Fix resources isues

2026-01-22 07:54:56 +01:00
parent aeff6b1537
commit 8dc422e0e5
5 changed files with 272 additions and 70 deletions
--- a/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml
@@ -1,5 +1,18 @@
 # Production-specific values for unbound DNS resolver
 # Overrides for the production environment
+#
+# ARCHITECTURE NOTE:
+# Unbound provides DNSSEC validation required by Mailu (rspamd for DKIM/SPF/DMARC).
+# CoreDNS does NOT support DNSSEC, so we need Unbound as a dedicated resolver.
+#
+# Two deployment options:
+# 1. Mailu-only: Only Mailu pods use Unbound (via dnsPolicy: None)
+#    - CoreDNS forwards to public DNS (8.8.8.8, 1.1.1.1)
+#    - Lower resource usage, simpler architecture
+#
+# 2. Cluster-wide: CoreDNS forwards ALL external queries to Unbound
+#    - All pods get DNSSEC validation
+#    - Higher resource usage, single point of failure for DNS

 # Use official image for production
 image:
@@ -7,44 +20,47 @@ image:
  tag: "latest"
  pullPolicy: "IfNotPresent"

-# Production resource settings (higher limits for reliability)
+# Production resource settings - MINIMAL for single-node clusters
+# Unbound is very lightweight - DNS queries use minimal CPU
 resources:
  requests:
+    cpu: "50m"
+    memory: "64Mi"
+  limits:
    cpu: "200m"
    memory: "256Mi"
-  limits:
-    cpu: "500m"
-    memory: "512Mi"

-# Production-specific settings
-replicaCount: 2
+# Single replica for single-node clusters (saves resources)
+# Increase to 2 for multi-node HA deployments
+replicaCount: 1

 # Production annotations
 podAnnotations:
  environment: "production"
  critical: "true"

-# Anti-affinity for high availability in production
-affinity:
-  podAntiAffinity:
-    preferredDuringSchedulingIgnoredDuringExecution:
-    - weight: 100
-      podAffinityTerm:
-        labelSelector:
-          matchExpressions:
-          - key: app.kubernetes.io/name
-            operator: In
-            values:
-            - unbound
-        topologyKey: "kubernetes.io/hostname"
+# Anti-affinity disabled for single-node clusters
+# Uncomment for multi-node HA deployments
+# affinity:
+#   podAntiAffinity:
+#     preferredDuringSchedulingIgnoredDuringExecution:
+#     - weight: 100
+#       podAffinityTerm:
+#         labelSelector:
+#           matchExpressions:
+#           - key: app.kubernetes.io/name
+#             operator: In
+#             values:
+#             - unbound
+#         topologyKey: "kubernetes.io/hostname"

 # Production probe settings (more conservative)
 probes:
  readiness:
-    initialDelaySeconds: 20
+    initialDelaySeconds: 10
    periodSeconds: 30
    command: "sh -c 'echo \"\" | nc -w 3 127.0.0.1 53 || exit 1'"
  liveness:
-    initialDelaySeconds: 60
+    initialDelaySeconds: 30
    periodSeconds: 60
    command: "sh -c 'echo \"\" | nc -w 3 127.0.0.1 53 || exit 1'"
--- a/infrastructure/platform/networking/dns/unbound-helm/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/values.yaml
@@ -1,6 +1,10 @@
 # Default values for unbound DNS resolver
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+#
+# PURPOSE: Provides DNSSEC validation for Mailu email server
+# CoreDNS does NOT support DNSSEC, so Unbound fills this gap.
+# Mailu's rspamd requires DNSSEC for DKIM/SPF/DMARC validation.

 # Global settings
 global:
@@ -18,13 +22,14 @@ image:
 replicaCount: 1

 # Resource limits and requests
+# Unbound is very lightweight - these minimal resources are sufficient
 resources:
  requests:
+    cpu: "25m"
+    memory: "32Mi"
+  limits:
    cpu: "100m"
    memory: "128Mi"
-  limits:
-    cpu: "300m"
-    memory: "384Mi"

 # Security context
 securityContext: