diff --git a/infrastructure/environments/common/configs/configmap.yaml b/infrastructure/environments/common/configs/configmap.yaml
index 2716da46..b5d864e5 100644
--- a/infrastructure/environments/common/configs/configmap.yaml
+++ b/infrastructure/environments/common/configs/configmap.yaml
@@ -176,9 +176,9 @@ data:
 # ================================================================
 # EMAIL CONFIGURATION
 # ================================================================
- SMTP_HOST: "mailu-front.bakery-ia.svc.cluster.local"
- SMTP_PORT: "587"
- SMTP_TLS: "true"
+ SMTP_HOST: "mailu-postfix.bakery-ia.svc.cluster.local"
+ SMTP_PORT: "25"
+ SMTP_TLS: "false"
 SMTP_SSL: "false"
 DEFAULT_FROM_EMAIL: "noreply@bakewise.ai"
 DEFAULT_FROM_NAME: "Bakery-Forecast"
diff --git a/infrastructure/environments/prod/k8s-manifests/kustomization.yaml b/infrastructure/environments/prod/k8s-manifests/kustomization.yaml
index b579031b..f7d0137f 100644
--- a/infrastructure/environments/prod/k8s-manifests/kustomization.yaml
+++ b/infrastructure/environments/prod/k8s-manifests/kustomization.yaml
@@ -15,6 +15,7 @@ resources:
 - ../../../platform/networking/ingress/overlays/prod
 - ../../../platform/gateway
 - ../../../platform/storage
+ - ../../../platform/security/network-policies
 - ../../../services/databases
 - ../../../services/microservices
 # NOTE: CI/CD (gitea, tekton, flux) deployed via Helm, not kustomize
diff --git a/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml b/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml
new file mode 100644
index 00000000..bc9092b4
--- /dev/null
+++ b/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml
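Review bot: Switching SMTP_HOST from mailu-front to mailu-postfix together with `SMTP_PORT: "25"` and `SMTP_TLS: "false"` moves outbound mail from an encrypted submission path to cleartext SMTP over the pod network, and port 25 on a Postfix relay is normally an unauthenticated trusted-network relay port rather than authenticated submission; any SMTP credentials configured alongside these keys would now also travel unencrypted, though none are visible in this hunk. If bypassing the mailu-front proxy is the goal, keeping 587 with STARTTLS toward postfix would preserve transport protection, or at minimum the choice should be recorded next to the keys, e.g. `# SMTP_TLS is "false" on purpose: cleartext internal relay via mailu-postfix:25, not authenticated submission`. This file lives under environments/common, so the plaintext setting appears to apply to every environment that consumes it, not only the prod overlay changed in the next hunk.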
@@ -0,0 +1,62 @@
+# Network Policy to allow notification service to send emails via Mailu
+# This policy allows egress from notification-service to mailu-postfix on SMTP ports
+#
+# NOTE: Postfix only listens on port 25 (and 10025 internally), NOT 587
+# Port 587 (submission) is handled by mailu-front which proxies to postfix
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-notification-to-mailu-smtp
+ namespace: bakery-ia
+ labels:
+ app: notification-service
+ component: network-policy
+ tier: security
+spec:
+ podSelector:
+ matchLabels:
+ app: notification-service
+ policyTypes:
+ - Egress
+ egress:
+ # Allow SMTP traffic to mailu-postfix (port 25)
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mailu
+ app.kubernetes.io/component: postfix
+ ports:
+ - port: 25
+ protocol: TCP
+ - port: 10025
+ protocol: TCP
+---
+# Allow ingress TO mailu-postfix FROM any pod in bakery-ia namespace
+# This is needed because mailu-allow-internal only allows traffic from mailu pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-mailu-smtp-from-apps
+ namespace: bakery-ia
+ labels:
+ app: mailu
+ component: network-policy
+ tier: security
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: mailu
+ app.kubernetes.io/component: postfix
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow SMTP from any pod in bakery-ia namespace
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: bakery-ia
+ ports:
+ - port: 25
+ protocol: TCP
+ - port: 10025
+ protocol: TCP
diff --git a/infrastructure/platform/security/network-policies/kustomization.yaml b/infrastructure/platform/security/network-policies/kustomization.yaml
new file mode 100644
index 00000000..1e156c77
--- /dev/null
+++ b/infrastructure/platform/security/network-policies/kustomization.yaml
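Review bot: `allow-notification-to-mailu-smtp` selects the notification-service pods with `policyTypes: [Egress]` and permits only postfix on 25/10025, which makes every other egress from those pods — including the DNS lookup needed to resolve the `mailu-postfix.bakery-ia.svc.cluster.local` host set in the configmap, and any database or sibling-service calls — denied unless another policy selecting the same pods allows it, and no such policy is visible in this commit (the network-policies kustomization deliberately excludes the global policies). The second document, `allow-mailu-smtp-from-apps`, is wider than the stated intent of the file header: its `from` admits any pod in the `bakery-ia` namespace to the relay ports, so any compromised or misconfigured workload in the namespace could inject mail; putting a `podSelector` for `app: notification-service` in the same `from` entry as the `namespaceSelector` narrows it to the one client. Port 10025 is described in the header as internal to Postfix; whether application pods need it is not shown, and if it is a post-filter re-injection port (not verifiable here) exposing it to apps would let mail bypass filtering, so it should be dropped from both documents unless a concrete need is documented. The fence sketches the DNS rule and the tightened ingress `from`; the DNS destination (here the kube-system namespace) should be adjusted to wherever this cluster's resolver actually runs.
```yaml
# … unchanged: allow-notification-to-mailu-smtp metadata, podSelector, SMTP rule to postfix:25 …
    # DNS: once an egress policy selects these pods, name resolution must be allowed explicitly
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
# … unchanged: allow-mailu-smtp-from-apps metadata and podSelector …
  ingress:
    # Only the notification service may reach the relay, not every pod in the namespace
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bakery-ia
          podSelector:
            matchLabels:
              app: notification-service
      ports:
        - port: 25
          protocol: TCP
```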
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+ name: network-policies
+
+resources:
+ # NOTE: global-default-networkpolicy.yaml and global-project-networkpolicy.yaml
+ # are excluded for now as they have overlapping/conflicting policies.
+ # Mailu's Helm chart manages its own network policies.
+ # Only including specific policies needed for cross-service communication.
+ - allow-notification-to-mailu.yaml
diff --git a/services/notification/app/main.py b/services/notification/app/main.py
index a27cb9e2..50e1f0b0 100644
--- a/services/notification/app/main.py
+++ b/services/notification/app/main.py
@@ -28,7 +28,7 @@ import asyncio
 class NotificationService(StandardFastAPIService):
- """t - Notification Service with standardized setup"""
+ """t - dfsss Notification Service with standardized setup"""
 expected_migration_version = "whatsapp001"
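Review bot: The NOTE in `resources:` says why global-default-networkpolicy.yaml and global-project-networkpolicy.yaml are left out but not what that costs, and a reader of this file cannot tell that the only workload now under an effective default-deny is whatever the included policy selects. Suggest extending the comment with the consequence and an owner, e.g. `# Consequence: only pods selected by the included policies are restricted; all other pods in the namespace keep unrestricted egress/ingress until the global policies are reconciled — TODO(<owner>): track re-enabling`. Keeping that next to the exclusion prevents the "temporary" gap from becoming permanent without anyone noticing.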
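Review bot: The new docstring `"""t - dfsss Notification Service with standardized setup"""` carries what look like stray keystrokes (`t - dfsss`) rather than documentation, so this hunk makes the class description worse than the line it replaces. Suggest `"""Notification Service with standardized setup."""`, which also removes the pre-existing `t - ` prefix. The NotificationService class body continues outside the hunk, and the hunk's blank lines appear to have been collapsed in this rendering.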