Fix some issues 7

2026-01-26 07:33:38 +01:00
parent 546fb8c84c
commit 6c136c1a95
5 changed files with 79 additions and 4 deletions
--- a/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml
+++ b/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml
@@ -0,0 +1,62 @@
+# Network Policy to allow notification service to send emails via Mailu
+# This policy allows egress from notification-service to mailu-postfix on SMTP ports
+#
+# NOTE: Postfix only listens on port 25 (and 10025 internally), NOT 587
+# Port 587 (submission) is handled by mailu-front which proxies to postfix
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-notification-to-mailu-smtp
+  namespace: bakery-ia
+  labels:
+    app: notification-service
+    component: network-policy
+    tier: security
+spec:
+  podSelector:
+    matchLabels:
+      app: notification-service
+  policyTypes:
+    - Egress
+  egress:
+    # Allow SMTP traffic to mailu-postfix (port 25)
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: mailu
+              app.kubernetes.io/component: postfix
+      ports:
+        - port: 25
+          protocol: TCP
+        - port: 10025
+          protocol: TCP
+---
+# Allow ingress TO mailu-postfix FROM any pod in bakery-ia namespace
+# This is needed because mailu-allow-internal only allows traffic from mailu pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-mailu-smtp-from-apps
+  namespace: bakery-ia
+  labels:
+    app: mailu
+    component: network-policy
+    tier: security
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: mailu
+      app.kubernetes.io/component: postfix
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow SMTP from any pod in bakery-ia namespace
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: bakery-ia
+      ports:
+        - port: 25
+          protocol: TCP
+        - port: 10025
+          protocol: TCP
--- a/infrastructure/platform/security/network-policies/kustomization.yaml
+++ b/infrastructure/platform/security/network-policies/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+metadata:
+  name: network-policies
+
+resources:
+  # NOTE: global-default-networkpolicy.yaml and global-project-networkpolicy.yaml
+  # are excluded for now as they have overlapping/conflicting policies.
+  # Mailu's Helm chart manages its own network policies.
+  # Only including specific policies needed for cross-service communication.
+  - allow-notification-to-mailu.yaml