Fix resources issues 5

2026-01-22 11:15:11 +01:00
parent 6505044f24
commit 0183f3ab72
20 changed files with 399 additions and 1193 deletions


@@ -2,7 +2,7 @@
## Executive Summary
This document outlines the recommended architecture for deploying Mailu email services across development and production environments for the Bakery-IA project. The solution addresses DNSSEC validation requirements while maintaining consistency across different Kubernetes platforms.
This document outlines the recommended architecture for deploying Mailu email services across development and production environments for the Bakery-IA project. The solution addresses DNSSEC validation requirements using CoreDNS with DNS-over-TLS while maintaining consistency across different Kubernetes platforms.
## Environment Overview
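Review bot: the rewritten Executive Summary says DNSSEC validation is provided "using CoreDNS with DNS-over-TLS", but CoreDNS's forward plugin does not validate DNSSEC itself; it relays the upstream answer, and the AD bit Mailu checks is set by Cloudflare's validating resolver, with TLS only protecting the hop from CoreDNS to 1.1.1.1. Suggest wording it as "relying on Cloudflare's DNSSEC-validating resolvers over DNS-over-TLS" so the trust model (validation delegated to a third party) is explicit.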
@@ -25,124 +25,76 @@ This document outlines the recommended architecture for deploying Mailu email se
## Architectural Solution
### Unified DNS Resolution Strategy
### DNS Resolution Strategy
**Recommended Approach**: Deploy Unbound as a dedicated DNSSEC-validating resolver pod in both environments
**Approach**: Use CoreDNS with DNS-over-TLS to Cloudflare (1.1.1.1) for DNSSEC validation
#### Benefits:
- ✅ Leverages existing Kubernetes DNS infrastructure
- ✅ No additional pods required (uses CoreDNS already in cluster)
- ✅ DNSSEC validation provided by Cloudflare's DNS-over-TLS
- ✅ Consistent behavior across dev and prod
- ✅ Meets Mailu's DNSSEC requirements
-Privacy-preserving (no external DNS queries)
- ✅ Avoids rate-limiting from public DNS providers
- ✅ Full control over DNS resolution
-Simple and reliable
### Implementation Components
#### 1. Unbound Deployment Manifest
#### 1. CoreDNS Configuration with DNS-over-TLS
```yaml
# unbound.yaml - Cross-environment compatible
apiVersion: apps/v1
kind: Deployment
metadata:
name: unbound-resolver
namespace: mailu
labels:
app: unbound
component: dns
spec:
replicas: 1 # Scale to 2+ in production with anti-affinity
selector:
matchLabels:
app: unbound
template:
metadata:
labels:
app: unbound
component: dns
spec:
containers:
- name: unbound
image: mvance/unbound:latest
ports:
- containerPort: 53
name: dns-udp
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "300m"
memory: "384Mi"
readinessProbe:
exec:
command: ["drill", "@127.0.0.1", "-p", "53", "+dnssec", "example.org"]
initialDelaySeconds: 10
periodSeconds: 30
securityContext:
capabilities:
add: ["NET_BIND_SERVICE"]
---
apiVersion: v1
kind: Service
metadata:
name: unbound-dns
namespace: mailu
spec:
selector:
app: unbound
ports:
- name: dns-udp
port: 53
targetPort: 53
protocol: UDP
- name: dns-tcp
port: 53
targetPort: 53
protocol: TCP
# CoreDNS Corefile configuration for DNSSEC via DNS-over-TLS
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . tls://1.1.1.1 tls://1.0.0.1 {
tls_servername cloudflare-dns.com
health_check 5s
}
cache 30 {
disable success cluster.local
disable denial cluster.local
}
loop
reload
loadbalance
}
```
#### 2. Mailu Configuration (values.yaml)
```yaml
# Production-tuned Mailu configuration
dnsPolicy: None
dnsConfig:
nameservers:
- "10.152.183.x" # Replace with actual unbound service IP
global:
# Using Kubernetes CoreDNS for DNS resolution
# CoreDNS is configured with DNS-over-TLS (Cloudflare) for DNSSEC validation
custom_dns_servers: "10.152.183.10" # MicroK8s CoreDNS IP (adjust for your cluster)
# Component-specific DNS configuration
# DNS configuration - use Kubernetes DNS (ClusterFirst)
# CoreDNS provides DNSSEC validation via DNS-over-TLS to Cloudflare
admin:
dnsPolicy: None
dnsConfig:
nameservers:
- "10.152.183.x"
dnsPolicy: "ClusterFirst"
rspamd:
dnsPolicy: None
dnsConfig:
nameservers:
- "10.152.183.x"
dnsPolicy: "ClusterFirst"
# Environment-specific configurations
persistence:
enabled: true
# Development: use default storage class
# Production: use microk8s-hostpath or longhorn
storageClass: "standard"
storageClass: "" # Use cluster default
replicas: 1 # Increase in production as needed
# Security settings
secretKey: "generate-strong-key-here"
# Ingress configuration
# Use existing Bakery-IA ingress controller
```
### Environment-Specific Adaptations
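Review bot: the Corefile under "#### 1. CoreDNS Configuration with DNS-over-TLS" is a complete replacement for the cluster's Corefile, but the hunk does not say where it is applied (the `coredns` ConfigMap in `kube-system`, which the MicroK8s dns addon manages and may rewrite when the addon is re-enabled), and `forward . tls://1.1.1.1 tls://1.0.0.1` replaces the default `forward . /etc/resolv.conf`, so every external lookup in the cluster, not only Mailu's, now requires egress to 1.1.1.1/1.0.0.1 on 853/tcp. Document the install step and the firewall/NetworkPolicy egress rule, and consider a second DoT provider alongside Cloudflare so one upstream outage does not make all mail DNS checks fail. Separately, `secretKey: "generate-strong-key-here"` is unchanged context but still a placeholder in a committed values file; source the real key from a Kubernetes Secret at deploy time rather than from values.yaml.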
@@ -157,23 +109,21 @@ secretKey: "generate-strong-key-here"
**Deployment:**
```bash
# Apply unbound
kubectl apply -f unbound.yaml
# Get unbound service IP
UNBOUND_IP=$(kubectl get svc unbound-dns -n mailu -o jsonpath='{.spec.clusterIP}')
# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
# Deploy Mailu with dev-specific values
helm upgrade --install mailu mailu/mailu \
--namespace mailu \
-f values-dev.yaml \
--set dnsConfig.nameservers[0]=$UNBOUND_IP
--namespace bakery-ia \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/dev/values.yaml \
--set global.custom_dns_servers=$COREDNS_IP
```
#### Production (MicroK8s/Ubuntu)
**Enhancements:**
- Use Longhorn or OpenEBS for storage
- Use microk8s-hostpath for storage
- Enable monitoring and logging
- Configure proper ingress with TLS
- Set up backup solutions
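Review bot: in the dev deployment script, `COREDNS_IP=$(kubectl get svc kube-dns ...)` is passed straight into `--set global.custom_dns_servers=$COREDNS_IP` with no check; if the lookup fails (wrong kube context, dns addon not yet enabled) the variable is empty, `helm upgrade` still succeeds, and Mailu is deployed with an empty DNS server setting that only surfaces later as resolution failures. Add `: "${COREDNS_IP:?CoreDNS service IP not found}"` (or `set -euo pipefail`) before the helm command.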
@@ -181,19 +131,17 @@ helm upgrade --install mailu mailu/mailu \
**Deployment:**
```bash
# Enable required MicroK8s addons
microk8s enable dns storage ingress metallb
microk8s enable dns storage ingress
# Apply unbound
kubectl apply -f unbound.yaml
# Get unbound service IP
UNBOUND_IP=$(kubectl get svc unbound-dns -n mailu -o jsonpath='{.spec.clusterIP}')
# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
# Deploy Mailu with production values
helm upgrade --install mailu mailu/mailu \
--namespace mailu \
-f values-prod.yaml \
--set dnsConfig.nameservers[0]=$UNBOUND_IP
--namespace bakery-ia \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
--set global.custom_dns_servers=$COREDNS_IP
```
## Verification Procedures
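Review bot: `microk8s enable dns storage ingress` drops `metallb` from the addon list without explanation; if any Mailu service is of type LoadBalancer (typically the front service carrying SMTP/IMAP), it will stay Pending on MicroK8s without MetalLB, so state how the mail ports are exposed in production (MetalLB, hostPort, or ingress only). Also note that on recent MicroK8s releases `storage` is a deprecated alias for `hostpath-storage`, which is the addon behind the `microk8s-hostpath` class chosen in the Enhancements list. As in the dev script, guard against an empty `$COREDNS_IP` before the helm command.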
@@ -201,52 +149,39 @@ helm upgrade --install mailu mailu/mailu \
### DNSSEC Validation Test
```bash
# From within a Mailu pod
kubectl exec -it -n mailu deploy/mailu-admin -- bash
# Test DNS resolution from within a Mailu pod
kubectl exec -it -n bakery-ia deploy/mailu-admin -- bash
# Test DNSSEC validation
dig @unbound-dns +short +dnssec +adflag example.org A
# Test DNSSEC validation (via CoreDNS -> Cloudflare DNS-over-TLS)
dig +short +dnssec +adflag example.org A
# Should show AD flag in response
# Should show AD flag in response indicating DNSSEC validation
```
### Service Health Checks
```bash
# Check unbound service
kubectl get pods -n mailu -l app=unbound
kubectl logs -n mailu -l app=unbound
# Check CoreDNS is running
kubectl get pods -n kube-system -l k8s-app=kube-dns
# Check Mailu components
kubectl get pods -n mailu
kubectl logs -n mailu -l app.kubernetes.io/name=mailu
kubectl get pods -n bakery-ia | grep mailu
kubectl logs -n bakery-ia -l app.kubernetes.io/name=mailu
```
## Monitoring and Maintenance
### Production Monitoring Setup
```yaml
# Example monitoring configuration for production
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: unbound-monitor
namespace: mailu
spec:
selector:
matchLabels:
app: unbound
endpoints:
- port: dns-tcp
interval: 30s
path: /metrics
```
CoreDNS exposes Prometheus metrics on port 9153 by default. Monitor:
- DNS query latency
- DNS query success/failure rates
- DNS cache hit ratio
### Backup Strategy
**Production:**
- Daily Velero backups of Mailu namespace
- Daily Velero backups of bakery-ia namespace
- Weekly database dumps
- Monthly full cluster snapshots
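Review bot: the DNSSEC test `dig +short +dnssec +adflag example.org A` cannot show what the comment says it should: `+short` prints only the answer RDATA and suppresses the `;; flags:` header line where the `ad` bit appears. Drop `+short`, or make the check explicit: `dig +dnssec +adflag example.org A | grep -E '^;; flags:.*\bad\b'` and treat a missing `ad` as a failure. Also, the removed Unbound ServiceMonitor was replaced by prose only; since CoreDNS already serves `prometheus :9153`, a ServiceMonitor selecting `k8s-app=kube-dns` in `kube-system` would keep the scraping the old block provided.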
@@ -258,16 +193,21 @@ spec:
### Common Issues and Solutions
**Issue: DNSSEC validation failures**
- Verify unbound pod logs
- Check network policies
- Test DNS resolution from within pods
**Issue: DNS resolution failures**
- Verify CoreDNS pods are running
- Check CoreDNS logs: `kubectl logs -n kube-system -l k8s-app=kube-dns`
- Test DNS resolution: `kubectl run -it --rm dns-test --image=busybox -- nslookup google.com`
**Issue: Mailu pods failing to start**
- Confirm DNS configuration in values.yaml
- Verify unbound service is reachable
- Verify CoreDNS service is reachable
- Check resource availability
**Issue: DNSSEC validation errors**
- Ensure CoreDNS is configured with DNS-over-TLS
- Test with: `dig +dnssec example.org`
- Verify Cloudflare DNS is reachable
**Issue: Performance problems**
- Monitor CPU/memory usage
- Adjust resource limits
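Review bot: under "Issue: DNSSEC validation errors", `dig +dnssec example.org` only shows that a correctly signed zone resolves with `ad`; it does not prove that forged or broken signatures are rejected, which is the property Mailu relies on. Add the negative check against the well-known intentionally broken zone `dnssec-failed.org` (expected result is SERVFAIL, not an answer), and mention that `nslookup google.com` from the busybox pod under "DNS resolution failures" proves forwarding works but says nothing about DNSSEC.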
@@ -327,12 +267,12 @@ spec:
## Conclusion
This architecture provides a robust, consistent solution for deploying Mailu across development and production environments. By using Unbound as a dedicated DNSSEC-validating resolver, we ensure compliance with Mailu's requirements while maintaining flexibility and reliability across different Kubernetes platforms.
This architecture provides a robust, consistent solution for deploying Mailu across development and production environments. By using CoreDNS with DNS-over-TLS to Cloudflare, we ensure compliance with Mailu's DNSSEC requirements while maintaining simplicity and reliability.
The solution is designed to be:
- **Simple**: Uses existing Kubernetes DNS infrastructure
- **Consistent**: Same core architecture across environments
- **Reliable**: Production-grade availability and monitoring
- **Efficient**: Optimized resource usage
- **Maintainable**: Clear documentation and troubleshooting guides
- **Reliable**: Production-grade availability
- **Efficient**: No additional pods required for DNS
This approach aligns with the Bakery-IA project's requirements for a secure, reliable email infrastructure that can be consistently deployed across different environments.
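Review bot: the new conclusion credits the design with "simplicity and reliability", but this commit also dropped the "Privacy-preserving (no external DNS queries)" benefit, and the conclusion should own that trade-off: every DNS lookup Mailu makes (recipient MX, SPF/DKIM/DMARC, rspamd DNSBL checks) now goes to Cloudflare, and validation is trusted rather than performed locally. One sentence stating that dependency, and that 1.1.1.1/1.0.0.1 reachability over 853/tcp is now a hard availability requirement for mail flow, would make "Reliable: Production-grade availability" an honest claim.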