feat(blocky): add blocky (#3735)

* feat(blocky): add blocky

* Chore(Blocky): Ornias's refactor

* Chore(Blocky): stavros' refactor

* add basic run tests and remaining config options in values.yaml

* bump common again

* correct minor services whoopsy

* whoops again

* Update charts/incubator/blocky/questions.yaml

Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>

* Update charts/incubator/blocky/questions.yaml

Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>

* Actually add values.yaml settings to blockyconfig file

* hmm

* Update charts/incubator/blocky/templates/common.yaml

Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Signed-off-by: Kjeld Schouten-Lebbing <kjeld@schouten-lebbing.nl>

* don't load k8s-gateway without domains added

* remove loop detection from k8s-gateway

* respond with nxdomain if no forwarding is added to k8s-gateway and fix k8s-gateway domains in blocky config

* hmmm

* fix some mistakes

* fix config mistake

* always add a forward to prevent errors, even though forwarding would never be used.

Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Signed-off-by: Kjeld Schouten-Lebbing <kjeld@schouten-lebbing.nl>
Co-authored-by: Kjeld Schouten-Lebbing <kjeld@schouten-lebbing.nl>
This commit is contained in:
Stavros Kois
2022-09-23 01:05:40 +03:00
committed by GitHub
parent fc6d4b689f
commit caa3733880
14 changed files with 1498 additions and 0 deletions

View File

@@ -0,0 +1,30 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# OWNERS file for Kubernetes
OWNERS
# helm-docs templates
*.gotmpl
# docs folder
/docs
# icon
icon.png

View File

@@ -0,0 +1,33 @@
apiVersion: v2
appVersion: "10.6.2"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 10.5.7
- condition: redis.enabled
name: redis
repository: https://charts.truecharts.org
version: 3.0.67
description: Blocky is a DNS proxy and ad-blocker for the local network written in Go
home: https://truecharts.org/docs/charts/stable/airsonic
icon: https://truecharts.org/img/hotlink-ok/chart-icons/airsonic.png
keywords:
- dns
- blocky
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: blocky
sources:
- https://0xerr0r.github.io/blocky/
- https://github.com/0xERR0R/blocky
- https://github.com/Mozart409/blocky-frontend
- https://hub.docker.com/r/spx01/blocky
version: 0.0.1
annotations:
truecharts.org/catagories: |
- network
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U
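Review bot: `home: https://truecharts.org/docs/charts/stable/airsonic` and `icon: https://truecharts.org/img/hotlink-ok/chart-icons/airsonic.png` still point at airsonic; this looks copied from another chart and should reference blocky. `appVersion: "10.6.2"` also matches nothing in values.yaml, where the blocky image is pinned to the `development` tag and the commented-out mirror to `v0.19`; settle on one release and keep appVersion in step with the image tag so the rendered version labels mean something.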

View File

View File

@@ -0,0 +1,7 @@
k8sgateway:
enabled: true
# -- list of processed domains
domains:
- domain: something.com
dnsChallenge:
enabled: false

View File

@@ -0,0 +1,87 @@
# Installation notes
## Default Configuration
The following config will be pre-configured and merged with any config you manually add to `blockyConfig` option in `values.yaml`:
Redis (always present):
```yaml
redis:
address: $redis_host:6379
password: $redis_pass
database: 0
required: true
connectionAttempts: 10
connectionCooldown: 3s
```
Prometheus (Only present if enabled):
```yaml
prometheus:
enable: true
path: /metrics
```
Upstreams (from values.yaml):
```yaml
upstream:
default:
- # Content from `.Values.defaultUpstreams`
# Additional upstream groups from `.Values.upstreams`
```
Whitelist/Blacklist (from values.yaml) :
```yaml
blocking:
blockType: nxDomain
blockTTL: 6h
refreshPeriod: 4h
downloadTimeout: 60s
downloadAttempts: 3
downloadCooldown: 2s
failStartOnListError: false
processingConcurrency: 4
whiteLists:
# Groupname:
- # Content from .Values.blocking.whiteList
blackLists:
# Groupname:
- # Content from .Values.blocking.blackList
clientGroupsBlock:
# Groupname:
- # Content from .Values.blocking.clientGroupsBlock
```
## Configuration Instructions
### TrueNAS SCALE
For TrueNAS SCALE, we offer only a limited subset of configuration options:
- Upstream DNS servers
- Whitelists
- Blacklists
Those have special variables in `values.yaml`, so we can show them nicely in the TrueNAS SCALE GUI
### Native Helm
For anything but TrueNAS SCALE, we would advice to instead use `blockyConfig` in `Values.yaml` and NOT mount any configuration file manually.
In short:
- Add your config in `values.yaml` under `blockyConfig:`
- Add your whitelists in `values.yaml` under `blockyWhitelist` or manually using blockyConfig
- Add your blacklists in `values.yaml` under `blockyBlacklist` or manually using blockyConfig
### Adding config by mounting files
You can mount custom config files, using `persistence` or, in SCALE GUI, `Additional Storage` to the following path:
`/app/config/`
_However it cannot reference any of the pre-defined variables listed above, so it's use is severely limited._
You can also mount custom Whitelist/Blacklist files, using `persistence` or, in SCALE GUI, `Additional Storage` and enter the path in your whitelist or blacklist settings manually
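Review bot: the "always present" Redis block documents `password: $redis_pass` as part of the generated config, and that config is rendered into a ConfigMap, not a Secret; either state that the Redis password ends up in a ConfigMap (readable by anyone with `get configmaps` in the namespace, and not covered by Secret-level RBAC or etcd encryption) or, better, fix the chart to render the file into a Secret. The merge paragraph should also say which side wins on a conflicting key, for example a user-supplied `upstream.default` in `blockyConfig` versus the generated one. Wording: "we would advice" should read "we would advise", and "it's use" should read "its use".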

Binary file not shown.


View File

@@ -0,0 +1,597 @@
# Include{groups}
portals:
open:
# Include{portalLink}
questions:
# Include{global}
# Include{controller}
# Include{controllerDeployment}
# Include{replicas}
# Include{replica1}
# Include{strategy}
# Include{recreate}
# Include{controllerExpert}
# Include{controllerExpertExtraArgs}
- variable: blocky
group: Container Configuration
label: Blocky Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: enableWebUI
label: Enable Web UI
description: Enables Web UI
schema:
type: boolean
default: true
- variable: enablePrometheus
label: Enable Prometheus Endpoint
description: Enables Prometheus Endpoint
schema:
type: boolean
default: true
- variable: overrideDefaults
group: Container Configuration
label: Override Default Upstreams
description: Overrides the predefined DNS server upstream list
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: defaultUpstreams
label: Default Upstreams
schema:
type: list
default: []
items:
- variable: upstreamEntry
label: Upstream Entry
schema:
type: string
required: true
default: ""
- variable: upstreams
group: Container Configuration
label: Upstreams Groups
description:
schema:
type: list
default: []
items:
- variable: upstreamsGroupEntry
label: Upstreams Group Entry
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: Group Name
schema:
type: string
required: true
default: ""
- variable: upstreams
label: Upstreams
schema:
type: list
required: true
default: []
items:
- variable: upstreamEntry
label: upstream Entry
schema:
type: string
required: true
default: ""
- variable: conditional
group: Container Configuration
label: Conditional
schema:
additional_attrs: true
type: dict
attrs:
- variable: rewrite
label: Rewrite
schema:
type: list
default: []
items:
- variable: rewriteEntry
label: Rewrite Entry
schema:
type: dict
additional_attrs: true
attrs:
- variable: in
label: In
schema:
type: string
required: true
default: ""
- variable: out
label: Out
schema:
type: string
required: true
default: ""
- variable: mapping
label: Mapping
schema:
type: list
default: []
items:
- variable: mappingEntry
label: Mapping Entry
schema:
type: dict
additional_attrs: true
attrs:
- variable: domain
label: Domain
schema:
type: string
required: true
default: ""
- variable: dnsserver
label: DNS Server
schema:
type: string
required: true
default: ""
- variable: blocking
group: Container Configuration
label: Blocking
schema:
additional_attrs: true
type: dict
attrs:
- variable: blockType
label: Block Type
description: Set the response should be sent to the client, if a requested query is blocked
schema:
type: string
default: nxDomain
- variable: blockTTL
label: Block TTL
description: Set the TTL for answers to blocked domains
schema:
type: string
default: 6h
- variable: refreshPeriod
label: Refresh Period
description: Set how often blocky should refresh list cache
schema:
type: string
default: 4h
- variable: downloadTimeout
label: Download Timeout
description: Download attempt timeout
schema:
type: string
default: 60s
- variable: downloadAttempts
label: Download Attempts
description: How many download attempts should be performed
schema:
type: int
default: 3
- variable: downloadCooldown
label: Download Cooldown
description: Time between the download attempts
schema:
type: string
default: 2s
- variable: failStartOnListError
label: Fail Start on List Error
description: Fail to start if at least one list can't be downloaded or opened
schema:
type: boolean
default: false
- variable: processingConcurrency
label: Processing Concurrency
description: Sets how many list-groups can be processed at the same time
schema:
type: int
default: 4
- variable: whitelist
label: Whitelist
description: Define whitelists, either URL or file
schema:
type: list
default: []
items:
- variable: whitelistEntry
label: Whitelist Group Entry
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: Group Name
schema:
type: string
required: true
default: ""
- variable: lists
label: Lists
schema:
type: list
required: true
default: []
items:
- variable: listEntry
label: List Entry
schema:
type: string
required: true
default: ""
- variable: blacklist
label: Blacklist
description: Define blacklists, either URL or file
schema:
type: list
default: []
items:
- variable: blacklistEntry
label: Blacklist Group Entry
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: Group Name
schema:
type: string
required: true
default: ""
- variable: lists
label: Lists
schema:
type: list
required: true
default: []
items:
- variable: listEntry
label: List Entry
schema:
type: string
required: true
default: ""
- variable: clientGroupsBlock
label: Client Groups Block
description: Define, which blocking group(s) should be used for which client in your network.
schema:
type: list
default: []
items:
- variable: clientGroupBlockEntry
label: Client Group Block Entry
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: Client Group Name
schema:
type: string
required: true
default: ""
- variable: groups
label: Groups
schema:
type: list
required: true
default: []
items:
- variable: groupEntry
label: Group Entry
schema:
type: string
required: true
default: ""
- variable: k8sgateway
group: Container Configuration
label: k8s-Gateway Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enable k8s-Gateway
description: Enables k8s-Gateway
schema:
type: boolean
default: true
show_subquestions_if: true
subquestions:
- variable: domains
label: Domains
description: Please refer to CoreDNS docs for options
schema:
type: list
default: []
items:
- variable: domainEntry
label: ""
schema:
additional_attrs: true
type: dict
attrs:
- variable: domain
label: Domain name
schema:
type: string
required: true
default: example.com
- variable: dnsChallenge
label: Forward dnsChallenge
description: Optional configuration option for DNS01 challenge that will redirect all acme
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enable
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: domain
label: Forward to Domain
schema:
type: string
required: true
default: dns01.clouddns.com
- variable: advancedOptions
label: Advanced Options
schema:
type: boolean
default: false
show_if: [["enabled", "=", "true"]]
show_subquestions_if: true
subquestions:
- variable: ttl
label: ttl
description: TTL for non-apex responses (in seconds)
schema:
type: int
default: 300
- variable: watchedResources
label: Watched Resources
description: imit what kind of resources to watch, e.g. Ingress
schema:
type: list
default: []
items:
- variable: watchedResource
label: Watched Resource
schema:
type: string
default: ""
- variable: secondary
label: Secondary DNS Server Service
description: Service name of a secondary DNS server (should be serviceName.namespace)
schema:
type: string
default: ""
- variable: apex
label: Apex
description: Override the default `serviceName.namespace` domain apex
schema:
type: string
default: ""
# Include{containerConfig}
# Include{serviceRoot}
- variable: main
label: Main Service
description: The Primary service on which the healthcheck runs, often the webUI
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: main
label: Main Service Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 10315
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: Target Port
description: The internal(!) port on the container the Application runs on
schema:
type: int
default: 80
- variable: dns-tcp
label: DNS TCP Service
description: The DNS TCP service
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: dns-tcp
label: DNS TCP Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 53
required: true
# Include{advancedPortTCP}
- variable: targetPort
label: Target Port
description: The internal(!) port on the container the Application runs on
schema:
type: int
default: 53
- variable: dns-udp
label: DNS UDP Service
description: The DNS UDP service
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: dns-udp
label: DNS UDP Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 53
required: true
# Include{advancedPortUDP}
- variable: targetPort
label: Target Port
description: The internal(!) port on the container the Application runs on
schema:
type: int
default: 53
- variable: dot
label: DoT Service
description: "DNS-over-TLS service"
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorClusterIP}
# Include{serviceSelectorExtras}
- variable: dot
label: DoT Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 853
required: true
# Include{advancedPortUDP}
- variable: targetPort
label: Target Port
description: The internal(!) port on the container the Application runs on
schema:
type: int
default: 853
- variable: http
label: HTTP and Metrics Service
description: "service for things like metrics, pprof, API, DoH etc"
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorClusterIP}
# Include{serviceSelectorExtras}
- variable: http
label: HTTP and Metrics Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 4000
required: true
# Include{advancedPortUDP}
- variable: targetPort
label: Target Port
description: The internal(!) port on the container the Application runs on
schema:
type: int
default: 4000
# Include{serviceExpertRoot}
default: false
# Include{serviceExpert}
# Include{serviceList}
# Include{persistenceList}
# Include{ingressRoot}
- variable: main
label: Main Ingress
schema:
additional_attrs: true
type: dict
attrs:
# Include{ingressDefault}
# Include{ingressTLS}
# Include{ingressTraefik}
# Include{ingressExpert}
# Include{ingressList}
# Include{security}
# Include{securityContextAdvancedRoot}
- variable: privileged
label: Privileged mode
schema:
type: boolean
default: false
- variable: readOnlyRootFilesystem
label: ReadOnly Root Filesystem
schema:
type: boolean
default: true
- variable: allowPrivilegeEscalation
label: Allow Privilege Escalation
schema:
type: boolean
default: false
- variable: runAsNonRoot
label: runAsNonRoot
schema:
type: boolean
default: true
# Include{securityContextAdvanced}
# Include{podSecurityContextRoot}
- variable: runAsUser
label: runAsUser
description: The UserID of the user running the application
schema:
type: int
default: 568
- variable: runAsGroup
label: runAsGroup
description: The groupID this App of the user running the application
schema:
type: int
default: 568
- variable: fsGroup
label: fsGroup
description: The group that should own ALL storage.
schema:
type: int
default: 568
# Include{podSecurityContextAdvanced}
# Include{resources}
# Include{advanced}
# Include{addons}
# Include{documentation}
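Review bot: the `dot` and `http` port blocks pull in `# Include{advancedPortUDP}` although values.yaml declares `dot` as `protocol: TCP` and `http` as `protocol: HTTP`; use the TCP/HTTP includes there so the GUI offers the right protocol options. Smaller fixes in the same file: `description:` under `upstreams` is empty, "Set the response should be sent to the client" should read "Set the response that should be sent to the client", "imit what kind of resources to watch" is missing its leading "L", and `show_if: [["enabled", "=", "true"]]` compares a boolean field against the string `"true"`. Note also that the schema places `dnsChallenge` inside each `domains` entry; the Corefile template must read it from the same place, which it currently does not.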

View File

@@ -0,0 +1,200 @@
{{/* Define the config */}}
{{- define "blocky.configmap" -}}
{{- $configName := printf "%s-config" (include "tc.common.names.fullname" .) }}
{{- $config := merge ( include "blocky.config" . | fromYaml ) ( .Values.blockyConfig ) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $configName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
tc-config.yaml: |
{{ $config | toYaml | indent 6 }}
{{- end -}}
{{- define "blocky.config" -}}
redis:
address: {{ printf "%v-%v" .Release.Name "redis" }}:6379
password: {{ .Values.redis.redisPassword | trimAll "\"" }}
database: 0
required: true
connectionAttempts: 10
connectionCooldown: 3s
{{- if .Values.blocky.enablePrometheus }}
prometheus:
enable: true
path: /metrics
{{- end }}
upstream:
default:
{{- .Values.defaultUpstreams | toYaml | nindent 8 }}
{{- if .Values.certFile }}
certFile: {{ .Values.certFile }}
{{- end }}
{{- if .Values.keyFile }}
keyFile: {{ .Values.keyFile }}
{{- end }}
{{- if .Values.logLevel }}
logLevel: {{ .Values.logLevel }}
{{- end }}
{{- if .Values.logTimestamp }}
logTimestamp: {{ .Values.logTimestamp }}
{{- end }}
{{- if .Values.logPrivacy }}
logPrivacy: {{ .Values.logPrivacy }}
{{- end }}
{{- if .Values.dohUserAgent }}
dohUserAgent: {{ .Values.dohUserAgent }}
{{- end }}
{{- if .Values.minTlsServeVersion }}
minTlsServeVersion: {{ .Values.minTlsServeVersion }}
{{- end }}
caching:
{{ toYaml .Values.caching | indent 2 }}
{{- if .Values.hostsFile.enabled }}
{{ $hostsfile := omit .Values.hostsFile "enabled" }}
hostsFile:
{{ toYaml $hostsfile | indent 2 }}
{{- end }}
{{- range $id, $value := .Values.upstreams }}
{{ $value.name }}:
{{- $value.dnsservers | toYaml | nindent 8 }}
{{- end }}
{{- if or .Values.bootstrapDns.upstream .Values.bootstrapDns.ips }}
bootstrapDns:
{{- if .Values.bootstrapDns.upstream }}
upstream: {{ .Values.bootstrapDns.upstream }}
{{- end }}
{{- if .Values.bootstrapDns.ips }}
ips:
{{- range $id, $value := .Values.bootstrapDns.ips }}
- {{ $value }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.filtering.filtering }}
filtering:
{{- if .Values.filtering.ips }}
queryTypes:
{{- range $id, $value := .Values.filtering.ips }}
- {{ $value }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.customDNS.filterUnmappedTypes .Values.customDNS.customTTL .Values.customDNS.rewrite .Values.customDNS.mapping }}
customDNS:
{{- if .Values.customDNS.upstream }}
upstream: {{ .Values.customDNS.upstream }}
{{- end }}
{{- if .Values.customDNS.customTTL }}
customTTL: {{ .Values.customDNS.customTTL }}
{{- end }}
{{- if .Values.customDNS.rewrite }}
rewrite:
{{- range $id, $value := .Values.customDNS.rewrite }}
{{ $value.in }}: {{ $value.out }}
{{- end }}
{{- end }}
{{- if .Values.customDNS.mapping }}
mapping:
{{- range $id, $value := .Values.customDNS.mapping }}
{{ $value.domain }}: {{ $value.dnsserver }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.clientLookup.upstream .Values.clientLookup.ips }}
clientLookup:
{{- if .Values.clientLookup.upstream }}
upstream: {{ .Values.clientLookup.upstream }}
{{- end }}
{{- if .Values.clientLookup.ips }}
singleNameOrder:
{{- range $id, $value := .Values.clientLookup.ips }}
- {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.clientLookup.clients }}
clients:
{{- range $id, $value := .Values.clientLookup.clients }}
{{ $value.domain }}:
{{- range $id, $value := .ips }}
- {{ $value }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.conditional.rewrite .Values.conditional.mapping ( and .Values.k8sgateway.enabled .Values.k8sgateway.domains ) }}
conditional:
{{- if .Values.conditional.rewrite }}
rewrite:
{{- range $id, $value := .Values.conditional.rewrite }}
{{ $value.in }}: {{ $value.out }}
{{- end }}
{{- end }}
{{- if or .Values.conditional.mapping ( and .Values.k8sgateway.enabled .Values.k8sgateway.domains ) }}
mapping:
{{- if and .Values.k8sgateway.enabled .Values.k8sgateway.domains }}
{{- range $id, $value := .Values.k8sgateway.domains }}
{{ .domain }}: 127.0.0.1:{{ $.Values.service.k8sgateway.ports.k8sgateway.targetPort }}
{{- end }}
{{- end }}
{{- range $id, $value := .Values.conditional.mapping }}
{{ $value.domain }}: {{ $value.dnsserver }}
{{- end }}
{{- end }}
{{- end }}
blocking:
blockType: {{ .Values.blocking.blockType }}
blockTTL: {{ .Values.blocking.blockTTL }}
refreshPeriod: {{ .Values.blocking.refreshPeriod }}
downloadTimeout: {{ .Values.blocking.downloadTimeout }}
downloadAttempts: {{ .Values.blocking.downloadAttempts }}
downloadCooldown: {{ .Values.blocking.downloadCooldown }}
failStartOnListError: {{ .Values.blocking.failStartOnListError }}
processingConcurrency: {{ .Values.blocking.processingConcurrency }}
{{- if .Values.blocking.whitelist }}
whiteLists:
{{- range $id, $value := .Values.blocking.whitelist }}
{{ $value.name }}:
{{- $value.lists | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.blocking.blacklist }}
blackLists:
{{- range $id, $value := .Values.blocking.blacklist }}
{{ $value.name }}:
{{- $value.lists | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.blocking.clientGroupsBlock }}
clientGroupsBlock:
{{- range $id, $value := .Values.blocking.clientGroupsBlock }}
{{ $value.name }}:
{{- $value.groups | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
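Review bot: `password: {{ .Values.redis.redisPassword | trimAll "\"" }}` writes the Redis password in plain text into a ConfigMap; render `tc-config.yaml` into a Secret (or take the password from the existing `rediscreds` secret at runtime) so the credential gets Secret semantics for RBAC, etcd encryption and backups. Second, `merge ( include "blocky.config" . | fromYaml ) ( .Values.blockyConfig )` gives the generated defaults precedence on every conflicting key (sprig's `merge` favours the first argument), so a user who sets `upstream.default` or `blocking` in `blockyConfig` is silently ignored; swap the arguments or use `mergeOverwrite` if user config is meant to win, and document the choice. Third, several conditions read keys that values.yaml never defines, so those sections can never render: `.Values.filtering.filtering` and `.Values.filtering.ips` (values has `filtering.queryTypes`), `.Values.clientLookup.ips` (values has `singleNameOrder`), and `.Values.customDNS.upstream`; `customDNS.filterUnmappedTypes` is tested in the `if` but never emitted into the config.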

View File

@@ -0,0 +1,107 @@
{{- define "k8sgateway.container" -}}
image: {{ .Values.k8sgatewayImage.repository }}:{{ .Values.k8sgatewayImage.tag }}
imagePullPolicy: {{ .Values.k8sgatewayImage.pullPolicy }}
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: true
runAsNonRoot: false
args: ["-conf", "/etc/coredns/Corefile"]
ports:
- containerPort: {{ .Values.service.k8sgateway.ports.k8sgateway.targetPort }}
name: main
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readinessProbe:
httpGet:
path: /ready
port: 8181
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /ready
port: 8181
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}
{{/*
Create the matchable regex from domain
*/}}
{{- define "k8sgateway.configmap.regex" -}}
{{- if .Values.k8sgateway.domain }}
{{- .Values.k8sgateway.domain | replace "." "[.]" -}}
{{- else -}}
{{ "unset" }}
{{- end }}
{{- end -}}
{{/* Define the configmap */}}
{{- define "k8sgateway.configmap" -}}
{{- $values := .Values.k8sgateway }}
{{- $fqdn := ( include "tc.common.names.fqdn" . ) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "tc.common.names.fullname" . }}-corefile
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
Corefile: |-
.:{{ .Values.service.k8sgateway.ports.k8sgateway.targetPort }} {
errors
log
health {
lameduck 5s
}
ready
{{- range .Values.k8sgateway.domains }}
{{- if .dnsChallenge.enabled }}
template IN ANY {{ required "Delegated domain ('domain') is mandatory " .domain }} {
match "_acme-challenge[.](.*)[.]{{ include "k8sgateway.configmap.regex" . }}"
answer "{{ "{{" }} .Name {{ "}}" }} 5 IN CNAME {{ "{{" }} index .Match 1 {{ "}}" }}.{{ required "DNS01 challenge domain is mandatory " $values.dnsChallenge.domain }}"
fallthrough
}
{{- end }}
k8s_gateway "{{ required "Delegated domain ('domain') is mandatory " .domain }}" {
apex {{ $values.apex | default $fqdn }}
ttl {{ $values.ttl }}
{{- if $values.secondary }}
secondary {{ $values.secondary }}
{{- end }}
{{- if $values.watchedResources }}
resources {{ join " " $values.watchedResources }}
{{- end }}
fallthrough
}
{{- end }}
prometheus 0.0.0.0:9153
{{- if .Values.k8sgateway.forward.enabled }}
forward . {{ .Values.k8sgateway.forward.primary }} {{ .Values.k8sgateway.forward.secondary }} {
{{- range .Values.k8sgateway.forward.options }}
{{ .name }} {{ .value }}
{{- end }}
}
{{- else }}
forward . 1.1.1.1
{{- end }}
loop
reload
loadbalance
}
{{- end -}}
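Review bot: the sidecar runs with `runAsUser: 0` and `runAsNonRoot: false` while the pod defaults in questions.yaml advertise `runAsNonRoot: true`; k8s_gateway listens on 5353, which needs no privileged port binding, so run it as the chart's 568 user and add `allowPrivilegeEscalation: false` and `capabilities: drop: ["ALL"]` (nothing in this template needs a capability). Second, the DNS01 path is broken: `k8sgateway.configmap.regex` reads `.Values.k8sgateway.domain` (singular, not defined; values.yaml has `domains`) and is invoked with `.` set to the range element, where `.Values` is nil, and `$values.dnsChallenge.domain` reads a top-level key while values.yaml and questions.yaml place `dnsChallenge` inside each `domains` entry; derive the match regex from `.domain | replace "." "[.]"` and the CNAME target from `.dnsChallenge.domain` on the element. Also the commit message says loop detection was removed, yet `loop` is still in the Corefile, and the unconditional `forward . 1.1.1.1` fallback sends anything that falls through the delegated zones to Cloudflare over plain UDP; reuse the `tls://` forward from `k8sgateway.forward` as the default instead.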

View File

@@ -0,0 +1,36 @@
{{- define "blocky.frontend" -}}
image: {{ .Values.WebUIImage.repository }}:{{ .Values.WebUIImage.tag }}
imagePullPolicy: {{ .Values.WebUIImage.pullPolicy }}
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
runAsNonRoot: true
ports:
- containerPort: {{ .Values.service.main.ports.main.targetPort }}
name: main
readinessProbe:
httpGet:
path: /
port: {{ .Values.service.main.ports.main.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /
port: {{ .Values.service.main.ports.main.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /
port: {{ .Values.service.main.ports.main.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}
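Review bot: the frontend starts as UID 568 with `readOnlyRootFilesystem: true`, yet `containerPort` and all three probes use `service.main.ports.main.targetPort`, which values.yaml sets to 80; a non-root process can only bind 80 if the image ships the server with `CAP_NET_BIND_SERVICE` (or listens on an unprivileged port), and a read-only root needs writable cache/pid paths for the usual static-file servers. Verify that `tccr.io/truecharts/blocky-frontend` satisfies both, otherwise the probes fail and the pod never becomes ready. `allowPrivilegeEscalation: false` and `capabilities: drop: ["ALL"]` are also missing from this securityContext.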

View File

@@ -0,0 +1,50 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{ include "blocky.configmap" . }}
{{/* Always mount the configmap, with the basic config, plus the 'blockyConfig' */}}
{{- define "blocky.configmap.mount" -}}
enabled: true
type: custom
mountPath: /app/config/tc-config.yaml
subPath: tc-config.yaml
readOnly: true
volumeSpec:
configMap:
name: '{{ printf "%s-config" (include "tc.common.names.fullname" .) }}'
{{- end -}}
{{/* Append the general configMap volume to the volumes */}}
{{- define "k8sgateway.configvolume" -}}
enabled: "true"
mountPath: "/etc/coredns"
readOnly: true
type: "custom"
volumeSpec:
configMap:
name: {{ include "tc.common.names.fullname" . }}-corefile
items:
- key: Corefile
path: Corefile
{{- end -}}
{{- $_ := set .Values.persistence "tc-config" (include "blocky.configmap.mount" . | fromYaml) -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.main.ports.main.targetPort | quote) -}}
{{- if .Values.blocky.enableWebUI -}}
{{- $_ := set .Values.additionalContainers "frontend" (include "blocky.frontend" . | fromYaml) -}}
{{- end -}}
{{- if and .Values.k8sgateway.enabled .Values.k8sgateway.domains -}}
{{- include "k8sgateway.configmap" . }}
{{- $_ := set .Values.persistence "config-volume" (include "k8sgateway.configvolume" . | fromYaml) -}}
{{- $_ := set .Values.additionalContainers "k8sgateway" (include "k8sgateway.container" . | fromYaml) -}}
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}
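Review bot: the Prometheus annotations set `prometheus.io/port` to `.Values.service.main.ports.main.targetPort` (80, the web UI frontend), but blocky serves `/metrics` on its HTTP listener, which values.yaml maps to `service.http.ports.http.targetPort` (4000); use that value, and set the annotations only when `.Values.blocky.enablePrometheus` is true, since the config section they advertise is conditional on it. Also `enabled: "true"` in `k8sgateway.configvolume` is a string where `blocky.configmap.mount` uses a boolean, and a `subPath` ConfigMap mount such as `tc-config.yaml` is never refreshed by the kubelet, so config changes need a pod restart; that deserves a line in the docs.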

View File

@@ -0,0 +1,338 @@
image:
repository: spx01/blocky
tag: development@sha256:c55e676e89cee31edeee687d70f7ed957b727d61b5611e213809f7a0399fe4ef
# repository: tccr.io/truecharts/blocky
# tag: v0.19@sha256:77a474542f12f480deca33ff0a6375846918b86988c13f858620839d8818ca84
pullPolicy: IfNotPresent
WebUIImage:
repository: tccr.io/truecharts/blocky-frontend
tag: v0.0.3@sha256:81058f20520dcdb80c9883b6f21b338446fefc333e3ca8bd7d17336a24a5d842
pullPolicy: IfNotPresent
k8sgatewayImage:
repository: tccr.io/truecharts/k8s_gateway
pullPolicy: IfNotPresent
tag: 0.3.2@sha256:594fd6990eb2e0af1df7df8ba76cb3ca66232f46c5df5ebf786a45dd19777ae5
controller:
# -- Set additional annotations on the deployment/statefulset/daemonset
# -- Number of desired pods
replicas: 2
# -- Set the controller upgrade strategy
# For Deployments, valid values are Recreate (default) and RollingUpdate.
# For StatefulSets, valid values are OnDelete and RollingUpdate (default).
# DaemonSets ignore this.
strategy: RollingUpdate
# -- Blocky Config File content
blockyConfig: {}
# upstream:
# default:
# - 1.1.1.1
env:
BLOCKY_CONFIG_FILE: "/app/config/"
blocky:
enableWebUI: true
enablePrometheus: true
probes:
liveness:
enabled:
custom: true
spec:
exec:
command:
- /app/blocky
- healthcheck
readiness:
custom: true
spec:
exec:
command:
- /app/blocky
- healthcheck
startup:
custom: true
spec:
exec:
command:
- /app/blocky
- healthcheck
service:
main:
ports:
main:
port: 10315
protocol: HTTP
targetPort: 80
dns-tcp:
enabled: true
ports:
dns-tcp:
enabled: true
port: 53
targetPort: 53
dns-udp:
enabled: true
ports:
dns-udp:
enabled: true
port: 53
protocol: UDP
targetPort: 53
dot:
enabled: true
ports:
dot:
enabled: true
port: 853
protocol: TCP
targetPort: 853
http:
enabled: true
ports:
http:
enabled: true
port: 4000
protocol: HTTP
targetPort: 4000
https:
enabled: true
ports:
https:
enabled: true
port: 4443
protocol: HTTPS
targetPort: 4443
k8sgateway:
enabled: true
ports:
k8sgateway:
enabled: true
port: 5353
protocol: UDP
targetPort: 5353
## TODO Add support for SCALE certificates and certificates secrets here
certFile: ""
keyFile: ""
logLevel: info
logFormat: text
logTimestamp: true
logPrivacy: false
dohUserAgent: ""
minTlsServeVersion: 1.2
# -- set the default DNS upstream servers
# Primarily designed for inclusion in the TrueNAS SCALE GUI
defaultUpstreams:
- 1.1.1.1
- 1.0.0.1
- 8.8.8.8
- 8.8.4.4
- 9.9.9.9
- 149.112.112.112
- 208.67.222.222
- 208.67.220.220
- 8.26.56.26
- 8.20.247.20
- 185.228.168.9
- 185.228.169.9
- 76.76.19.19
- 76.223.122.150
- 76.76.2.0
- 76.76.10.0
# -- set additional upstreams
# Primarily designed for inclusion in the TrueNAS SCALE GUI
upstreams:
# - name: group2
# dnsservers:
# - 1.1.1.1
# -- set bootstrap dns (not needed)
# Ensures bootstrap encryption and ensure it doesn't use k8s dns
bootstrapDns:
# -- Upstream
upstream: ""
# -- IP's linked to upstream DoT/DoH DNS name
ips: []
# -- Return empty answer for these queries
filtering:
# -- Ensures filtering by query type
queryTypes: []
# -- Set manual custom DNS resolution
customDNS:
customTTL: 1h
filterUnmappedTypes: true
rewrite: []
# - in: something.com
# out: somethingelse.com
mapping: []
# - domain: something.com
# dnsserver: 192.168.178.1
# -- Setup client-name lookup
clientLookup:
# -- upstream used for client-name lookup
upstream: ""
singleNameOrder: []
clients:
# - domain: laptop
# ips: []
# -- Setup caching
caching:
minTime: 5m
maxTime: 30m
maxItemsCount: 0
prefetching: false
prefetchExpires: 2h
prefetchThreshold: 5
prefetchMaxItemsCount: 0
cacheTimeNegative: 30m
# -- set conditional settings
# Primarily designed for inclusion in the TrueNAS SCALE GUI
conditional:
rewrite: []
# - in: something.com
# out: somethingelse.com
mapping: []
# - domain: something.com
# dnsserver: 192.168.178.1
# -- set blocking settings using Lists
# Primarily designed for inclusion in the TrueNAS SCALE GUI
blocking:
# -- Sets the blocktype
blockType: nxDomain
# -- Sets the block ttl
blockTTL: 6h
# -- Sets the block refreshPeriod
refreshPeriod: 4h
# -- Sets the block download timeout
downloadTimeout: 60s
# -- Sets the block download attempt count
downloadAttempts: 3
# -- Sets the block download cooldown
downloadCooldown: 2s
# -- Set to fail start of lists cannot be downloaded
failStartOnListError: false
# -- Sets how many list-groups can be processed at the same time
processingConcurrency: 4
# -- Add blocky whitelists
whitelist: []
# - name: ads
# lists:
# - https://someurl.com/list.txt
# - /somefile.txt
# -- Blocky blacklists
blacklist: []
# - name: ads
# lists:
# - https://someurl.com/list.txt
# - /somefile.txt
# -- Blocky clientGroupsBlock
clientGroupsBlock: []
# - name: default
# groups:
# - ads
# -- configure using hostsfile for lookups
# Allows for using the hosts configured in kubernetes and such
hostsFile:
enabled: false
filePath: /etc/hosts
hostsTTL: 60m
refreshPeriod: 30m
## TODO: add this with postgresql support as well
# queryLog:
# type: csv
# target: /logs
# logRetentionDays: 0
# creationAttempts: 3
# CreationCooldown: 2
portal:
enabled: true
serviceAccount:
main:
# -- Specifies whether a service account should be created
enabled: true
# -- Create a ClusterRole and ClusterRoleBinding
# @default -- See below
rbac:
main:
# -- Enables or disables the ClusterRole and ClusterRoleBinding
enabled: true
# -- Set Rules on the ClusterRole
rules:
- apiGroups:
- ""
resources:
- services
- namespaces
verbs:
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- watch
k8sgateway:
enabled: true
# -- TTL for non-apex responses (in seconds)
ttl: 300
# -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"]
watchedResources: []
# -- Service name of a secondary DNS server (should be `serviceName.namespace`)
secondary: ""
# -- Override the default `serviceName.namespace` domain apex
apex: ""
# -- list of processed domains
domains: []
# -- Delegated domain
# - domain: "example.com"
# # -- Optional configuration option for DNS01 challenge that will redirect all acme
# # challenge requests to external cloud domain (e.g. managed by cert-manager)
# # See: https://cert-manager.io/docs/configuration/acme/dns01/
# dnsChallenge:
# enabled: false
# domain: dns01.clouddns.com
forward:
enabled: false
primary: tls://1.1.1.1
secondary: tls://1.0.0.1
options:
- name: tls_servername
value: cloudflare-dns.com
unbound:
enabled: false
redis:
enabled: true
existingSecret: "rediscreds"
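Review bot: the main image is pinned to `spx01/blocky:development@sha256:...` while the tccr.io mirror at `v0.19` is commented out; shipping the `development` tag, even digest-pinned, tracks an unreleased build and disagrees with `appVersion: "10.6.2"` in Chart.yaml, so prefer the mirrored release tag. `probes.liveness` has a stray empty `enabled:` key above `custom: true`. The `defaultUpstreams` list fans queries out over plain UDP/53 to several different operators, some of which filter (security or ad-blocking resolvers) and some of which do not, so answers depend on which upstream wins the race; a shorter list of `tcp-tls:` upstreams (blocky's DoT syntax, e.g. `tcp-tls:1.1.1.1:853`) would be both more private and more consistent. Finally, the rendered config never sets `httpPort`, `httpsPort` or `tlsPort`, so whether the 4000/4443/853 services reach a listener depends on blocky's built-in defaults, and with `certFile`/`keyFile` empty it needs checking that the `https` and `dot` listeners come up at all; either emit the ports from the service targetPorts or disable those services by default.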

View File

@@ -21,6 +21,8 @@ words:
- basicauthexample
- batnoter
- bazarr
- Blocklists
- blocktype
- bugfixer's
- bungeecord
- cacher
@@ -28,12 +30,15 @@ words:
- cheatsheet
- chronos
- cifs
- clouddns
- cloudflared
- cloudflareddns
- collabora
- configfile
- configfiles
- configmap
- containo
- cooldown
- crossplay
- csgo
- cuda
@@ -46,6 +51,8 @@ words:
- ddns
- djava
- dnat
- dnsserver
- dnsservers
- dockerized
- duplicati
- dynmap
@@ -65,6 +72,7 @@ words:
- gibibyte
- gluster
- goauthentik
- Groupname
- gunicorn
- healthcheck
- healthchecks
@@ -196,9 +204,13 @@ words:
- Scipy
- selfsigned
- serverconfig
- servername
- serverstransports
- serviceexpert
- sgateway
- smallblock
- somefile
- somethingelse
- sonarr
- sonarrsabnzbd
- sonatype
@@ -235,6 +247,7 @@ words:
- umami
- unet
- unifi
- Upstreams
- userspace
- vaapi
- valheim