auth-proxy: proxies only authenticated requests to upstream, redirects to login page otherwise (#103)
* auth-proxy: inspects authenticated user
* ingress: chart and use in rpuppy
* auth-proxy: make it optional in rpuppy
* kratos: whitelist env pub/priv domains for auth return_to addr
* url-shortener: put behind auth-proxy
* pihole: replace oauth2-client with auth-proxy
* auth-proxy: fix upstream uri generation
* pihole: remove old chart using oauth2
* auth-proxy: remove temporary values file
* url-shortener: check x-user header for authentication
* auth: fix allowed_return_urls list
* auth-proxy: fix current address generation logic
---------
Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/charts/pihole/templates/deployment.yaml b/charts/pihole/templates/deployment.yaml
new file mode 100644
index 0000000..082f767
--- /dev/null
+++ b/charts/pihole/templates/deployment.yaml
@@ -0,0 +1,349 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "pihole.fullname" . }}
+ labels:
+ app: {{ template "pihole.name" . }}
+ chart: {{ template "pihole.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ strategy:
+ type: {{ .Values.strategyType }}
+ {{- if eq .Values.strategyType "RollingUpdate" }}
+ rollingUpdate:
+ maxSurge: {{ .Values.maxSurge }}
+ maxUnavailable: {{ .Values.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "pihole.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ annotations:
+ checksum.config.adlists: {{ include (print $.Template.BasePath "/configmap-adlists.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.blacklist: {{ include (print $.Template.BasePath "/configmap-blacklist.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.regex: {{ include (print $.Template.BasePath "/configmap-regex.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.whitelist: {{ include (print $.Template.BasePath "/configmap-whitelist.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.dnsmasqConfig: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
+ checksum.config.staticDhcpConfig: {{ include (print $.Template.BasePath "/configmap-static-dhcp.yaml") . | sha256sum | trunc 63 }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ labels:
+ app: {{ template "pihole.name" . }}
+ release: {{ .Release.Name }}
+ spec:
+ {{- if .Values.antiaff.enabled }}
+ affinity:
+ podAntiAffinity:
+ {{- if .Values.antiaff.strict }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ {{- else }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ {{- end }}
+ matchExpressions:
+ - key: release
+ operator: In
+ values:
+ - {{ .Values.antiaff.avoidRelease }}
+ {{- if .Values.antiaff.namespaces}}
+ namespaces:
+ {{- toYaml .Values.antiaff.namespaces | nindent 14 }}
+ {{- end }}
+ topologyKey: "kubernetes.io/hostname"
+ {{- end }}
+ {{- if .Values.podDnsConfig.enabled }}
+ dnsPolicy: {{ .Values.podDnsConfig.policy }}
+ dnsConfig:
+ nameservers:
+ {{- toYaml .Values.podDnsConfig.nameservers | nindent 8 }}
+ {{- end }}
+ hostname: {{ .Values.hostname }}
+ hostNetwork: {{ .Values.hostNetwork }}
+ {{- with .Values.extraInitContainers }}
+ initContainers:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ {{- if .Values.extraContainers }}
+ {{- toYaml .Values.extraContainers | nindent 8 }}
+ {{- end }}
+ {{- if .Values.monitoring.sidecar.enabled }}
+ - name: exporter
+ image: "{{ .Values.monitoring.sidecar.image.repository }}:{{ .Values.monitoring.sidecar.image.tag }}"
+ imagePullPolicy: {{ .Values.monitoring.sidecar.image.pullPolicy }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ env:
+ - name: PIHOLE_HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: PIHOLE_PORT
+ value: "{{ .Values.webHttp }}"
+ - name: PIHOLE_PASSWORD
+ {{- if .Values.admin.enabled }}
+ valueFrom:
+ secretKeyRef:
+ key: {{ .Values.admin.passwordKey | default "password" }}
+ name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
+ {{- else }}
+ value: ""
+ {{- end }}
+ resources:
+{{ toYaml .Values.monitoring.sidecar.resources | indent 12 }}
+ ports:
+ - containerPort: {{ .Values.monitoring.sidecar.port }}
+ name: prometheus
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.doh.enabled }}
+ - name: cloudflared
+ image: "{{ .Values.doh.repository }}:{{ .Values.doh.tag }}"
+ imagePullPolicy: {{ .Values.doh.pullPolicy }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ resources:
+ limits:
+ memory: 128Mi
+ ports:
+ - containerPort: 5053
+ name: cloudflared-udp
+ protocol: UDP
+ - containerPort: 49312
+ name: cloudflared-met
+ protocol: TCP
+ {{- if .Values.doh.envVars }}
+ env:
+ {{- range $key, $value := .Values.doh.envVars }}
+ - name: {{ $key | quote }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.doh.probes.liveness.enabled }}
+ livenessProbe:
+{{ toYaml .Values.doh.probes.liveness.probe | indent 12 }}
+ initialDelaySeconds: {{ .Values.doh.probes.liveness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.doh.probes.liveness.failureThreshold }}
+ timeoutSeconds: {{ .Values.doh.probes.liveness.timeoutSeconds }}
+ {{- end }}
+ {{- end }}
+ - name: {{ .Chart.Name }}
+ env:
+ - name: 'WEB_PORT'
+ value: "{{ .Values.webHttp }}"
+ - name: VIRTUAL_HOST
+ value: {{ .Values.virtualHost }}
+ - name: WEBPASSWORD
+ {{- if .Values.admin.enabled }}
+ valueFrom:
+ secretKeyRef:
+ key: {{ .Values.admin.passwordKey | default "password" }}
+ name: {{ .Values.admin.existingSecret | default (include "pihole.password-secret" .) }}
+ {{- else }}
+ value: ""
+ {{- end }}
+ {{- range $key, $value := .Values.extraEnvVars }}
+ - name: {{ $key | quote }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- range $key, $value := .Values.extraEnvVarsSecret }}
+ - name: {{ $key | quote }}
+ valueFrom:
+ secretKeyRef:
+ key: {{ $value.key | quote }}
+ name: {{ $value.name | quote }}
+ {{- end }}
+ {{- if .Values.doh.enabled }}
+ - name: 'DNS1'
+ value: "127.0.0.1#5053"
+ - name: DNS2
+ value: "127.0.0.1#5053"
+ {{- else }}
+ {{- if .Values.DNS1 }}
+ - name: 'PIHOLE_DNS_'
+ value: {{ if .Values.DNS2 }}{{ ( printf "%v;%v" .Values.DNS1 .Values.DNS2 ) | squote }}{{ else }}{{ .Values.DNS1 | squote }}{{ end }}
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .Values.ftl }}
+ - name: 'FTLCONF_{{ $key }}'
+ value: {{ $value | quote }}
+ {{- end }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ privileged: {{ .Values.privileged }}
+ {{- if .Values.capabilities }}
+ capabilities:
+ {{- toYaml .Values.capabilities | nindent 14 }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.webHttp }}
+ name: http
+ protocol: TCP
+ - containerPort: 53
+ name: dns
+ protocol: TCP
+ {{- if .Values.dnsHostPort.enabled }}
+ hostPort: {{ .Values.dnsHostPort.port }}
+ {{- end }}
+ - containerPort: 53
+ name: dns-udp
+ protocol: UDP
+ {{- if .Values.dnsHostPort.enabled }}
+ hostPort: {{ .Values.dnsHostPort.port }}
+ {{- end }}
+ - containerPort: {{ .Values.webHttps }}
+ name: https
+ protocol: TCP
+ - containerPort: 67
+ name: client-udp
+ protocol: UDP
+ {{- if .Values.probes.liveness.enabled }}
+ livenessProbe:
+ {{- if eq .Values.probes.liveness.type "command" }}
+ exec:
+ command: {{ .Values.probes.liveness.command | required "An array of command(s) is required if 'type' is set to 'command'." | toYaml | nindent 16 }}
+ {{- else }}
+ httpGet:
+ path: /admin/index.php
+ port: {{ .Values.probes.liveness.port }}
+ scheme: {{ .Values.probes.liveness.scheme }}
+ {{- end }}
+ initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
+ timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
+
+ {{- end }}
+ {{- if .Values.probes.readiness.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /admin/index.php
+ port: {{ .Values.probes.readiness.port }}
+ scheme: {{ .Values.probes.readiness.scheme }}
+ initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+ timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /etc/pihole
+ name: config
+ {{- if .Values.persistentVolumeClaim.subPath }}
+ subPath: {{ .Values.persistentVolumeClaim.subPath }}
+ {{- end }}
+ - mountPath: /etc/dnsmasq.d/02-custom.conf
+ name: custom-dnsmasq
+ subPath: 02-custom.conf
+ - mountPath: /etc/addn-hosts
+ name: custom-dnsmasq
+ subPath: addn-hosts
+ {{- if .Values.dnsmasq.customCnameEntries }}
+ - mountPath: /etc/dnsmasq.d/05-pihole-custom-cname.conf
+ name: custom-dnsmasq
+ subPath: 05-pihole-custom-cname.conf
+ {{- end }}
+ {{- if .Values.adlists }}
+ - mountPath: /etc/pihole/adlists.list
+ name: adlists
+ subPath: adlists.list
+ {{- end }}
+ {{- if .Values.blacklist }}
+ - mountPath: /etc/pihole/blacklist.txt
+ name: blacklist
+ subPath: blacklist.txt
+ {{- end }}
+ {{- if .Values.regex }}
+ - mountPath: /etc/pihole/regex.list
+ name: regex
+ subPath: regex.list
+ {{- end }}
+ {{- if .Values.whitelist }}
+ - mountPath: /etc/pihole/whitelist.txt
+ name: whitelist
+ subPath: whitelist.txt
+ {{- end }}
+ {{- if .Values.dnsmasq.staticDhcpEntries }}
+ - mountPath: /etc/dnsmasq.d/04-pihole-static-dhcp.conf
+ name: static-dhcp
+ subPath: pihole-static-dhcp.conf
+ {{- end }}
+ {{- range $key, $value := .Values.extraVolumeMounts }}
+ - name: {{ $key }}
+{{- toYaml $value | nindent 12 }}
+ {{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ volumes:
+ - name: config
+ {{- if .Values.persistentVolumeClaim.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ if .Values.persistentVolumeClaim.existingClaim }}{{ .Values.persistentVolumeClaim.existingClaim }}{{- else }}{{ template "pihole.fullname" . }}{{- end }}
+ {{- else if .Values.customVolumes.enabled }}
+{{- toYaml .Values.customVolumes.config | nindent 8 }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-custom-dnsmasq
+ name: custom-dnsmasq
+ {{- if .Values.adlists }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-adlists
+ name: adlists
+ {{- end }}
+ {{- if .Values.whitelist }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-whitelist
+ name: whitelist
+ {{- end }}
+ {{- if .Values.dnsmasq.staticDhcpEntries }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-static-dhcp
+ name: static-dhcp
+ {{- end }}
+ {{- if .Values.blacklist }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-blacklist
+ name: blacklist
+ {{- end }}
+ {{- if .Values.regex }}
+ - configMap:
+ defaultMode: 420
+ name: {{ template "pihole.fullname" . }}-regex
+ name: regex
+ {{- end }}
+ {{- range $key, $value := .Values.extraVolumes }}
+ - name: {{ $key }}
+{{- toYaml $value | nindent 8 }}
+ {{- end }}