hive-apps/projects/services/values/proxy.yaml

---
image:
  repository: lib42/squid
  tag: "latest"
  pullPolicy: Always

configMaps:
  config:
    enabled: true
    data:
      squid.conf: |
        acl SSL_ports port 443
        acl Safe_ports port 80		# http
        acl Safe_ports port 443		# https
        acl CONNECT method CONNECT

        # Reject local network
        acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

        # Recommended minimum Access Permission configuration:
        #
        # Deny requests to certain unsafe ports
        http_access deny !Safe_ports

        # Only allow cachemgr access from localhost
        http_access allow localhost manager
        http_access deny manager

        http_access deny restricted_destination_subnetworks

        # Squid normally listens to port 3128
        http_port 3128

        # Uncomment and adjust the following to add a disk cache directory.
        #cache_dir ufs /var/cache/squid 100 16 256

        # Leave coredumps in the first cache dir
        coredump_dir /var/cache/squid

        #
        # Add any of your own refresh_pattern entries above these.
        #
        refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
        refresh_pattern .		0	20%	4320

        # Do not display squid version
        httpd_suppress_version_string on

controller:
  replicas: 1
  strategy: RollingUpdate

podSecurityContext:
  runAsUser: 31
  runAsGroup: 31
  fsGroup: 31

securityContext:
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL

ingress:
  main:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: "vault-issuer"
      traefik.ingress.kubernetes.io/router.tls: 'true'
      nginx.ingress.kubernetes.io/proxy-body-size: 50m
    hosts:
      - host: proxy.dc
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: squid-tls
        hosts:
           - proxy.dc

service:
  main:
    enabled: true
    ports:
      http:
        port: 3128

persistence:
  config:
    name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'
    enabled: true
    type: configMap
    mountPath: /etc/squid/squid.conf
    subPath: squid.conf

  cache:
    enabled: true
    type: emptyDir
    mountPath: /var/cache/squid

  varrun:
    enabled: true
    type: emptyDir
    mountPath: /var/run

  varlog:
    enabled: true
    type: emptyDir
    mountPath: /var/log/squid

## VPN
addons:
  vpn:
    enabled: false
update(squid): use rootless chart 2022-12-10 14:27:23 +00:00			`---`
App Migration 2021-11-28 10:16:31 +00:00			`image:`
update(proxy): use lib42/squid 2022-12-10 11:40:08 +00:00			`repository: lib42/squid`
update(squid): use rootless chart 2022-12-10 14:27:23 +00:00			`tag: "latest"`
update(proxy): use lib42/squid 2022-12-10 11:40:08 +00:00			`pullPolicy: Always`
App Migration 2021-11-28 10:16:31 +00:00
update(squid): use rootless chart 2022-12-10 14:27:23 +00:00			`configMaps:`
			`config:`
			`enabled: true`
			`data:`
			`squid.conf: \|`
			`acl SSL_ports port 443`
			`acl Safe_ports port 80 # http`
			`acl Safe_ports port 443 # https`
			`acl CONNECT method CONNECT`
App Migration 2021-11-28 10:16:31 +00:00
update(squid): use rootless chart 2022-12-10 14:27:23 +00:00			`# Reject local network`
			`acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16`

			`# Recommended minimum Access Permission configuration:`
			`#`
			`# Deny requests to certain unsafe ports`
			`http_access deny !Safe_ports`

			`# Only allow cachemgr access from localhost`
			`http_access allow localhost manager`
			`http_access deny manager`

			`http_access deny restricted_destination_subnetworks`

			`# Squid normally listens to port 3128`
			`http_port 3128`

			`# Uncomment and adjust the following to add a disk cache directory.`
			`#cache_dir ufs /var/cache/squid 100 16 256`

			`# Leave coredumps in the first cache dir`
			`coredump_dir /var/cache/squid`

			`#`
			`# Add any of your own refresh_pattern entries above these.`
			`#`
			`refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0`
			`refresh_pattern . 0 20% 4320`

			`# Do not display squid version`
			`httpd_suppress_version_string on`

			`controller:`
			`replicas: 1`
			`strategy: RollingUpdate`
update(proxy): use lib42/squid 2022-12-10 11:40:08 +00:00
			`podSecurityContext:`
			`runAsUser: 31`
			`runAsGroup: 31`
			`fsGroup: 31`

			`securityContext:`
			`runAsNonRoot: true`
			`privileged: false`
update(squid): use rootless chart 2022-12-10 14:27:23 +00:00			`readOnlyRootFilesystem: true`
update(proxy): use lib42/squid 2022-12-10 11:40:08 +00:00			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop:`
			`- ALL`
update(squid): use rootless chart 2022-12-10 14:27:23 +00:00
			`ingress:`
			`main:`
			`enabled: true`
			`annotations:`
			`cert-manager.io/cluster-issuer: "vault-issuer"`
			`traefik.ingress.kubernetes.io/router.tls: 'true'`
			`nginx.ingress.kubernetes.io/proxy-body-size: 50m`
			`hosts:`
			`- host: proxy.dc`
			`paths:`
			`- path: /`
			`pathType: Prefix`
			`tls:`
			`- secretName: squid-tls`
			`hosts:`
			`- proxy.dc`

			`service:`
			`main:`
			`enabled: true`
			`ports:`
			`http:`
			`port: 3128`

			`persistence:`
			`config:`
			`name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'`
			`enabled: true`
			`type: configMap`
			`mountPath: /etc/squid/squid.conf`
			`subPath: squid.conf`

			`cache:`
			`enabled: true`
			`type: emptyDir`
			`mountPath: /var/cache/squid`

			`varrun:`
			`enabled: true`
			`type: emptyDir`
			`mountPath: /var/run`

			`varlog:`
			`enabled: true`
			`type: emptyDir`
			`mountPath: /var/log/squid`

			`## VPN`
			`addons:`
			`vpn:`
			`enabled: false`