From f8d91495107e99e9643305b7e2ab09eafbec56b7 Mon Sep 17 00:00:00 2001
From: "Jesse J. Cook"
Date: Sat, 20 Apr 2019 21:40:45 +0000
Subject: [PATCH] Update networking and setup
---
 README.md | 59 +++++++++++--------
 helm/charts/pihole/Chart.yaml | 6 +-
 helm/charts/pihole/templates/cm-dnsmasq.yaml | 12 ----
 helm/charts/pihole/templates/deployment.yaml | 17 +-----
 helm/charts/pihole/templates/service-udp.yaml | 19 ++++++
 helm/charts/pihole/templates/service.yaml | 13 ----
 helm/charts/pihole/values.yaml | 1 -
 helm/setup.sh | 11 ++--
 8 files changed, 62 insertions(+), 76 deletions(-)
 delete mode 100644 helm/charts/pihole/templates/cm-dnsmasq.yaml
 create mode 100644 helm/charts/pihole/templates/service-udp.yaml
diff --git a/README.md b/README.md
index 040e52e..ea567dc 100644
--- a/README.md
+++ b/README.md
@@ -1,25 +1,24 @@
-# microk8s
+# homelab
-## Enable addons
+## Setup
-At a minimum you'll probably want:
+### Install Kubernetes
-- dns
-- ingress
-- storage
+Tested with (on Ubuntu Server 18.04):
-The list of addons and instructions on enabling can be found in the
-[docs](https://github.com/ubuntu/microk8s#kubernetes-addons).
+- [microk8s](https://microk8s.io/)
+ - Can be installed during Ubuntu Server 18.04 installation or with `snap`
+ - Add `alias kubectl='microk8s.kubectl'` to bashrc
+ - NB: All DNS requests will show from 10.1.1.1 (docker bridge)
-## Setting up Helm / Tiller
+### Set up Helm / Tiller (with TLS)
 sudo snap install helm --classic
- cd helm/; ./setup.sh # Setup tiller with tls
- helm --tiller-namespace=tiller ls --tls # Verify working
+ pushd helm/
+ SUBJ="/C=US/ST=State/L=City/O=A Corp/OU=Security/CN=example.com" ./setup.sh
+ popd
-### Typing less
-
-Add this to your bashrc:
+Add this function to your bashrc (it saves typing and is used later on):
 shelm () { ( helm --tiller-namespace=tiller "$@" --tls )
@@ -27,25 +26,35 @@ Add this to your bashrc:
 NB: You might want to logout and back in to reload bashrc
-Verify it works:
+ shelm ls # Verify working
+
+### Setup MetalLB
- shelm ls
+ # NB: Your Start and End IPs must be in same subnet as your
+ # clients and outside the DHCP lease range.
+ STARTIP=<192.168.x.n>
+ ENDIP=<192.168.x.n+m>
+ echo "Your IP range is: $STARTIP-$ENDIP"
+ shelm install stable/metallb \ --name metallb \ --set rbac.create=true \ --set configInline.address-pools[0].name="my-ip-space" \ --set configInline.address-pools[0].protocol="layer2" \ --set configInline.address-pools[0].addresses="{$STARTIP-$ENDIP}"
-## Setting up nginx ingress controller
+### Setup nginx ingress controller
- shelm install stable/nginx-ingress --name my-nginx --set rbac.create=true
+ shelm install stable/nginx-ingress --name nginx --set rbac.create=true
 ## Setting up Pi-hole
- IFACE='eno1' # set to server's inbound interface
- read -d "\n" PHIPV4 PHIPV6 <<<$(ip a show $IFACE | grep inet | awk '{ print $2 }' | sed -e 's/\/.*//')
- echo -e "$PHIPV4\n$PHIPV6" # verify correct IPs
- cd helm/charts/pihole
+ PHIPV4=$(kubectl get service nginx-nginx-ingress-controller -o json | jq -r '.status.loadBalancer.ingress[0].ip')
+ echo "PHIPV4=$PHIPV4" # verify correct IPs
+ pushd helm/charts/pihole
 curl https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt > files/whitelist.txt
 curl https://v.firebog.net/hosts/lists.php?type=nocross > files/adlists.list
- shelm install . --namespace=pihole \ --set host.ipv4=$PHIPV4 \
- # --set host.ipv6=$PHIPV6 # don't set if link-local address
+ shelm install . --name pihole --namespace=pihole --set host.ipv4=$PHIPV4
+ popd
 ## Gotchas
diff --git a/helm/charts/pihole/Chart.yaml b/helm/charts/pihole/Chart.yaml
index 379d4c9..2717e9f 100644
--- a/helm/charts/pihole/Chart.yaml
+++ b/helm/charts/pihole/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: "0.0.1"
-description: Pi-hole over HTTPS
+appVersion: "4.4.2-1"
+description: Pi-hole
 name: pihole
-version: 0.0.1
+version: 0.0.2
diff --git a/helm/charts/pihole/templates/cm-dnsmasq.yaml b/helm/charts/pihole/templates/cm-dnsmasq.yaml
deleted file mode 100644
index f450d6c..0000000
--- a/helm/charts/pihole/templates/cm-dnsmasq.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "pihole.fullname" . }}-dnsmasq
- labels:
- app: {{ template "pihole.name" . }}
- chart: {{ template "pihole.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-data:
- 02-custom.conf:
- address=/pi.hole/{{ .Values.host.ipv4 }}
diff --git a/helm/charts/pihole/templates/deployment.yaml b/helm/charts/pihole/templates/deployment.yaml
index 986bfd6..5464511 100644
--- a/helm/charts/pihole/templates/deployment.yaml
+++ b/helm/charts/pihole/templates/deployment.yaml
@@ -32,13 +32,7 @@ spec:
 memory: 1Gi
 env:
 - name: 'ServerIP'
- value: {{ required "A valid .Values.host.ipv4 entry required!" .Values.host.ipv4 }}
- {{ if .Values.host.ipv6 }}
- - name: 'ServerIPv6'
- value: {{ .Values.host.ipv6 }}
- - name: 'IPv6'
- value: True
- {{ end }}
+ value: {{ required "A valid .Values.host.ipv4 entry is required." .Values.host.ipv4 }}
 - name: 'DNS1'
 value: '1.1.1.1'
 - name: 'DNS2'
@@ -66,12 +60,6 @@ spec:
 - mountPath: "/etc/pihole"
 name: {{ template "pihole.fullname" . }}-pvc
 subPath: "pihole"
- - mountPath: "/etc/dnsmasq.d"
- name: {{ template "pihole.fullname" . }}-pvc
- subPath: "dnsmasq"
- - mountPath: "/etc/dnsmasq.d/02-custom.conf"
- name: {{ template "pihole.fullname" . }}-dnsmasq
- subPath: 02-custom.conf
 - mountPath: "/etc/pihole/whitelist.txt"
 name: {{ template "pihole.fullname" . }}-lists
 subPath: whitelist.txt
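Review bot: The rewritten ServerIP `value:` renders `.Values.host.ipv4` bare into the manifest; Helm's convention for env values is to pass them through `quote` so the rendered field is always a string: `value: {{ required "A valid .Values.host.ipv4 entry is required." .Values.host.ipv4 | quote }}`. Since this commit's README now takes host.ipv4 from the nginx ingress LoadBalancer address while DNS is served by the separate LoadBalancer Service added in service-udp.yaml, ServerIP may not be the address clients actually send queries to; a comment in values.yaml saying which address host.ipv4 is expected to hold would spare the next reader from guessing. The env list continues outside the hunk.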
@@ -79,9 +67,6 @@ spec:
 name: {{ template "pihole.fullname" . }}-lists
 subPath: adlists.list
 volumes:
- - name: {{ template "pihole.fullname" . }}-dnsmasq
- configMap:
- name: {{ template "pihole.fullname" . }}-dnsmasq
 - name: {{ template "pihole.fullname" . }}-lists
 configMap:
 name: {{ template "pihole.fullname" . }}-lists
diff --git a/helm/charts/pihole/templates/service-udp.yaml b/helm/charts/pihole/templates/service-udp.yaml
new file mode 100644
index 0000000..0f525e4
--- /dev/null
+++ b/helm/charts/pihole/templates/service-udp.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "pihole.fullname" . }}-udp
+ labels:
+ app: {{ template "pihole.name" . }}
+ chart: {{ template "pihole.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ externalTrafficPolicy: Local
+ type: "LoadBalancer"
+ ports:
+ - name: dns-udp
+ port: 53
+ targetPort: dns-udp
+ protocol: UDP
+ selector:
+ app: {{ template "pihole.fullname" . }}
diff --git a/helm/charts/pihole/templates/service.yaml b/helm/charts/pihole/templates/service.yaml
index 4531046..3b4e9ef 100644
--- a/helm/charts/pihole/templates/service.yaml
+++ b/helm/charts/pihole/templates/service.yaml
@@ -21,18 +21,5 @@ spec:
 port: 53
 targetPort: dns
 protocol: TCP
- - name: dns-udp
- port: 53
- targetPort: dns-udp
- protocol: UDP
- - name: client-udp
- port: 67
- targetPort: client-udp
- protocol: UDP
- externalIPs:
- - {{ required "A valid .Values.host.ipv4 entry required!" .Values.host.ipv4 }}
- {{ if .Values.host.ipv6 }}
- - {{ .Values.host.ipv6 }}
- {{ end }}
 selector:
 app: {{ template "pihole.fullname" . }}
diff --git a/helm/charts/pihole/values.yaml b/helm/charts/pihole/values.yaml
index e238a3d..3be00ea 100644
--- a/helm/charts/pihole/values.yaml
+++ b/helm/charts/pihole/values.yaml
@@ -4,4 +4,3 @@ image:
 tag: 4.2.2-1_amd64
 host:
 # ipv4: required
- # ipv6: optional
diff --git a/helm/setup.sh b/helm/setup.sh
index a85697c..f41791c 100755
--- a/helm/setup.sh
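Review bot: Moving UDP/53 into its own `type: LoadBalancer` Service lets MetalLB assign it an address independent of the TCP/53 Service that remains in service.yaml, so clients configured with the UDP address have no TCP/53 at that same address for truncated-response fallback. If service.yaml is also `type: LoadBalancer` (its `type` is outside that hunk), add the same MetalLB sharing key under `metadata:` in both files, `annotations:` / `metallb.universe.tf/allow-shared-ip: {{ template "pihole.fullname" . }}`, so both Services are placed on one address; MetalLB permits this when the port/protocol pairs differ and the selectors are identical, which the two templates' visible selectors are. `type: "LoadBalancer"` is the only quoted scalar in the new file; `type: LoadBalancer` matches `protocol: UDP` and the rest of the manifest.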
+++ b/helm/setup.sh
@@ -1,12 +1,11 @@
-microk8s.kubectl create namespace tiller
-microk8s.kubectl create -f rbac-config.yaml
+microk8s.kubectl create namespace tiller || kubectl create namespace tiller
+microk8s.kubectl create -f rbac-config.yaml || kubectl create -f rbac-config.yaml
 openssl genrsa -out ./ca.key.pem 4096
-cp /etc/ssl/openssl.cnf openssl-with-ca.cnf
-openssl req -key ca.key.pem -new -x509 -days 14 -sha256 -out ca.cert.pem -extensions v3_ca -config openssl-with-ca.cnf
+openssl req -key ca.key.pem -new -x509 -days 14 -sha256 -out ca.cert.pem -extensions v3_ca -subj "$SUBJ"
 openssl genrsa -out ./tiller.key.pem 4096
 openssl genrsa -out ./helm.key.pem 4096
-openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem
-openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem
+openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem -subj "$SUBJ"
+openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem -subj "$SUBJ"
 openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 14
 openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem -days 14
 mkdir $(helm home); cp ca.cert.pem $(helm home)/ca.pem; cp helm.cert.pem $(helm home)/cert.pem; cp helm.key.pem $(helm home)/key.pem
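Review bot: `$SUBJ` is passed to all three `openssl req -subj` calls with no check that it is set, and the file has no shebang or strict mode, so an empty subject only surfaces as an openssl error after `ca.key.pem` has already been written; add at the top `#!/usr/bin/env bash`, `set -euo pipefail` and `: "${SUBJ:?set SUBJ to the certificate subject, e.g. /CN=example.com}"`. The `microk8s.kubectl … || kubectl …` fallbacks on the first two lines also hide any failure of the first command (namespace already present, RBAC rejection) behind a second attempt; resolving the binary once with `kubectl=$(command -v microk8s.kubectl || command -v kubectl)` and calling `"$kubectl"` without `||` keeps the exit status meaningful. The CA key, both leaf keys and the serial file from `-CAcreateserial` are left in the working directory, which the README runs from inside the repository, so they should be ignored by git or generated under `mktemp -d` — the CA key is only needed while the two certificates are signed. `mkdir $(helm home)` on the last line fails when the directory already exists and is unquoted; `mkdir -p -- "$(helm home)"`. The hunk header suggests it covers the whole file, in which case `tiller.cert.pem`/`tiller.key.pem` are generated but never handed to Tiller here, which is worth a comment pointing at where that happens.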