diff --git a/charts/incubator/blocky/.helmignore b/charts/incubator/blocky/.helmignore new file mode 100644 index 00000000000..77ca5567b26 --- /dev/null +++ b/charts/incubator/blocky/.helmignore @@ -0,0 +1,30 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# OWNERS file for Kubernetes +OWNERS +# helm-docs templates +*.gotmpl +# docs folder +/docs +# icon +icon.png diff --git a/charts/incubator/blocky/Chart.yaml b/charts/incubator/blocky/Chart.yaml new file mode 100644 index 00000000000..40d68c6c4db --- /dev/null +++ b/charts/incubator/blocky/Chart.yaml @@ -0,0 +1,33 @@ +apiVersion: v2 +appVersion: "10.6.2" +dependencies: + - name: common + repository: https://library-charts.truecharts.org + version: 10.5.7 + - condition: redis.enabled + name: redis + repository: https://charts.truecharts.org + version: 3.0.67 +description: Blocky is a DNS proxy and ad-blocker for the local network written in Go +home: https://truecharts.org/docs/charts/stable/airsonic +icon: https://truecharts.org/img/hotlink-ok/chart-icons/airsonic.png +keywords: + - dns + - blocky +kubeVersion: ">=1.16.0-0" +maintainers: + - email: info@truecharts.org + name: TrueCharts + url: https://truecharts.org +name: blocky +sources: + - https://0xerr0r.github.io/blocky/ + - https://github.com/0xERR0R/blocky + - https://github.com/Mozart409/blocky-frontend + - https://hub.docker.com/r/spx01/blocky +version: 0.0.1 +annotations: + truecharts.org/catagories: | + - network + truecharts.org/SCALE-support: "true" + truecharts.org/grade: U diff --git a/charts/incubator/blocky/README.md b/charts/incubator/blocky/README.md new file mode 100644 index 00000000000..e69de29bb2d diff --git a/charts/incubator/blocky/ci/k8sgateway-values.yaml b/charts/incubator/blocky/ci/k8sgateway-values.yaml new file mode 100644 index 00000000000..4bddcbf7f12 --- /dev/null +++ b/charts/incubator/blocky/ci/k8sgateway-values.yaml @@ -0,0 +1,7 @@ +k8sgateway: + enabled: true + # -- list of processed domains + domains: + - domain: something.com + dnsChallenge: + enabled: false diff --git a/charts/incubator/blocky/ci/standalone-values.yaml b/charts/incubator/blocky/ci/standalone-values.yaml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/charts/incubator/blocky/docs/installation-notes.md b/charts/incubator/blocky/docs/installation-notes.md new file mode 100644 index 00000000000..4ad649347aa --- /dev/null +++ b/charts/incubator/blocky/docs/installation-notes.md @@ -0,0 +1,87 @@ +# Installation notes + +## Default Configuration + +The following config will be pre-configured and merged with any config you manually add to `blockyConfig` option in `values.yaml`: + +Redis (always present): + +```yaml +redis: + address: $redis_host:6379 + password: $redis_pass + database: 0 + required: true + connectionAttempts: 10 + connectionCooldown: 3s +``` + +Prometheus (Only present if enabled): + +```yaml +prometheus: + enable: true + path: /metrics +``` + +Upstreams (from values.yaml): + +```yaml +upstream: + default: + - # Content from `.Values.defaultUpstreams` + # Additional upstream groups from `.Values.upstreams` +``` + +Whitelist/Blacklist (from values.yaml) : + +```yaml +blocking: + blockType: nxDomain + blockTTL: 6h + refreshPeriod: 4h + downloadTimeout: 60s + downloadAttempts: 3 + downloadCooldown: 2s + failStartOnListError: false + processingConcurrency: 4 + whiteLists: + # Groupname: + - # Content from .Values.blocking.whiteList + blackLists: + # Groupname: + - # Content from .Values.blocking.blackList + clientGroupsBlock: + # Groupname: + - # Content from .Values.blocking.clientGroupsBlock +``` + +## Configuration Instructions + +### TrueNAS SCALE + +For TrueNAS SCALE, we offer only a limited subset of configuration options: + +- Upstream DNS servers +- Whitelists +- Blacklists + +Those have special variables in `values.yaml`, so we can show them nicely in the TrueNAS SCALE GUI + +### Native Helm + +For anything but TrueNAS SCALE, we would advice to instead use `blockyConfig` in `Values.yaml` and NOT mount any configuration file manually. + +In short: + +- Add your config in `values.yaml` under `blockyConfig:` +- Add your whitelists in `values.yaml` under `blockyWhitelist` or manually using blockyConfig +- Add your blacklists in `values.yaml` under `blockyBlacklist` or manually using blockyConfig + +### Adding config by mounting files + +You can mount custom config files, using `persistence` or, in SCALE GUI, `Additional Storage` to the following path: +`/app/config/` +_However it cannot reference any of the pre-defined variables listed above, so it's use is severely limited._ + +You can also mount custom Whitelist/Blacklist files, using `persistence` or, in SCALE GUI, `Additional Storage` and enter the path in your whitelist or blacklist settings manually diff --git a/charts/incubator/blocky/icon.png b/charts/incubator/blocky/icon.png new file mode 100644 index 00000000000..e4e506d78ef Binary files /dev/null and b/charts/incubator/blocky/icon.png differ diff --git a/charts/incubator/blocky/questions.yaml b/charts/incubator/blocky/questions.yaml new file mode 100644 index 00000000000..9ec970e875a --- /dev/null +++ b/charts/incubator/blocky/questions.yaml @@ -0,0 +1,597 @@ +# Include{groups} +portals: + open: +# Include{portalLink} +questions: +# Include{global} +# Include{controller} +# Include{controllerDeployment} +# Include{replicas} +# Include{replica1} +# Include{strategy} +# Include{recreate} +# Include{controllerExpert} +# Include{controllerExpertExtraArgs} + - variable: blocky + group: Container Configuration + label: Blocky Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: enableWebUI + label: Enable Web UI + description: Enables Web UI + schema: + type: boolean + default: true + - variable: enablePrometheus + label: Enable Prometheus Endpoint + description: Enables Prometheus Endpoint + schema: + type: boolean + default: true + - variable: overrideDefaults + group: Container Configuration + label: Override Default Upstreams + description: Overrides the predefined DNS server upstream list + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: defaultUpstreams + label: Default Upstreams + schema: + type: list + default: [] + items: + - variable: upstreamEntry + label: Upstream Entry + schema: + type: string + required: true + default: "" + - variable: upstreams + group: Container Configuration + label: Upstreams Groups + description: + schema: + type: list + default: [] + items: + - variable: upstreamsGroupEntry + label: Upstreams Group Entry + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Group Name + schema: + type: string + required: true + default: "" + - variable: upstreams + label: Upstreams + schema: + type: list + required: true + default: [] + items: + - variable: upstreamEntry + label: upstream Entry + schema: + type: string + required: true + default: "" + - variable: conditional + group: Container Configuration + label: Conditional + schema: + additional_attrs: true + type: dict + attrs: + - variable: rewrite + label: Rewrite + schema: + type: list + default: [] + items: + - variable: rewriteEntry + label: Rewrite Entry + schema: + type: dict + additional_attrs: true + attrs: + - variable: in + label: In + schema: + type: string + required: true + default: "" + - variable: out + label: Out + schema: + type: string + required: true + default: "" + - variable: mapping + label: Mapping + schema: + type: list + default: [] + items: + - variable: mappingEntry + label: Mapping Entry + schema: + type: dict + additional_attrs: true + attrs: + - variable: domain + label: Domain + schema: + type: string + required: true + default: "" + - variable: dnsserver + label: DNS Server + schema: + type: string + required: true + default: "" + - variable: blocking + group: Container Configuration + label: Blocking + schema: + additional_attrs: true + type: dict + attrs: + - variable: blockType + label: Block Type + description: Set the response should be sent to the client, if a requested query is blocked + schema: + type: string + default: nxDomain + - variable: blockTTL + label: Block TTL + description: Set the TTL for answers to blocked domains + schema: + type: string + default: 6h + - variable: refreshPeriod + label: Refresh Period + description: Set how often blocky should refresh list cache + schema: + type: string + default: 4h + - variable: downloadTimeout + label: Download Timeout + description: Download attempt timeout + schema: + type: string + default: 60s + - variable: downloadAttempts + label: Download Attempts + description: How many download attempts should be performed + schema: + type: int + default: 3 + - variable: downloadCooldown + label: Download Cooldown + description: Time between the download attempts + schema: + type: string + default: 2s + - variable: failStartOnListError + label: Fail Start on List Error + description: Fail to start if at least one list can't be downloaded or opened + schema: + type: boolean + default: false + - variable: processingConcurrency + label: Processing Concurrency + description: Sets how many list-groups can be processed at the same time + schema: + type: int + default: 4 + - variable: whitelist + label: Whitelist + description: Define whitelists, either URL or file + schema: + type: list + default: [] + items: + - variable: whitelistEntry + label: Whitelist Group Entry + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Group Name + schema: + type: string + required: true + default: "" + - variable: lists + label: Lists + schema: + type: list + required: true + default: [] + items: + - variable: listEntry + label: List Entry + schema: + type: string + required: true + default: "" + - variable: blacklist + label: Blacklist + description: Define blacklists, either URL or file + schema: + type: list + default: [] + items: + - variable: blacklistEntry + label: Blacklist Group Entry + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Group Name + schema: + type: string + required: true + default: "" + - variable: lists + label: Lists + schema: + type: list + required: true + default: [] + items: + - variable: listEntry + label: List Entry + schema: + type: string + required: true + default: "" + - variable: clientGroupsBlock + label: Client Groups Block + description: Define, which blocking group(s) should be used for which client in your network. + schema: + type: list + default: [] + items: + - variable: clientGroupBlockEntry + label: Client Group Block Entry + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Client Group Name + schema: + type: string + required: true + default: "" + - variable: groups + label: Groups + schema: + type: list + required: true + default: [] + items: + - variable: groupEntry + label: Group Entry + schema: + type: string + required: true + default: "" + - variable: k8sgateway + group: Container Configuration + label: k8s-Gateway Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable k8s-Gateway + description: Enables k8s-Gateway + schema: + type: boolean + default: true + show_subquestions_if: true + subquestions: + - variable: domains + label: Domains + description: Please refer to CoreDNS docs for options + schema: + type: list + default: [] + items: + - variable: domainEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: domain + label: Domain name + schema: + type: string + required: true + default: example.com + - variable: dnsChallenge + label: Forward dnsChallenge + description: Optional configuration option for DNS01 challenge that will redirect all acme + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: domain + label: Forward to Domain + schema: + type: string + required: true + default: dns01.clouddns.com + + - variable: advancedOptions + label: Advanced Options + schema: + type: boolean + default: false + show_if: [["enabled", "=", "true"]] + show_subquestions_if: true + subquestions: + - variable: ttl + label: ttl + description: TTL for non-apex responses (in seconds) + schema: + type: int + default: 300 + - variable: watchedResources + label: Watched Resources + description: imit what kind of resources to watch, e.g. Ingress + schema: + type: list + default: [] + items: + - variable: watchedResource + label: Watched Resource + schema: + type: string + default: "" + - variable: secondary + label: Secondary DNS Server Service + description: Service name of a secondary DNS server (should be serviceName.namespace) + schema: + type: string + default: "" + - variable: apex + label: Apex + description: Override the default `serviceName.namespace` domain apex + schema: + type: string + default: "" +# Include{containerConfig} +# Include{serviceRoot} + - variable: main + label: Main Service + description: The Primary service on which the healthcheck runs, often the webUI + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelectorLoadBalancer} +# Include{serviceSelectorExtras} + - variable: main + label: Main Service Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 10315 + required: true +# Include{advancedPortHTTP} + - variable: targetPort + label: Target Port + description: The internal(!) port on the container the Application runs on + schema: + type: int + default: 80 + - variable: dns-tcp + label: DNS TCP Service + description: The DNS TCP service + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelectorLoadBalancer} +# Include{serviceSelectorExtras} + - variable: dns-tcp + label: DNS TCP Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 53 + required: true +# Include{advancedPortTCP} + - variable: targetPort + label: Target Port + description: The internal(!) port on the container the Application runs on + schema: + type: int + default: 53 + - variable: dns-udp + label: DNS UDP Service + description: The DNS UDP service + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelectorLoadBalancer} +# Include{serviceSelectorExtras} + - variable: dns-udp + label: DNS UDP Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 53 + required: true +# Include{advancedPortUDP} + - variable: targetPort + label: Target Port + description: The internal(!) port on the container the Application runs on + schema: + type: int + default: 53 + - variable: dot + label: DoT Service + description: "DNS-over-TLS service" + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelectorClusterIP} +# Include{serviceSelectorExtras} + - variable: dot + label: DoT Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 853 + required: true +# Include{advancedPortUDP} + - variable: targetPort + label: Target Port + description: The internal(!) port on the container the Application runs on + schema: + type: int + default: 853 + - variable: http + label: HTTP and Metrics Service + description: "service for things like metrics, pprof, API, DoH etc" + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelectorClusterIP} +# Include{serviceSelectorExtras} + - variable: http + label: HTTP and Metrics Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 4000 + required: true +# Include{advancedPortUDP} + - variable: targetPort + label: Target Port + description: The internal(!) port on the container the Application runs on + schema: + type: int + default: 4000 +# Include{serviceExpertRoot} + default: false +# Include{serviceExpert} +# Include{serviceList} +# Include{persistenceList} +# Include{ingressRoot} + - variable: main + label: Main Ingress + schema: + additional_attrs: true + type: dict + attrs: +# Include{ingressDefault} +# Include{ingressTLS} +# Include{ingressTraefik} +# Include{ingressExpert} +# Include{ingressList} +# Include{security} +# Include{securityContextAdvancedRoot} + - variable: privileged + label: Privileged mode + schema: + type: boolean + default: false + - variable: readOnlyRootFilesystem + label: ReadOnly Root Filesystem + schema: + type: boolean + default: true + - variable: allowPrivilegeEscalation + label: Allow Privilege Escalation + schema: + type: boolean + default: false + - variable: runAsNonRoot + label: runAsNonRoot + schema: + type: boolean + default: true +# Include{securityContextAdvanced} +# Include{podSecurityContextRoot} + - variable: runAsUser + label: runAsUser + description: The UserID of the user running the application + schema: + type: int + default: 568 + - variable: runAsGroup + label: runAsGroup + description: The groupID this App of the user running the application + schema: + type: int + default: 568 + - variable: fsGroup + label: fsGroup + description: The group that should own ALL storage. + schema: + type: int + default: 568 +# Include{podSecurityContextAdvanced} +# Include{resources} +# Include{advanced} +# Include{addons} +# Include{documentation} diff --git a/charts/incubator/blocky/templates/_blockyConfig.tpl b/charts/incubator/blocky/templates/_blockyConfig.tpl new file mode 100644 index 00000000000..1246345de5b --- /dev/null +++ b/charts/incubator/blocky/templates/_blockyConfig.tpl @@ -0,0 +1,200 @@ +{{/* Define the config */}} +{{- define "blocky.configmap" -}} +{{- $configName := printf "%s-config" (include "tc.common.names.fullname" .) }} +{{- $config := merge ( include "blocky.config" . | fromYaml ) ( .Values.blockyConfig ) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $configName }} + labels: + {{- include "tc.common.labels" . | nindent 4 }} +data: + tc-config.yaml: | +{{ $config | toYaml | indent 6 }} +{{- end -}} + +{{- define "blocky.config" -}} +redis: + address: {{ printf "%v-%v" .Release.Name "redis" }}:6379 + password: {{ .Values.redis.redisPassword | trimAll "\"" }} + database: 0 + required: true + connectionAttempts: 10 + connectionCooldown: 3s +{{- if .Values.blocky.enablePrometheus }} +prometheus: + enable: true + path: /metrics +{{- end }} +upstream: + default: +{{- .Values.defaultUpstreams | toYaml | nindent 8 }} + +{{- if .Values.certFile }} +certFile: {{ .Values.certFile }} +{{- end }} + +{{- if .Values.keyFile }} +keyFile: {{ .Values.keyFile }} +{{- end }} + +{{- if .Values.logLevel }} +logLevel: {{ .Values.logLevel }} +{{- end }} + +{{- if .Values.logTimestamp }} +logTimestamp: {{ .Values.logTimestamp }} +{{- end }} + +{{- if .Values.logPrivacy }} +logPrivacy: {{ .Values.logPrivacy }} +{{- end }} + +{{- if .Values.dohUserAgent }} +dohUserAgent: {{ .Values.dohUserAgent }} +{{- end }} + +{{- if .Values.minTlsServeVersion }} +minTlsServeVersion: {{ .Values.minTlsServeVersion }} +{{- end }} + +caching: +{{ toYaml .Values.caching | indent 2 }} + + +{{- if .Values.hostsFile.enabled }} +{{ $hostsfile := omit .Values.hostsFile "enabled" }} +hostsFile: +{{ toYaml $hostsfile | indent 2 }} +{{- end }} + +{{- range $id, $value := .Values.upstreams }} + {{ $value.name }}: +{{- $value.dnsservers | toYaml | nindent 8 }} +{{- end }} + +{{- if or .Values.bootstrapDns.upstream .Values.bootstrapDns.ips }} +bootstrapDns: +{{- if .Values.bootstrapDns.upstream }} + upstream: {{ .Values.bootstrapDns.upstream }} +{{- end }} +{{- if .Values.bootstrapDns.ips }} + ips: +{{- range $id, $value := .Values.bootstrapDns.ips }} + - {{ $value }} +{{- end }} +{{- end }} +{{- end }} + +{{- if or .Values.filtering.filtering }} +filtering: +{{- if .Values.filtering.ips }} + queryTypes: +{{- range $id, $value := .Values.filtering.ips }} + - {{ $value }} +{{- end }} +{{- end }} +{{- end }} + +{{- if or .Values.customDNS.filterUnmappedTypes .Values.customDNS.customTTL .Values.customDNS.rewrite .Values.customDNS.mapping }} +customDNS: +{{- if .Values.customDNS.upstream }} + upstream: {{ .Values.customDNS.upstream }} +{{- end }} +{{- if .Values.customDNS.customTTL }} + customTTL: {{ .Values.customDNS.customTTL }} +{{- end }} +{{- if .Values.customDNS.rewrite }} + rewrite: +{{- range $id, $value := .Values.customDNS.rewrite }} + {{ $value.in }}: {{ $value.out }} +{{- end }} +{{- end }} + +{{- if .Values.customDNS.mapping }} + mapping: +{{- range $id, $value := .Values.customDNS.mapping }} + {{ $value.domain }}: {{ $value.dnsserver }} +{{- end }} +{{- end }} +{{- end }} + +{{- if or .Values.clientLookup.upstream .Values.clientLookup.ips }} +clientLookup: +{{- if .Values.clientLookup.upstream }} + upstream: {{ .Values.clientLookup.upstream }} +{{- end }} +{{- if .Values.clientLookup.ips }} + singleNameOrder: +{{- range $id, $value := .Values.clientLookup.ips }} + - {{ $value }} +{{- end }} +{{- end }} +{{- if .Values.clientLookup.clients }} + clients: +{{- range $id, $value := .Values.clientLookup.clients }} + {{ $value.domain }}: + {{- range $id, $value := .ips }} + - {{ $value }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{- if or .Values.conditional.rewrite .Values.conditional.mapping ( and .Values.k8sgateway.enabled .Values.k8sgateway.domains ) }} +conditional: +{{- if .Values.conditional.rewrite }} + rewrite: +{{- range $id, $value := .Values.conditional.rewrite }} + {{ $value.in }}: {{ $value.out }} +{{- end }} +{{- end }} + +{{- if or .Values.conditional.mapping ( and .Values.k8sgateway.enabled .Values.k8sgateway.domains ) }} + mapping: +{{- if and .Values.k8sgateway.enabled .Values.k8sgateway.domains }} +{{- range $id, $value := .Values.k8sgateway.domains }} + {{ .domain }}: 127.0.0.1:{{ $.Values.service.k8sgateway.ports.k8sgateway.targetPort }} +{{- end }} +{{- end }} +{{- range $id, $value := .Values.conditional.mapping }} + {{ $value.domain }}: {{ $value.dnsserver }} +{{- end }} +{{- end }} +{{- end }} + +blocking: + blockType: {{ .Values.blocking.blockType }} + blockTTL: {{ .Values.blocking.blockTTL }} + refreshPeriod: {{ .Values.blocking.refreshPeriod }} + downloadTimeout: {{ .Values.blocking.downloadTimeout }} + downloadAttempts: {{ .Values.blocking.downloadAttempts }} + downloadCooldown: {{ .Values.blocking.downloadCooldown }} + failStartOnListError: {{ .Values.blocking.failStartOnListError }} + processingConcurrency: {{ .Values.blocking.processingConcurrency }} +{{- if .Values.blocking.whitelist }} + whiteLists: +{{- range $id, $value := .Values.blocking.whitelist }} + {{ $value.name }}: +{{- $value.lists | toYaml | nindent 10 }} +{{- end }} +{{- end }} + +{{- if .Values.blocking.blacklist }} + blackLists: +{{- range $id, $value := .Values.blocking.blacklist }} + {{ $value.name }}: +{{- $value.lists | toYaml | nindent 10 }} +{{- end }} +{{- end }} + +{{- if .Values.blocking.clientGroupsBlock }} + clientGroupsBlock: +{{- range $id, $value := .Values.blocking.clientGroupsBlock }} + {{ $value.name }}: +{{- $value.groups | toYaml | nindent 10 }} +{{- end }} +{{- end }} + +{{- end -}} diff --git a/charts/incubator/blocky/templates/_k8sgateway.tpl b/charts/incubator/blocky/templates/_k8sgateway.tpl new file mode 100644 index 00000000000..94cccf78438 --- /dev/null +++ b/charts/incubator/blocky/templates/_k8sgateway.tpl @@ -0,0 +1,107 @@ +{{- define "k8sgateway.container" -}} +image: {{ .Values.k8sgatewayImage.repository }}:{{ .Values.k8sgatewayImage.tag }} +imagePullPolicy: {{ .Values.k8sgatewayImage.pullPolicy }} +securityContext: + runAsUser: 0 + runAsGroup: 0 + readOnlyRootFilesystem: true + runAsNonRoot: false +args: ["-conf", "/etc/coredns/Corefile"] +ports: + - containerPort: {{ .Values.service.k8sgateway.ports.k8sgateway.targetPort }} + name: main +volumeMounts: + - name: config-volume + mountPath: /etc/coredns +readinessProbe: + httpGet: + path: /ready + port: 8181 + initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }} + periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }} + failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }} +livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }} + periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }} + failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }} +startupProbe: + httpGet: + path: /ready + port: 8181 + initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }} + periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }} + failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }} +{{- end -}} + +{{/* +Create the matchable regex from domain +*/}} +{{- define "k8sgateway.configmap.regex" -}} +{{- if .Values.k8sgateway.domain }} +{{- .Values.k8sgateway.domain | replace "." "[.]" -}} +{{- else -}} + {{ "unset" }} +{{- end }} +{{- end -}} + +{{/* Define the configmap */}} +{{- define "k8sgateway.configmap" -}} +{{- $values := .Values.k8sgateway }} +{{- $fqdn := ( include "tc.common.names.fqdn" . ) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "tc.common.names.fullname" . }}-corefile + labels: + {{- include "tc.common.labels" . | nindent 4 }} +data: + Corefile: |- + .:{{ .Values.service.k8sgateway.ports.k8sgateway.targetPort }} { + errors + log + health { + lameduck 5s + } + ready + {{- range .Values.k8sgateway.domains }} + {{- if .dnsChallenge.enabled }} + template IN ANY {{ required "Delegated domain ('domain') is mandatory " .domain }} { + match "_acme-challenge[.](.*)[.]{{ include "k8sgateway.configmap.regex" . }}" + answer "{{ "{{" }} .Name {{ "}}" }} 5 IN CNAME {{ "{{" }} index .Match 1 {{ "}}" }}.{{ required "DNS01 challenge domain is mandatory " $values.dnsChallenge.domain }}" + fallthrough + } + {{- end }} + k8s_gateway "{{ required "Delegated domain ('domain') is mandatory " .domain }}" { + apex {{ $values.apex | default $fqdn }} + ttl {{ $values.ttl }} + {{- if $values.secondary }} + secondary {{ $values.secondary }} + {{- end }} + {{- if $values.watchedResources }} + resources {{ join " " $values.watchedResources }} + {{- end }} + fallthrough + } + {{- end }} + prometheus 0.0.0.0:9153 + {{- if .Values.k8sgateway.forward.enabled }} + forward . {{ .Values.k8sgateway.forward.primary }} {{ .Values.k8sgateway.forward.secondary }} { + {{- range .Values.k8sgateway.forward.options }} + {{ .name }} {{ .value }} + {{- end }} + } + {{- else }} + forward . 1.1.1.1 + {{- end }} + loop + reload + loadbalance + } +{{- end -}} diff --git a/charts/incubator/blocky/templates/_webui.tpl b/charts/incubator/blocky/templates/_webui.tpl new file mode 100644 index 00000000000..881bee2058b --- /dev/null +++ b/charts/incubator/blocky/templates/_webui.tpl @@ -0,0 +1,36 @@ +{{- define "blocky.frontend" -}} +image: {{ .Values.WebUIImage.repository }}:{{ .Values.WebUIImage.tag }} +imagePullPolicy: {{ .Values.WebUIImage.pullPolicy }} +securityContext: + runAsUser: 568 + runAsGroup: 568 + readOnlyRootFilesystem: true + runAsNonRoot: true +ports: + - containerPort: {{ .Values.service.main.ports.main.targetPort }} + name: main +readinessProbe: + httpGet: + path: / + port: {{ .Values.service.main.ports.main.targetPort }} + initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }} + periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }} + failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }} +livenessProbe: + httpGet: + path: / + port: {{ .Values.service.main.ports.main.targetPort }} + initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }} + periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }} + failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }} +startupProbe: + httpGet: + path: / + port: {{ .Values.service.main.ports.main.targetPort }} + initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }} + periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }} + failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }} +{{- end -}} diff --git a/charts/incubator/blocky/templates/common.yaml b/charts/incubator/blocky/templates/common.yaml new file mode 100644 index 00000000000..5a906f353a2 --- /dev/null +++ b/charts/incubator/blocky/templates/common.yaml @@ -0,0 +1,50 @@ +{{/* Make sure all variables are set properly */}} +{{- include "tc.common.loader.init" . }} + +{{ include "blocky.configmap" . }} + +{{/* Always mount the configmap, with the basic config, plus the 'blockyConfig' */}} +{{- define "blocky.configmap.mount" -}} +enabled: true +type: custom +mountPath: /app/config/tc-config.yaml +subPath: tc-config.yaml +readOnly: true +volumeSpec: + configMap: + name: '{{ printf "%s-config" (include "tc.common.names.fullname" .) }}' +{{- end -}} + +{{/* Append the general configMap volume to the volumes */}} +{{- define "k8sgateway.configvolume" -}} +enabled: "true" +mountPath: "/etc/coredns" +readOnly: true +type: "custom" +volumeSpec: + configMap: + name: {{ include "tc.common.names.fullname" . }}-corefile + items: + - key: Corefile + path: Corefile +{{- end -}} + + +{{- $_ := set .Values.persistence "tc-config" (include "blocky.configmap.mount" . | fromYaml) -}} + +{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}} +{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}} +{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.main.ports.main.targetPort | quote) -}} + +{{- if .Values.blocky.enableWebUI -}} +{{- $_ := set .Values.additionalContainers "frontend" (include "blocky.frontend" . | fromYaml) -}} +{{- end -}} + +{{- if and .Values.k8sgateway.enabled .Values.k8sgateway.domains -}} +{{- include "k8sgateway.configmap" . }} +{{- $_ := set .Values.persistence "config-volume" (include "k8sgateway.configvolume" . | fromYaml) -}} +{{- $_ := set .Values.additionalContainers "k8sgateway" (include "k8sgateway.container" . | fromYaml) -}} +{{- end -}} + +{{/* Render the templates */}} +{{ include "tc.common.loader.apply" . }} diff --git a/charts/incubator/blocky/values.yaml b/charts/incubator/blocky/values.yaml new file mode 100644 index 00000000000..35b82c7d08f --- /dev/null +++ b/charts/incubator/blocky/values.yaml @@ -0,0 +1,338 @@ +image: + repository: spx01/blocky + tag: development@sha256:c55e676e89cee31edeee687d70f7ed957b727d61b5611e213809f7a0399fe4ef + # repository: tccr.io/truecharts/blocky + # tag: v0.19@sha256:77a474542f12f480deca33ff0a6375846918b86988c13f858620839d8818ca84 + pullPolicy: IfNotPresent + +WebUIImage: + repository: tccr.io/truecharts/blocky-frontend + tag: v0.0.3@sha256:81058f20520dcdb80c9883b6f21b338446fefc333e3ca8bd7d17336a24a5d842 + pullPolicy: IfNotPresent + +k8sgatewayImage: + repository: tccr.io/truecharts/k8s_gateway + pullPolicy: IfNotPresent + tag: 0.3.2@sha256:594fd6990eb2e0af1df7df8ba76cb3ca66232f46c5df5ebf786a45dd19777ae5 + +controller: + # -- Set additional annotations on the deployment/statefulset/daemonset + # -- Number of desired pods + replicas: 2 + # -- Set the controller upgrade strategy + # For Deployments, valid values are Recreate (default) and RollingUpdate. + # For StatefulSets, valid values are OnDelete and RollingUpdate (default). + # DaemonSets ignore this. + strategy: RollingUpdate + +# -- Blocky Config File content +blockyConfig: {} +# upstream: +# default: +# - 1.1.1.1 + +env: + BLOCKY_CONFIG_FILE: "/app/config/" + +blocky: + enableWebUI: true + enablePrometheus: true + +probes: + liveness: + enabled: + custom: true + spec: + exec: + command: + - /app/blocky + - healthcheck + readiness: + custom: true + spec: + exec: + command: + - /app/blocky + - healthcheck + startup: + custom: true + spec: + exec: + command: + - /app/blocky + - healthcheck + +service: + main: + ports: + main: + port: 10315 + protocol: HTTP + targetPort: 80 + dns-tcp: + enabled: true + ports: + dns-tcp: + enabled: true + port: 53 + targetPort: 53 + dns-udp: + enabled: true + ports: + dns-udp: + enabled: true + port: 53 + protocol: UDP + targetPort: 53 + dot: + enabled: true + ports: + dot: + enabled: true + port: 853 + protocol: TCP + targetPort: 853 + http: + enabled: true + ports: + http: + enabled: true + port: 4000 + protocol: HTTP + targetPort: 4000 + https: + enabled: true + ports: + https: + enabled: true + port: 4443 + protocol: HTTPS + targetPort: 4443 + k8sgateway: + enabled: true + ports: + k8sgateway: + enabled: true + port: 5353 + protocol: UDP + targetPort: 5353 + +## TODO Add support for SCALE certificates and certificates secrets here +certFile: "" +keyFile: "" +logLevel: info +logFormat: text +logTimestamp: true +logPrivacy: false +dohUserAgent: "" +minTlsServeVersion: 1.2 + +# -- set the default DNS upstream servers +# Primarily designed for inclusion in the TrueNAS SCALE GUI +defaultUpstreams: + - 1.1.1.1 + - 1.0.0.1 + - 8.8.8.8 + - 8.8.4.4 + - 9.9.9.9 + - 149.112.112.112 + - 208.67.222.222 + - 208.67.220.220 + - 8.26.56.26 + - 8.20.247.20 + - 185.228.168.9 + - 185.228.169.9 + - 76.76.19.19 + - 76.223.122.150 + - 76.76.2.0 + - 76.76.10.0 + +# -- set additional upstreams +# Primarily designed for inclusion in the TrueNAS SCALE GUI +upstreams: + # - name: group2 + # dnsservers: + # - 1.1.1.1 + +# -- set bootstrap dns (not needed) +# Ensures bootstrap encryption and ensure it doesn't use k8s dns +bootstrapDns: + # -- Upstream + upstream: "" + # -- IP's linked to upstream DoT/DoH DNS name + ips: [] + +# -- Return empty answer for these queries +filtering: + # -- Ensures filtering by query type + queryTypes: [] + +# -- Set manual custom DNS resolution +customDNS: + customTTL: 1h + filterUnmappedTypes: true + rewrite: [] + # - in: something.com + # out: somethingelse.com + mapping: [] + # - domain: something.com + # dnsserver: 192.168.178.1 + +# -- Setup client-name lookup +clientLookup: + # -- upstream used for client-name lookup + upstream: "" + singleNameOrder: [] + clients: + # - domain: laptop + # ips: [] + +# -- Setup caching +caching: + minTime: 5m + maxTime: 30m + maxItemsCount: 0 + prefetching: false + prefetchExpires: 2h + prefetchThreshold: 5 + prefetchMaxItemsCount: 0 + cacheTimeNegative: 30m + +# -- set conditional settings +# Primarily designed for inclusion in the TrueNAS SCALE GUI +conditional: + rewrite: [] + # - in: something.com + # out: somethingelse.com + mapping: [] + # - domain: something.com + # dnsserver: 192.168.178.1 + +# -- set blocking settings using Lists +# Primarily designed for inclusion in the TrueNAS SCALE GUI +blocking: + # -- Sets the blocktype + blockType: nxDomain + # -- Sets the block ttl + blockTTL: 6h + # -- Sets the block refreshPeriod + refreshPeriod: 4h + # -- Sets the block download timeout + downloadTimeout: 60s + # -- Sets the block download attempt count + downloadAttempts: 3 + # -- Sets the block download cooldown + downloadCooldown: 2s + # -- Set to fail start of lists cannot be downloaded + failStartOnListError: false + # -- Sets how many list-groups can be processed at the same time + processingConcurrency: 4 + # -- Add blocky whitelists + whitelist: [] + # - name: ads + # lists: + # - https://someurl.com/list.txt + # - /somefile.txt + + # -- Blocky blacklists + blacklist: [] + # - name: ads + # lists: + # - https://someurl.com/list.txt + # - /somefile.txt + + # -- Blocky clientGroupsBlock + clientGroupsBlock: [] + # - name: default + # groups: + # - ads + +# -- configure using hostsfile for lookups +# Allows for using the hosts configured in kubernetes and such +hostsFile: + enabled: false + filePath: /etc/hosts + hostsTTL: 60m + refreshPeriod: 30m + +## TODO: add this with postgresql support as well +# queryLog: +# type: csv +# target: /logs +# logRetentionDays: 0 +# creationAttempts: 3 +# CreationCooldown: 2 + +portal: + enabled: true + +serviceAccount: + main: + # -- Specifies whether a service account should be created + enabled: true + +# -- Create a ClusterRole and ClusterRoleBinding +# @default -- See below +rbac: + main: + # -- Enables or disables the ClusterRole and ClusterRoleBinding + enabled: true + + # -- Set Rules on the ClusterRole + rules: + - apiGroups: + - "" + resources: + - services + - namespaces + verbs: + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - list + - watch + +k8sgateway: + enabled: true + # -- TTL for non-apex responses (in seconds) + ttl: 300 + + # -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"] + watchedResources: [] + + # -- Service name of a secondary DNS server (should be `serviceName.namespace`) + secondary: "" + + # -- Override the default `serviceName.namespace` domain apex + apex: "" + + # -- list of processed domains + domains: [] + # -- Delegated domain + # - domain: "example.com" + # # -- Optional configuration option for DNS01 challenge that will redirect all acme + # # challenge requests to external cloud domain (e.g. managed by cert-manager) + # # See: https://cert-manager.io/docs/configuration/acme/dns01/ + # dnsChallenge: + # enabled: false + # domain: dns01.clouddns.com + + forward: + enabled: false + primary: tls://1.1.1.1 + secondary: tls://1.0.0.1 + options: + - name: tls_servername + value: cloudflare-dns.com + +unbound: + enabled: false + +redis: + enabled: true + existingSecret: "rediscreds" diff --git a/cspell.config.yaml b/cspell.config.yaml index 26abe2b759c..f26edaa71b8 100644 --- a/cspell.config.yaml +++ b/cspell.config.yaml @@ -21,6 +21,8 @@ words: - basicauthexample - batnoter - bazarr + - Blocklists + - blocktype - bugfixer's - bungeecord - cacher @@ -28,12 +30,15 @@ words: - cheatsheet - chronos - cifs + - clouddns - cloudflared - cloudflareddns - collabora - configfile + - configfiles - configmap - containo + - cooldown - crossplay - csgo - cuda @@ -46,6 +51,8 @@ words: - ddns - djava - dnat + - dnsserver + - dnsservers - dockerized - duplicati - dynmap @@ -65,6 +72,7 @@ words: - gibibyte - gluster - goauthentik + - Groupname - gunicorn - healthcheck - healthchecks @@ -196,9 +204,13 @@ words: - Scipy - selfsigned - serverconfig + - servername - serverstransports - serviceexpert + - sgateway - smallblock + - somefile + - somethingelse - sonarr - sonarrsabnzbd - sonatype @@ -235,6 +247,7 @@ words: - umami - unet - unifi + - Upstreams - userspace - vaapi - valheim