update(squid): use rootless chart

2024-09-20 15:38:59 +00:00 · 2022-12-10 15:27:23 +01:00 · 2022-12-10 15:27:23 +01:00 · 7baf6653ef
parent 30877807a1
commit 7baf6653ef
2 changed files with 93 additions and 75 deletions
--- a/projects/services/project.yml
+++ b/projects/services/project.yml
@ -3,9 +3,9 @@ config:
 apps:
 - name: proxy
  namespace: proxy
-  repoURL: https://github.com/Nold360/lifen-charts
-  path: squid
-  targetRevision: f/squid_ingress_fix
+  repoURL: https://lib42.github.io/charts
+  chart: squid
+  targetRevision: 1.0.0

 - name: minio
  namespace: minio
--- a/projects/services/values/proxy.yaml
+++ b/projects/services/values/proxy.yaml
@ -1,88 +1,54 @@
-# Default values for squid.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
+---
 image:
  repository: lib42/squid
-  tag: latest
+  tag: "latest"
  pullPolicy: Always
-  # imagePullSecrets:

-service:
-  type: ClusterIP
-  #loadBalancerSourceRanges: ""
-  #loadBalancerIP: ""
-  port: 80
-  # annotations: {}
+configMaps:
+  config:
+    enabled: true
+    data:
+      squid.conf: |
+        acl SSL_ports port 443
+        acl Safe_ports port 80		# http
+        acl Safe_ports port 443		# https
+        acl CONNECT method CONNECT

-ingress:
-  enabled: true
-  annotations:
-    cert-manager.io/cluster-issuer: vault-issuer
-    traefik.ingress.kubernetes.io/router.tls: 'true'
-  path: /
-  hosts:
-    - proxy.dc
-  tls:
-    - secretName: proxy-tls
-      hosts:
-        - proxy.dc
+        # Reject local network
+        acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

-config: |
-  acl SSL_ports port 443
-  acl Safe_ports port 80		# http
-  acl Safe_ports port 443		# https
-  acl CONNECT method CONNECT
+        # Recommended minimum Access Permission configuration:
+        #
+        # Deny requests to certain unsafe ports
+        http_access deny !Safe_ports

-  acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+        # Only allow cachemgr access from localhost
+        http_access allow localhost manager
+        http_access deny manager

-  # Recommended minimum Access Permission configuration:
-  #
-  # Deny requests to certain unsafe ports
-  http_access deny !Safe_ports
+        http_access deny restricted_destination_subnetworks

-  # Only allow cachemgr access from localhost
-  http_access allow localhost manager
-  http_access deny manager
+        # Squid normally listens to port 3128
+        http_port 3128

-  http_access deny restricted_destination_subnetworks
+        # Uncomment and adjust the following to add a disk cache directory.
+        #cache_dir ufs /var/cache/squid 100 16 256

-  # Squid normally listens to port 3128
-  http_port 3128
+        # Leave coredumps in the first cache dir
+        coredump_dir /var/cache/squid

-  # Uncomment and adjust the following to add a disk cache directory.
-  #cache_dir ufs /var/cache/squid 100 16 256
+        #
+        # Add any of your own refresh_pattern entries above these.
+        #
+        refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+        refresh_pattern .		0	20%	4320

-  # Leave coredumps in the first cache dir
-  coredump_dir /var/cache/squid
+        # Do not display squid version
+        httpd_suppress_version_string on

-  #
-  # Add any of your own refresh_pattern entries above these.
-  #
-  refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
-  refresh_pattern .		0	20%	4320
-
-  # Do not display squid version
-  httpd_suppress_version_string on
-
-
-resources:
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-metrics:
-  enabled: false
-  serviceMonitor: false
-  exporter:
-    port: 9301
-    resources: {}
-    image:
-      repository: boynux/squid-exporter
-      tag: v1.9
-      pullPolicy: IfNotPresent
+controller:
+  replicas: 1
+  strategy: RollingUpdate

 podSecurityContext:
  runAsUser: 31
@ -92,8 +58,60 @@ podSecurityContext:
 securityContext:
  runAsNonRoot: true
  privileged: false
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
+
+ingress:
+  main:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: "vault-issuer"
+      traefik.ingress.kubernetes.io/router.tls: 'true'
+      nginx.ingress.kubernetes.io/proxy-body-size: 50m
+    hosts:
+      - host: proxy.dc
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: squid-tls
+        hosts:
+           - proxy.dc
+
+service:
+  main:
+    enabled: true
+    ports:
+      http:
+        port: 3128
+
+persistence:
+  config:
+    name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'
+    enabled: true
+    type: configMap
+    mountPath: /etc/squid/squid.conf
+    subPath: squid.conf
+
+  cache:
+    enabled: true
+    type: emptyDir
+    mountPath: /var/cache/squid
+
+  varrun:
+    enabled: true
+    type: emptyDir
+    mountPath: /var/run
+
+  varlog:
+    enabled: true
+    type: emptyDir
+    mountPath: /var/log/squid
+
+## VPN
+addons:
+  vpn:
+    enabled: false