riju/k8s/riju-proxy.yaml

---
kind: ConfigMap
apiVersion: v1
metadata:
  namespace: riju
  name: riju-proxy-config
data:
  squid.conf: |
    cache deny all

    acl riju_src src 127.0.0.1/32
    acl riju_src src 10.244.0.0/16
    http_access deny !riju_src

    acl riju_dst dst 10.244.0.0/16
    http_access deny !riju_dst

    acl riju_port port 869
    http_access deny !riju_port

    acl riju_method method GET
    http_access deny !riju_method

    auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5 startup=5 idle=1
    auth_param basic realm Riju administrative proxy
    auth_param basic credentialsttl 24 hours

    acl riju_auth proxy_auth REQUIRED
    http_access deny !riju_auth

    http_access allow all
    http_access deny all

    http_port 3128

    # Avoid logging TCP healthchecks as errors
    acl hasRequest has request
    access_log daemon:/var/log/squid/access.log hasRequest    

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: riju
  name: riju-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: riju-proxy
  template:
    metadata:
      labels:
        app: riju-proxy
    spec:
      volumes:
        - name: config
          configMap:
            name: riju-proxy-config
        - name: auth
          secret:
            secretName: riju-proxy-auth
      containers:
        - name: nginx
          image: "ubuntu/squid:5.2-22.04_beta"
          resources: {}
          readinessProbe:
            tcpSocket:
              port: 3128
            failureThreshold: 1
            initialDelaySeconds: 2
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            tcpSocket:
              port: 3128
            failureThreshold: 3
            initialDelaySeconds: 2
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          ports:
            - name: http
              containerPort: 3128
          volumeMounts:
            - name: config
              mountPath: /etc/squid/squid.conf
              subPath: squid.conf
            - name: auth
              mountPath: /etc/squid/passwd
              subPath: htpasswd

---
kind: Service
apiVersion: v1
metadata:
  namespace: riju
  name: riju-proxy
  annotations:
    metallb.universe.tf/allow-shared-ip: main
spec:
  type: LoadBalancer
  selector:
    app: riju-proxy
  ports:
    - name: http
      port: 3128
      targetPort: 3128