Merge pull request #1 from CrashenX/setup

Initial setup including pi-hole chart

.gitignore

@@ -0,0 +1,3 @@
+*.cnf
+*.srl
+*.pem

.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

README.md

@@ -1 +1,53 @@
-# microk8s
+# microk8s
+
+## Enable addons
+
+At a minimum you'll probably want:
+
+- dns
+- ingress
+- storage
+
+The list of addons and instructions on enabling can be found in the
+[docs](https://github.com/ubuntu/microk8s#kubernetes-addons).
+
+## Setting up Helm / Tiller
+
+    sudo snap install helm --classic
+    cd helm/; ./setup.sh  # Setup tiller with tls
+    helm --tiller-namespace=tiller ls --tls  # Verify working
+
+### Typing less
+
+Add this to your bashrc:
+
+    shelm () {
+            ( helm --tiller-namespace=tiller "$@" --tls )
+    }
+
+NB: You might want to logout and back in to reload bashrc
+
+Verify it works:
+
+    shelm ls
+
+## Setting up nginx ingress controller
+
+    shelm install stable/nginx-ingress --name my-nginx --set rbac.create=true
+
+## Setting up Pi-hole
+
+    IFACE='eno1'  # set to server's inbound interface
+    read -d "\n" PHIPV4 PHIPV6 <<<$(ip a show $IFACE | grep inet | awk '{ print $2 }' | sed -e 's/\/.*//')
+    echo -e "$PHIPV4\n$PHIPV6"  # verify correct IPs
+    cd helm/charts/pihole
+    curl https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt > files/whitelist.txt
+    curl https://v.firebog.net/hosts/lists.php?type=nocross > files/adlists.list
+    shelm install . --namespace=pihole \
+       --set host.ipv4=$PHIPV4 \
+       # --set host.ipv6=$PHIPV6  # don't set if link-local address
+
+## Gotchas
+
+  - I had to change the forwarding policy (`iptables -P FORWARD ACCEPT`), per
+  [this bug](https://github.com/ubuntu/microk8s/issues/75).

admin-user.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: admin-user
+  namespace: kube-system

get-admin-token.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+microk8s.kubectl -n kube-system get secret \
+    $(microk8s.kubectl -n kube-system get secret | grep admin-user-token | awk '{print $1}') \
+    -o json | jq -r '.data.token'

helm/charts/pihole/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "0.0.1"
+description: Pi-hole over HTTPS
+name: pihole
+version: 0.0.1

helm/charts/pihole/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pihole.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this
+(by the DNS naming spec).
+*/}}
+{{- define "pihole.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pihole.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

helm/charts/pihole/templates/cm-dnsmasq.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "pihole.fullname" . }}-dnsmasq
+  labels:
+    app: {{ template "pihole.name" . }}
+    chart: {{ template "pihole.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  02-custom.conf:
+    address=/pi.hole/{{ .Values.host.ipv4 }}

helm/charts/pihole/templates/cm-lists.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "pihole.fullname" . }}-lists
+  labels:
+    app: {{ template "pihole.name" . }}
+    chart: {{ template "pihole.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  whitelist.txt: |-
+{{ .Files.Get "files/whitelist.txt" | indent 4 }}
+  adlists.list: |-
+{{ .Files.Get "files/adlists.list" | indent 4 }}

helm/charts/pihole/templates/deployment.yaml

@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "pihole.fullname" . }}
+  labels:
+    app: {{ template "pihole.name" . }}
+    chart: {{ template "pihole.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ template "pihole.fullname" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "pihole.fullname" . }}
+    spec:
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+        - 127.0.0.1
+        - 1.1.1.1
+        - 8.8.8.8
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        resources:
+          limits:
+            memory: 1Gi
+        env:
+        - name: 'ServerIP'
+          value: {{ required "A valid .Values.host.ipv4 entry required!" .Values.host.ipv4 }}
+        {{ if .Values.host.ipv6 }}
+        - name: 'ServerIPv6'
+          value: {{ .Values.host.ipv6 }}
+        - name: 'IPv6'
+          value: True
+        {{ end }}
+        - name: 'DNS1'
+          value: '1.1.1.1'
+        - name: 'DNS2'
+          value: '8.8.8.8'
+        - name: 'VIRTUAL_HOST'
+          value: 'pi.hole'
+        ports:
+        - name: http
+          containerPort: 80
+        - name: dns-tcp
+          containerPort: 53
+          protocol: TCP
+        - name: dns-udp
+          containerPort: 53
+          protocol: UDP
+        livenessProbe:
+          httpGet:
+            path: /
+            port: http
+        readinessProbe:
+          httpGet:
+            path: /
+            port: http
+        volumeMounts:
+          - mountPath: "/etc/pihole"
+            name: {{ template "pihole.fullname" . }}-pvc
+            subPath: "pihole"
+          - mountPath: "/etc/dnsmasq.d"
+            name: {{ template "pihole.fullname" . }}-pvc
+            subPath: "dnsmasq"
+          - mountPath: "/etc/dnsmasq.d/02-custom.conf"
+            name: {{ template "pihole.fullname" . }}-dnsmasq
+            subPath: 02-custom.conf
+          - mountPath: "/etc/pihole/whitelist.txt"
+            name: {{ template "pihole.fullname" . }}-lists
+            subPath: whitelist.txt
+          - mountPath: "/etc/pihole/adlists.list"
+            name: {{ template "pihole.fullname" . }}-lists
+            subPath: adlists.list
+      volumes:
+        - name: {{ template "pihole.fullname" . }}-dnsmasq
+          configMap:
+            name: {{ template "pihole.fullname" . }}-dnsmasq
+        - name: {{ template "pihole.fullname" . }}-lists
+          configMap:
+            name: {{ template "pihole.fullname" . }}-lists
+        - name: {{ template "pihole.fullname" . }}-pvc
+          persistentVolumeClaim:
+            claimName: {{ template "pihole.fullname" . }}-pvc

helm/charts/pihole/templates/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ template "pihole.fullname" . }}
+  labels:
+    app: {{ template "pihole.name" . }}
+    chart: {{ template "pihole.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+    kubernetes.io/ingress.class: 'nginx'
+spec:
+  rules:
+    - host: pi.hole
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: {{ template "pihole.fullname" . }}
+              servicePort: http

helm/charts/pihole/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "pihole.fullname" . }}-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 5Gi

helm/charts/pihole/templates/service.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pihole.fullname" . }}
+  labels:
+    app: {{ template "pihole.name" . }}
+    chart: {{ template "pihole.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
+    protocol: TCP
+  - name: https
+    port: 443
+    targetPort: https
+    protocol: TCP
+  - name: dns
+    port: 53
+    targetPort: dns
+    protocol: TCP
+  - name: dns-udp
+    port: 53
+    targetPort: dns-udp
+    protocol: UDP
+  - name: client-udp
+    port: 67
+    targetPort: client-udp
+    protocol: UDP
+  externalIPs:
+  - {{ required "A valid .Values.host.ipv4 entry required!" .Values.host.ipv4 }}
+  {{ if .Values.host.ipv6 }}
+  - {{ .Values.host.ipv6 }}
+  {{ end }}
+  selector:
+    app: {{ template "pihole.fullname" . }}

helm/charts/pihole/values.yaml

@@ -0,0 +1,7 @@
+image:
+  pullPolicy: IfNotPresent
+  repository: pihole/pihole
+  tag: 4.2.2-1_amd64
+host:
+  # ipv4: required
+  # ipv6: optional

helm/rbac-config.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: tiller
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: tiller

helm/setup.sh

@@ -0,0 +1,13 @@
+microk8s.kubectl create namespace tiller
+microk8s.kubectl create -f rbac-config.yaml
+openssl genrsa -out ./ca.key.pem 4096
+cp /etc/ssl/openssl.cnf openssl-with-ca.cnf
+openssl req -key ca.key.pem -new -x509 -days 14 -sha256 -out ca.cert.pem -extensions v3_ca -config openssl-with-ca.cnf
+openssl genrsa -out ./tiller.key.pem 4096
+openssl genrsa -out ./helm.key.pem 4096
+openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem
+openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem
+openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 14
+openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem -days 14
+mkdir $(helm home); cp ca.cert.pem $(helm home)/ca.pem; cp helm.cert.pem $(helm home)/cert.pem; cp helm.key.pem $(helm home)/key.pem
+helm init --tiller-namespace tiller --service-account tiller --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem