$
+
+# -- An alternate method of configuration using pihole cmd script rather than reading legacy files at startup
+# This will allow for permit wildcards which can't be done with the old config manner
+domains:
+
+  # alwaysNuke will delete all existing list content before loading this configuration
+  # This will also delete any permit and denies you have added with the legacy method
+  # This is set false by default, but true is recommended if you are using this config method and not the old one
+  alwaysNuke: false
+
+  # Standard Permit List
+  permit: []
+  # - example.com
+
+  # Standard Deny List
+  deny: []
+  # - example.com
+
+  # Wildcard Permit List
+  # These will be converted by Pihole into regex allowing the domain and it's subdomains
+  # So the below example will end up as regex permit liek '(^|\.)permitWildcardexample\.com$''
+  permitWildcard: []
+  # - permitWildcardexample.com
+
+  # Wildcard Deny List
+  # These will be converted by Pihole into regex as above
+  denyWildcard: []
+  # - denyWildcardexample.com
+
+  # Regex Permit List
+  permitRegex: []
+  # - (^|\.)permitregexexample\.com$
+
+  # Regex Deny List
+  denyRegex: []
+  # - (^|\.)denyregexexample\.com$
 
 # -- values that should be added to pihole-FTL.conf. You can use either scalars or project cm, secrets or pod fields via valueFrom
 ftl: {}