Installer: pihole + root-ca-server + fix bitwarden cert issuer name
diff --git a/charts/pihole/templates/_helpers.tpl b/charts/pihole/templates/_helpers.tpl
new file mode 100644
index 0000000..063b2b4
--- /dev/null
+++ b/charts/pihole/templates/_helpers.tpl
@@ -0,0 +1,7 @@
+{{- define "clientSecret" -}}
+{{- if .Values.oauth2.clientSecret -}}
+{{- .Values.oauth2.clientSecret -}}
+{{- else -}}
+{{- randAlphaNum 32 -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/pihole/templates/oauth2-client.yaml b/charts/pihole/templates/oauth2-client.yaml
new file mode 100644
index 0000000..da80ddf
--- /dev/null
+++ b/charts/pihole/templates/oauth2-client.yaml
@@ -0,0 +1,19 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: {{ .Values.oauth2.clientId }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ grantTypes:
+ - authorization_code
+ responseTypes:
+ - code
+ scope: "openid email profile"
+ secretName: {{ .Values.oauth2.secretName }}
+ redirectUris:
+ - https://pihole.{{ .Values.domain }}/oauth2/callback
+ hydraAdmin:
+ url: {{ .Values.oauth2.hydraAdmin }}
+ port: 80
+ endpoint: /clients
+ forwardedProto: https
diff --git a/charts/pihole/templates/oauth2-proxy-config.yaml b/charts/pihole/templates/oauth2-proxy-config.yaml
new file mode 100644
index 0000000..1365162
--- /dev/null
+++ b/charts/pihole/templates/oauth2-proxy-config.yaml
@@ -0,0 +1,62 @@
+{{- $secret := include "clientSecret" . -}}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ .Values.oauth2.secretName }}
+ namespace: {{ .Release.Namespace }}
+data:
+ client_id: {{ .Values.oauth2.clientId | b64enc }}
+ client_secret: {{ $secret | b64enc }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.oauth2.configName }}
+ namespace: {{ .Release.Namespace }}
+data:
+ oauth2-proxy.cfg: |
+ http_address = "0.0.0.0:8080"
+
+ reverse_proxy = true
+
+ ## the OAuth Redirect URL.
+ # defaults to the "https://" + requested host header + "/oauth2/callback"
+ # redirect_url = "http://pihole.pcloud/oauth2/callback"
+
+ upstreams = [
+ "http://pihole-web.{{ .Release.Namespace}}.svc"
+ ]
+
+ email_domains = [
+ "*"
+ ]
+
+ standard_logging = false
+ request_logging = false
+ auth_logging = false
+
+ pass_basic_auth = true
+ pass_user_headers = true
+ pass_host_header = true
+
+ ## The OAuth Client ID, Secret
+ client_id = "{{ .Values.oauth2.clientId }}"
+ client_secret = "{{ $secret }}"
+
+ ## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token"
+ pass_access_token = false
+
+ cookie_name = "_oauth2_proxy_pihole"
+ cookie_secret = "123456789012345678901234567890--"
+ cookie_domains = "pihole.{{ .Values.domain }}"
+ cookie_expire = "168h"
+ cookie_refresh = "100h"
+ cookie_secure = true
+ cookie_httponly = true
+
+ provider = "oidc"
+ oidc_issuer_url = "{{ .Values.hydraPublic }}"
+ provider_display_name = "PCloud"
+ profile_url = "{{ .Values.profileUrl }}"
diff --git a/charts/pihole/templates/oauth2-proxy.yaml b/charts/pihole/templates/oauth2-proxy.yaml
new file mode 100644
index 0000000..8f4541b
--- /dev/null
+++ b/charts/pihole/templates/oauth2-proxy.yaml
@@ -0,0 +1,88 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: pihole-oauth2-proxy
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: ClusterIP
+ selector:
+ app: pihole-oauth2-proxy
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ .Values.certificateIssuer }}"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ ingressClassName: {{ .Values.ingressClassName }}
+ tls:
+ - hosts:
+ - pihole.{{ .Values.domain }}
+ secretName: cert-pihole.{{ .Values.domain }}
+ rules:
+ - host: pihole.{{ .Values.domain }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pihole-oauth2-proxy
+ port:
+ name: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pihole-oauth2-proxy
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: pihole-oauth2-proxy
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: pihole-oauth2-proxy
+ spec:
+ volumes:
+ - name: config
+ configMap:
+ name: {{ .Values.oauth2.configName }}
+ containers:
+ - name: pihole-oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0-arm64
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ command:
+ - oauth2-proxy
+ - --config=/etc/oauth2-proxy/oauth2-proxy.cfg
+ volumeMounts:
+ - name: config
+ mountPath: /etc/oauth2-proxy
+ readOnly: true
+ resources:
+ requests:
+ memory: "10Mi"
+ cpu: "10m"
+ limits:
+ memory: "20Mi"
+ cpu: "100m"
+ tolerations:
+ - key: "pcloud"
+ operator: "Equal"
+ value: "role"
+ effect: "NoSchedule"