auth-proxy: proxies only authenticated requests to upstream, redirects to login page otherwise (#103)

* auth-proxy: inspects authenticated user

* ingress: chart and use in rpuppy

* auth-proxy: make it optional in rpuppy

* kratos: whitelist env pub/priv domains for auth return_to addr

* url-shortener: put behind auth-proxy

* pihole: replace oauth2-client with auth-proxy

* auth-proxy: fix upstream uri generation

* pihole: remove old chart using oauth2

* auth-proxy: remove temporary values file

* url-shortener: check x-user header for authentication

* auth: fix allowed_return_urls list

* auth-proxy: fix current address generation logic

---------

Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml
new file mode 100644
index 0000000..082f767
--- /dev/null
+++ b/charts/pihole/templates/deployment.yaml
@@ -0,0 +1,349 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "pihole.fullname" . }}
+  labels:
+    app: {{ template "pihole.name" . }}
+    chart: {{ template "pihole.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: {{ .Values.strategyType }}
+    {{- if eq .Values.strategyType "RollingUpdate" }}
+    rollingUpdate:
+      maxSurge: {{ .Values.maxSurge }}
+      maxUnavailable: {{ .Values.maxUnavailable }}
+    {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "pihole.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      annotations:
+        checksum.config.adlists: {{ include (print $.Template.BasePath "/configmap-adlists.yaml") . | sha256sum | trunc 63 }}
+        checksum.config.blacklist: {{ include (print $.Template.BasePath "/configmap-blacklist.yaml") . | sha256sum | trunc 63 }}
+        checksum.config.regex: {{ include (print $.Template.BasePath "/configmap-regex.yaml") . | sha256sum | trunc 63 }}
+        checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }}
+        checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
+        checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+      labels:
+        app: {{ template "pihole.name" . }}
+        release: {{ .Release.Name }}
+    spec:
+      {{- if .Values.antiaff.enabled }}
+      affinity:
+        podAntiAffinity:
+        {{- if .Values.antiaff.strict }}
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+        {{- else }}
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+        {{- end }}
+                matchExpressions:
+                - key: release
+                  operator: In
+                  values:
+                  - {{ .Values.antiaff.avoidRelease }}
+        {{- if .Values.antiaff.namespaces}}
+              namespaces:
+              {{- toYaml .Values.antiaff.namespaces | nindent 14 }}
+        {{- end }}
+              topologyKey: "kubernetes.io/hostname"
+      {{- end }}
+      {{- if .Values.podDnsConfig.enabled }}
+      dnsPolicy: {{ .Values.podDnsConfig.policy }}
+      dnsConfig:
+        nameservers:
+        {{- toYaml .Values.podDnsConfig.nameservers | nindent 8 }}
+      {{- end }}
+      hostname: {{ .Values.hostname }}
+      hostNetwork: {{ .Values.hostNetwork }}
+      {{- with .Values.extraInitContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
+        {{- if .Values.monitoring.sidecar.enabled }}
+        - name: exporter
+          image: "{{ .Values.monitoring.sidecar.image.repository }}:{{ .Values.monitoring.sidecar.image.tag }}"
+          imagePullPolicy: {{ .Values.monitoring.sidecar.image.pullPolicy }}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          env:
+            - name: PIHOLE_HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: PIHOLE_PORT
+              value: "{{ .Values.webHttp }}"
+            - name: PIHOLE_PASSWORD
+              {{- if .Values.admin.enabled }}
+              valueFrom:
+                secretKeyRef:
+                  key: {{ .Values.admin.passwordKey | default "password" }}
+                  name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
+              {{- else }}
+              value: ""
+              {{- end }}
+          resources:
+{{ toYaml .Values.monitoring.sidecar.resources | indent 12 }}
+          ports:
+            - containerPort: {{ .Values.monitoring.sidecar.port }}
+              name: prometheus
+              protocol: TCP
+        {{- end }}
+        {{- if .Values.doh.enabled }}
+        - name: cloudflared
+          image: "{{ .Values.doh.repository }}:{{ .Values.doh.tag }}"
+          imagePullPolicy: {{ .Values.doh.pullPolicy }}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          resources:
+            limits:
+              memory: 128Mi
+          ports:
+            - containerPort: 5053
+              name: cloudflared-udp
+              protocol: UDP
+            - containerPort: 49312
+              name: cloudflared-met
+              protocol: TCP
+          {{- if .Values.doh.envVars }}
+          env:
+            {{- range $key, $value := .Values.doh.envVars }}
+          - name: {{ $key | quote }}
+            value: {{ $value | quote }}
+            {{- end }}
+          {{- end }}
+          {{- if .Values.doh.probes.liveness.enabled }}
+          livenessProbe:
+{{ toYaml .Values.doh.probes.liveness.probe | indent 12 }}
+            initialDelaySeconds: {{ .Values.doh.probes.liveness.initialDelaySeconds }}
+            failureThreshold: {{ .Values.doh.probes.liveness.failureThreshold }}
+            timeoutSeconds: {{ .Values.doh.probes.liveness.timeoutSeconds }}
+          {{- end }}
+        {{- end }}
+        - name: {{ .Chart.Name }}
+          env:
+          - name: 'WEB_PORT'
+            value: "{{ .Values.webHttp }}"
+          - name: VIRTUAL_HOST
+            value: {{ .Values.virtualHost }}
+          - name: WEBPASSWORD
+            {{- if .Values.admin.enabled }}
+            valueFrom:
+              secretKeyRef:
+                key: {{ .Values.admin.passwordKey | default "password" }}
+                name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
+            {{- else }}
+            value: ""
+            {{- end }}
+          {{- range $key, $value := .Values.extraEnvVars }}
+          - name: {{ $key | quote }}
+            value: {{ $value | quote }}
+          {{- end }}
+          {{- range $key, $value := .Values.extraEnvVarsSecret }}
+          - name: {{ $key | quote }}
+            valueFrom:
+              secretKeyRef:
+                key: {{ $value.key | quote }}
+                name: {{ $value.name | quote }}
+          {{- end }}
+          {{- if .Values.doh.enabled }}
+          - name: 'DNS1'
+            value: "127.0.0.1#5053"
+          - name: DNS2
+            value: "127.0.0.1#5053"
+          {{- else }}
+          {{- if .Values.DNS1 }}
+          - name: 'PIHOLE_DNS_'
+            value: {{ if .Values.DNS2 }}{{ ( printf "%v;%v" .Values.DNS1 .Values.DNS2 ) | squote }}{{ else }}{{ .Values.DNS1 | squote }}{{ end }}
+         {{- end }}
+         {{- end }}
+         {{- range $key, $value := .Values.ftl }}
+          - name: 'FTLCONF_{{ $key }}'
+            value: {{ $value | quote }}
+         {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            privileged: {{ .Values.privileged }}
+          {{- if .Values.capabilities }}
+            capabilities:
+            {{- toYaml .Values.capabilities | nindent 14 }}
+          {{- end }}
+          ports:
+          - containerPort: {{ .Values.webHttp }}
+            name: http
+            protocol: TCP
+          - containerPort: 53
+            name: dns
+            protocol: TCP
+          {{- if .Values.dnsHostPort.enabled }}
+            hostPort: {{ .Values.dnsHostPort.port }}
+          {{- end }}
+          - containerPort: 53
+            name: dns-udp
+            protocol: UDP
+          {{- if .Values.dnsHostPort.enabled }}
+            hostPort: {{ .Values.dnsHostPort.port }}
+          {{- end }}
+          - containerPort:  {{ .Values.webHttps }}
+            name: https
+            protocol: TCP
+          - containerPort: 67
+            name: client-udp
+            protocol: UDP
+          {{- if .Values.probes.liveness.enabled }}
+          livenessProbe:
+            {{- if eq .Values.probes.liveness.type "command" }}
+            exec:
+              command: {{ .Values.probes.liveness.command | required "An array of command(s) is required if 'type' is set to 'command'." | toYaml | nindent 16 }}
+            {{- else }}
+            httpGet:
+              path: /admin/index.php
+              port: {{ .Values.probes.liveness.port }}
+              scheme: {{ .Values.probes.liveness.scheme }}
+            {{- end }}
+            initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+            failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
+            timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
+            
+          {{- end }}
+          {{- if .Values.probes.readiness.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/index.php
+              port: {{ .Values.probes.readiness.port }}
+              scheme: {{ .Values.probes.readiness.scheme }}
+            initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+            failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+            timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
+          {{- end }}
+          volumeMounts:
+          - mountPath: /etc/pihole
+            name: config
+            {{- if .Values.persistentVolumeClaim.subPath }}
+            subPath: {{ .Values.persistentVolumeClaim.subPath }}
+            {{- end }}
+          - mountPath: /etc/dnsmasq.d/02-custom.conf
+            name: custom-dnsmasq
+            subPath: 02-custom.conf
+          - mountPath: /etc/addn-hosts
+            name: custom-dnsmasq
+            subPath: addn-hosts
+          {{- if .Values.dnsmasq.customCnameEntries }}
+          - mountPath: /etc/dnsmasq.d/05-pihole-custom-cname.conf
+            name: custom-dnsmasq
+            subPath: 05-pihole-custom-cname.conf
+          {{- end }}
+          {{- if .Values.adlists }}
+          - mountPath: /etc/pihole/adlists.list
+            name: adlists
+            subPath: adlists.list
+          {{- end }}
+          {{- if .Values.blacklist }}
+          - mountPath: /etc/pihole/blacklist.txt
+            name: blacklist
+            subPath: blacklist.txt
+          {{- end }}
+          {{- if .Values.regex }}
+          - mountPath: /etc/pihole/regex.list
+            name: regex
+            subPath: regex.list
+          {{- end }}
+          {{- if .Values.whitelist }}
+          - mountPath: /etc/pihole/whitelist.txt
+            name: whitelist
+            subPath: whitelist.txt
+          {{- end }}
+          {{- if .Values.dnsmasq.staticDhcpEntries }}
+          - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf
+            name: static-dhcp
+            subPath: pihole-static-dhcp.conf
+          {{- end }}
+          {{- range $key, $value := .Values.extraVolumeMounts }}
+          - name: {{ $key }}
+{{- toYaml $value | nindent 12 }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+    {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+    {{- end }}
+    {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+      volumes:
+      - name: config
+        {{- if .Values.persistentVolumeClaim.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ if .Values.persistentVolumeClaim.existingClaim }}{{ .Values.persistentVolumeClaim.existingClaim }}{{- else }}{{ template "pihole.fullname" . }}{{- end }}
+        {{- else if .Values.customVolumes.enabled }}
+{{- toYaml .Values.customVolumes.config | nindent 8 }}
+        {{- else }}
+        emptyDir: {}
+        {{- end }}
+      - configMap:
+          defaultMode: 420
+          name: {{ template "pihole.fullname" . }}-custom-dnsmasq
+        name: custom-dnsmasq
+      {{- if .Values.adlists }}
+      - configMap:
+          defaultMode: 420
+          name: {{ template "pihole.fullname" . }}-adlists
+        name: adlists
+      {{- end }}
+      {{- if .Values.whitelist }}
+      - configMap:
+          defaultMode: 420
+          name: {{ template "pihole.fullname" . }}-whitelist
+        name: whitelist
+      {{- end }}
+      {{- if .Values.dnsmasq.staticDhcpEntries }}
+      - configMap:
+          defaultMode: 420
+          name: {{ template "pihole.fullname" . }}-static-dhcp
+        name: static-dhcp
+      {{- end }}
+      {{- if .Values.blacklist }}
+      - configMap:
+          defaultMode: 420
+          name: {{ template "pihole.fullname" . }}-blacklist
+        name: blacklist
+      {{- end }}
+      {{- if .Values.regex }}
+      - configMap:
+          defaultMode: 420
+          name: {{ template "pihole.fullname" . }}-regex
+        name: regex
+      {{- end }}
+      {{- range $key, $value := .Values.extraVolumes }}
+      - name: {{ $key }}
+{{- toYaml $value | nindent 8 }}
+      {{- end }}