# Default values for squid.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: lib42/squid
  tag: latest
  pullPolicy: Always
  # imagePullSecrets:

service:
  type: ClusterIP
  #loadBalancerSourceRanges: ""
  #loadBalancerIP: ""
  port: 80
  # annotations: {}

ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: vault-issuer
    traefik.ingress.kubernetes.io/router.tls: 'true'
  path: /
  hosts:
    - proxy.dc
  tls:
    - secretName: proxy-tls
      hosts:
        - proxy.dc

config: |
  acl SSL_ports port 443
  acl Safe_ports port 80		# http
  acl Safe_ports port 443		# https
  acl CONNECT method CONNECT

  acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

  # Recommended minimum Access Permission configuration:
  #
  # Deny requests to certain unsafe ports
  http_access deny !Safe_ports

  # Only allow cachemgr access from localhost
  http_access allow localhost manager
  http_access deny manager

  http_access deny restricted_destination_subnetworks

  # Squid normally listens to port 3128
  http_port 3128

  # Uncomment and adjust the following to add a disk cache directory.
  #cache_dir ufs /var/cache/squid 100 16 256

  # Leave coredumps in the first cache dir
  coredump_dir /var/cache/squid

  #
  # Add any of your own refresh_pattern entries above these.
  #
  refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
  refresh_pattern .		0	20%	4320

  # Do not display squid version
  httpd_suppress_version_string on


resources:
  limits:
    cpu: 500m
    memory: 512Mi

metrics:
  enabled: false
  serviceMonitor: false
  exporter:
    port: 9301
    resources: {}
    image:
      repository: boynux/squid-exporter
      tag: v1.9
      pullPolicy: IfNotPresent

podSecurityContext:
  runAsUser: 31
  runAsGroup: 31
  fsGroup: 31

securityContext:
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL