Add new infra architecture

2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions
--- a/infrastructure/platform/mail/mailu/WEBMAIL_DNS_CONFIGURATION.md
+++ b/infrastructure/platform/mail/mailu/WEBMAIL_DNS_CONFIGURATION.md
@@ -0,0 +1,265 @@
+# Webmail DNS Configuration Guide
+
+This guide provides the DNS configuration required to make the webmail system accessible from `webmail.bakewise.ai`.
+
+## Production DNS Configuration
+
+### Required DNS Records for `webmail.bakewise.ai`
+
+```bash
+# A Record for webmail subdomain
+webmail.bakewise.ai.    IN A    <your-ingress-ip>
+
+# CNAME Record (alternative approach)
+webmail.bakewise.ai.    IN CNAME    bakewise.ai.
+
+# MX Record for email delivery (if receiving emails)
+bakewise.ai.            IN MX    10 webmail.bakewise.ai.
+
+# SPF Record (authorize webmail server)
+bakewise.ai.            IN TXT   "v=spf1 include:mailgun.org ~all"
+
+# DKIM Record (will be generated by Mailu)
+mailu._domainkey.bakewise.ai.    IN TXT   "v=DKIM1; k=rsa; p=<public-key>"
+
+# DMARC Record
+_dmarc.bakewise.ai.     IN TXT   "v=DMARC1; p=quarantine; rua=mailto:dmarc@bakewise.ai"
+```
+
+## Development DNS Configuration
+
+### Required DNS Records for `webmail.bakery-ia.local`
+
+For local development, add these entries to your `/etc/hosts` file:
+
+```bash
+# Add to /etc/hosts
+127.0.0.1    webmail.bakery-ia.local
+127.0.0.1    bakery-ia.local
+127.0.0.1    monitoring.bakery-ia.local
+```
+
+## TLS Certificate Configuration
+
+The ingress configuration includes automatic TLS certificate provisioning using cert-manager with Let's Encrypt.
+
+### Production TLS Configuration
+
+The production ingress (`prod-ingress.yaml`) includes:
+
+```yaml
+tls:
+- hosts:
+  - bakewise.ai
+  - monitoring.bakewise.ai
+  - webmail.bakewise.ai  # ← Added webmail domain
+  secretName: bakery-ia-prod-tls-cert
+```
+
+### Development TLS Configuration
+
+The development ingress (`dev-ingress.yaml`) includes:
+
+```yaml
+tls:
+- hosts:
+  - localhost
+  - bakery-ia.local
+  - monitoring.bakery-ia.local
+  - webmail.bakery-ia.local  # ← Added webmail domain
+  secretName: bakery-dev-tls-cert
+```
+
+## Ingress Routing Configuration
+
+### Production Routing
+
+The production ingress routes traffic as follows:
+
+- `https://bakewise.ai/` → Frontend service (port 3000)
+- `https://bakewise.ai/api/` → Gateway service (port 8000)
+- `https://monitoring.bakewise.ai/` → SigNoz monitoring (port 8080)
+- `https://webmail.bakewise.ai/` → Email webmail (port 80)
+- `https://webmail.bakewise.ai/webmail` → Email webmail
+- `https://webmail.bakewise.ai/admin` → Email admin interface
+
+### Development Routing
+
+The development ingress routes traffic as follows:
+
+- `https://localhost/` → Frontend service (port 3000)
+- `https://localhost/api/` → Gateway service (port 8000)
+- `https://bakery-ia.local/` → Frontend service (port 3000)
+- `https://bakery-ia.local/api/` → Gateway service (port 8000)
+- `https://monitoring.bakery-ia.local/` → SigNoz monitoring (port 8080)
+- `https://webmail.bakery-ia.local/` → Email webmail (port 80)
+- `https://webmail.bakery-ia.local/webmail` → Email webmail
+- `https://webmail.bakery-ia.local/admin` → Email admin interface
+
+## Security Headers
+
+The webmail ingress includes enhanced security headers:
+
+```nginx
+Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; 
+style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; 
+connect-src 'self'; frame-src 'self';
+Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+```
+
+## Deployment Steps
+
+### 1. Update DNS Records
+
+```bash
+# For production (using Cloudflare as example)
+cfcli dns create bakewise.ai A webmail <ingress-ip> --ttl 3600 --proxied
+
+# For development (add to /etc/hosts)
+echo "127.0.0.1 webmail.bakery-ia.local" | sudo tee -a /etc/hosts
+```
+
+### 2. Apply Ingress Configuration
+
+```bash
+# Apply the updated ingress configuration
+kubectl apply -k infrastructure/environments/prod/k8s-manifests/
+
+# Verify the ingress is configured correctly
+kubectl get ingress -n bakery-ia
+kubectl describe ingress bakery-ingress-prod -n bakery-ia
+```
+
+### 3. Verify TLS Certificates
+
+```bash
+# Check TLS certificate status
+kubectl get certificaterequest -n bakery-ia
+kubectl get certificate -n bakery-ia
+
+# Check certificate details
+kubectl describe certificate bakery-ia-prod-tls-cert -n bakery-ia
+```
+
+### 4. Test Webmail Access
+
+```bash
+# Test webmail accessibility
+curl -I https://webmail.bakewise.ai
+curl -I https://webmail.bakewise.ai/webmail
+curl -I https://webmail.bakewise.ai/admin
+
+# Test from browser
+open https://webmail.bakewise.ai
+```
+
+## Troubleshooting
+
+### DNS Issues
+
+```bash
+# Check DNS resolution
+dig webmail.bakewise.ai
+nslookup webmail.bakewise.ai
+
+# Check ingress controller logs
+kubectl logs -f -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
+```
+
+### TLS Issues
+
+```bash
+# Check cert-manager logs
+kubectl logs -f -n cert-manager -l app=cert-manager
+
+# Check certificate status
+kubectl get certificaterequest,certificate,order,challenge -n bakery-ia
+```
+
+### Ingress Issues
+
+```bash
+# Check ingress controller events
+kubectl get events -n ingress-nginx
+
+# Check ingress description
+kubectl describe ingress -n bakery-ia
+```
+
+## Monitoring and Maintenance
+
+### Check Webmail Service Status
+
+```bash
+# Check email services
+kubectl get pods -n bakery-ia -l app=email
+
+# Check webmail service
+kubectl get service email-webmail -n bakery-ia
+
+# Check ingress routing
+kubectl get ingress -n bakery-ia -o yaml | grep -A 10 webmail
+```
+
+### Update DNS Records
+
+When the ingress IP changes, update the DNS records:
+
+```bash
+# Get current ingress IP
+kubectl get service -n ingress-nginx ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+
+# Update DNS (Cloudflare example)
+cfcli dns update bakewise.ai A webmail <new-ip> --ttl 3600 --proxied
+```
+
+## Access Information
+
+After configuration, the webmail system will be accessible at:
+
+- **Production**: `https://webmail.bakewise.ai`
+- **Development**: `https://webmail.bakery-ia.local`
+
+Default credentials (configured in secrets):
+- **Admin**: `admin@bakewise.ai`
+- **Password**: Configured in `email-secrets`
+
+## Integration with Existing Systems
+
+The webmail system integrates with:
+
+1. **SMTP Service**: `email-smtp.bakery-ia.svc.cluster.local:587`
+2. **IMAP Service**: `email-imap.bakery-ia.svc.cluster.local:993`
+3. **Notification Service**: Uses the new SMTP service for email notifications
+4. **Monitoring**: SigNoz alerts use the new email service
+
+## Backup and Recovery
+
+### DNS Backup
+
+```bash
+# Export DNS records (Cloudflare example)
+cfcli dns export bakewise.ai > dns-backup.json
+
+# Restore DNS records
+cfcli dns import bakewise.ai dns-backup.json
+```
+
+### Certificate Backup
+
+```bash
+# Export TLS secrets
+kubectl get secret bakery-ia-prod-tls-cert -n bakery-ia -o yaml > tls-backup.yaml
+
+# Restore TLS secrets
+kubectl apply -f tls-backup.yaml
+```
+
+## References
+
+- [Cert-manager Documentation](https://cert-manager.io/docs/)
+- [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [DNS Configuration Best Practices](https://www.cloudflare.com/learning/dns/)
+
+This configuration provides a secure, scalable webmail solution that integrates seamlessly with the existing Bakery-IA infrastructure.