bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8461226a97340e61f3e0b1ec7eeaec6c92801097
bakery-ia/infrastructure/platform/mail/mailu/WEBMAIL_DNS_CONFIGURATION.md

265 lines
6.9 KiB
Markdown
Raw Normal View History

Add new infra architecture
2026-01-19 11:55:17 +01:00
# Webmail DNS Configuration Guide
This guide provides the DNS configuration required to make the webmail system accessible from `webmail.bakewise.ai`.
## Production DNS Configuration
### Required DNS Records for `webmail.bakewise.ai`
```bash
# A Record for webmail subdomain
webmail.bakewise.ai. IN A <your-ingress-ip>
# CNAME Record (alternative approach)
webmail.bakewise.ai. IN CNAME bakewise.ai.
# MX Record for email delivery (if receiving emails)
bakewise.ai. IN MX 10 webmail.bakewise.ai.
# SPF Record (authorize webmail server)
bakewise.ai. IN TXT "v=spf1 include:mailgun.org ~all"
# DKIM Record (will be generated by Mailu)
mailu._domainkey.bakewise.ai. IN TXT "v=DKIM1; k=rsa; p=<public-key>"
# DMARC Record
_dmarc.bakewise.ai. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@bakewise.ai"
```
## Development DNS Configuration
### Required DNS Records for `webmail.bakery-ia.local`
For local development, add these entries to your `/etc/hosts` file:
```bash
# Add to /etc/hosts
127.0.0.1 webmail.bakery-ia.local
127.0.0.1 bakery-ia.local
127.0.0.1 monitoring.bakery-ia.local
```
## TLS Certificate Configuration
The ingress configuration includes automatic TLS certificate provisioning using cert-manager with Let's Encrypt.
### Production TLS Configuration
The production ingress (`prod-ingress.yaml`) includes:
```yaml
tls:
- hosts:
- bakewise.ai
- monitoring.bakewise.ai
- webmail.bakewise.ai # ← Added webmail domain
secretName: bakery-ia-prod-tls-cert
```
### Development TLS Configuration
The development ingress (`dev-ingress.yaml`) includes:
```yaml
tls:
- hosts:
- localhost
- bakery-ia.local
- monitoring.bakery-ia.local
- webmail.bakery-ia.local # ← Added webmail domain
secretName: bakery-dev-tls-cert
```
## Ingress Routing Configuration
### Production Routing
The production ingress routes traffic as follows:
- `https://bakewise.ai/` → Frontend service (port 3000)
- `https://bakewise.ai/api/` → Gateway service (port 8000)
- `https://monitoring.bakewise.ai/` → SigNoz monitoring (port 8080)
- `https://webmail.bakewise.ai/` → Email webmail (port 80)
- `https://webmail.bakewise.ai/webmail` → Email webmail
- `https://webmail.bakewise.ai/admin` → Email admin interface
### Development Routing
The development ingress routes traffic as follows:
- `https://localhost/` → Frontend service (port 3000)
- `https://localhost/api/` → Gateway service (port 8000)
- `https://bakery-ia.local/` → Frontend service (port 3000)
- `https://bakery-ia.local/api/` → Gateway service (port 8000)
- `https://monitoring.bakery-ia.local/` → SigNoz monitoring (port 8080)
- `https://webmail.bakery-ia.local/` → Email webmail (port 80)
- `https://webmail.bakery-ia.local/webmail` → Email webmail
- `https://webmail.bakery-ia.local/admin` → Email admin interface
## Security Headers
The webmail ingress includes enhanced security headers:
```nginx
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';
connect-src 'self'; frame-src 'self';
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```
## Deployment Steps
### 1. Update DNS Records
```bash
# For production (using Cloudflare as example)
cfcli dns create bakewise.ai A webmail <ingress-ip> --ttl 3600 --proxied
# For development (add to /etc/hosts)
echo "127.0.0.1 webmail.bakery-ia.local" | sudo tee -a /etc/hosts
```
### 2. Apply Ingress Configuration
```bash
# Apply the updated ingress configuration
kubectl apply -k infrastructure/environments/prod/k8s-manifests/
# Verify the ingress is configured correctly
kubectl get ingress -n bakery-ia
kubectl describe ingress bakery-ingress-prod -n bakery-ia
```
### 3. Verify TLS Certificates
```bash
# Check TLS certificate status
kubectl get certificaterequest -n bakery-ia
kubectl get certificate -n bakery-ia
# Check certificate details
kubectl describe certificate bakery-ia-prod-tls-cert -n bakery-ia
```
### 4. Test Webmail Access
```bash
# Test webmail accessibility
curl -I https://webmail.bakewise.ai
curl -I https://webmail.bakewise.ai/webmail
curl -I https://webmail.bakewise.ai/admin
# Test from browser
open https://webmail.bakewise.ai
```
## Troubleshooting
### DNS Issues
```bash
# Check DNS resolution
dig webmail.bakewise.ai
nslookup webmail.bakewise.ai
# Check ingress controller logs
kubectl logs -f -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
```
### TLS Issues
```bash
# Check cert-manager logs
kubectl logs -f -n cert-manager -l app=cert-manager
# Check certificate status
kubectl get certificaterequest,certificate,order,challenge -n bakery-ia
```
### Ingress Issues
```bash
# Check ingress controller events
kubectl get events -n ingress-nginx
# Check ingress description
kubectl describe ingress -n bakery-ia
```
## Monitoring and Maintenance
### Check Webmail Service Status
```bash
# Check email services
kubectl get pods -n bakery-ia -l app=email
# Check webmail service
kubectl get service email-webmail -n bakery-ia
# Check ingress routing
kubectl get ingress -n bakery-ia -o yaml | grep -A 10 webmail
```
### Update DNS Records
When the ingress IP changes, update the DNS records:
```bash
# Get current ingress IP
kubectl get service -n ingress-nginx ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
# Update DNS (Cloudflare example)
cfcli dns update bakewise.ai A webmail <new-ip> --ttl 3600 --proxied
```
## Access Information
After configuration, the webmail system will be accessible at:
- **Production**: `https://webmail.bakewise.ai`
- **Development**: `https://webmail.bakery-ia.local`
Default credentials (configured in secrets):
- **Admin**: `admin@bakewise.ai`
- **Password**: Configured in `email-secrets`
## Integration with Existing Systems
The webmail system integrates with:
1. **SMTP Service**: `email-smtp.bakery-ia.svc.cluster.local:587`
2. **IMAP Service**: `email-imap.bakery-ia.svc.cluster.local:993`
3. **Notification Service**: Uses the new SMTP service for email notifications
4. **Monitoring**: SigNoz alerts use the new email service
## Backup and Recovery
### DNS Backup
```bash
# Export DNS records (Cloudflare example)
cfcli dns export bakewise.ai > dns-backup.json
# Restore DNS records
cfcli dns import bakewise.ai dns-backup.json
```
### Certificate Backup
```bash
# Export TLS secrets
kubectl get secret bakery-ia-prod-tls-cert -n bakery-ia -o yaml > tls-backup.yaml
# Restore TLS secrets
kubectl apply -f tls-backup.yaml
```
## References
- [Cert-manager Documentation](https://cert-manager.io/docs/)
- [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/)
- [Let's Encrypt](https://letsencrypt.org/)
- [DNS Configuration Best Practices](https://www.cloudflare.com/learning/dns/)
This configuration provides a secure, scalable webmail solution that integrates seamlessly with the existing Bakery-IA infrastructure.
Reference in New Issue Copy Permalink