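---
# Helm values for a Squid forward proxy. The keys follow the bjw-s common
# library chart layout (see the template helper used under persistence.config).

image:
  repository: lib42/squid
  # NOTE(review): a floating tag combined with pullPolicy Always means every
  # pod restart can run different, unreviewed image contents. Pin a version
  # tag or an image digest once a vetted build is chosen.
  tag: "latest"
  pullPolicy: Always

configMaps:
  config:
    enabled: true
    data:
      # Rendered verbatim into /etc/squid/squid.conf (see persistence.config).
      squid.conf: |
        acl SSL_ports port 443
        acl Safe_ports port 80          # http
        acl Safe_ports port 443         # https
        acl CONNECT method CONNECT

        # Reject local network, loopback and link-local destinations.
        # 169.254.0.0/16 is where cloud instance-metadata endpoints live, and
        # 127.0.0.0/8 reaches services bound inside the proxy pod itself.
        # NOTE(review): IPv6 loopback / ULA / link-local ranges are not listed;
        # add them if the pod has IPv6 egress.
        acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
        acl restricted_destination_subnetworks dst 127.0.0.0/8 169.254.0.0/16

        # Recommended minimum Access Permission configuration:
        #
        # Deny requests to certain unsafe ports
        http_access deny !Safe_ports

        # Deny CONNECT to other than secure SSL ports.
        # SSL_ports and CONNECT were defined above but never enforced, which
        # left CONNECT tunnels open to every Safe_ports entry (including 80).
        http_access deny CONNECT !SSL_ports

        # Only allow cachemgr access from localhost
        http_access allow localhost manager
        http_access deny manager

        http_access deny restricted_destination_subnetworks

        # NOTE(review): no rule here matches ordinary client requests, so Squid
        # falls back to the opposite of the last http_access line (a deny) and
        # allows them. There is no client (src) ACL or authentication; confirm
        # that is intended, or allow a named src ACL and finish with
        # "http_access deny all" so the policy does not depend on rule order.

        # Squid normally listens to port 3128
        http_port 3128

        # Uncomment and adjust the following to add a disk cache directory.
        #cache_dir ufs /var/cache/squid 100 16 256

        # Leave coredumps in the first cache dir
        coredump_dir /var/cache/squid

        #
        # Add any of your own refresh_pattern entries above these.
        #
        refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
        refresh_pattern . 0 20% 4320

        # Do not display squid version
        httpd_suppress_version_string on

controller:
  replicas: 1
  strategy: RollingUpdate

# Run as an unprivileged UID/GID; fsGroup makes the mounted volumes writable
# for that group.
podSecurityContext:
  runAsUser: 31
  runAsGroup: 31
  fsGroup: 31

# Container hardening: non-root, no privilege escalation, no capabilities and
# a read-only root filesystem. The emptyDir mounts under persistence provide
# the writable paths.
securityContext:
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

# NOTE(review): this publishes the proxy through the ingress controller.
# squid.conf carries no client ACL or authentication, so access control rests
# on who can reach proxy.dc - confirm that matches the intended exposure.
ingress:
  main:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: "vault-issuer"
      traefik.ingress.kubernetes.io/router.tls: 'true'
      nginx.ingress.kubernetes.io/proxy-body-size: 50m
    hosts:
      - host: proxy.dc
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: squid-tls
        hosts:
          - proxy.dc

service:
  main:
    enabled: true
    ports:
      http:
        port: 3128

persistence:
  # Mounts the squid.conf key of the ConfigMap above as a single file.
  config:
    name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'
    enabled: true
    type: configMap
    mountPath: /etc/squid/squid.conf
    subPath: squid.conf
  # Writable scratch volumes, needed because the root filesystem is read-only.
  cache:
    enabled: true
    type: emptyDir
    mountPath: /var/cache/squid
  varrun:
    enabled: true
    type: emptyDir
    mountPath: /var/run
  varlog:
    enabled: true
    type: emptyDir
    mountPath: /var/log/squid

## VPN
addons:
  vpn:
    enabled: false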