bakery-ia/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml

# Production-specific values for unbound DNS resolver
# Overrides for the production environment
#
# ARCHITECTURE NOTE:
# Unbound provides DNSSEC validation required by Mailu (rspamd for DKIM/SPF/DMARC).
# CoreDNS does NOT support DNSSEC, so we need Unbound as a dedicated resolver.
#
# Two deployment options:
# 1. Mailu-only: Only Mailu pods use Unbound (via dnsPolicy: None)
#    - CoreDNS forwards to public DNS (8.8.8.8, 1.1.1.1)
#    - Lower resource usage, simpler architecture
#
# 2. Cluster-wide: CoreDNS forwards ALL external queries to Unbound
#    - All pods get DNSSEC validation
#    - Higher resource usage, single point of failure for DNS

# Use official image for production
image:
  repository: "mvance/unbound"
  tag: "latest"
  pullPolicy: "IfNotPresent"

# Production resource settings - MINIMAL for single-node clusters
# Unbound is very lightweight - DNS queries use minimal CPU
resources:
  requests:
    cpu: "50m"
    memory: "64Mi"
  limits:
    cpu: "200m"
    memory: "256Mi"

# Single replica for single-node clusters (saves resources)
# Increase to 2 for multi-node HA deployments
replicaCount: 1

# Production annotations
podAnnotations:
  environment: "production"
  critical: "true"

# Anti-affinity disabled for single-node clusters
# Uncomment for multi-node HA deployments
# affinity:
#   podAntiAffinity:
#     preferredDuringSchedulingIgnoredDuringExecution:
#     - weight: 100
#       podAffinityTerm:
#         labelSelector:
#           matchExpressions:
#           - key: app.kubernetes.io/name
#             operator: In
#             values:
#             - unbound
#         topologyKey: "kubernetes.io/hostname"

# Production probe settings (more conservative)
# NOTE: mvance/unbound image does NOT have 'nc' (netcat), use 'drill' instead
probes:
  readiness:
    initialDelaySeconds: 10
    periodSeconds: 30
    command: "drill @127.0.0.1 localhost || exit 1"
  liveness:
    initialDelaySeconds: 30
    periodSeconds: 60
    command: "drill @127.0.0.1 localhost || exit 1"
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`# Production-specific values for unbound DNS resolver`
			`# Overrides for the production environment`
Fix resources isues 2026-01-22 07:54:56 +01:00			`#`
			`# ARCHITECTURE NOTE:`
			`# Unbound provides DNSSEC validation required by Mailu (rspamd for DKIM/SPF/DMARC).`
			`# CoreDNS does NOT support DNSSEC, so we need Unbound as a dedicated resolver.`
			`#`
			`# Two deployment options:`
			`# 1. Mailu-only: Only Mailu pods use Unbound (via dnsPolicy: None)`
			`# - CoreDNS forwards to public DNS (8.8.8.8, 1.1.1.1)`
			`# - Lower resource usage, simpler architecture`
			`#`
			`# 2. Cluster-wide: CoreDNS forwards ALL external queries to Unbound`
			`# - All pods get DNSSEC validation`
			`# - Higher resource usage, single point of failure for DNS`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00
			`# Use official image for production`
			`image:`
			`repository: "mvance/unbound"`
			`tag: "latest"`
			`pullPolicy: "IfNotPresent"`

Fix resources isues 2026-01-22 07:54:56 +01:00			`# Production resource settings - MINIMAL for single-node clusters`
			`# Unbound is very lightweight - DNS queries use minimal CPU`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`resources:`
			`requests:`
Fix resources isues 2026-01-22 07:54:56 +01:00			`cpu: "50m"`
			`memory: "64Mi"`
			`limits:`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`cpu: "200m"`
			`memory: "256Mi"`

Fix resources isues 2026-01-22 07:54:56 +01:00			`# Single replica for single-node clusters (saves resources)`
			`# Increase to 2 for multi-node HA deployments`
			`replicaCount: 1`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00
			`# Production annotations`
			`podAnnotations:`
			`environment: "production"`
			`critical: "true"`

Fix resources isues 2026-01-22 07:54:56 +01:00			`# Anti-affinity disabled for single-node clusters`
			`# Uncomment for multi-node HA deployments`
			`# affinity:`
			`# podAntiAffinity:`
			`# preferredDuringSchedulingIgnoredDuringExecution:`
			`# - weight: 100`
			`# podAffinityTerm:`
			`# labelSelector:`
			`# matchExpressions:`
			`# - key: app.kubernetes.io/name`
			`# operator: In`
			`# values:`
			`# - unbound`
			`# topologyKey: "kubernetes.io/hostname"`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00
			`# Production probe settings (more conservative)`
Fix resources isues 2 2026-01-22 10:07:05 +01:00			`# NOTE: mvance/unbound image does NOT have 'nc' (netcat), use 'drill' instead`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`probes:`
			`readiness:`
Fix resources isues 2026-01-22 07:54:56 +01:00			`initialDelaySeconds: 10`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`periodSeconds: 30`
Fix resources isues 2 2026-01-22 10:07:05 +01:00			`command: "drill @127.0.0.1 localhost \|\| exit 1"`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`liveness:`
Fix resources isues 2026-01-22 07:54:56 +01:00			`initialDelaySeconds: 30`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`periodSeconds: 60`
Fix resources isues 2 2026-01-22 10:07:05 +01:00			`command: "drill @127.0.0.1 localhost \|\| exit 1"`