pihole.toml settings with root owner not merged into pihole.toml.tmp

[16mc1r]

Versions

• Core version is v6.1.2 (Latest: v6.1.2)
• Web version is v6.2.1 (Latest: v6.2.1)
• FTL version is v6.2.3 (Latest: v6.2.3)
• Docker 2025.06.2

Platform

• OS and version: Ubuntu noble 24.04 x86_64

• Platform: MicroK8s v1.32.3 revision 8148

Expected behavior

I provide a pihole.toml as a configMap. Pihole should use these values for configuration. If the provided pihole.toml is read-only or the owner cannot be changed to pihole:pihole the file should be copied and used as base for pihole.toml.tmp .

mounting in deployment

# spec in deployment
        - name: pihole-config
          mountPath: "/etc/pihole/pihole.toml"
          subPath: "pihole.toml"

# volumes
      - name: pihole-config
        configMap:
          name: pihole-toml
          defaultMode: 0777

Actual behavior / bug

The values are correctly picked up with pihole -d in pihole.toml section, but not merged into pihole.toml.tmp. The file is read-writable, but due to k8s configMap behaviour the owner is root.

Steps to reproduce

Steps to reproduce the behavior:

mount a pihole.toml in k8s as a configMap or insert pihole.toml with root owner into etc/pihole/

Debug Token

• URL: https://tricorder.pi-hole.net/b1kBOWoq/

Additional context

The volume mounts are local for my dev machine only. Providing pihole.toml via a persistent mount defeats the point of moving as much config as possible into configMaps to make it reproducible across deployments.

depyloment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pihole
  labels:
    app: pihole
  namespace: pihole
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pihole
  template:
    metadata:
      labels:
        app: pihole
    spec:
      nodeSelector:
        kubernetes.io/hostname: nuc
      containers:
      - name: pihole
        image: pihole/pihole:2025.06.2
        imagePullPolicy: IfNotPresent
        env:
        - name: TZ
          value: "Europe/Berlin'"
        - name: FTLCONF_webserver_api_password
          valueFrom:
            secretKeyRef:
              name: pihole-web-pw
              key: password
        ports:
        - containerPort: 80
          name: pihole-http
          protocol: TCP
        - containerPort: 53
          name: dns
          protocol: TCP
        - containerPort: 53
          name: dns-udp
          protocol: UDP
        - containerPort: 443
          name: pihole-ssl
          protocol: TCP
        - containerPort: 67
          name: client-udp
          protocol: UDP
        volumeMounts:
        - name: pihole-local-etc-volume
          mountPath: "/etc/pihole"
        - name: pihole-local-log-volume
          mountPath: "/var/log/pihole"
        - name: adlists
          mountPath: "/etc/pihole/adlists.list"
          subPath: adlists.list
        - name: pihole-config
          mountPath: "/etc/pihole/pihole.toml"
          subPath: "pihole.toml"
        securityContext:
          capabilities:        
            add:
              - NET_ADMIN
        resources:
          requests:
            memory: "250Mi"
            cpu: "250m"
          limits:
            memory: "1Gi"
      restartPolicy: Always
      volumes:
      - name: pihole-local-etc-volume
        persistentVolumeClaim:
          claimName: pihole-local-etc-claim
      - name: pihole-local-log-volume
        persistentVolumeClaim:
          claimName: pihole-local-log-claim
      - name: adlists
        configMap:
          defaultMode: 0777
          name: pihole-adlists
      - name: pihole-config
        configMap:
          name: pihole-toml
          defaultMode: 0777

[PromoFaux]

Personally, I've no idea where even to begin with k8s, but...

The volume mounts are local for my dev machine only. Providing pihole.toml via a persistent mount defeats the point of moving as much config as possible into configMaps to make it reproducible across deployments.

All settings within pihole.toml are configurable by passing in environment variables to the container. This should satisfy the "make it reproducible across deployments" aspect

[16mc1r]

Thanks,
the envvars work but have the downside of making all associated settings read only. I like to be able to test or adjust settings via the gui on the fly and persist them via manifests / config file if they stick.

Ideally pihole would integrate a root owned toml in its temporary toml. With that i could try ephemeral settings via gui and have the advantage of cleanly definded and source controlled configs via configmaps.

With the current situation there seems to be little point to toml files if i cant use them to inject these settings.

[16mc1r]

For any other k8s enthusiast out there, you can achieve configuring pihole via pihole.toml using an initContainer that copies the file (from a configMap) to /etc/pihole and set the correct user/mode. If your toml is valid its picked up by pihole.