From 97e7ce7fb41be7bf5811532ef8105ceb9fc97610 Mon Sep 17 00:00:00 2001 From: Ibrahim Mkusa Date: Mon, 18 Nov 2024 09:06:13 -0500 Subject: [PATCH] pihole running on k8s --- manifests/pihole/README.md | 12 + manifests/pihole/install.yaml | 14 +- manifests/pihole/values.yaml | 554 ++++++++++++++++++++++++++++++++++ 3 files changed, 569 insertions(+), 11 deletions(-) create mode 100644 manifests/pihole/README.md create mode 100644 manifests/pihole/values.yaml diff --git a/manifests/pihole/README.md b/manifests/pihole/README.md new file mode 100644 index 0000000..2beadc7 --- /dev/null +++ b/manifests/pihole/README.md @@ -0,0 +1,12 @@ +Add the repo `https://mojo2600.github.io/pihole-kubernetes/` from `mojo 2600` +Edit the values by pulling the chart(if desired) +``` +helm repo add mojo2600 https://mojo2600.github.io/pihole-kubernetes/ + +helm install pihole mojo2600/pihole --values values.yaml +``` + +NOTE: if you want to install pihole solo, you must edit the network policy to +allow external internal traffic to the pod. See +[externalNetworkpolicy](https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/08-allow-external-traffic.md) + diff --git a/manifests/pihole/install.yaml b/manifests/pihole/install.yaml index 98a0e4a..3579d6e 100644 --- a/manifests/pihole/install.yaml +++ b/manifests/pihole/install.yaml @@ -32,24 +32,16 @@ spec: app: pihole spec: containers: - - image: pihole/pihole:latest + - image: pihole/pihole name: pihole - ports: - - containerPort: 80 - - containerPort: 53 resources: {} env: - name: TZ value: "America/New_York" - name: WEBPASSWORD value: "initial" - #volumeMounts: - #- name: etc-dir - #mountPath: /etc - #volumes: - #- name: etc-dir - #persistentVolumeClaim: - #claimName: pihole-longhorn-volv-pvc + - name: DNSMASQ_LISTENING + value: "all" status: {} --- diff --git a/manifests/pihole/values.yaml b/manifests/pihole/values.yaml new file mode 100644 index 0000000..ae8c2bf --- /dev/null +++ b/manifests/pihole/values.yaml 
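Review bot: The install.yaml hunk rewrites the container env block but keeps the admin password as the plaintext literal `value: "initial"` under `WEBPASSWORD`, so the credential for the Pi-hole web UI lives in a committed manifest; it should come from a Secret via `valueFrom.secretKeyRef` instead. Dropping `:latest` from `pihole/pihole` does not pin the image either, since an untagged reference resolves to `latest` anyway — pin a specific tag or digest. The added `DNSMASQ_LISTENING=all` makes pihole-FTL answer DNS on every interface in the pod, which is only safe if the NetworkPolicy the README mentions actually limits who can reach the pod; worth a comment such as `# answers on all pod interfaces; reachability is bounded by the pihole NetworkPolicy` next to it. The enclosing Deployment spec starts outside the hunk.
```yaml
      env:
        - name: TZ
          value: "America/New_York"
        - name: WEBPASSWORD
          valueFrom:
            secretKeyRef:
              name: PIHOLE_ADMIN_SECRET_NAME  # placeholder: Secret created out of band, not committed
              key: password
        - name: DNSMASQ_LISTENING
          value: "all"
# … unchanged: status: {} …
```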
@@ -0,0 +1,554 @@ +# Default values for pihole. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- The number of replicas +replicaCount: 1 + +# -- The `spec.strategyTpye` for updates +strategyType: RollingUpdate + +# -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. +maxSurge: 1 + +# -- The maximum number of Pods that can be unavailable during updating +maxUnavailable: 1 + +image: + # -- the repostory to pull the image from + repository: "pihole/pihole" + # -- the docker tag, if left empty it will get it from the chart's appVersion + tag: "" + # -- the pull policy + pullPolicy: IfNotPresent + +dualStack: + # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` + enabled: false + +dnsHostPort: + # -- set this to true to enable dnsHostPort + enabled: false + # -- default port for this pod + port: 53 + +# -- Configuration for the DNS service on port 53 +serviceDns: + # -- deploys a mixed (TCP + UDP) Service instead of separate ones + mixedService: true + + # -- `spec.type` for the DNS Service + type: LoadBalancer + + # -- The port of the DNS service + port: 53 + + # -- Optional node port for the DNS service + nodePort: "" + + # -- `spec.externalTrafficPolicy` for the DHCP Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DNS Service + loadBalancerIP: "192.168.0.234" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service + loadBalancerIPv6: "" + + # -- Annotations for the DNS service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + + # -- Labels for the DNS service + extraLabels: + {} + +# -- Configuration for the DHCP service on port 67 +serviceDhcp: + # -- Generate a Service resource for DHCP traffic + enabled: false + + # -- `spec.type` for the DHCP 
Service + type: NodePort + + # -- The port of the DHCP service + port: 67 + + # -- Optional node port for the DHCP service + nodePort: "" + + # -- `spec.externalTrafficPolicy` for the DHCP Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DHCP Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + # -- Labels for the DHCP service + extraLabels: + {} + +# -- Configuration for the web interface service +serviceWeb: + # -- Configuration for the HTTP web interface listener + http: + # -- Generate a service for HTTP traffic + enabled: true + + # -- The port of the web HTTP service + port: 80 + + # -- Optional node port for the web HTTP service + nodePort: "32010" + + # -- Configuration for the HTTPS web interface listener + https: + # -- Generate a service for HTTPS traffic + enabled: true + + # -- The port of the web HTTPS service + port: 443 + + # -- Optional node port for the web HTTPS service + nodePort: "" + + # -- `spec.type` for the web interface Service + type: ClusterIP + + # -- `spec.externalTrafficPolicy` for the web interface Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the web interface Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + + # -- Labels for the web interface service + extraLabels: + {} + +virtualHost: pi.hole + +# -- Configuration for the Ingress +ingress: + # -- Generate a Ingress resource + enabled: false + + # -- Specify an ingressClassName + # ingressClassName: nginx + + # -- Annotations for the ingress + 
annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + # virtualHost (default value is pi.hole) will be appended to the hosts + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # #- virtualHost (default value is pi.hole) will be appended to the hosts + # - chart-example.local + +# -- Probes configuration +probes: + # -- probes.liveness -- Configure the healthcheck for the ingress controller + liveness: + # -- Generate a liveness probe + # 'type' defaults to httpGet, can be set to 'command' to use a command type liveness probe. + type: httpGet + # command: + # - /bin/bash + # - -c + # - /bin/true + enabled: true + # -- wait time before trying the liveness probe + initialDelaySeconds: 60 + # -- threshold until the probe is considered failing + failureThreshold: 10 + # -- timeout in seconds + timeoutSeconds: 5 + port: http + scheme: HTTP + readiness: + # -- Generate a readiness probe + enabled: true + # -- Initial delay to wait for readiness check + initialDelaySeconds: 60 + # -- The failure threshold + failureThreshold: 3 + # -- The timeout in seconds + timeoutSeconds: 5 + # -- The port + port: http + scheme: HTTP + +# -- We usually recommend not to specify default resources and to leave this as a conscious +# -- choice for the user. This also increases chances charts run on environments with little +# -- resources, such as Minikube. If you do want to specify resources, uncomment the following +# -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- `spec.PersitentVolumeClaim` configuration +persistentVolumeClaim: + # -- set to true to use pvc + enabled: false + + # -- specify an existing `PersistentVolumeClaim` to use + # existingClaim: "" + + # -- Annotations for the `PersitentVolumeClaim` + annotations: {} + + accessModes: + - ReadWriteOnce + + # -- volume claim size + size: "500Mi" + + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + + ## subPath: "pihole" + +# -- Node selector values +nodeSelector: {} + +# -- Toleration +tolerations: [] + +# -- Specify a priorityClassName +# priorityClassName: "" + +# Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] +# - maxSkew: +# topologyKey: +# whenUnsatisfiable: +# labelSelector: + +affinity: {} + +# -- Administrator password when not using an existing secret (see below) +adminPassword: "admin" + +# -- Use an existing secret for the admin password. +admin: + # -- If set to false admin password will be disabled, adminPassword specified above and the pre-existing secret (if specified) will be ignored. 
+ enabled: true + # -- Specify an existing secret to use as admin password + existingSecret: "" + # -- Specify the key inside the secret to use + passwordKey: "password" + # -- Specify [annotations](docs/Values.md#admin.annotations) to be added to the secret + annotations: + # reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + # reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "external-dns" + +# -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use +extraEnvVars: {} + # TZ: UTC + +# -- extraEnvVarsSecret is a list of secrets to load in as environment variables. +extraEnvVarsSecret: {} + # env_var: + # name: secret-name + # key: secret-key + +# -- default upstream DNS 1 server to use +DNS1: "8.8.8.8" +# -- default upstream DNS 2 server to use +DNS2: "8.8.4.4" + +antiaff: + # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) + enabled: false + # -- Here you can set the pihole release (you set in `helm install ...`) + # you want to avoid + avoidRelease: pihole1 + # -- Here you can choose between preferred or required + strict: true + # -- Here you can pass namespaces to be part of those inclueded in anti-affinity + namespaces: [] + +doh: + # -- set to true to enabled DNS over HTTPs via cloudflared + enabled: false + # -- name + name: "cloudflared" + # -- repository + repository: "crazymax/cloudflared" + tag: latest + # -- Pull policy + pullPolicy: IfNotPresent + # -- Here you can pass environment variables to the DoH container, for example: + envVars: {} + # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" + + # -- Probes configuration + probes: + # -- Configure the healthcheck for the doh container + liveness: + # -- set to true to enable liveness probe + enabled: true + # -- customize the liveness probe + probe: + exec: + command: + - nslookup + - -po=5053 + - cloudflare.com + - "127.0.0.1" + # -- defines the initial delay for the liveness probe + 
initialDelaySeconds: 60 + # -- defines the failure threshold for the liveness probe + failureThreshold: 10 + # -- defines the timeout in secondes for the liveness probe + timeoutSeconds: 5 + +# -- DNS MASQ settings +dnsmasq: + # -- Add upstream dns servers. All lines will be added to the pihole dnsmasq configuration + upstreamServers: [] + # - server=/foo.bar/192.168.178.10 + # - server=/bar.foo/192.168.178.11 + + # -- Add custom dns entries to override the dns resolution. All lines will be added to the pihole dnsmasq configuration. + customDnsEntries: [] + # - address=/foo.bar/192.168.178.10 + # - address=/bar.foo/192.168.178.11 + + # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like + additionalHostsEntries: + - 192.168.0.117 baxter2 + - 192.168.0.106 baxter + - 192.168.0.109 docker0 omada + - 192.168.0.102 node1 + - 192.168.0.111 node2 + - 192.168.0.110 node3 + - 192.168.0.113 node4 + - 192.168.0.114 node5 + - 192.168.0.115 node6 + + # -- Static DHCP config + staticDhcpEntries: [] + # staticDhcpEntries: + # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME + + # -- Other options + customSettings: + # otherSettings: | + # rebind-domain-ok=/plex.direct/ + + # -- Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + customCnameEntries: [] + # Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + +# -- list of adlists to import during initial start of the container +adlists: {} + # If you want to provide blocklists, add them here. 
+ # - https://hosts-file.net/grm.txt + # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts + +# -- list of whitelisted domains to import during initial start of the container +whitelist: {} + # If you want to provide whitelisted domains, add them here. + # - clients4.google.com + +# -- list of blacklisted domains to import during initial start of the container +blacklist: {} + # If you want to have special domains blacklisted, add them here + # - *.blackist.com + +# -- list of blacklisted regex expressions to import during initial start of the container +regex: {} + # Add regular expression blacklist items + # - (^|\.)facebook\.com$ + +# -- values that should be added to pihole-FTL.conf +ftl: {} + # Add values for pihole-FTL.conf + # MAXDBDAYS: 14 + +# -- port the container should use to expose HTTP traffic +webHttp: "80" + +# -- port the container should use to expose HTTPS traffic +webHttps: "443" + +# -- hostname of pod +hostname: "" + +# -- should the container use host network +hostNetwork: "false" + +# -- should container run in privileged mode +privileged: "false" + +# linux capabilities container should run with +capabilities: {} + # add: + # - NET_ADMIN + +customVolumes: + # -- set this to true to enable custom volumes + enabled: false + # -- any volume type can be used here + config: {} + # hostPath: + # path: "/mnt/data" + +# -- any extra volumes you might want +extraVolumes: {} + # external-conf: + # configMap: + # name: pi-hole-lighttpd-external-conf + +# -- any extra volume mounts you might want +extraVolumeMounts: {} + # external-conf: + # mountPath: /etc/lighttpd/external.conf + # subPath: external.conf + +extraContainers: [] + # - name: pihole-logwatcher + # image: your-registry/pihole-logwatcher + # imagePullPolicy: Always + # resources: + # requests: + # cpu: 100m + # memory: 5Mi + # limits: + # cpu: 100m + # memory: 5Mi + # volumeMounts: + # - name: pihole-logs + # mountPath: /var/log/pihole + +# -- any 
extra kubernetes manifests you might want +extraObjects: [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: pi-hole-lighttpd-external-conf + # data: + # external.conf: | + # $HTTP["host"] =~ "example.foo" { + # # If we're using a non-standard host for pihole, ensure the Pi-hole + # # Block Page knows that this is not a blocked domain + # setenv.add-environment = ("fqdn" => "true") + # + # # Enable the SSL engine with a cert, only for this specific host + # $SERVER["socket"] == ":443" { + # ssl.engine = "enable" + # ssl.pemfile = "/etc/ssl/lighttpd-private/tls.crt" + # ssl.privkey = "/etc/ssl/lighttpd-private/tls.key" + # ssl.ca-file = "/etc/ssl/lighttpd-private/ca.crt" + # ssl.honor-cipher-order = "enable" + # ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" + # ssl.use-sslv2 = "disable" + # ssl.use-sslv3 = "disable" + # } + # } + # + # # Redirect HTTP to HTTPS + # $HTTP["scheme"] == "http" { + # $HTTP["host"] =~ ".*" { + # url.redirect = (".*" => "https://%0$0") + # } + # } + +# -- Additional annotations for pods +podAnnotations: {} + # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) + # prometheus.io/port: '9617' + # prometheus.io/scrape: 'true' + +# -- any initContainers you might want to run before starting pihole +extraInitContainers: [] + # - name: copy-config + # image: busybox + # args: + # - sh + # - -c + # - | + # cp /etc/lighttpd-cm/external.conf /etc/lighttpd/ + # ls -l /etc/lighttpd/ + # volumeMounts: + # - name: external-conf-cm + # mountPath: /etc/lighttpd-cm/ + # - name: external-conf + # mountPath: /etc/lighttpd/ + +monitoring: + # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. 
+ podMonitor: + # -- set this to true to enable podMonitor + enabled: false + # -- Sidecar configuration + sidecar: + # -- set this to true to enable podMonitor as sidecar + enabled: false + port: 9617 + image: + # -- the repository to use + repository: ekofr/pihole-exporter + tag: v0.3.0 + pullPolicy: IfNotPresent + resources: + limits: + memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +podDnsConfig: + enabled: true + policy: "None" + nameservers: + - 127.0.0.1 + - 8.8.8.8 + +# -- configure a Pod Disruption Budget +podDisruptionBudget: + # -- set to true to enable creating the PDB + enabled: false + # -- minimum number of pods Kubernetes should try to have running at all times + minAvailable: 1 + # -- maximum number of pods Kubernetes will allow to be unavailable. Cannot set both `minAvailable` and `maxAvailable` + # maxUnavailable: 1
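Review bot: `adminPassword: "admin"` is committed in plaintext while `admin.existingSecret: ""` is left empty, and `serviceWeb.http.nodePort: "32010"` exposes the admin UI on every node, so the default password is reachable cluster-wide from this file alone; set `existingSecret: "PIHOLE_ADMIN_SECRET_NAME"` (placeholder for a Secret created out of band) and leave `adminPassword: ""`. Under `admin:` the bare `annotations:` key parses as null rather than an empty map, unlike every other `annotations: {}` in the file — write `annotations: {}` so templates that range over it do not break. `doh.tag: latest` is an unpinned image reference; it is inert while `doh.enabled` is false but should be pinned before that is flipped. `serviceDns.type: LoadBalancer` with a fixed `loadBalancerIP` makes the resolver reachable from the LAN, which is intended for Pi-hole, but `serviceDns.annotations: {}` is empty, so confirm the address pool assignment is handled elsewhere.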