---
image:
  repository: lib42/squid
  tag: "latest"
  pullPolicy: Always

configMaps:
  config:
    enabled: true
    data:
      squid.conf: |
        acl SSL_ports port 443
        acl Safe_ports port 80		# http
        acl Safe_ports port 443		# https
        acl CONNECT method CONNECT

        # Reject local network
        acl restricted_destination_subnetworks dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

        # Recommended minimum Access Permission configuration:
        #
        # Deny requests to certain unsafe ports
        http_access deny !Safe_ports

        # Only allow cachemgr access from localhost
        http_access allow localhost manager
        http_access deny manager

        http_access deny restricted_destination_subnetworks

        # Squid normally listens to port 3128
        http_port 3128

        # Uncomment and adjust the following to add a disk cache directory.
        #cache_dir ufs /var/cache/squid 100 16 256

        # Leave coredumps in the first cache dir
        coredump_dir /var/cache/squid

        #
        # Add any of your own refresh_pattern entries above these.
        #
        refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
        refresh_pattern .		0	20%	4320

        # Do not display squid version
        httpd_suppress_version_string on

controller:
  replicas: 1
  strategy: RollingUpdate

podSecurityContext:
  runAsUser: 31
  runAsGroup: 31
  fsGroup: 31

securityContext:
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL

ingress:
  main:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: "vault-issuer"
      traefik.ingress.kubernetes.io/router.tls: 'true'
      nginx.ingress.kubernetes.io/proxy-body-size: 50m
    hosts:
      - host: proxy.dc
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: squid-tls
        hosts:
           - proxy.dc

service:
  main:
    enabled: true
    ports:
      http:
        port: 3128

persistence:
  config:
    name: '{{ include "bjw-s.common.lib.chart.names.fullname" . -}}-config'
    enabled: true
    type: configMap
    mountPath: /etc/squid/squid.conf
    subPath: squid.conf

  cache:
    enabled: true
    type: emptyDir
    mountPath: /var/cache/squid

  varrun:
    enabled: true
    type: emptyDir
    mountPath: /var/run

  varlog:
    enabled: true
    type: emptyDir
    mountPath: /var/log/squid

## VPN
addons:
  vpn:
    enabled: false