bakery-ia/infrastructure/platform/networking/dns/unbound-helm/dev/values.yaml

# Development values for unbound DNS resolver
# Using same configuration as production for consistency

# Use official image for development (same as production)
image:
  repository: "mvance/unbound"
  tag: "latest"
  pullPolicy: "IfNotPresent"

# Resource settings (slightly lower than production for dev)
resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    cpu: "300m"
    memory: "384Mi"

# Single replica for development (can be scaled if needed)
replicaCount: 1

# Development annotations
podAnnotations:
  environment: "development"
  managed-by: "helm"

# Probe settings (same as production but slightly faster)
probes:
  readiness:
    initialDelaySeconds: 10
    periodSeconds: 30
    command: "drill @127.0.0.1 -p 53 example.org || echo 'DNS query test'"
  liveness:
    initialDelaySeconds: 30
    periodSeconds: 60
    command: "drill @127.0.0.1 -p 53 example.org || echo 'DNS query test'"

# Custom Unbound forward records for Kubernetes DNS
config:
  enabled: true
  # The mvance/unbound image includes forward-records.conf
  # We need to add Kubernetes-specific forwarding zones
  forwardRecords: |
    # Forward all queries to Cloudflare with DNSSEC (catch-all)
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com

  # Additional server config to mark cluster.local as insecure (no DNSSEC)
  # and use stub zones for Kubernetes internal DNS (more reliable than forward)
  serverConfig: |
    domain-insecure: "cluster.local."
    private-domain: "cluster.local."
    local-zone: "10.in-addr.arpa." nodefault

    stub-zone:
        name: "cluster.local."
        stub-addr: 10.96.0.10

    stub-zone:
        name: "10.in-addr.arpa."
        stub-addr: 10.96.0.10
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`# Development values for unbound DNS resolver`
			`# Using same configuration as production for consistency`

			`# Use official image for development (same as production)`
			`image:`
			`repository: "mvance/unbound"`
			`tag: "latest"`
			`pullPolicy: "IfNotPresent"`

			`# Resource settings (slightly lower than production for dev)`
			`resources:`
			`requests:`
			`cpu: "100m"`
			`memory: "128Mi"`
			`limits:`
			`cpu: "300m"`
			`memory: "384Mi"`

			`# Single replica for development (can be scaled if needed)`
			`replicaCount: 1`

			`# Development annotations`
			`podAnnotations:`
			`environment: "development"`
			`managed-by: "helm"`

			`# Probe settings (same as production but slightly faster)`
			`probes:`
			`readiness:`
			`initialDelaySeconds: 10`
			`periodSeconds: 30`
			`command: "drill @127.0.0.1 -p 53 example.org \|\| echo 'DNS query test'"`
			`liveness:`
			`initialDelaySeconds: 30`
			`periodSeconds: 60`
Add new infra architecture 8 2026-01-19 22:28:53 +01:00			`command: "drill @127.0.0.1 -p 53 example.org \|\| echo 'DNS query test'"`

			`# Custom Unbound forward records for Kubernetes DNS`
			`config:`
			`enabled: true`
			`# The mvance/unbound image includes forward-records.conf`
			`# We need to add Kubernetes-specific forwarding zones`
			`forwardRecords: \|`
			`# Forward all queries to Cloudflare with DNSSEC (catch-all)`
			`forward-zone:`
			`name: "."`
			`forward-tls-upstream: yes`
			`forward-addr: 1.1.1.1@853#cloudflare-dns.com`
			`forward-addr: 1.0.0.1@853#cloudflare-dns.com`

			`# Additional server config to mark cluster.local as insecure (no DNSSEC)`
			`# and use stub zones for Kubernetes internal DNS (more reliable than forward)`
			`serverConfig: \|`
			`domain-insecure: "cluster.local."`
			`private-domain: "cluster.local."`
			`local-zone: "10.in-addr.arpa." nodefault`

			`stub-zone:`
			`name: "cluster.local."`
			`stub-addr: 10.96.0.10`

			`stub-zone:`
			`name: "10.in-addr.arpa."`
			`stub-addr: 10.96.0.10`