pihole.yaml
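---
# Flux HelmRelease that installs the `pihole` chart from the mojo2600-charts
# HelmRepository into the `default` namespace.
#
# The ${...} placeholders are not resolved by YAML or by Helm. Presumably they
# are filled in by Flux post-build variable substitution before this object is
# applied - confirm against the Kustomization that includes this file.
# Substituted values are quoted below so that the result is always parsed as a
# string, whatever the variable contains.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: pihole
  namespace: default
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://mojo2600.github.io/pihole-kubernetes
      chart: pihole
      version: 2.27.0
      sourceRef:
        kind: HelmRepository
        name: mojo2600-charts
        namespace: flux-system
      interval: 5m
  values:
    monitoring:
      podMonitor:
        enabled: true
      # Metrics exporter sidecar; the image is pinned by tag only, not digest.
      sidecar:
        enabled: true
        image:
          pullPolicy: "IfNotPresent"
          repository: "ekofr/pihole-exporter"
          tag: "v0.4.0"
        port: 9617
        resources:
          limits:
            memory: "128Mi"
    # DNS-over-HTTPS upstream via a cloudflared container.
    # NOTE(review): the image is pinned by tag only and no renovate hint covers
    # it in this file; the date-style tag suggests a 2021 build - check whether
    # it is still kept up to date.
    doh:
      enabled: true
      name: "cloudflared"
      repository: "crazymax/cloudflared"
      tag: "2021.5.7"
    serviceDhcp:
      enabled: false
    # DNS is published on a MetalLB LoadBalancer address.
    # externalTrafficPolicy: Local preserves the client source IP.
    serviceDns:
      type: LoadBalancer
      externalTrafficPolicy: Local
      loadBalancerIP: "${SVC_PIHOLE_IP}"
      annotations:
        metallb.universe.tf/allow-shared-ip: pihole-svc
    # NOTE(review): the admin web UI is published on the same LoadBalancer
    # address as DNS. Requests that arrive this way do not pass through the
    # ingress defined below, so its auth-url / auth-signin check does not apply
    # to them and only the Pi-hole admin password protects this path. If the UI
    # is meant to be reached only through the ingress, a ClusterIP service
    # would close that bypass - confirm intent.
    serviceWeb:
      type: LoadBalancer
      externalTrafficPolicy: Local
      loadBalancerIP: "${SVC_PIHOLE_IP}"
      annotations:
        metallb.universe.tf/allow-shared-ip: pihole-svc
    virtualHost: "pihole.k.${SECRET_DOMAIN}"
    ingress:
      enabled: true
      ingressClassName: nginx-internal
      annotations:
        kubernetes.io/tls-acme: "true"
        cert-manager.io/cluster-issuer: letsencrypt-prod
        # ingress-nginx external authentication: each request is checked
        # against auth-url, and unauthenticated users are sent to auth-signin.
        nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_DOMAIN}"
        nginx.ingress.kubernetes.io/auth-url: "https://auth.${SECRET_DOMAIN}/api/authz/auth-request"
      path: /
      hosts:
        - "pihole.k.${SECRET_DOMAIN}"
      tls:
        - secretName: pihole2-cert
          hosts:
            - "pihole.k.${SECRET_DOMAIN}"
    # No persistent volume is requested. Presumably state changed at runtime
    # (UI settings, query history) is not expected to survive pod replacement
    # - confirm.
    persistentVolumeClaim:
      enabled: false
    tolerations:
      - key: "arm"
        operator: "Exists"
    replicaCount: 1
    # topologySpreadConstraints:
    #   - maxSkew: 1
    #     topologyKey: kubernetes.io/arch
    #     whenUnsatisfiable: DoNotSchedule
    #     labelSelector:
    #       matchLabels:
    #         release: pihole
    #   - maxSkew: 1
    #     topologyKey: kubernetes.io/hostname
    #     whenUnsatisfiable: DoNotSchedule
    #     labelSelector:
    #       matchLabels:
    #         release: pihole
    # Quoted so that an all-digit or boolean-looking password is not retyped
    # when the substituted manifest is parsed.
    # NOTE(review): once substituted, the password sits in clear text in the
    # HelmRelease spec, readable by anyone who can read HelmReleases in this
    # namespace. Supplying it through the Secret referenced in valuesFrom would
    # keep it out of this object. Inline values override valuesFrom, so this
    # key would have to be removed here for the Secret's value to take effect.
    adminPassword: "${SECRET_PIHOLE_ADMIN_PASSWORD}"
    extraEnvVars:
      # NOTE(review): "0/0" is the pihole-FTL value that turns per-client query
      # rate limiting off. With DNS published on a LoadBalancer, one
      # misbehaving client can then load the resolver without any cap, unless
      # something upstream restricts who can reach it. Whether the container
      # image reads a plain RATE_LIMIT variable depends on the image version
      # - verify.
      RATE_LIMIT: "0/0"
  # Extra chart values read from a Secret and merged beneath the inline values
  # above.
  valuesFrom:
    - kind: Secret
      name: pihole-helm-values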