update(squid): use rootless chart

2024-09-20 23:48:59 +00:00 · 2022-12-10 15:27:23 +01:00 · 2022-12-10 15:27:23 +01:00 · 7baf6653ef
parent 30877807a1
commit 7baf6653ef
2 changed files with 93 additions and 75 deletions
--- a/projects/services/project.yml
+++ b/projects/services/project.yml
@ -3,9 +3,9 @@ config:
 apps:
 - name: proxy
  namespace: proxy
-  repoURL: https://github.com/Nold360/lifen-charts
+  repoURL: https://lib42.github.io/charts
-  path: squid
+  chart: squid
-  targetRevision: f/squid_ingress_fix
+  targetRevision: 1.0.0
 - name: minio
  namespace: minio
--- a/projects/services/values/proxy.yaml
+++ b/projects/services/values/proxy.yaml
@ -1,88 +1,54 @@
-# Default values for squid.
+---
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
  repository: lib42/squid
-  tag: latest
+  tag: "latest"
  pullPolicy: Always
  # imagePullSecrets:
-service:
+configMaps:
-  type: ClusterIP
+  config:
-  #loadBalancerSourceRanges: ""
+    enabled: true
-  #loadBalancerIP: ""
+    data:
-  port: 80
+      squid.conf: |
-  # annotations: {}
+        acl SSL_ports port 443
        acl Safe_ports port 80		# http
        acl Safe_ports port 443		# https
        acl CONNECT method CONNECT
-ingress:
+        # Reject local network
-  enabled: true
+        acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  annotations:
    cert-manager.io/cluster-issuer: vault-issuer
    traefik.ingress.kubernetes.io/router.tls: 'true'
  path: /
  hosts:
    - proxy.dc
  tls:
    - secretName: proxy-tls
      hosts:
        - proxy.dc
-config: |
+        # Recommended minimum Access Permission configuration:
-  acl SSL_ports port 443
+        #
-  acl Safe_ports port 80		# http
+        # Deny requests to certain unsafe ports
-  acl Safe_ports port 443		# https
+        http_access deny !Safe_ports
  acl CONNECT method CONNECT
-  acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+        # Only allow cachemgr access from localhost
        http_access allow localhost manager
        http_access deny manager
-  # Recommended minimum Access Permission configuration:
+        http_access deny restricted_destination_subnetworks
  #
  # Deny requests to certain unsafe ports
  http_access deny !Safe_ports
-  # Only allow cachemgr access from localhost
+        # Squid normally listens to port 3128
-  http_access allow localhost manager
+        http_port 3128
  http_access deny manager
-  http_access deny restricted_destination_subnetworks
+        # Uncomment and adjust the following to add a disk cache directory.
        #cache_dir ufs /var/cache/squid 100 16 256
-  # Squid normally listens to port 3128
+        # Leave coredumps in the first cache dir
-  http_port 3128
+        coredump_dir /var/cache/squid
-  # Uncomment and adjust the following to add a disk cache directory.
+        #
-  #cache_dir ufs /var/cache/squid 100 16 256
+        # Add any of your own refresh_pattern entries above these.
        #
        refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
        refresh_pattern .		0	20%	4320
-  # Leave coredumps in the first cache dir
+        # Do not display squid version
-  coredump_dir /var/cache/squid
+        httpd_suppress_version_string on
-  #
+controller:
-  # Add any of your own refresh_pattern entries above these.
+  replicas: 1
-  #
+  strategy: RollingUpdate
  refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
  refresh_pattern .		0	20%	4320
  # Do not display squid version
  httpd_suppress_version_string on
 resources:
  limits:
    cpu: 500m
    memory: 512Mi
 metrics:
  enabled: false
  serviceMonitor: false
  exporter:
    port: 9301
    resources: {}
    image:
      repository: boynux/squid-exporter
      tag: v1.9
      pullPolicy: IfNotPresent
 podSecurityContext:
  runAsUser: 31
@ -92,8 +58,60 @@ podSecurityContext:
 securityContext:
  runAsNonRoot: true
  privileged: false
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
 ingress:
  main:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: "vault-issuer"
      traefik.ingress.kubernetes.io/router.tls: 'true'
      nginx.ingress.kubernetes.io/proxy-body-size: 50m
    hosts:
      - host: proxy.dc
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: squid-tls
        hosts:
           - proxy.dc
 service:
  main:
    enabled: true
    ports:
      http:
        port: 3128
 persistence:
  config:
    name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'
    enabled: true
    type: configMap
    mountPath: /etc/squid/squid.conf
    subPath: squid.conf
  cache:
    enabled: true
    type: emptyDir
    mountPath: /var/cache/squid
  varrun:
    enabled: true
    type: emptyDir
    mountPath: /var/run
  varlog:
    enabled: true
    type: emptyDir
    mountPath: /var/log/squid
 ## VPN
 addons:
  vpn:
    enabled: false