bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix resources isues 5

Browse Source
This commit is contained in:
Bakery Admin
2026-01-22 11:15:11 +01:00
parent 6505044f24
commit 0183f3ab72
20 changed files with 399 additions and 1193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

189
docs/PILOT_LAUNCH_GUIDE.md
View File

@@ -91,7 +91,7 @@ The Bakery-IA platform is organized into distinct infrastructure layers, each wi
│ PostgreSQL (18 DBs) │ Redis │ RabbitMQ │ MinIO │
├─────────────────────────────────────────────────────────────────────────────┤
│ LAYER 2: NETWORK & SECURITY │
Unbound DNS │ CoreDNS │ Ingress Controller │ Cert-Manager │ TLS
CoreDNS (DNS-over-TLS) │ Ingress Controller │ Cert-Manager │ TLS │
├─────────────────────────────────────────────────────────────────────────────┤
│ LAYER 1: FOUNDATION │
│ Namespaces │ Storage Classes │ RBAC │ ConfigMaps │ Secrets │
@@ -112,11 +112,9 @@ Components must be deployed in a specific order due to dependencies:
3. TLS Certificates (internal + ingress)
4. Unbound DNS Resolver (required for Mailu DNSSEC)
4. CoreDNS Configuration (DNS-over-TLS for DNSSEC)
5. CoreDNS Configuration (forward to Unbound)
6. Ingress Controller & Resources
5. Ingress Controller & Resources
7. Data Layer: PostgreSQL, Redis, RabbitMQ, MinIO
@@ -146,7 +144,6 @@ Components must be deployed in a specific order due to dependencies:
| **Redis** | Caching & sessions | Yes | bakery-ia |
| **RabbitMQ** | Message broker | Yes | bakery-ia |
| **MinIO** | Object storage (ML models) | Yes | bakery-ia |
| **Unbound DNS** | DNSSEC resolver | For Mailu | bakery-ia |
| **Mailu** | Self-hosted email server | Optional | bakery-ia |
| **Nominatim** | Geocoding service | Optional | bakery-ia |
| **Gitea** | Git server + container registry | Optional | gitea |
@@ -945,9 +942,8 @@ SMTP_PORT: 587
#### Prerequisites
Before deploying Mailu, ensure:
1. **Unbound DNS is deployed** (for DNSSEC validation)
2. **CoreDNS is configured** to forward to Unbound
3. **DNS records are configured** for your domain
1. **CoreDNS is configured** with DNS-over-TLS for DNSSEC validation
2. **DNS records are configured** for your domain
#### Step 1: Configure DNS Records
@@ -963,55 +959,64 @@ TXT _dmarc v=DMARC1; p=reject; rua=... Auto
**DKIM record** will be generated after Mailu is running - you'll add it later.
#### Step 2: Deploy Unbound DNS Resolver
#### Step 2: Configure CoreDNS for DNSSEC (DNS-over-TLS)
Unbound provides DNSSEC validation required by Mailu for email authentication.
Mailu requires DNSSEC validation. Configure CoreDNS to use DNS-over-TLS with Cloudflare:
```bash
# On VPS - Deploy Unbound via Helm
helm upgrade --install unbound infrastructure/platform/networking/dns/unbound-helm \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/networking/dns/unbound-helm/values.yaml \
-f infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml \
--timeout 5m \
--wait
# Check if CoreDNS is already configured with DNS-over-TLS
kubectl get configmap coredns -n kube-system -o jsonpath='{.data.Corefile}' | grep -o 'tls://1.1.1.1' || echo "Not configured"
# Verify Unbound is running
kubectl get pods -n bakery-ia | grep unbound
# Should show: unbound-xxx 1/1 Running
# If not configured, update CoreDNS
cat > /tmp/coredns-corefile.yaml << 'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . tls://1.1.1.1 tls://1.0.0.1 {
tls_servername cloudflare-dns.com
health_check 5s
}
cache 30 {
disable success cluster.local
disable denial cluster.local
}
loop
reload
loadbalance
}
EOF
# Get Unbound service IP (needed for CoreDNS configuration)
UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
echo "Unbound DNS IP: $UNBOUND_IP"
```
#### Step 3: Configure CoreDNS for DNSSEC
Mailu requires DNSSEC validation. Configure CoreDNS to forward external queries to Unbound:
```bash
# Get the Unbound service IP
UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
# Patch CoreDNS to forward to Unbound
kubectl patch configmap coredns -n kube-system --type merge -p "{
\"data\": {
\"Corefile\": \".:53 {\\n errors\\n health {\\n lameduck 5s\\n }\\n ready\\n kubernetes cluster.local in-addr.arpa ip6.arpa {\\n pods insecure\\n fallthrough in-addr.arpa ip6.arpa\\n ttl 30\\n }\\n prometheus :9153\\n forward . $UNBOUND_IP {\\n max_concurrent 1000\\n }\\n cache 30 {\\n disable success cluster.local\\n disable denial cluster.local\\n }\\n loop\\n reload\\n loadbalance\\n}\\n\"
}
}"
kubectl apply -f /tmp/coredns-corefile.yaml
# Restart CoreDNS to apply changes
kubectl rollout restart deployment coredns -n kube-system
kubectl rollout status deployment coredns -n kube-system --timeout=60s
# Verify DNSSEC is working
kubectl run -it --rm debug --image=alpine --restart=Never -- \
sh -c "apk add drill && drill -D google.com"
# Should show: ;; flags: ... ad ... (ad = authenticated data = DNSSEC valid)
# Get CoreDNS service IP (needed for Mailu configuration)
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
echo "CoreDNS IP: $COREDNS_IP"
# Verify DNS resolution is working
kubectl run -it --rm dns-test --image=busybox --restart=Never -- nslookup google.com
```
#### Step 4: Create TLS Certificate Secret
#### Step 3: Create TLS Certificate Secret
Mailu Front pod requires a TLS certificate:
@@ -1036,7 +1041,7 @@ rm -rf "$TEMP_DIR"
kubectl get secret mailu-certificates -n bakery-ia
```
#### Step 5: Create Admin Credentials Secret
#### Step 4: Create Admin Credentials Secret
```bash
# Generate a secure password (or use your own)
@@ -1050,30 +1055,35 @@ kubectl create secret generic mailu-admin-credentials \
-n bakery-ia
```
#### Step 6: Deploy Mailu via Helm
#### Step 5: Deploy Mailu via Helm
```bash
# Add Mailu Helm repository
helm repo add mailu https://mailu.github.io/helm-charts
helm repo update mailu
# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
# Deploy Mailu with production values
# Admin user is created automatically via initialAccount feature
# CoreDNS provides DNSSEC validation via DNS-over-TLS to Cloudflare
helm upgrade --install mailu mailu/mailu \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
--set global.custom_dns_servers="$COREDNS_IP" \
--timeout 10m
# Wait for pods to be ready (may take 5-10 minutes for ClamAV)
kubectl get pods -n bakery-ia -l app.kubernetes.io/instance=mailu -w
# Admin user (admin@bakewise.ai) is created automatically!
# Password is the one you set in Step 5
# Password is the one you set in Step 4
```
#### Step 7: Configure DKIM
#### Step 6: Configure DKIM
After Mailu is running, get the DKIM key and add it to DNS:
@@ -1087,7 +1097,7 @@ kubectl exec -n bakery-ia deployment/mailu-admin -- \
# Value: (the key from above)
```
#### Step 8: Verify Email Setup
#### Step 7: Verify Email Setup
```bash
# Check all Mailu pods are running
@@ -1117,11 +1127,11 @@ kubectl port-forward -n bakery-ia svc/mailu-front 8080:80
**Issue: Admin pod CrashLoopBackOff with "DNSSEC validation" error**
```bash
# Verify CoreDNS is forwarding to Unbound
kubectl get configmap coredns -n kube-system -o yaml | grep forward
# Should show: forward . <unbound-ip>
# Verify CoreDNS is configured with DNS-over-TLS
kubectl get configmap coredns -n kube-system -o yaml | grep 'tls://'
# Should show: tls://1.1.1.1 tls://1.0.0.1
# If not, re-run Step 3 above
# If not, re-run Step 2 above
```
**Issue: Front pod stuck in ContainerCreating**
@@ -1129,7 +1139,7 @@ kubectl get configmap coredns -n kube-system -o yaml | grep forward
# Check for missing certificate secret
kubectl describe pod -n bakery-ia -l app.kubernetes.io/component=front | grep -A5 Events
# If missing mailu-certificates, re-run Step 4 above
# If missing mailu-certificates, re-run Step 3 above
```
**Issue: Admin pod can't connect to Redis**
@@ -2018,41 +2028,22 @@ Mailu is a full-featured, self-hosted email server with built-in antispam, webma
### Prerequisites
Before deploying Mailu:
- [ ] Unbound DNS resolver deployed (for DNSSEC validation)
- [ ] CoreDNS configured with DNS-over-TLS for DNSSEC validation
- [ ] DNS records configured for mail domain
- [ ] TLS certificates available
- [ ] Mailgun account created and domain verified (for outbound email relay)
### Step 1: Deploy Unbound DNS Resolver
### Step 1: Configure CoreDNS for DNSSEC (DNS-over-TLS)
Mailu requires DNSSEC validation for email authentication (DKIM/SPF/DMARC).
CoreDNS is configured to use DNS-over-TLS with Cloudflare for DNSSEC validation.
```bash
# Deploy Unbound via Helm
helm upgrade --install unbound infrastructure/platform/networking/dns/unbound-helm \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/networking/dns/unbound-helm/values.yaml \
-f infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml \
--timeout 5m \
--wait
# Check if CoreDNS is already configured with DNS-over-TLS
kubectl get configmap coredns -n kube-system -o jsonpath='{.data.Corefile}' | grep -o 'tls://1.1.1.1' || echo "Not configured"
# Verify Unbound is running
kubectl get pods -n bakery-ia | grep unbound
# Get Unbound service IP
UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
echo "Unbound DNS IP: $UNBOUND_IP"
```
### Step 2: Configure CoreDNS for DNSSEC
```bash
# Get Unbound IP
UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
# Create updated CoreDNS ConfigMap
cat > /tmp/coredns-config.yaml <<EOF
# If not configured, update CoreDNS ConfigMap
cat > /tmp/coredns-config.yaml << 'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
@@ -2072,8 +2063,9 @@ data:
ttl 30
}
prometheus :9153
forward . $UNBOUND_IP {
max_concurrent 1000
forward . tls://1.1.1.1 tls://1.0.0.1 {
tls_servername cloudflare-dns.com
health_check 5s
}
cache 30 {
disable success cluster.local
@@ -2092,10 +2084,12 @@ kubectl apply -f /tmp/coredns-config.yaml
kubectl rollout restart deployment coredns -n kube-system
kubectl rollout status deployment coredns -n kube-system --timeout=60s
# Verify DNSSEC is working
kubectl run -it --rm dns-test --image=alpine --restart=Never -- \
sh -c "apk add drill && drill -D google.com"
# Look for "ad" flag (authenticated data) in output
# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
echo "CoreDNS IP: $COREDNS_IP"
# Verify DNS resolution is working
kubectl run -it --rm dns-test --image=busybox --restart=Never -- nslookup google.com
```
### Step 3: Configure Mailgun (External SMTP Relay)
@@ -2216,15 +2210,20 @@ kubectl apply -f infrastructure/platform/mail/mailu-helm/configs/mailu-admin-cre
helm repo add mailu https://mailu.github.io/helm-charts
helm repo update mailu
# Get CoreDNS service IP for Mailu DNS configuration
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
# Deploy Mailu with production values
# Note:
# - externalRelay uses Mailgun via the secret created in Step 3
# - initialAccount creates admin user automatically using the secret from Step 6
# - CoreDNS provides DNSSEC validation via DNS-over-TLS (Cloudflare)
helm upgrade --install mailu mailu/mailu \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
--set global.custom_dns_servers="$COREDNS_IP" \
--timeout 10m
# Wait for pods to be ready (ClamAV may take 5-10 minutes)
@@ -2306,11 +2305,11 @@ kubectl port-forward -n bakery-ia svc/mailu-front 8080:80
#### Admin Pod CrashLoopBackOff with DNSSEC Error
```bash
# Verify CoreDNS is forwarding to Unbound
kubectl get configmap coredns -n kube-system -o yaml | grep forward
# Should show: forward . <unbound-ip>
# Verify CoreDNS is configured with DNS-over-TLS
kubectl get configmap coredns -n kube-system -o yaml | grep 'tls://'
# Should show: tls://1.1.1.1 tls://1.0.0.1
# If not configured, re-run Step 2
# If not configured, re-run Step 1
```
#### Front Pod Stuck in ContainerCreating
@@ -3419,8 +3418,7 @@ kubectl scale deployment monitoring -n bakery-ia --replicas=0
- [ ] End-to-end pipeline test successful
### Email Infrastructure (Optional - Mailu)
- [ ] Unbound DNS resolver deployed
- [ ] CoreDNS configured for DNSSEC
- [ ] CoreDNS configured with DNS-over-TLS for DNSSEC
- [ ] Mailu TLS certificate created
- [ ] Mailu deployed via Helm
- [ ] Admin user created
@@ -3473,8 +3471,7 @@ kubectl scale deployment monitoring -n bakery-ia --replicas=0
- Webhook integration and end-to-end testing
- Troubleshooting guide for CI/CD issues
- **NEW: Mailu Email Server Deployment** - Comprehensive self-hosted email setup
- Unbound DNS resolver deployment for DNSSEC
- CoreDNS configuration for mail authentication
- CoreDNS configuration with DNS-over-TLS for DNSSEC validation
- Mailu Helm deployment with all components
- DKIM/SPF/DMARC configuration
- Troubleshooting common Mailu issues