Add new infra architecture 8

infrastructure/cicd/gitea/values.yaml

@@ -8,6 +8,11 @@
 #
 # NOTE: The namespace is determined by the -n flag during helm install, not in this file.
 
+# Use regular Gitea image instead of rootless to ensure registry functionality
+# Rootless images don't support container registry due to security restrictions
+image:
+  rootless: false
+
 service:
   http:
     type: ClusterIP
@@ -15,9 +20,12 @@ service:
   ssh:
     type: ClusterIP
     port: 2222
+  # NOTE: Gitea's container registry is served on port 3000 (same as HTTP) under /v2/
+  # The registry.PORT in gitea config is NOT used for external access
+  # Registry authentication and API is handled by the main HTTP service
 
 ingress:
-  enabled: false
+  enabled: false  # Disable Gitea's built-in ingress - use common ingress instead
 
 persistence:
   enabled: true
@@ -39,16 +47,27 @@ gitea:
     server:
       DOMAIN: gitea.bakery-ia.local
       SSH_DOMAIN: gitea.bakery-ia.local
-      # Use HTTP internally; TLS termination happens at ingress
-      ROOT_URL: http://gitea.bakery-ia.local
+      # Use HTTPS for external access; TLS termination happens at ingress
+      ROOT_URL: https://gitea.bakery-ia.local
       HTTP_PORT: 3000
-      # For external HTTPS access via ingress, set:
-      # ROOT_URL: https://gitea.bakery-ia.local
+      # Enable package registry
+      PACKAGES_ENABLED: true
+      # Disable built-in HTTPS since ingress handles TLS
+      PROTOCOL: http
     repository:
       ENABLE_PUSH_CREATE_USER: true
       ENABLE_PUSH_CREATE_ORG: true
     packages:
       ENABLED: true
+    registry:
+      ENABLE: true
+      ROOT: /var/lib/gitea-registry
+      STORAGE_TYPE: local
+      # NOTE: PORT config here is internal - registry is accessed via HTTP port on /v2/ path
+    # Additional registry configuration for proper external access
+    docker:
+      ENABLE: true
+      REGISTRY_SSL_REDIRECT: false  # SSL termination happens at ingress
     webhook:
       ALLOWED_HOST_LIST: "*"
       # Allow internal cluster URLs for Tekton EventListener

infrastructure/environments/dev/k8s-manifests/dev-certificate.yaml

@@ -26,6 +26,8 @@ spec:
     - api.bakery-ia.local
     - monitoring.bakery-ia.local
     - "*.bakery-ia.local"
+    - "mail.bakery-ia.dev"
+    - "*.bakery-ia.dev"
 
   # IP addresses (for localhost)
   ipAddresses:

infrastructure/platform/mail/mailu-helm/MIGRATION_GUIDE.md

@@ -57,10 +57,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    - mail.bakery-ia.local  # or mail.bakewise.ai for prod
+    - mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     secretName: mail-tls-secret  # Your TLS Secret
   rules:
-  - host: mail.bakery-ia.local  # or mail.bakewise.ai for prod
+  - host: mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     http:
       paths:
       - path: /

infrastructure/platform/mail/mailu-helm/README.md

@@ -105,10 +105,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    - mail.bakery-ia.local  # or mail.bakewise.ai for prod
+    - mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     secretName: mail-tls-secret  # Your TLS Secret
   rules:
-  - host: mail.bakery-ia.local  # or mail.bakewise.ai for prod
+  - host: mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     http:
       paths:
       - path: /

infrastructure/platform/mail/mailu-helm/configs/mailu-certificates-secret.yaml

@@ -8,7 +8,7 @@
 # To regenerate manually:
 #   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
 #     -keyout tls.key -out tls.crt \
-#     -subj "/CN=mail.bakery-ia.local/O=bakery-ia"
+#     -subj "/CN=mail.bakery-ia.dev/O=bakery-ia"
 #   kubectl create secret tls mailu-certificates \
 #     --cert=tls.crt --key=tls.key -n bakery-ia
 apiVersion: v1
@@ -21,6 +21,6 @@ metadata:
     app.kubernetes.io/component: certificates
 type: kubernetes.io/tls
 data:
-  # Placeholder - will be generated dynamically by the setup script
-  tls.crt: ""
-  tls.key: ""
+  # Generated certificate for mail.bakery-ia.dev
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURRekNDQWl1Z0F3SUJBZ0lVVWg1Rlg5cWlPRDdkc2FmVi9KemlKWWh1WUZJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd01URWJNQmtHQTFVRUF3d1NiV0ZwYkM1aVlXdGxjbmt0YVdFdVpHVjJNUkl3RUFZRFZRUUtEQWxDWVd0bApjbmtnU1VFd0hoY05Nall3TVRFNU1qQTBOakkwV2hjTk1qY3dNVEU1TWpBME5qSTBXakF4TVJzd0dRWURWUVFECkRCSnRZV2xzTG1KaGEyVnllUzFwWVM1a1pYWXhFakFRQmdOVkJBb01DVUpoYTJWeWVTQkpRVENDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJlbXM2YW5DSjV5N0JQNm9KdTQ2TldQSXJ3Zlg3Mgp3WmgxZERJaVlIMmNsalBESldsb3ROU0JFTngxUkZZSEc3Z0VSRVk1MHpFQ3UwSC9Vc0YzRFlPTFhobkYwdVRXCkNSTmJFRjFoYjZNT2lqanVmOWJHKzdsVkJ5NmZkMXZRTzJpOTA1VktxRTdEZllraWIwVkpxN0duVUo5RWFtOFgKSWxTaUphY1F6Mm11WXd6QjBPN3hZeVV3VFFWTDcvSnRNTWs5ZjZDY1ZENXFRMGJuWEJNM2hqcVVGWTlnbEF5dApZZHBUUUhPdms1WXgrZk1nL2JZVlBjQ0VhZFhVVkhBdHoxYlJybGIwenlMc3FXeHd2OXlWN0pCM210TkNmbFdsCkRCWWRIb3J0ZlROTHVSNFhhRTNXT2pnbzkwT1ltbi9PYll6Mld0SXUwMnp5MkhrTnBNYUFvVmtDQXdFQUFhTlQKTUZFd0hRWURWUjBPQkJZRUZMS2hPc254WnpXQ1RyMFFuSTdjaE1hbWtTb2pNQjhHQTFVZEl3UVlNQmFBRkxLaApPc254WnpXQ1RyMFFuSTdjaE1hbWtTb2pNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVCCkJRQURnZ0VCQUFMQ3hGV1VnY3Z3ZVpoRjFHdlNnR3R3VW9WakJtcG1GYnFPMC93S2lqMlhDRmZ6L0FqanZaOHMKOGVIUEc5Z3crbjlpaGNSN016Q2V5ZldRd1FsaTBXZkcySzBvUDFGeUxoYU9aMlhtdU9nNnhNRG5EVzBVZWtqMwpCYWdHc3RFVXpqQlR1UlJ3WS9uck5vb1ZCOVFoYnhoeW9mbXkrVzVmczhZMDNTZG9paTFpWG1iSEhaemMyL21ICmF2UDE0Z3BzWUNDZVl6aklyWm05WWE4Rzhpc2tYelNnZU0vSEhpRzhJOWhKRkJYaHRYYWRjeGkvbU5hNHRKcWgKM1crTEIzaEQ4NFVkZ3MrR3pCZ0hHdnIwdWxMMTQvaUxVRXFySXZaWjN2VTlvNlZ4MlBvRjQ3cjBQNXpOZXVTNwpkRk5xT3JJT2phSm5yMXFVb0tMeWd3RUhqdVRNbUk0PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzlucHJPbXB3aWVjdXcKVCtxQ2J1T2pWanlLOEgxKzlzR1lkWFF5SW1COW5KWXp3eVZwYUxUVWdSRGNkVVJXQnh1NEJFUkdPZE14QXJ0QgovMUxCZHcyRGkxNFp4ZExrMWdrVFd4QmRZVytqRG9vNDduL1d4dnU1VlFjdW4zZGIwRHRvdmRPVlNxaE93MzJKCkltOUZTYXV4cDFDZlJHcHZGeUpVb2lXbkVNOXBybU1Nd2REdThXTWxNRTBGUysveWJUREpQWCtnbkZRK2FrTkcKNTF3VE40WTZsQldQWUpRTXJXSGFVMEJ6cjVPV01mbnpJUDIyRlQzQWhHblYxRlJ3TGM5VzBhNVc5TThpN0tscwpjTC9jbGV5UWQ1clRRbjVWcFF3V0hSNks3WDB6UzdrZUYyaE4xam80S1BkRG1KcC96bTJNOWxyU0x0TnM4dGg1CkRhVEdnS0ZaQWdNQkFBRUNnZ0VBSW51TFQzTVNYYnFrYmdXNmNjblVuOGw0N1JOYTN4SGtsdU1WSkdEWUJ6L0kKbU5VdUlvTW1EMWNCUi9ZVFhVbWhvczh6MDBtRXZHN3d1c25CdE9qL2ppSjBGRi9EUUZZa0JGOFZGTVk1VlArNQo1eXlJRnZqTW9pRnlVdW93L0lOYnFtcUs1YVZVQWk3T3ozZHhvTG9LL1IyZUxiaDFXb3BzZGRPZTRValBUenBVCnU1TVl4NXlMVnVZc1A3U09TSHRrd2UvMDN5RFJLckl2V3k1QlBtYzJRVEhUcEJPVUJHNC9DcFJWR1ozZjhLa0QKN2QrNlZlNzd1TWV1eERPOG1HZ1paNTRpd0NuMStYR2NFcVFVR1Z1WngrcVpodVhTZks0ajR3eWVtbndlRUFCdgptTlNZSXQ2OG91SSs0cEFyV1ZONEFjaXhWRUxIV1d6MDRYTm56WFUyNFFLQmdRRDBlc0JZenVkRzJaU2t5SWJRCnU4SXhwT2RzRjRnU1lpekNkMTNLQktGbm9obTFrVzlYemRmS3ZObnJxcFRPRnJIYkRXUTdpaUhKM2NqVjlBVTUKTlEwMVUzWXY0SzhkdWtnb2MvRUFhbnQvRjhvMG5qc0pJZ2Z2WTFuUHNPVFVFcGtRQk1QSGpraGpyM3FBNkh4dgp4b0I2OEdVdU1OVHRkQitBV0Y0dXR1T2JoUUtCZ1FER2pnNmJnbGpXRVR4TnhBalQxc21reEpzQ2xmbFFteXRmCmNiaDVWempzdGNad2lLSjh1b0xjT0d4b05HWDJIaGJRQU5wRWhUR3FuMEZIbGxFc1BYbXBoeUJVY01JUFZTWEkKRUlLeU9kL3ZMYjhjWG9ydDZMaDNNS0FoakVLbExENVZOcDhXbVlQM3dCVE1ia3BrM0NDdWxDSEJLcEJXV2Y2NgpQWFp0RUZKa3hRS0JnQjNSTHM1bUJhME5jbVNhbEY2MjE1dG9hbFV6bFlQd2QxY01hZUx1cDZUVkQxK21xamJDClF6UlZ6aHBCQnI4UDQ0YzgzZUdwR2kvZG5kWUNXZlM5Tkt3eFRyUE9LbTFzdjhvM1FjaDBORFd1K0Jsc3h2UjUKTXhDT1JIRGhPVGRvUVVURDRBRGhxSkNINFdBQmV0UERHUDVsZldHaDBRWlk2RktsOUc2c0haeGxBb0dBWnlLLwpIN1B6WlM2S3ZuSkhpNUlVSjh3Z0lKVzZiVTVNbDBWQTUzYVJFUlBTd2YyWE9XYkFOcGZ3WjZoZ0ZobkhDOENGCm4vWDN1SU1FcTZTL0FWWGxibFBNVFZCTTNSNERoQXBmZVNocTA1aFZudXpWQ1lOSzNrNlp2eE5XUXVuYWJ2VHkKYWhEUDVjOFdmcUlEYnFTUkxWMndzdC9qSFplZG95dnQ2ZlVDZDJrQ2dZRUFsbzRZelRabC8vays0WGlpeHVMQQpnZ2ZieTBoS3M1QWlLcFY0Q3pVZVE1Y0tZT2k5SXpvQzJMckxTWCtVckgvd0w3MGdCRzZneUNSZ1dLaW1RbmFWCnRZTy8xM1NyUFVnbm51R2o2Q0I1YUVreXYyTGFPVmV2WEZFcmlFbWQ1cWJKSXJYMENmZ1FuRnI2dm5RZDRwUFMKOGRVMkdhaDRiNVdNSjVJdzgwU3BjR0k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K

infrastructure/platform/mail/mailu-helm/dev/values.yaml

@@ -1,18 +1,27 @@
 # Development-tuned Mailu configuration
 global:
-  # Using Kubernetes cluster DNS for name resolution
+  # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
   # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
-  custom_dns_servers: "10.96.0.10"  # Kubernetes cluster DNS IP
+  custom_dns_servers: "10.98.197.120"  # Unbound DNS service IP
 
 # Redis configuration - use built-in Mailu Redis (no authentication needed)
 externalRedis:
   enabled: false
 
 # Component-specific DNS configuration
-# Admin uses Kubernetes DNS (ClusterFirst) to resolve internal services like Redis
-# DNSSEC validation is handled at the application level by rspamd
+# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
 admin:
-  dnsPolicy: "ClusterFirst"
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "10.98.197.120"   # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns)
+    searches:
+      - "bakery-ia.svc.cluster.local"
+      - "svc.cluster.local"
+      - "cluster.local"
+    options:
+      - name: ndots
+        value: "5"
 
 # RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
 # Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
@@ -20,14 +29,16 @@ rspamd:
   dnsPolicy: "ClusterFirst"
 
 # Domain configuration for dev
-domain: "bakery-ia.local"
+# NOTE: Using .dev TLD instead of .local because email-validator library
+# rejects .local domains as "special-use or reserved names" (RFC 6761)
+domain: "bakery-ia.dev"
 hostnames:
-  - "mail.bakery-ia.local"
+  - "mail.bakery-ia.dev"
 
 # External relay configuration for dev
 externalRelay:
   host: "[smtp.mailgun.org]:587"
-  username: "postmaster@bakery-ia.local"
+  username: "postmaster@bakery-ia.dev"
   password: "mailgun-api-key-replace-in-production"
 
 # Environment-specific configurations

infrastructure/platform/mail/mailu-helm/mailu-ingress.yaml

@@ -13,10 +13,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    - mail.bakery-ia.local  # or mail.bakewise.ai for prod
+    - mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     secretName: mail-tls-secret  # Your TLS Secret
   rules:
-  - host: mail.bakery-ia.local  # or mail.bakewise.ai for prod
+  - host: mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     http:
       paths:
       - path: /

infrastructure/platform/networking/dns/unbound-helm/dev/values.yaml

@@ -33,4 +33,32 @@ probes:
   liveness:
     initialDelaySeconds: 30
     periodSeconds: 60
-    command: "drill @127.0.0.1 -p 53 example.org || echo 'DNS query test'"
+    command: "drill @127.0.0.1 -p 53 example.org || echo 'DNS query test'"
+
+# Custom Unbound forward records for Kubernetes DNS
+config:
+  enabled: true
+  # The mvance/unbound image includes forward-records.conf
+  # We need to add Kubernetes-specific forwarding zones
+  forwardRecords: |
+    # Forward all queries to Cloudflare with DNSSEC (catch-all)
+    forward-zone:
+        name: "."
+        forward-tls-upstream: yes
+        forward-addr: 1.1.1.1@853#cloudflare-dns.com
+        forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+  # Additional server config to mark cluster.local as insecure (no DNSSEC)
+  # and use stub zones for Kubernetes internal DNS (more reliable than forward)
+  serverConfig: |
+    domain-insecure: "cluster.local."
+    private-domain: "cluster.local."
+    local-zone: "10.in-addr.arpa." nodefault
+
+    stub-zone:
+        name: "cluster.local."
+        stub-addr: 10.96.0.10
+
+    stub-zone:
+        name: "10.in-addr.arpa."
+        stub-addr: 10.96.0.10

infrastructure/platform/networking/dns/unbound-helm/templates/configmap.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.config.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "unbound.fullname" . }}-config
+  namespace: {{ .Values.global.namespace }}
+  labels:
+    {{- include "unbound.labels" . | nindent 4 }}
+data:
+  {{- if .Values.config.forwardRecords }}
+  forward-records.conf: |
+{{ .Values.config.forwardRecords | indent 4 }}
+  {{- end }}
+  {{- if .Values.config.serverConfig }}
+  a-records.conf: |
+{{ .Values.config.serverConfig | indent 4 }}
+  {{- end }}
+  {{- if .Values.config.content }}
+  unbound.conf: |
+{{ .Values.config.content | indent 4 }}
+  {{- end }}
+{{- end }}

infrastructure/platform/networking/dns/unbound-helm/templates/deployment.yaml

@@ -61,18 +61,40 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
           volumeMounts:
+            {{- if .Values.config.enabled }}
+            {{- if .Values.config.forwardRecords }}
+            - name: unbound-config
+              mountPath: /opt/unbound/etc/unbound/forward-records.conf
+              subPath: forward-records.conf
+            {{- end }}
+            {{- if .Values.config.serverConfig }}
+            - name: unbound-config
+              mountPath: /opt/unbound/etc/unbound/a-records.conf
+              subPath: a-records.conf
+            {{- end }}
+            {{- if .Values.config.content }}
+            - name: unbound-config
+              mountPath: /opt/unbound/etc/unbound/unbound.conf
+              subPath: unbound.conf
+            {{- end }}
+            {{- end }}
+            {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- end }}
           {{- with .Values.env }}
           env:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-      {{- with .Values.volumes }}
       volumes:
+        {{- if .Values.config.enabled }}
+        - name: unbound-config
+          configMap:
+            name: {{ include "unbound.fullname" . }}-config
+        {{- end }}
+        {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

infrastructure/platform/networking/ingress/base/ingress.yaml

@@ -33,6 +33,7 @@ spec:
   - hosts:
     - DOMAIN_PLACEHOLDER  # To be replaced by kustomize
     - gitea.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
+    - registry.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
     - mail.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
     secretName: TLS_SECRET_PLACEHOLDER  # To be replaced by kustomize
   rules:
@@ -65,6 +66,19 @@ spec:
             name: gitea-http
             port:
               number: 3000
+  # Gitea Container Registry route
+  # NOTE: Gitea's container registry is served on the same HTTP port (3000) under /v2/
+  # It does NOT run on a separate port - the registry.PORT config is not used for external access
+  - host: registry.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gitea-http  # Service created by Gitea Helm chart
+            port:
+              number: 3000  # Same as HTTP port - registry is at /v2/ path
   # Mail server web interface (webmail and admin)
   - host: mail.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
     http:

infrastructure/platform/networking/ingress/overlays/dev/gitea-service.yaml

@@ -1,3 +1,8 @@
+---
+# Service to route traffic from bakery-ia namespace to Gitea in gitea namespace
+# Using ExternalName pointing to the headless service FQDN
+# The ingress controller can resolve headless services via DNS (returns pod IPs)
+# NOTE: Gitea's container registry is served on port 3000 (same as HTTP) at /v2/ path
 apiVersion: v1
 kind: Service
 metadata:
@@ -5,7 +10,9 @@ metadata:
   namespace: bakery-ia
 spec:
   type: ExternalName
+  # Use the headless service DNS name - nginx ingress resolves this to pod IPs
   externalName: gitea-http.gitea.svc.cluster.local
   ports:
-    - port: 3000
+    - name: http
+      port: 3000
       targetPort: 3000

infrastructure/platform/networking/ingress/overlays/dev/kustomization.yaml

@@ -20,7 +20,10 @@ patches:
         value: gitea.bakery-ia.local
       - op: replace
         path: /spec/tls/0/hosts/2
-        value: mail.bakery-ia.local
+        value: registry.bakery-ia.local
+      - op: replace
+        path: /spec/tls/0/hosts/3
+        value: mail.bakery-ia.dev
       - op: replace
         path: /spec/tls/0/secretName
         value: bakery-dev-tls-cert
@@ -32,7 +35,10 @@ patches:
         value: gitea.bakery-ia.local
       - op: replace
         path: /spec/rules/2/host
-        value: mail.bakery-ia.local
+        value: registry.bakery-ia.local
+      - op: replace
+        path: /spec/rules/3/host
+        value: mail.bakery-ia.dev
       - op: replace
         path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-origin
-        value: "https://localhost,https://localhost:3000,https://localhost:3001,https://127.0.0.1,https://127.0.0.1:3000,https://127.0.0.1:3001,https://bakery-ia.local,http://localhost,http://localhost:3000,http://localhost:3001,http://127.0.0.1,http://127.0.0.1:3000"
+        value: "https://localhost,https://localhost:3000,https://localhost:3001,https://127.0.0.1,https://127.0.0.1:3000,https://127.0.0.1:3001,https://bakery-ia.local,https://registry.bakery-ia.local,https://gitea.bakery-ia.local,http://localhost,http://localhost:3000,http://localhost:3001,http://127.0.0.1,http://127.0.0.1:3000"

infrastructure/security/certificates/generate-mail-certificates.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Generate TLS certificates for Mailu service
+# This script creates a self-signed certificate for mail.bakery-ia.dev
+# For production, you should use Let's Encrypt or a trusted CA
+
+set -e
+
+TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+MAIL_DIR="$TLS_DIR/mail"
+
+mkdir -p "$MAIL_DIR"
+
+echo "Generating TLS certificates for Mailu service..."
+echo "Directory: $MAIL_DIR"
+echo ""
+
+# Clean up old certificates
+rm -f "$MAIL_DIR/tls.key" "$MAIL_DIR/tls.crt" 2>/dev/null || true
+
+# Generate private key
+openssl genrsa -out "$MAIL_DIR/tls.key" 2048
+
+# Generate self-signed certificate valid for 365 days
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+  -keyout "$MAIL_DIR/tls.key" -out "$MAIL_DIR/tls.crt" \
+  -subj "/CN=mail.bakery-ia.dev/O=Bakery IA"
+
+echo "✓ Mailu certificates generated"
+echo ""
+
+# Verify certificate
+echo "Certificate details:"
+openssl x509 -in "$MAIL_DIR/tls.crt" -noout -subject -issuer -dates
+
+echo ""
+echo "==================="
+echo "✓ Certificate generated successfully!"
+echo ""
+echo "Generated files:"
+echo "  - $MAIL_DIR/tls.crt (Certificate)"
+echo "  - $MAIL_DIR/tls.key (Private key)"
+echo ""
+echo "Next steps:"
+echo "  1. Create Kubernetes secret: kubectl create secret tls mailu-certificates --cert=$MAIL_DIR/tls.crt --key=$MAIL_DIR/tls.key -n bakery-ia"
+echo "  2. Update the mailu-certificates-secret.yaml with the base64 encoded values"
+echo "  3. Apply the secret to your cluster"

infrastructure/security/certificates/mail/tls.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgIUUh5FX9qiOD7dsafV/JziJYhuYFIwDQYJKoZIhvcNAQEL
+BQAwMTEbMBkGA1UEAwwSbWFpbC5iYWtlcnktaWEuZGV2MRIwEAYDVQQKDAlCYWtl
+cnkgSUEwHhcNMjYwMTE5MjA0NjI0WhcNMjcwMTE5MjA0NjI0WjAxMRswGQYDVQQD
+DBJtYWlsLmJha2VyeS1pYS5kZXYxEjAQBgNVBAoMCUJha2VyeSBJQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2ems6anCJ5y7BP6oJu46NWPIrwfX72
+wZh1dDIiYH2cljPDJWlotNSBENx1RFYHG7gEREY50zECu0H/UsF3DYOLXhnF0uTW
+CRNbEF1hb6MOijjuf9bG+7lVBy6fd1vQO2i905VKqE7DfYkib0VJq7GnUJ9Eam8X
+IlSiJacQz2muYwzB0O7xYyUwTQVL7/JtMMk9f6CcVD5qQ0bnXBM3hjqUFY9glAyt
+YdpTQHOvk5Yx+fMg/bYVPcCEadXUVHAtz1bRrlb0zyLsqWxwv9yV7JB3mtNCflWl
+DBYdHortfTNLuR4XaE3WOjgo90OYmn/ObYz2WtIu02zy2HkNpMaAoVkCAwEAAaNT
+MFEwHQYDVR0OBBYEFLKhOsnxZzWCTr0QnI7chMamkSojMB8GA1UdIwQYMBaAFLKh
+OsnxZzWCTr0QnI7chMamkSojMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBAALCxFWUgcvweZhF1GvSgGtwUoVjBmpmFbqO0/wKij2XCFfz/AjjvZ8s
+8eHPG9gw+n9ihcR7MzCeyfWQwQli0WfG2K0oP1FyLhaOZ2XmuOg6xMDnDW0Uekj3
+BagGstEUzjBTuRRwY/nrNooVB9Qhbxhyofmy+W5fs8Y03Sdoii1iXmbHHZzc2/mH
+avP14gpsYCCeYzjIrZm9Ya8G8iskXzSgeM/HHiG8I9hJFBXhtXadcxi/mNa4tJqh
+3W+LB3hD84Udgs+GzBgHGvr0ulL14/iLUEqrIvZZ3vU9o6Vx2PoF47r0P5zNeuS7
+dFNqOrIOjaJnr1qUoKLygwEHjuTMmI4=
+-----END CERTIFICATE-----

infrastructure/security/certificates/mail/tls.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9nprOmpwiecuw
+T+qCbuOjVjyK8H1+9sGYdXQyImB9nJYzwyVpaLTUgRDcdURWBxu4BERGOdMxArtB
+/1LBdw2Di14ZxdLk1gkTWxBdYW+jDoo47n/Wxvu5VQcun3db0DtovdOVSqhOw32J
+Im9FSauxp1CfRGpvFyJUoiWnEM9prmMMwdDu8WMlME0FS+/ybTDJPX+gnFQ+akNG
+51wTN4Y6lBWPYJQMrWHaU0Bzr5OWMfnzIP22FT3AhGnV1FRwLc9W0a5W9M8i7Kls
+cL/cleyQd5rTQn5VpQwWHR6K7X0zS7keF2hN1jo4KPdDmJp/zm2M9lrSLtNs8th5
+DaTGgKFZAgMBAAECggEAInuLT3MSXbqkbgW6ccnUn8l47RNa3xHkluMVJGDYBz/I
+mNUuIoMmD1cBR/YTXUmhos8z00mEvG7wusnBtOj/jiJ0FF/DQFYkBF8VFMY5VP+5
+5yyIFvjMoiFyUuow/INbqmqK5aVUAi7Oz3dxoLoK/R2eLbh1WopsddOe4UjPTzpU
+u5MYx5yLVuYsP7SOSHtkwe/03yDRKrIvWy5BPmc2QTHTpBOUBG4/CpRVGZ3f8KkD
+7d+6Ve77uMeuxDO8mGgZZ54iwCn1+XGcEqQUGVuZx+qZhuXSfK4j4wyemnweEABv
+mNSYIt68ouI+4pArWVN4AcixVELHWWz04XNnzXU24QKBgQD0esBYzudG2ZSkyIbQ
+u8IxpOdsF4gSYizCd13KBKFnohm1kW9XzdfKvNnrqpTOFrHbDWQ7iiHJ3cjV9AU5
+NQ01U3Yv4K8dukgoc/EAant/F8o0njsJIgfvY1nPsOTUEpkQBMPHjkhjr3qA6Hxv
+xoB68GUuMNTtdB+AWF4utuObhQKBgQDGjg6bgljWETxNxAjT1smkxJsClflQmytf
+cbh5VzjstcZwiKJ8uoLcOGxoNGX2HhbQANpEhTGqn0FHllEsPXmphyBUcMIPVSXI
+EIKyOd/vLb8cXort6Lh3MKAhjEKlLD5VNp8WmYP3wBTMbkpk3CCulCHBKpBWWf66
+PXZtEFJkxQKBgB3RLs5mBa0NcmSalF6215toalUzlYPwd1cMaeLup6TVD1+mqjbC
+QzRVzhpBBr8P44c83eGpGi/dndYCWfS9NKwxTrPOKm1sv8o3Qch0NDWu+BlsxvR5
+MxCORHDhOTdoQUTD4ADhqJCH4WABetPDGP5lfWGh0QZY6FKl9G6sHZxlAoGAZyK/
+H7PzZS6KvnJHi5IUJ8wgIJW6bU5Ml0VA53aRERPSwf2XOWbANpfwZ6hgFhnHC8CF
+n/X3uIMEq6S/AVXlblPMTVBM3R4DhApfeShq05hVnuzVCYNK3k6ZvxNWQunabvTy
+ahDP5c8WfqIDbqSRLV2wst/jHZedoyvt6fUCd2kCgYEAlo4YzTZl//k+4XiixuLA
+ggfby0hKs5AiKpV4CzUeQ5cKYOi9IzoC2LrLSX+UrH/wL70gBG6gyCRgWKimQnaV
+tYO/13SrPUgnnuGj6CB5aEkyv2LaOVevXFEriEmd5qbJIrX0CfgQnFr6vnQd4pPS
+8dU2Gah4b5WMJ5Iw80SpcGI=
+-----END PRIVATE KEY-----