add-kubernetes

Pihole/Kubernetes/default-headers.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: default-headers
+  namespace: pihole
+spec:
+  headers:
+    browserXssFilter: true
+    contentTypeNosniff: true
+    forceSTSHeader: true
+    stsIncludeSubdomains: true
+    stsPreload: true
+    stsSeconds: 15552000
+    customFrameOptionsValue: SAMEORIGIN
+    customRequestHeaders:
+      X-Forwarded-Proto: https

Pihole/Kubernetes/ingress.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: pihole
+  namespace: pihole
+  annotations: 
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`pihole.yourdomain.co.uk`)
+      kind: Rule
+      services:
+        - name: pihole
+          port: 80
+      middlewares:
+        - name: default-headers
+        - name: dashboard-redirect
+        - name: dashboard-prefix
+
+  tls:
+    secretName: yourdomain-tls

Pihole/Kubernetes/middleware.yaml

@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: dashboard-redirect
+  namespace: pihole
+spec:
+  redirectRegex:
+    regex: /admin/$
+    replacement: /
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: dashboard-prefix
+  namespace: pihole
+spec:
+  addPrefix:
+    prefix: /admin

Pihole/Kubernetes/networkpolicy.yaml

@@ -0,0 +1,17 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+  namespace: pihole
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+        - 172.16.0.0/20

Pihole/Kubernetes/pihole-deployment.yaml

@@ -0,0 +1,118 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pihole
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: pihole
+    app.kubernetes.io/name: pihole
+  name: pihole
+  namespace: pihole
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pihole
+  template:
+    metadata:
+      labels:
+        app: pihole
+        app.kubernetes.io/name: pihole
+    spec:
+      nodeSelector:
+        worker: "true"
+      containers:
+      - image: visibilityspots/cloudflared
+        imagePullPolicy: IfNotPresent
+        name: cloudflared
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: TCP
+        - containerPort: 67
+          name: dns-udp
+          protocol: UDP
+        env:
+        - name: TUNNEL_METRICS
+          value: 127.0.0.1:3000
+      - env:
+        - name: TZ
+          value: "Europe/London"
+        - name: WEBPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: web-pass
+              key: WEBPASSWORD
+        - name: FTLCONF_LOCAL_IPV4
+          value: 192.168.200.11
+        - name: PIHOLE_DNS_
+          value: 127.0.0.1#5054 
+        image: pihole/pihole:latest
+        imagePullPolicy: Always
+        name: pihole
+        ports:
+        - containerPort: 80
+          name: pihole-http
+          protocol: TCP
+        - containerPort: 53
+          name: dns
+          protocol: TCP
+        - containerPort: 53
+          name: dns-udp
+          protocol: UDP
+        - containerPort: 443
+          name: pihole-ssl
+          protocol: TCP
+        - containerPort: 67
+          name: client-udp
+          protocol: UDP
+        volumeMounts:
+        - mountPath: /etc/pihole
+          name: pihole
+        securityContext:
+          capabilities:        
+            add:
+              - NET_ADMIN  
+      restartPolicy: Always
+      volumes:
+        - name: pihole
+          persistentVolumeClaim:
+            claimName: pihole
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: pihole
+  name: pihole
+  namespace: pihole
+spec:
+  ports:
+  - name: dns-udp
+    port: 53
+    protocol: UDP
+    targetPort: 53
+  - name: client-udp
+    port: 67
+    protocol: UDP
+    targetPort: 67
+  - name: pihole-http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - name: pihole-https
+    port: 443
+    protocol: TCP
+    targetPort: 443
+  - name: dns
+    port: 53
+    protocol: TCP
+    targetPort: 53
+  selector:
+    app: pihole
+  externalTrafficPolicy: Local
+  loadBalancerIP: 192.168.200.11
+  type: LoadBalancer

Pihole/Kubernetes/sealed-secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: web-pass
+  namespace: pihole
+spec:
+  encryptedData:
+    WEBPASSWORD: some-secret
+  template:
+    metadata:
+      creationTimestamp: null
+      name: web-pass
+      namespace: pihole
+    type: Opaque
+