Add new infra architecture 6

2026-01-19 16:31:11 +01:00
parent b78399da2c
commit 7d6845574c
58 changed files with 2360 additions and 492 deletions
--- a/infrastructure/platform/mail/mailu-helm/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/values.yaml
@@ -3,8 +3,9 @@

 # Global DNS configuration for DNSSEC validation
 global:
-  # This will be replaced with the actual Unbound service IP during deployment
-  custom_dns_servers: "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
+  # Using Unbound DNS resolver directly for DNSSEC validation
+  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
+  custom_dns_servers: "10.104.127.213"  # Unbound service IP

 # Domain configuration
 domain: "DOMAIN_PLACEHOLDER"
@@ -25,7 +26,7 @@ postmaster: "admin"

 # TLS configuration
 tls:
-  flavor: "cert"
+  flavor: "notls"  # Disable TLS for development

 # Limits configuration
 limits:
@@ -64,24 +65,24 @@ logLevel: "INFO"
 # Network configuration
 subnet: "10.42.0.0/16"

-# Redis configuration - using external Redis (shared cluster Redis)
+# Redis configuration - using internal Redis (built-in)
 externalRedis:
-  enabled: true
-  host: "redis-service.bakery-ia.svc.cluster.local"
-  port: 6380
+  enabled: false
+  # host: "redis-service.bakery-ia.svc.cluster.local"
+  # port: 6380
  adminQuotaDbId: 15
  adminRateLimitDbId: 15
  rspamdDbId: 15

-# Database configuration - using external database
+# Database configuration - using default SQLite (built-in)
 externalDatabase:
-  enabled: true
-  type: "postgresql"
-  host: "postgres-service.bakery-ia.svc.cluster.local"
-  port: 5432
-  database: "mailu"
-  username: "mailu"
-  password: "E8Kz47YmVzDlHGs1M9wAbJzxcKnGONCT"
+  enabled: false
+  # type: "postgresql"
+  # host: "postgres-service.bakery-ia.svc.cluster.local"
+  # port: 5432
+  # database: "mailu"
+  # username: "mailu"
+  # password: "E8Kz47YmVzDlHGs1M9wAbJzxcKnGONCT"

 # Persistence configuration
 persistence:
@@ -210,16 +211,8 @@ networkPolicy:
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller

-# DNS Policy Configuration for DNSSEC validation
-# These settings ensure Mailu components use the Unbound DNS resolver
-dnsPolicy: "None"
-dnsConfig:
-  nameservers:
-    - "unbound-dns.bakery-ia.svc.cluster.local"  # Points to the Unbound service in the bakery-ia namespace
-  options:
-    - name: ndots
-      value: "5"
-    - name: timeout
-      value: "5"
-    - name: attempts
-      value: "3"
+# DNS Policy Configuration
+# Use Kubernetes DNS (ClusterFirst) for internal service resolution
+# DNSSEC validation for email is handled by rspamd component
+# Note: For production with DNSSEC needs, configure CoreDNS to forward to Unbound
+dnsPolicy: "ClusterFirst"