Add new infra architecture 8

infrastructure/platform/mail/mailu-helm/MIGRATION_GUIDE.md

@@ -57,10 +57,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    - mail.bakery-ia.local  # or mail.bakewise.ai for prod
+    - mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     secretName: mail-tls-secret  # Your TLS Secret
   rules:
-  - host: mail.bakery-ia.local  # or mail.bakewise.ai for prod
+  - host: mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     http:
       paths:
       - path: /

infrastructure/platform/mail/mailu-helm/README.md

@@ -105,10 +105,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    - mail.bakery-ia.local  # or mail.bakewise.ai for prod
+    - mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     secretName: mail-tls-secret  # Your TLS Secret
   rules:
-  - host: mail.bakery-ia.local  # or mail.bakewise.ai for prod
+  - host: mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     http:
       paths:
       - path: /

infrastructure/platform/mail/mailu-helm/configs/mailu-certificates-secret.yaml

@@ -8,7 +8,7 @@
 # To regenerate manually:
 #   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
 #     -keyout tls.key -out tls.crt \
-#     -subj "/CN=mail.bakery-ia.local/O=bakery-ia"
+#     -subj "/CN=mail.bakery-ia.dev/O=bakery-ia"
 #   kubectl create secret tls mailu-certificates \
 #     --cert=tls.crt --key=tls.key -n bakery-ia
 apiVersion: v1
@@ -21,6 +21,6 @@ metadata:
     app.kubernetes.io/component: certificates
 type: kubernetes.io/tls
 data:
-  # Placeholder - will be generated dynamically by the setup script
-  tls.crt: ""
-  tls.key: ""
+  # Generated certificate for mail.bakery-ia.dev
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURRekNDQWl1Z0F3SUJBZ0lVVWg1Rlg5cWlPRDdkc2FmVi9KemlKWWh1WUZJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd01URWJNQmtHQTFVRUF3d1NiV0ZwYkM1aVlXdGxjbmt0YVdFdVpHVjJNUkl3RUFZRFZRUUtEQWxDWVd0bApjbmtnU1VFd0hoY05Nall3TVRFNU1qQTBOakkwV2hjTk1qY3dNVEU1TWpBME5qSTBXakF4TVJzd0dRWURWUVFECkRCSnRZV2xzTG1KaGEyVnllUzFwWVM1a1pYWXhFakFRQmdOVkJBb01DVUpoYTJWeWVTQkpRVENDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDJlbXM2YW5DSjV5N0JQNm9KdTQ2TldQSXJ3Zlg3Mgp3WmgxZERJaVlIMmNsalBESldsb3ROU0JFTngxUkZZSEc3Z0VSRVk1MHpFQ3UwSC9Vc0YzRFlPTFhobkYwdVRXCkNSTmJFRjFoYjZNT2lqanVmOWJHKzdsVkJ5NmZkMXZRTzJpOTA1VktxRTdEZllraWIwVkpxN0duVUo5RWFtOFgKSWxTaUphY1F6Mm11WXd6QjBPN3hZeVV3VFFWTDcvSnRNTWs5ZjZDY1ZENXFRMGJuWEJNM2hqcVVGWTlnbEF5dApZZHBUUUhPdms1WXgrZk1nL2JZVlBjQ0VhZFhVVkhBdHoxYlJybGIwenlMc3FXeHd2OXlWN0pCM210TkNmbFdsCkRCWWRIb3J0ZlROTHVSNFhhRTNXT2pnbzkwT1ltbi9PYll6Mld0SXUwMnp5MkhrTnBNYUFvVmtDQXdFQUFhTlQKTUZFd0hRWURWUjBPQkJZRUZMS2hPc254WnpXQ1RyMFFuSTdjaE1hbWtTb2pNQjhHQTFVZEl3UVlNQmFBRkxLaApPc254WnpXQ1RyMFFuSTdjaE1hbWtTb2pNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVCCkJRQURnZ0VCQUFMQ3hGV1VnY3Z3ZVpoRjFHdlNnR3R3VW9WakJtcG1GYnFPMC93S2lqMlhDRmZ6L0FqanZaOHMKOGVIUEc5Z3crbjlpaGNSN016Q2V5ZldRd1FsaTBXZkcySzBvUDFGeUxoYU9aMlhtdU9nNnhNRG5EVzBVZWtqMwpCYWdHc3RFVXpqQlR1UlJ3WS9uck5vb1ZCOVFoYnhoeW9mbXkrVzVmczhZMDNTZG9paTFpWG1iSEhaemMyL21ICmF2UDE0Z3BzWUNDZVl6aklyWm05WWE4Rzhpc2tYelNnZU0vSEhpRzhJOWhKRkJYaHRYYWRjeGkvbU5hNHRKcWgKM1crTEIzaEQ4NFVkZ3MrR3pCZ0hHdnIwdWxMMTQvaUxVRXFySXZaWjN2VTlvNlZ4MlBvRjQ3cjBQNXpOZXVTNwpkRk5xT3JJT2phSm5yMXFVb0tMeWd3RUhqdVRNbUk0PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzlucHJPbXB3aWVjdXcKVCtxQ2J1T2pWanlLOEgxKzlzR1lkWFF5SW1COW5KWXp3eVZwYUxUVWdSRGNkVVJXQnh1NEJFUkdPZE14QXJ0QgovMUxCZHcyRGkxNFp4ZExrMWdrVFd4QmRZVytqRG9vNDduL1d4dnU1VlFjdW4zZGIwRHRvdmRPVlNxaE93MzJKCkltOUZTYXV4cDFDZlJHcHZGeUpVb2lXbkVNOXBybU1Nd2REdThXTWxNRTBGUysveWJUREpQWCtnbkZRK2FrTkcKNTF3VE40WTZsQldQWUpRTXJXSGFVMEJ6cjVPV01mbnpJUDIyRlQzQWhHblYxRlJ3TGM5VzBhNVc5TThpN0tscwpjTC9jbGV5UWQ1clRRbjVWcFF3V0hSNks3WDB6UzdrZUYyaE4xam80S1BkRG1KcC96bTJNOWxyU0x0TnM4dGg1CkRhVEdnS0ZaQWdNQkFBRUNnZ0VBSW51TFQzTVNYYnFrYmdXNmNjblVuOGw0N1JOYTN4SGtsdU1WSkdEWUJ6L0kKbU5VdUlvTW1EMWNCUi9ZVFhVbWhvczh6MDBtRXZHN3d1c25CdE9qL2ppSjBGRi9EUUZZa0JGOFZGTVk1VlArNQo1eXlJRnZqTW9pRnlVdW93L0lOYnFtcUs1YVZVQWk3T3ozZHhvTG9LL1IyZUxiaDFXb3BzZGRPZTRValBUenBVCnU1TVl4NXlMVnVZc1A3U09TSHRrd2UvMDN5RFJLckl2V3k1QlBtYzJRVEhUcEJPVUJHNC9DcFJWR1ozZjhLa0QKN2QrNlZlNzd1TWV1eERPOG1HZ1paNTRpd0NuMStYR2NFcVFVR1Z1WngrcVpodVhTZks0ajR3eWVtbndlRUFCdgptTlNZSXQ2OG91SSs0cEFyV1ZONEFjaXhWRUxIV1d6MDRYTm56WFUyNFFLQmdRRDBlc0JZenVkRzJaU2t5SWJRCnU4SXhwT2RzRjRnU1lpekNkMTNLQktGbm9obTFrVzlYemRmS3ZObnJxcFRPRnJIYkRXUTdpaUhKM2NqVjlBVTUKTlEwMVUzWXY0SzhkdWtnb2MvRUFhbnQvRjhvMG5qc0pJZ2Z2WTFuUHNPVFVFcGtRQk1QSGpraGpyM3FBNkh4dgp4b0I2OEdVdU1OVHRkQitBV0Y0dXR1T2JoUUtCZ1FER2pnNmJnbGpXRVR4TnhBalQxc21reEpzQ2xmbFFteXRmCmNiaDVWempzdGNad2lLSjh1b0xjT0d4b05HWDJIaGJRQU5wRWhUR3FuMEZIbGxFc1BYbXBoeUJVY01JUFZTWEkKRUlLeU9kL3ZMYjhjWG9ydDZMaDNNS0FoakVLbExENVZOcDhXbVlQM3dCVE1ia3BrM0NDdWxDSEJLcEJXV2Y2NgpQWFp0RUZKa3hRS0JnQjNSTHM1bUJhME5jbVNhbEY2MjE1dG9hbFV6bFlQd2QxY01hZUx1cDZUVkQxK21xamJDClF6UlZ6aHBCQnI4UDQ0YzgzZUdwR2kvZG5kWUNXZlM5Tkt3eFRyUE9LbTFzdjhvM1FjaDBORFd1K0Jsc3h2UjUKTXhDT1JIRGhPVGRvUVVURDRBRGhxSkNINFdBQmV0UERHUDVsZldHaDBRWlk2RktsOUc2c0haeGxBb0dBWnlLLwpIN1B6WlM2S3ZuSkhpNUlVSjh3Z0lKVzZiVTVNbDBWQTUzYVJFUlBTd2YyWE9XYkFOcGZ3WjZoZ0ZobkhDOENGCm4vWDN1SU1FcTZTL0FWWGxibFBNVFZCTTNSNERoQXBmZVNocTA1aFZudXpWQ1lOSzNrNlp2eE5XUXVuYWJ2VHkKYWhEUDVjOFdmcUlEYnFTUkxWMndzdC9qSFplZG95dnQ2ZlVDZDJrQ2dZRUFsbzRZelRabC8vays0WGlpeHVMQQpnZ2ZieTBoS3M1QWlLcFY0Q3pVZVE1Y0tZT2k5SXpvQzJMckxTWCtVckgvd0w3MGdCRzZneUNSZ1dLaW1RbmFWCnRZTy8xM1NyUFVnbm51R2o2Q0I1YUVreXYyTGFPVmV2WEZFcmlFbWQ1cWJKSXJYMENmZ1FuRnI2dm5RZDRwUFMKOGRVMkdhaDRiNVdNSjVJdzgwU3BjR0k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K

infrastructure/platform/mail/mailu-helm/dev/values.yaml

@@ -1,18 +1,27 @@
 # Development-tuned Mailu configuration
 global:
-  # Using Kubernetes cluster DNS for name resolution
+  # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
   # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
-  custom_dns_servers: "10.96.0.10"  # Kubernetes cluster DNS IP
+  custom_dns_servers: "10.98.197.120"  # Unbound DNS service IP
 
 # Redis configuration - use built-in Mailu Redis (no authentication needed)
 externalRedis:
   enabled: false
 
 # Component-specific DNS configuration
-# Admin uses Kubernetes DNS (ClusterFirst) to resolve internal services like Redis
-# DNSSEC validation is handled at the application level by rspamd
+# Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
 admin:
-  dnsPolicy: "ClusterFirst"
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "10.98.197.120"   # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns)
+    searches:
+      - "bakery-ia.svc.cluster.local"
+      - "svc.cluster.local"
+      - "cluster.local"
+    options:
+      - name: ndots
+        value: "5"
 
 # RSPAMD needs Unbound for DNSSEC validation (DKIM/SPF/DMARC checks)
 # Using ClusterFirst with search domains + Kubernetes DNS which can forward to Unbound
@@ -20,14 +29,16 @@ rspamd:
   dnsPolicy: "ClusterFirst"
 
 # Domain configuration for dev
-domain: "bakery-ia.local"
+# NOTE: Using .dev TLD instead of .local because email-validator library
+# rejects .local domains as "special-use or reserved names" (RFC 6761)
+domain: "bakery-ia.dev"
 hostnames:
-  - "mail.bakery-ia.local"
+  - "mail.bakery-ia.dev"
 
 # External relay configuration for dev
 externalRelay:
   host: "[smtp.mailgun.org]:587"
-  username: "postmaster@bakery-ia.local"
+  username: "postmaster@bakery-ia.dev"
   password: "mailgun-api-key-replace-in-production"
 
 # Environment-specific configurations

infrastructure/platform/mail/mailu-helm/mailu-ingress.yaml

@@ -13,10 +13,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    - mail.bakery-ia.local  # or mail.bakewise.ai for prod
+    - mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     secretName: mail-tls-secret  # Your TLS Secret
   rules:
-  - host: mail.bakery-ia.local  # or mail.bakewise.ai for prod
+  - host: mail.bakery-ia.dev  # or mail.bakewise.ai for prod
     http:
       paths:
       - path: /