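---
# Production-specific values for unbound DNS resolver
# Overrides for the production environment
#
# ARCHITECTURE NOTE:
# Unbound provides DNSSEC validation required by Mailu (rspamd for DKIM/SPF/DMARC).
# CoreDNS does NOT support DNSSEC, so we need Unbound as a dedicated resolver.
#
# Two deployment options:
# 1. Mailu-only: Only Mailu pods use Unbound (via dnsPolicy: None)
#    - CoreDNS forwards to public DNS (8.8.8.8, 1.1.1.1)
#    - Lower resource usage, simpler architecture
#
# 2. Cluster-wide: CoreDNS forwards ALL external queries to Unbound
#    - All pods get DNSSEC validation
#    - Higher resource usage, single point of failure for DNS
#    - Before enabling, confirm CoreDNS's own upstream forwarder does not
#      point back at Unbound; otherwise the in-addr.arpa forward below would
#      loop for reverse queries CoreDNS cannot answer itself.

# Use official image for production
# NOTE(review): a floating tag together with IfNotPresent means every node keeps
# whichever "latest" it pulled first, so nodes drift apart and a rollback is not
# reproducible. Pin a release tag or an image digest for production.
image:
  repository: "mvance/unbound"
  tag: "latest"
  pullPolicy: "IfNotPresent"

# Production resource settings - MINIMAL for single-node clusters
# Unbound is very lightweight - DNS queries use minimal CPU
resources:
  requests:
    cpu: "50m"
    memory: "64Mi"
  limits:
    cpu: "200m"
    memory: "256Mi"

# Single replica for single-node clusters (saves resources)
# Increase to 2 for multi-node HA deployments
replicaCount: 1

# Production annotations
podAnnotations:
  environment: "production"
  critical: "true"

# Anti-affinity disabled for single-node clusters
# Uncomment for multi-node HA deployments
# affinity:
#   podAntiAffinity:
#     preferredDuringSchedulingIgnoredDuringExecution:
#       - weight: 100
#         podAffinityTerm:
#           labelSelector:
#             matchExpressions:
#               - key: app.kubernetes.io/name
#                 operator: In
#                 values:
#                   - unbound
#           topologyKey: "kubernetes.io/hostname"

# Production probe settings (more conservative)
# NOTE: mvance/unbound image does NOT have 'nc' (netcat), use 'drill' instead
# Querying 'localhost' keeps the probe independent of upstream reachability
# (Unbound serves it from built-in local-zone data by default; verify that
# default is not overridden in the config below).
probes:
  readiness:
    initialDelaySeconds: 10
    periodSeconds: 30
    command: "drill @127.0.0.1 localhost || exit 1"
  liveness:
    initialDelaySeconds: 30
    periodSeconds: 60
    command: "drill @127.0.0.1 localhost || exit 1"

# Custom unbound configuration to forward internal Kubernetes zones to CoreDNS
config:
  enabled: true
  content: |
    server:
      interface: 0.0.0.0
      port: 53
      do-ip4: yes
      do-ip6: no
      do-udp: yes
      do-tcp: yes

      # Access control - allow all private networks
      # (clients outside these ranges fall under Unbound's default refuse policy)
      access-control: 10.0.0.0/8 allow
      access-control: 172.16.0.0/12 allow
      access-control: 192.168.0.0/16 allow
      access-control: 127.0.0.0/8 allow

      # Do not disclose resolver identity/version via CHAOS-class queries
      hide-identity: yes
      hide-version: yes

      # DNSSEC validation (required for Mailu)
      auto-trust-anchor-file: "/opt/unbound/etc/unbound/root.key"

      # Performance tuning
      num-threads: 2
      msg-cache-size: 32m
      rrset-cache-size: 64m
      cache-min-ttl: 60
      cache-max-ttl: 86400

      # Logging
      verbosity: 1
      log-queries: no
      log-replies: no

      # Private addresses - DNS rebinding protection: RFC1918 addresses are
      # stripped from answers for names that are not allowed to carry them.
      private-address: 10.0.0.0/8
      private-address: 172.16.0.0/12
      private-address: 192.168.0.0/16

      # The cluster zone legitimately resolves to ClusterIPs inside 10.0.0.0/8,
      # so exempt it from the private-address scrubbing above; without this the
      # A records CoreDNS returns for cluster.local names are removed from the
      # answer. Subdomains (svc.cluster.local, <ns>.svc.cluster.local) are covered.
      private-domain: "cluster.local."

      # Forward Kubernetes internal zones to CoreDNS (10.152.183.10 for MicroK8s)
      forward-zone:
        name: "cluster.local."
        forward-addr: 10.152.183.10

      forward-zone:
        name: "svc.cluster.local."
        forward-addr: 10.152.183.10

      forward-zone:
        name: "bakery-ia.svc.cluster.local."
        forward-addr: 10.152.183.10

      # Forward in-addr.arpa for reverse DNS lookups within cluster
      # NOTE(review): in-addr.arpa. is a DNSSEC-signed zone, and forwarding all
      # of it sends the DS/DNSKEY lookups the validator needs for reverse answers
      # to CoreDNS as well. If reverse lookups SERVFAIL, either narrow this zone
      # to the cluster's own reverse ranges or add domain-insecure: "in-addr.arpa."
      # (which gives up validation of every reverse answer).
      forward-zone:
        name: "in-addr.arpa."
        forward-addr: 10.152.183.10

      # Forward all other queries to upstream DNS with DNSSEC
      # NOTE(review): the "#hostname" suffix requests certificate name
      # verification, which needs a CA store (tls-cert-bundle or tls-system-cert).
      # Confirm the image/chart supplies one for this config; otherwise set it here,
      # or the TLS upstream is not authenticated as intended.
      forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 8.8.8.8@853#dns.google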