update(squid): use rootless chart

nold 2022-12-10 15:27:23 +01:00
parent 30877807a1
commit 7baf6653ef
2 changed files with 93 additions and 75 deletions


@ -3,9 +3,9 @@ config:
apps: apps:
- name: proxy - name: proxy
namespace: proxy namespace: proxy
repoURL: https://github.com/Nold360/lifen-charts repoURL: https://lib42.github.io/charts
path: squid chart: squid
targetRevision: f/squid_ingress_fix targetRevision: 1.0.0
- name: minio - name: minio
namespace: minio namespace: minio


@ -1,41 +1,20 @@
# Default values for squid. ---
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image: image:
repository: lib42/squid repository: lib42/squid
tag: latest tag: "latest"
pullPolicy: Always pullPolicy: Always
# imagePullSecrets:
service: configMaps:
type: ClusterIP config:
#loadBalancerSourceRanges: ""
#loadBalancerIP: ""
port: 80
# annotations: {}
ingress:
enabled: true enabled: true
annotations: data:
cert-manager.io/cluster-issuer: vault-issuer squid.conf: |
traefik.ingress.kubernetes.io/router.tls: 'true'
path: /
hosts:
- proxy.dc
tls:
- secretName: proxy-tls
hosts:
- proxy.dc
config: |
acl SSL_ports port 443 acl SSL_ports port 443
acl Safe_ports port 80 # http acl Safe_ports port 80 # http
acl Safe_ports port 443 # https acl Safe_ports port 443 # https
acl CONNECT method CONNECT acl CONNECT method CONNECT
# Reject local network
acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# Recommended minimum Access Permission configuration: # Recommended minimum Access Permission configuration:
@ -67,22 +46,9 @@ config: |
# Do not display squid version # Do not display squid version
httpd_suppress_version_string on httpd_suppress_version_string on
controller:
resources: replicas: 1
limits: strategy: RollingUpdate
cpu: 500m
memory: 512Mi
metrics:
enabled: false
serviceMonitor: false
exporter:
port: 9301
resources: {}
image:
repository: boynux/squid-exporter
tag: v1.9
pullPolicy: IfNotPresent
podSecurityContext: podSecurityContext:
runAsUser: 31 runAsUser: 31
@ -92,8 +58,60 @@ podSecurityContext:
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
privileged: false privileged: false
readOnlyRootFilesystem: false readOnlyRootFilesystem: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
drop: drop:
- ALL - ALL
ingress:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: "vault-issuer"
traefik.ingress.kubernetes.io/router.tls: 'true'
nginx.ingress.kubernetes.io/proxy-body-size: 50m
hosts:
- host: proxy.dc
paths:
- path: /
pathType: Prefix
tls:
- secretName: squid-tls
hosts:
- proxy.dc
service:
main:
enabled: true
ports:
http:
port: 3128
persistence:
config:
name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'
enabled: true
type: configMap
mountPath: /etc/squid/squid.conf
subPath: squid.conf
cache:
enabled: true
type: emptyDir
mountPath: /var/cache/squid
varrun:
enabled: true
type: emptyDir
mountPath: /var/run
varlog:
enabled: true
type: emptyDir
mountPath: /var/log/squid
## VPN
addons:
vpn:
enabled: false
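Review bot: The new values appear to drop the `resources.limits` block (`cpu: 500m`, `memory: 512Mi`) that the old file carried, and the `emptyDir` volumes added under `persistence` (`cache`, `varrun`, `varlog`) have no size bound. With `readOnlyRootFilesystem: true` all cache and log writes land in those volumes, so a busy or misused proxy can grow them until the node runs short of ephemeral storage or memory. I would restore a top-level `resources:` block with the previous limits and, if the chart's persistence schema accepts it, add `sizeLimit: <size>` to the `cache` and `varlog` entries. Separately, `tag: "latest"` with `pullPolicy: Always` leaves the image floating although the chart itself is now pinned to `1.0.0`; pinning a version tag or digest would make each rollout reviewable. The squid.conf lines between the hunks are not shown, so the ACLs behind the `proxy.dc` ingress could not be checked here.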