bakery-ia/infrastructure/platform/mail/mailu-helm/dev/values.yaml

# Development-tuned Mailu configuration
global:
  # Using Kubernetes cluster DNS for name resolution
  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
  custom_dns_servers: "10.96.0.10"  # Kubernetes cluster DNS IP

# Redis configuration - use built-in Mailu Redis (no authentication needed)
externalRedis:
  enabled: false

# Component-specific DNS configuration
# Admin uses Kubernetes DNS (ClusterFirst) to resolve internal services like Redis
# DNSSEC validation is handled at the application level by rspamd
admin:
  dnsPolicy: "ClusterFirst"

# RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
# Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
rspamd:
  dnsPolicy: "ClusterFirst"

# Domain configuration for dev
domain: "bakery-ia.local"
hostnames:
  - "mail.bakery-ia.local"

# External relay configuration for dev
externalRelay:
  host: "[smtp.mailgun.org]:587"
  username: "postmaster@bakery-ia.local"
  password: "mailgun-api-key-replace-in-production"

# Environment-specific configurations
persistence:
  enabled: true
  # Development: use default storage class
  storageClass: "standard"
  size: "5Gi"

# Resource optimizations for development
resources:
  admin:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"
  front:
    requests:
      cpu: "50m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "128Mi"
  postfix:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "300m"
      memory: "256Mi"
  dovecot:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "300m"
      memory: "256Mi"
  rspamd:
    requests:
      cpu: "50m"
      memory: "64Mi"
    limits:
      cpu: "200m"
      memory: "128Mi"
  clamav:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "300m"
      memory: "512Mi"

replicaCount: 1  # Single replica for development

# Security settings
secretKey: "generate-strong-key-here-for-development"

# Ingress configuration for development - disabled to use with existing ingress
ingress:
  enabled: false  # Disable chart's Ingress; use existing one
  tls: false      # Disable TLS in chart since ingress handles it
  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
  path: /
  pathType: ImplementationSpecific

# TLS flavor for dev (may use self-signed)
tls:
  flavor: "notls"  # Disable TLS for development

# Welcome message (disabled in dev)
welcomeMessage:
  enabled: false

# Log level for dev
logLevel: "DEBUG"

# Development-specific overrides
env:
  DEBUG: "true"
  LOG_LEVEL: "INFO"

# Disable or simplify monitoring in development
monitoring:
  enabled: false

# Network Policy for dev
networkPolicy:
  enabled: true
  ingressController:
    namespace: ingress-nginx
    podSelector: |
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
  monitoring:
    namespace: monitoring
    podSelector: |
      matchLabels:
        app: signoz-prometheus
Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`# Development-tuned Mailu configuration`
			`global:`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`# Using Kubernetes cluster DNS for name resolution`
			`# Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local`
			`custom_dns_servers: "10.96.0.10" # Kubernetes cluster DNS IP`

			`# Redis configuration - use built-in Mailu Redis (no authentication needed)`
			`externalRedis:`
			`enabled: false`
Add new infra architecture 5 2026-01-19 15:15:04 +01:00
			`# Component-specific DNS configuration`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`# Admin uses Kubernetes DNS (ClusterFirst) to resolve internal services like Redis`
			`# DNSSEC validation is handled at the application level by rspamd`
Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`admin:`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`dnsPolicy: "ClusterFirst"`
Add new infra architecture 5 2026-01-19 15:15:04 +01:00
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`# RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)`
			`# Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound`
Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`rspamd:`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`dnsPolicy: "ClusterFirst"`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00
			`# Domain configuration for dev`
			`domain: "bakery-ia.local"`
			`hostnames:`
			`- "mail.bakery-ia.local"`

			`# External relay configuration for dev`
			`externalRelay:`
			`host: "[smtp.mailgun.org]:587"`
			`username: "postmaster@bakery-ia.local"`
			`password: "mailgun-api-key-replace-in-production"`

Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`# Environment-specific configurations`
			`persistence:`
			`enabled: true`
			`# Development: use default storage class`
			`storageClass: "standard"`
			`size: "5Gi"`

			`# Resource optimizations for development`
			`resources:`
			`admin:`
			`requests:`
			`cpu: "100m"`
			`memory: "128Mi"`
			`limits:`
			`cpu: "500m"`
			`memory: "256Mi"`
			`front:`
			`requests:`
			`cpu: "50m"`
			`memory: "64Mi"`
			`limits:`
			`cpu: "200m"`
			`memory: "128Mi"`
			`postfix:`
			`requests:`
			`cpu: "100m"`
			`memory: "128Mi"`
			`limits:`
			`cpu: "300m"`
			`memory: "256Mi"`
			`dovecot:`
			`requests:`
			`cpu: "100m"`
			`memory: "128Mi"`
			`limits:`
			`cpu: "300m"`
			`memory: "256Mi"`
			`rspamd:`
			`requests:`
			`cpu: "50m"`
			`memory: "64Mi"`
			`limits:`
			`cpu: "200m"`
			`memory: "128Mi"`
			`clamav:`
			`requests:`
			`cpu: "100m"`
			`memory: "256Mi"`
			`limits:`
			`cpu: "300m"`
			`memory: "512Mi"`

			`replicaCount: 1 # Single replica for development`

			`# Security settings`
			`secretKey: "generate-strong-key-here-for-development"`

			`# Ingress configuration for development - disabled to use with existing ingress`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`ingress:`
			`enabled: false # Disable chart's Ingress; use existing one`
			`tls: false # Disable TLS in chart since ingress handles it`
			`tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS`
			`realIpHeader: X-Forwarded-For # Header for client IP from your Ingress`
			`realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)`
			`path: /`
			`pathType: ImplementationSpecific`

			`# TLS flavor for dev (may use self-signed)`
			`tls:`
Add new infra architecture 6 2026-01-19 16:31:11 +01:00			`flavor: "notls" # Disable TLS for development`
Add new infra architecture 3 2026-01-19 13:57:50 +01:00
			`# Welcome message (disabled in dev)`
			`welcomeMessage:`
			`enabled: false`

			`# Log level for dev`
			`logLevel: "DEBUG"`

Add new infra architecture 5 2026-01-19 15:15:04 +01:00			`# Development-specific overrides`
			`env:`
			`DEBUG: "true"`
			`LOG_LEVEL: "INFO"`

			`# Disable or simplify monitoring in development`
			`monitoring:`
			`enabled: false`

Add new infra architecture 3 2026-01-19 13:57:50 +01:00			`# Network Policy for dev`
			`networkPolicy:`
			`enabled: true`
			`ingressController:`
			`namespace: ingress-nginx`
			`podSelector: \|`
			`matchLabels:`
			`app.kubernetes.io/name: ingress-nginx`
			`app.kubernetes.io/instance: ingress-nginx`
			`app.kubernetes.io/component: controller`
			`monitoring:`
			`namespace: monitoring`
			`podSelector: \|`
			`matchLabels:`
			`app: signoz-prometheus`