Add new infra architecture 12

2026-01-21 16:21:24 +01:00
parent 2512de4173
commit 66dfd50fbc
20 changed files with 4082 additions and 480 deletions
--- a/infrastructure/platform/mail/mailu-helm/configs/mailgun-credentials-secret.yaml
+++ b/infrastructure/platform/mail/mailu-helm/configs/mailgun-credentials-secret.yaml
@@ -3,33 +3,61 @@
 # This secret stores Mailgun credentials for outbound email relay.
 # Mailu uses Mailgun as an external SMTP relay to send all outbound emails.
 #
+# ============================================================================
 # HOW TO CONFIGURE:
+# ============================================================================
+#
 # 1. Go to https://www.mailgun.com and create an account
-# 2. Add and verify your domain (e.g., bakery-ia.dev or bakewise.ai)
-# 3. Go to Domain Settings > SMTP credentials
+#
+# 2. Add and verify your domain:
+#    - For dev: bakery-ia.dev
+#    - For prod: bakewise.ai
+#
+# 3. Go to Domain Settings > SMTP credentials in Mailgun dashboard
+#
 # 4. Note your SMTP credentials:
 #    - SMTP hostname: smtp.mailgun.org
-#    - Port: 587 (TLS)
-#    - Username: usually postmaster@yourdomain.com
-#    - Password: your Mailgun SMTP password (NOT API key)
-# 5. Base64 encode your password:
+#    - Port: 587 (TLS/STARTTLS)
+#    - Username: typically postmaster@yourdomain.com
+#    - Password: your Mailgun SMTP password (NOT the API key)
+#
+# 5. Base64 encode your credentials:
+#    echo -n 'postmaster@bakewise.ai' | base64
 #    echo -n 'your-mailgun-smtp-password' | base64
-# 6. Replace MAILGUN_SMTP_PASSWORD_BASE64 below with the encoded value
+#
+# 6. Replace the placeholder values below with your encoded credentials
+#
 # 7. Apply this secret:
 #    kubectl apply -f mailgun-credentials-secret.yaml -n bakery-ia
 #
+# ============================================================================
 # IMPORTANT NOTES:
-# - Use the SMTP password from Mailgun, not the API key
-# - The username is typically postmaster@yourdomain.com
-# - For sandbox domains, Mailgun requires authorized recipients
-# - Production domains need DNS verification (SPF, DKIM, MX records)
+# ============================================================================
 #
+# - Use the SMTP password from Mailgun, NOT the API key
+# - The username format is: postmaster@yourdomain.com
+# - For sandbox domains, Mailgun requires adding authorized recipients
+# - Production domains need DNS verification (SPF, DKIM records)
+#
+# ============================================================================
 # DNS RECORDS REQUIRED FOR MAILGUN:
-# You will need to add these DNS records for your domain:
-# - SPF: TXT record for email authentication
-# - DKIM: TXT records for email signing (Mailgun provides these)
-# - MX: If you want to receive emails via Mailgun (optional for relay-only)
+# ============================================================================
 #
+# Add these DNS records to your domain for proper email delivery:
+#
+# 1. SPF Record (TXT):
+#    Name: @
+#    Value: v=spf1 include:mailgun.org ~all
+#
+# 2. DKIM Records (TXT):
+#    Mailgun will provide two DKIM keys to add as TXT records
+#    (check your Mailgun domain settings for exact values)
+#
+# 3. MX Records (optional, only if receiving via Mailgun):
+#    Priority 10: mxa.mailgun.org
+#    Priority 10: mxb.mailgun.org
+#
+# ============================================================================
 ---
 apiVersion: v1
 kind: Secret
@@ -39,39 +67,28 @@ metadata:
  labels:
    app: mailu
    component: external-relay
+  annotations:
+    description: "Mailgun SMTP credentials for Mailu external relay"
 type: Opaque
-data:
-  # Base64 encoded Mailgun SMTP password
-  # To encode: echo -n 'your-password' | base64
-  # To decode: echo 'encoded-value' | base64 -d
-  RELAY_PASSWORD: MAILGUN_SMTP_PASSWORD_BASE64
---
-# Development environment secret (separate for different Mailgun domain)
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mailu-mailgun-credentials-dev
-  namespace: bakery-ia
-  labels:
-    app: mailu
-    component: external-relay
-    environment: dev
-type: Opaque
-data:
-  # Mailgun credentials for bakery-ia.dev domain
-  RELAY_PASSWORD: MAILGUN_DEV_SMTP_PASSWORD_BASE64
---
-# Production environment secret
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mailu-mailgun-credentials-prod
-  namespace: bakery-ia
-  labels:
-    app: mailu
-    component: external-relay
-    environment: prod
-type: Opaque
-data:
-  # Mailgun credentials for bakewise.ai domain
-  RELAY_PASSWORD: MAILGUN_PROD_SMTP_PASSWORD_BASE64
+stringData:
+  # ============================================================================
+  # REPLACE THESE VALUES WITH YOUR MAILGUN CREDENTIALS
+  # ============================================================================
+  #
+  # Option 1: Use stringData (plain text - Kubernetes will encode automatically)
+  # This is easier for initial setup but shows credentials in the file
+  #
+  RELAY_USERNAME: "postmaster@sandboxc1bff891532b4f0c83056a68ae080b4c.mailgun.org"
+  RELAY_PASSWORD: "2e47104abadad8eb820d00042ea6d5eb-77c6c375-89c7ea55"
+  #
+  # ============================================================================
+  # ALTERNATIVE: Use pre-encoded values (more secure for version control)
+  # ============================================================================
+  # Comment out stringData above and uncomment data below:
+  #
+  # data:
+  #   # Base64 encoded values
+  #   # echo -n 'postmaster@bakewise.ai' | base64
+  #   RELAY_USERNAME: cG9zdG1hc3RlckBiYWtld2lzZS5haQ==
+  #   # echo -n 'your-password' | base64
+  #   RELAY_PASSWORD: WU9VUl9NQUlMR1VOX1NNVFBfUEFTU1dPUkQ=
--- a/infrastructure/platform/mail/mailu-helm/configs/mailu-admin-credentials-secret.yaml
+++ b/infrastructure/platform/mail/mailu-helm/configs/mailu-admin-credentials-secret.yaml
@@ -0,0 +1,34 @@
+# Mailu Admin Credentials Secret
+# This secret stores the initial admin account password for Mailu
+#
+# The password is used by the Helm chart's initialAccount feature to create
+# the admin user automatically during deployment.
+#
+# IMPORTANT: Replace the base64-encoded password before applying!
+#
+# To generate a secure password and encode it:
+#   PASSWORD=$(openssl rand -base64 16 | tr -d '/+=' | head -c 16)
+#   echo -n "$PASSWORD" | base64
+#
+# To apply this secret:
+#   kubectl apply -f mailu-admin-credentials-secret.yaml -n bakery-ia
+#
+# After deployment, you can log in to the Mailu admin panel at:
+#   https://mail.<domain>/admin
+#   Username: admin@<domain>
+#   Password: <the password you set>
+#
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mailu-admin-credentials
+  namespace: bakery-ia
+  labels:
+    app.kubernetes.io/name: mailu
+    app.kubernetes.io/component: admin
+type: Opaque
+data:
+  # Base64-encoded password
+  # Example: "changeme123" = Y2hhbmdlbWUxMjM=
+  # IMPORTANT: Replace with your own secure password!
+  password: "Y2hhbmdlbWUxMjM="
--- a/infrastructure/platform/mail/mailu-helm/dev/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/dev/values.yaml
@@ -36,17 +36,29 @@ domain: "bakery-ia.dev"
 hostnames:
  - "mail.bakery-ia.dev"

+# Initial admin account for dev environment
+# Password is stored in mailu-admin-credentials secret
+initialAccount:
+  enabled: true
+  username: "admin"
+  domain: "bakery-ia.dev"
+  existingSecret: "mailu-admin-credentials"
+  existingSecretPasswordKey: "password"
+  mode: "ifmissing"
+
 # External relay configuration for dev (Mailgun)
 # All outbound emails will be relayed through Mailgun SMTP
 # To configure:
 #   1. Register at mailgun.com and verify your domain (bakery-ia.dev)
 #   2. Get your SMTP credentials from Mailgun dashboard
 #   3. Update the secret in configs/mailgun-credentials-secret.yaml
-#   4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml
+#   4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
 externalRelay:
  host: "[smtp.mailgun.org]:587"
-  username: "postmaster@bakery-ia.dev"  # Your Mailgun SMTP username (usually postmaster@yourdomain)
-  password: ""  # Will be loaded from secret - see configs/mailgun-credentials-secret.yaml
+  # Credentials loaded from Kubernetes secret
+  secretName: "mailu-mailgun-credentials"
+  usernameKey: "RELAY_USERNAME"
+  passwordKey: "RELAY_PASSWORD"

 # Environment-specific configurations
 persistence:
@@ -92,6 +104,13 @@ resources:
    limits:
      cpu: "200m"
      memory: "128Mi"
+  webmail:
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
  clamav:
    requests:
      cpu: "100m"
--- a/infrastructure/platform/mail/mailu-helm/prod/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/prod/values.yaml
@@ -21,17 +21,29 @@ domain: "bakewise.ai"
 hostnames:
  - "mail.bakewise.ai"

+# Initial admin account for production environment
+# Password is stored in mailu-admin-credentials secret
+initialAccount:
+  enabled: true
+  username: "admin"
+  domain: "bakewise.ai"
+  existingSecret: "mailu-admin-credentials"
+  existingSecretPasswordKey: "password"
+  mode: "ifmissing"
+
 # External relay configuration for production (Mailgun)
 # All outbound emails will be relayed through Mailgun SMTP
 # To configure:
 #   1. Register at mailgun.com and verify your domain (bakewise.ai)
 #   2. Get your SMTP credentials from Mailgun dashboard
 #   3. Update the secret in configs/mailgun-credentials-secret.yaml
-#   4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml
+#   4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
 externalRelay:
  host: "[smtp.mailgun.org]:587"
-  username: "postmaster@bakewise.ai"  # Your Mailgun SMTP username
-  password: ""  # Will be loaded from secret - see configs/mailgun-credentials-secret.yaml
+  # Credentials loaded from Kubernetes secret
+  secretName: "mailu-mailgun-credentials"
+  usernameKey: "RELAY_USERNAME"
+  passwordKey: "RELAY_PASSWORD"

 # Environment-specific configurations
 persistence:
--- a/infrastructure/platform/mail/mailu-helm/scripts/deploy-mailu-prod.sh
+++ b/infrastructure/platform/mail/mailu-helm/scripts/deploy-mailu-prod.sh
@@ -7,8 +7,8 @@
 #   1. Unbound DNS deployment (for DNSSEC validation)
 #   2. CoreDNS configuration (forward to Unbound)
 #   3. TLS certificate secret creation
-#   4. Mailu Helm deployment
-#   5. Admin user creation
+#   4. Admin credentials secret creation
+#   5. Mailu Helm deployment (admin user created automatically via initialAccount)
 #
 # Usage:
 #   ./deploy-mailu-prod.sh [--domain DOMAIN] [--admin-password PASSWORD]
@@ -174,9 +174,35 @@ else
 fi

 # =============================================================================
-# Step 4: Deploy Mailu via Helm
+# Step 4: Create Admin Credentials Secret
 # =============================================================================
-print_step "Step 4: Deploying Mailu via Helm..."
+print_step "Step 4: Creating admin credentials secret..."
+
+if kubectl get secret mailu-admin-credentials -n "$NAMESPACE" &>/dev/null; then
+    print_success "Admin credentials secret already exists"
+    # Retrieve existing password for summary output
+    if [ -z "$ADMIN_PASSWORD" ]; then
+        ADMIN_PASSWORD=$(kubectl get secret mailu-admin-credentials -n "$NAMESPACE" -o jsonpath='{.data.password}' | base64 -d)
+    fi
+else
+    if [ -z "$ADMIN_PASSWORD" ]; then
+        # Generate a random password
+        ADMIN_PASSWORD=$(openssl rand -base64 16 | tr -d '/+=' | head -c 16)
+        echo -e "${YELLOW}Generated admin password: $ADMIN_PASSWORD${NC}"
+        echo -e "${YELLOW}Please save this password securely!${NC}"
+    fi
+
+    kubectl create secret generic mailu-admin-credentials \
+        --from-literal=password="$ADMIN_PASSWORD" \
+        -n "$NAMESPACE"
+
+    print_success "Admin credentials secret created"
+fi
+
+# =============================================================================
+# Step 5: Deploy Mailu via Helm
+# =============================================================================
+print_step "Step 5: Deploying Mailu via Helm..."

 # Add Mailu Helm repository
 helm repo add mailu https://mailu.github.io/helm-charts 2>/dev/null || true
@@ -189,12 +215,12 @@ helm upgrade --install mailu mailu/mailu \
    -f "$MAILU_HELM_DIR/prod/values.yaml" \
    --timeout 10m

-print_success "Mailu Helm release deployed"
+print_success "Mailu Helm release deployed (admin user will be created automatically)"

 # =============================================================================
-# Step 5: Wait for Pods to be Ready
+# Step 6: Wait for Pods to be Ready
 # =============================================================================
-print_step "Step 5: Waiting for Mailu pods to be ready..."
+print_step "Step 6: Waiting for Mailu pods to be ready..."

 echo "This may take 5-10 minutes (ClamAV takes time to initialize)..."

@@ -212,24 +238,7 @@ echo ""
 echo "Mailu Pod Status:"
 kubectl get pods -n "$NAMESPACE" | grep mailu

-# =============================================================================
-# Step 6: Create Admin User
-# =============================================================================
-print_step "Step 6: Creating admin user..."
-
-if [ -z "$ADMIN_PASSWORD" ]; then
-    # Generate a random password
-    ADMIN_PASSWORD=$(openssl rand -base64 16 | tr -d '/+=' | head -c 16)
-    echo -e "${YELLOW}Generated admin password: $ADMIN_PASSWORD${NC}"
-    echo -e "${YELLOW}Please save this password securely!${NC}"
-fi
-
-kubectl exec -n "$NAMESPACE" deployment/mailu-admin -- \
-    flask mailu admin admin "$DOMAIN" "$ADMIN_PASSWORD" 2>/dev/null || {
-    print_warning "Admin user may already exist or failed to create"
-}
-
-print_success "Admin user configured"
+print_success "Admin user created automatically via Helm initialAccount"

 # =============================================================================
 # Summary
--- a/infrastructure/platform/mail/mailu-helm/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/values.yaml
@@ -25,6 +25,18 @@ timezone: "Etc/UTC"
 # Postmaster configuration
 postmaster: "admin"

+# Initial admin account configuration
+# This creates an admin user as part of the Helm deployment
+# Credentials can be provided directly or via Kubernetes secret
+initialAccount:
+  enabled: true
+  username: "admin"
+  domain: ""  # Set in environment-specific values (dev/prod)
+  password: ""  # Leave empty to use existingSecret
+  existingSecret: "mailu-admin-credentials"
+  existingSecretPasswordKey: "password"
+  mode: "ifmissing"  # Only create if account doesn't exist
+
 # TLS configuration
 tls:
  flavor: "notls"  # Disable TLS for development
@@ -40,16 +52,18 @@ limits:

 # External relay configuration (Mailgun)
 # Mailu will relay all outbound emails through Mailgun SMTP
-# Credentials should be provided via Kubernetes secret or environment-specific values
+# Credentials are loaded from Kubernetes secret for security
 externalRelay:
  host: "[smtp.mailgun.org]:587"
-  username: ""  # Set in environment-specific values or via secret
-  password: ""  # Set in environment-specific values or via secret
+  # Use existing secret for credentials (recommended for security)
+  secretName: "mailu-mailgun-credentials"
+  usernameKey: "RELAY_USERNAME"
+  passwordKey: "RELAY_PASSWORD"

 # Webmail configuration
 webmail:
  enabled: true
-  flavor: "roundcube"
+  type: "roundcube"

 # Antivirus and antispam configuration
 antivirus: