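# Default values for unbound DNS resolver
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# PURPOSE: Provides DNSSEC validation for Mailu email server
# CoreDNS does NOT support DNSSEC, so Unbound fills this gap.
# Mailu's rspamd requires DNSSEC for DKIM/SPF/DMARC validation.

# Global settings
global:
  # DNS service name for other services to reference
  dnsServiceName: "unbound-dns"
  namespace: "bakery-ia"

# Unbound image configuration
image:
  repository: "mvance/unbound"
  # NOTE(review): "latest" is a mutable tag. Combined with IfNotPresent, each
  # node keeps whichever build it cached first, so replicas and restarts can
  # run different, unaudited versions of the resolver that mail
  # authentication depends on. Prefer pinning a reviewed release tag or an
  # image digest (for example "<pinned-version>" or "@sha256:<digest>").
  tag: "latest"
  pullPolicy: "IfNotPresent"

# Deployment configuration
# A single replica means DNSSEC-dependent checks have no resolver while the
# pod restarts or is rescheduled.
replicaCount: 1

# Resource limits and requests
# Unbound is very lightweight - these minimal resources are sufficient
resources:
  requests:
    cpu: "25m"
    memory: "32Mi"
  limits:
    cpu: "100m"
    memory: "128Mi"

# Security context
# NET_BIND_SERVICE allows binding the privileged DNS port 53. No `drop` list
# is set, so the container otherwise keeps the container runtime's default
# capability set.
# NOTE(review): consider `drop: ["ALL"]` (adding back only what the image
# needs at start-up) and `allowPrivilegeEscalation: false`. How the chart
# template renders this block is not visible in this file - confirm before
# tightening.
securityContext:
  capabilities:
    add: ["NET_BIND_SERVICE"]

# Service configuration
# ClusterIP keeps the resolver reachable only from inside the cluster. Any
# pod in the cluster can still query it unless a NetworkPolicy restricts
# access to the intended clients.
service:
  type: "ClusterIP"
  # Dynamic ClusterIP - Kubernetes will assign automatically
  # clusterIP: ""  # Leave empty for automatic assignment
  ports:
    dnsUdp: 53
    dnsTcp: 53

# Health probes configuration
# NOTE: mvance/unbound image does NOT have 'nc' (netcat), use 'drill' instead
# These probes only confirm that the local resolver answers a query for
# "localhost"; they do not show that upstream recursion or DNSSEC validation
# is working.
probes:
  readiness:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 30
    # Use drill (DNS lookup tool included in unbound image)
    command: "drill @127.0.0.1 localhost || exit 1"
  liveness:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 60
    # Use drill (DNS lookup tool included in unbound image)
    command: "drill @127.0.0.1 localhost || exit 1"

# Additional environment variables
env: {}

# Additional volume mounts
volumeMounts: []

# Additional volumes
volumes: []

# Node selector
nodeSelector: {}

# Tolerations
tolerations: []

# Affinity
affinity: {}

# Pod annotations
podAnnotations: {}

# Service annotations
serviceAnnotations: {}

# Custom unbound configuration
# NOTE(review): with this disabled, resolver behaviour presumably comes from
# the image's built-in configuration. Since the purpose of this chart is
# DNSSEC validation, confirm that the built-in configuration enables the
# validator and a trust anchor.
config:
  enabled: false

# Additional containers (sidecars)
extraContainers: []

# Additional init containers
extraInitContainers: []

# Service account configuration
# With create: false and an empty name, which service account the pod ends
# up using depends on the chart templates (not visible here).
# NOTE(review): a DNS resolver has no apparent need for the Kubernetes API;
# consider disabling service-account token automount in the pod spec.
serviceAccount:
  create: false
  annotations: {}
  name: ""

# Pod security context
# Empty: no pod-level hardening is requested here.
# NOTE(review): consider `seccompProfile: {type: RuntimeDefault}`; whether
# `runAsNonRoot` is usable depends on how the image starts - confirm.
podSecurityContext: {}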