maabara/manifests/pihole/docs/Values.md

3.0 KiB

Values

admin

admin.annotations

By allowing annotations to be added to the password secret, we can use tools like Reflector to synchronize secrets across namespaces.

This is interesting e.g. with the ExternalDNS 0.14+'s Pi-Hole integration that can automatically expose Ingress host names to the Local DNS configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.k8s.io/external-dns/external-dns:v0.14.0
        # If authentication is disabled and/or you didn't create
        # a secret, you can remove this block.
        envFrom:
          - secretRef:
              # Change this if you gave the secret a different name
              name: pihole-password
        args:
          - --source=service
          - --source=ingress
          # Pihole only supports A/CNAME records so there is no mechanism to track ownership.
          # You don't need to set this flag, but if you leave it unset, you will receive warning
          # logs when ExternalDNS attempts to create TXT records.
          - --registry=noop
          # IMPORTANT: If you have records that you manage manually in Pi-hole, set
          # the policy to upsert-only so they do not get deleted.
          - --policy=upsert-only
          - --provider=pihole
          # Change this to the actual address of your Pi-hole web server
          - --pihole-server=http://pihole-web.pihole.svc.cluster.local
        resources:
          limits:
            cpu: 1
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 256M
      securityContext:
        fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes token files

Since the Secret reference can only refer to a secret in the same namespace as ExternalDNS, using Reflector is a viable option to synchronize the two secrets. This can now be done via

admin:
  enabled: true
  existingSecret: ""
  passwordKey: "password"
  annotations:
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "external-dns"

For Reflector to work we also need to create the mirror (target) secret in ExternalDNS' namespace like this:

apiVersion: v1
kind: Secret
metadata:
  # Change this to match the secretRef used in the ExternalDNS deployment:
  name: pihole-password
  # Change this to ExternalDNS' namespace:
  namespace: external-dns
  annotations:
    # Change this to address the pihole password secret: 'namespace/secret-name':
    reflector.v1.k8s.emberstack.com/reflects: "pihole/pihole-password"
data: {}  # Will be overwritten by Reflector