Fix resources isues

2026-01-22 07:54:56 +01:00
parent aeff6b1537
commit 8dc422e0e5
5 changed files with 272 additions and 70 deletions
--- a/infrastructure/platform/mail/mailu-helm/dev/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/dev/values.yaml
@@ -1,9 +1,11 @@
 # Development-tuned Mailu configuration
 global:
  # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
-  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
-  # Static ClusterIP configured in unbound-helm/values.yaml
-  custom_dns_servers: "10.96.53.53"  # Unbound DNS static ClusterIP
+  # This value is dynamically set via --set during helm install:
+  #   UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
+  #   helm upgrade --install mailu ... --set global.custom_dns_servers="$UNBOUND_IP"
+  # Default fallback to Kubernetes DNS (will be overridden by --set)
+  custom_dns_servers: "10.96.0.10"  # Override with Unbound IP via --set

 # Redis configuration - use built-in Mailu Redis (no authentication needed)
 externalRedis:
@@ -11,11 +13,12 @@ externalRedis:

 # Component-specific DNS configuration
 # Admin requires DNSSEC validation - use Unbound DNS (forwards cluster.local to kube-dns)
+# NOTE: dnsConfig.nameservers is dynamically set via --set during helm install
 admin:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
-      - "10.96.53.53"   # Unbound DNS static ClusterIP (forwards cluster.local to kube-dns)
+      - "10.96.0.10"   # Override with Unbound IP via --set admin.dnsConfig.nameservers[0]
    searches:
      - "bakery-ia.svc.cluster.local"
      - "svc.cluster.local"
--- a/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml
@@ -1,5 +1,18 @@
 # Production-specific values for unbound DNS resolver
 # Overrides for the production environment
+#
+# ARCHITECTURE NOTE:
+# Unbound provides DNSSEC validation required by Mailu (rspamd for DKIM/SPF/DMARC).
+# CoreDNS does NOT support DNSSEC, so we need Unbound as a dedicated resolver.
+#
+# Two deployment options:
+# 1. Mailu-only: Only Mailu pods use Unbound (via dnsPolicy: None)
+#    - CoreDNS forwards to public DNS (8.8.8.8, 1.1.1.1)
+#    - Lower resource usage, simpler architecture
+#
+# 2. Cluster-wide: CoreDNS forwards ALL external queries to Unbound
+#    - All pods get DNSSEC validation
+#    - Higher resource usage, single point of failure for DNS

 # Use official image for production
 image:
@@ -7,44 +20,47 @@ image:
  tag: "latest"
  pullPolicy: "IfNotPresent"

-# Production resource settings (higher limits for reliability)
+# Production resource settings - MINIMAL for single-node clusters
+# Unbound is very lightweight - DNS queries use minimal CPU
 resources:
  requests:
+    cpu: "50m"
+    memory: "64Mi"
+  limits:
    cpu: "200m"
    memory: "256Mi"
-  limits:
-    cpu: "500m"
-    memory: "512Mi"

-# Production-specific settings
-replicaCount: 2
+# Single replica for single-node clusters (saves resources)
+# Increase to 2 for multi-node HA deployments
+replicaCount: 1

 # Production annotations
 podAnnotations:
  environment: "production"
  critical: "true"

-# Anti-affinity for high availability in production
-affinity:
-  podAntiAffinity:
-    preferredDuringSchedulingIgnoredDuringExecution:
-    - weight: 100
-      podAffinityTerm:
-        labelSelector:
-          matchExpressions:
-          - key: app.kubernetes.io/name
-            operator: In
-            values:
-            - unbound
-        topologyKey: "kubernetes.io/hostname"
+# Anti-affinity disabled for single-node clusters
+# Uncomment for multi-node HA deployments
+# affinity:
+#   podAntiAffinity:
+#     preferredDuringSchedulingIgnoredDuringExecution:
+#     - weight: 100
+#       podAffinityTerm:
+#         labelSelector:
+#           matchExpressions:
+#           - key: app.kubernetes.io/name
+#             operator: In
+#             values:
+#             - unbound
+#         topologyKey: "kubernetes.io/hostname"

 # Production probe settings (more conservative)
 probes:
  readiness:
-    initialDelaySeconds: 20
+    initialDelaySeconds: 10
    periodSeconds: 30
    command: "sh -c 'echo \"\" | nc -w 3 127.0.0.1 53 || exit 1'"
  liveness:
-    initialDelaySeconds: 60
+    initialDelaySeconds: 30
    periodSeconds: 60
    command: "sh -c 'echo \"\" | nc -w 3 127.0.0.1 53 || exit 1'"
--- a/infrastructure/platform/networking/dns/unbound-helm/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/values.yaml
@@ -1,6 +1,10 @@
 # Default values for unbound DNS resolver
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+#
+# PURPOSE: Provides DNSSEC validation for Mailu email server
+# CoreDNS does NOT support DNSSEC, so Unbound fills this gap.
+# Mailu's rspamd requires DNSSEC for DKIM/SPF/DMARC validation.

 # Global settings
 global:
@@ -18,13 +22,14 @@ image:
 replicaCount: 1

 # Resource limits and requests
+# Unbound is very lightweight - these minimal resources are sufficient
 resources:
  requests:
+    cpu: "25m"
+    memory: "32Mi"
+  limits:
    cpu: "100m"
    memory: "128Mi"
-  limits:
-    cpu: "300m"
-    memory: "384Mi"

 # Security context
 securityContext: