Fix resources isues 5

Tiltfile

@@ -728,100 +728,20 @@ k8s_resource('rabbitmq', resource_deps=['security-setup'], labels=['01-infrastru
 k8s_resource('minio', resource_deps=['security-setup'], labels=['01-infrastructure'])
 k8s_resource('minio-bucket-init', resource_deps=['minio'], labels=['01-infrastructure'])
 
-# Unbound DNSSEC Resolver - Infrastructure component for Mailu DNS validation
+# CoreDNS DNSSEC Configuration - Infrastructure component for Mailu DNS validation
 local_resource(
-    'unbound-helm',
+    'coredns-dnssec',
     cmd='''
-        echo "Deploying Unbound DNS resolver via Helm..."
+        echo "Configuring CoreDNS with DNS-over-TLS for DNSSEC validation..."
         echo ""
 
-        # Check if Unbound is already deployed
-        if helm list -n bakery-ia | grep -q unbound; then
-            echo "Unbound already deployed, checking status..."
-            helm status unbound -n bakery-ia
-        else
-            echo "Installing Unbound..."
+        # Check if CoreDNS is already configured with DNS-over-TLS
+        CURRENT_FORWARD=$(kubectl get configmap coredns -n kube-system -o jsonpath='{.data.Corefile}' 2>/dev/null | grep -o 'tls://1.1.1.1' || echo "")
 
-            # Determine environment (dev or prod) based on context
-            ENVIRONMENT="dev"
-            if [[ "$(kubectl config current-context)" == *"prod"* ]]; then
-                ENVIRONMENT="prod"
-            fi
+        if [ -z "$CURRENT_FORWARD" ]; then
+            echo "Updating CoreDNS to use DNS-over-TLS with Cloudflare..."
 
-            echo "Environment detected: $ENVIRONMENT"
-
-            # Install Unbound with appropriate values
-            if [ "$ENVIRONMENT" = "dev" ]; then
-                helm upgrade --install unbound infrastructure/platform/networking/dns/unbound-helm \
-                    -n bakery-ia \
-                    --create-namespace \
-                    -f infrastructure/platform/networking/dns/unbound-helm/values.yaml \
-                    -f infrastructure/platform/networking/dns/unbound-helm/dev/values.yaml \
-                    --timeout 5m \
-                    --wait
-            else
-                helm upgrade --install unbound infrastructure/platform/networking/dns/unbound-helm \
-                    -n bakery-ia \
-                    --create-namespace \
-                    -f infrastructure/platform/networking/dns/unbound-helm/values.yaml \
-                    -f infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml \
-                    --timeout 5m \
-                    --wait
-            fi
-
-            echo ""
-            echo "Unbound deployment completed"
-        fi
-
-        echo ""
-        echo "Unbound DNS Service Information:"
-        echo "   Service Name: unbound-dns.bakery-ia.svc.cluster.local"
-        echo "   Ports: UDP/TCP 53"
-        echo "   Used by: Mailu for DNS validation"
-        echo ""
-        echo "To check pod status: kubectl get pods -n bakery-ia | grep unbound"
-    ''',
-    resource_deps=['security-setup'],
-    labels=['01-infrastructure'],
-    auto_init=True  # Auto-deploy with Tilt startup
-)
-
-# Mail Infrastructure (Mailu) - Manual trigger for Helm deployment
-local_resource(
-    'mailu-helm',
-    cmd='''
-        echo "Deploying Mailu via Helm..."
-        echo ""
-
-        # =====================================================
-        # Step 1: Ensure Unbound is deployed and get its IP
-        # =====================================================
-        echo "Checking Unbound DNS resolver..."
-        if ! kubectl get svc unbound-dns -n bakery-ia &>/dev/null; then
-            echo "ERROR: Unbound DNS service not found!"
-            echo "Please deploy Unbound first by triggering 'unbound-helm' resource"
-            exit 1
-        fi
-
-        UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
-        echo "Unbound DNS service IP: $UNBOUND_IP"
-
-        # =====================================================
-        # Step 2: Configure CoreDNS to forward to Unbound
-        # =====================================================
-        echo ""
-        echo "Configuring CoreDNS to forward external queries to Unbound for DNSSEC validation..."
-
-        # Check current CoreDNS forward configuration
-        CURRENT_FORWARD=$(kubectl get configmap coredns -n kube-system -o jsonpath='{.data.Corefile}' | grep -o 'forward \\. [0-9.]*' | awk '{print $3}')
-
-        if [ "$CURRENT_FORWARD" != "$UNBOUND_IP" ]; then
-            echo "Updating CoreDNS to forward to Unbound ($UNBOUND_IP)..."
-
-            # Change to project root to ensure correct file paths
-            cd /Users/urtzialfaro/Documents/bakery-ia
-
-            # Create a temporary Corefile with the forwarding configuration
+            # Create a temporary Corefile with the DNS-over-TLS configuration
             TEMP_COREFILE=$(mktemp)
             cat > "$TEMP_COREFILE" << EOF
 .:53 {
@@ -836,8 +756,9 @@ local_resource(
        ttl 30
     }
     prometheus :9153
-    forward . $UNBOUND_IP {
-       max_concurrent 1000
+    forward . tls://1.1.1.1 tls://1.0.0.1 {
+       tls_servername cloudflare-dns.com
+       health_check 5s
     }
     cache 30 {
        disable success cluster.local
@@ -871,13 +792,44 @@ EOF
             kubectl rollout restart deployment coredns -n kube-system
             echo "Waiting for CoreDNS to restart..."
             kubectl rollout status deployment coredns -n kube-system --timeout=60s
-            echo "CoreDNS configured successfully"
+            echo "CoreDNS configured successfully with DNS-over-TLS"
         else
-            echo "CoreDNS already configured to forward to Unbound"
+            echo "CoreDNS already configured with DNS-over-TLS"
         fi
 
+        # Get CoreDNS service IP
+        COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
+
+        echo ""
+        echo "CoreDNS DNSSEC Configuration:"
+        echo "   CoreDNS IP: $COREDNS_IP"
+        echo "   Upstream: Cloudflare DNS-over-TLS (1.1.1.1, 1.0.0.1)"
+        echo "   DNSSEC: Validated by Cloudflare"
+        echo "   Used by: Mailu for DNS validation"
+        echo ""
+        echo "To check CoreDNS status: kubectl get pods -n kube-system -l k8s-app=kube-dns"
+    ''',
+    resource_deps=['security-setup'],
+    labels=['01-infrastructure'],
+    auto_init=True  # Auto-deploy with Tilt startup
+)
+
+# Mail Infrastructure (Mailu) - Manual trigger for Helm deployment
+local_resource(
+    'mailu-helm',
+    cmd='''
+        echo "Deploying Mailu via Helm..."
+        echo ""
+
         # =====================================================
-        # Step 3: Create self-signed TLS certificate for Mailu Front
+        # Step 1: Get CoreDNS service IP
+        # =====================================================
+        echo "Getting CoreDNS service IP..."
+        COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
+        echo "CoreDNS service IP: $COREDNS_IP"
+
+        # =====================================================
+        # Step 2: Create self-signed TLS certificate for Mailu Front
         # =====================================================
         echo ""
         echo "Checking Mailu TLS certificates..."
@@ -905,7 +857,7 @@ EOF
         fi
 
         # =====================================================
-        # Step 4: Deploy Mailu via Helm
+        # Step 3: Deploy Mailu via Helm
         # =====================================================
         echo ""
 
@@ -938,6 +890,7 @@ EOF
                     --create-namespace \
                     -f infrastructure/platform/mail/mailu-helm/values.yaml \
                     -f infrastructure/platform/mail/mailu-helm/dev/values.yaml \
+                    --set global.custom_dns_servers="$COREDNS_IP" \
                     --timeout 10m
             else
                 helm upgrade --install mailu mailu/mailu \
@@ -945,6 +898,7 @@ EOF
                     --create-namespace \
                     -f infrastructure/platform/mail/mailu-helm/values.yaml \
                     -f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
+                    --set global.custom_dns_servers="$COREDNS_IP" \
                     --timeout 10m
             fi
 
@@ -953,7 +907,7 @@ EOF
         fi
 
         # =====================================================
-        # Step 5: Apply Mailu Ingress
+        # Step 4: Apply Mailu Ingress
         # =====================================================
         echo ""
         echo "Applying Mailu ingress configuration..."
@@ -962,7 +916,7 @@ EOF
         echo "Mailu ingress applied for mail.bakery-ia.dev"
 
         # =====================================================
-        # Step 6: Wait for pods and show status
+        # Step 5: Wait for pods and show status
         # =====================================================
         echo ""
         echo "Waiting for Mailu pods to be ready..."
@@ -975,16 +929,20 @@ EOF
         echo ""
         echo "Mailu Access Information:"
         echo "   Admin Panel: https://mail.bakery-ia.dev/admin"
-        echo "   Webmail:     https://mail.bakery-ia.ldev/webmail"
+        echo "   Webmail:     https://mail.bakery-ia.dev/webmail"
         echo "   SMTP:        mail.bakery-ia.dev:587 (STARTTLS)"
         echo "   IMAP:        mail.bakery-ia.dev:993 (SSL/TLS)"
         echo ""
+        echo "DNS Configuration:"
+        echo "   CoreDNS IP: $COREDNS_IP"
+        echo "   DNSSEC: Provided via DNS-over-TLS (Cloudflare)"
+        echo ""
         echo "To create admin user:"
         echo "   Admin user created automatically via initialAccount feature in Helm values"
         echo ""
         echo "To check pod status: kubectl get pods -n bakery-ia | grep mailu"
     ''',
-    resource_deps=['unbound-helm'],  # Ensure Unbound is deployed first
+    resource_deps=['coredns-dnssec'],  # Ensure CoreDNS DNSSEC is configured first
     labels=['01-infrastructure'],
     auto_init=False,  # Manual trigger only
 )