Add new infra architecture 5

infrastructure/platform/infrastructure/gateway-service.yaml

@@ -19,8 +19,6 @@ spec:
         app.kubernetes.io/name: gateway
         app.kubernetes.io/component: gateway
     spec:
-      imagePullSecrets:
-      - name: dockerhub-creds
       containers:
       - name: gateway
         image: bakery/gateway:latest

infrastructure/platform/infrastructure/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - gateway-service.yaml
   - nominatim/nominatim.yaml
   - nominatim/nominatim-init-job.yaml
+  - unbound/unbound.yaml

infrastructure/platform/infrastructure/nominatim/nominatim-init-job.yaml

@@ -15,8 +15,6 @@ spec:
         app.kubernetes.io/name: nominatim-init
         app.kubernetes.io/component: data-init
     spec:
-      imagePullSecrets:
-      - name: dockerhub-creds
       restartPolicy: OnFailure
       containers:
       - name: nominatim-import

infrastructure/platform/infrastructure/unbound/unbound.yaml

@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: unbound-resolver
+  namespace: bakery-ia
+  labels:
+    app.kubernetes.io/name: unbound-resolver
+    app.kubernetes.io/component: dns
+    app.kubernetes.io/part-of: bakery-ia
+spec:
+  replicas: 1  # Scale to 2+ in production with anti-affinity
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: unbound-resolver
+      app.kubernetes.io/component: dns
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: unbound-resolver
+        app.kubernetes.io/component: dns
+    spec:
+      containers:
+      - name: unbound
+        image: mvance/unbound:latest
+        ports:
+        - containerPort: 53
+          name: dns-udp
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "128Mi"
+          limits:
+            cpu: "300m"
+            memory: "384Mi"
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - drill @127.0.0.1 -p 53 +dnssec example.org || nslookup -type=A example.org 127.0.0.1
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - drill @127.0.0.1 -p 53 +dnssec example.org || nslookup -type=A example.org 127.0.0.1
+          initialDelaySeconds: 30
+          periodSeconds: 60
+        securityContext:
+          capabilities:
+            add: ["NET_BIND_SERVICE"]
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: unbound-dns
+  namespace: bakery-ia
+  labels:
+    app.kubernetes.io/name: unbound-resolver
+    app.kubernetes.io/component: dns
+spec:
+  type: ClusterIP
+  ports:
+  - name: dns-udp
+    port: 53
+    targetPort: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    targetPort: 53
+    protocol: TCP
+  selector:
+    app.kubernetes.io/name: unbound-resolver
+    app.kubernetes.io/component: dns

infrastructure/platform/mail/mailu-helm/dev/values.yaml

@@ -1,5 +1,20 @@
-# Dev-specific Mailu Helm values for Bakery-IA
-# Overrides base configuration for development environment
+# Development-tuned Mailu configuration
+global:
+  # Use the unbound service IP - will be replaced during deployment
+  custom_dns_servers: "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
+
+# Component-specific DNS configuration
+admin:
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
+
+rspamd:
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
 
 # Domain configuration for dev
 domain: "bakery-ia.local"
@@ -12,7 +27,64 @@ externalRelay:
   username: "postmaster@bakery-ia.local"
   password: "mailgun-api-key-replace-in-production"
 
-# Ingress configuration for dev - disabled to use with existing ingress
+# Environment-specific configurations
+persistence:
+  enabled: true
+  # Development: use default storage class
+  storageClass: "standard"
+  size: "5Gi"
+
+# Resource optimizations for development
+resources:
+  admin:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "500m"
+      memory: "256Mi"
+  front:
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
+  postfix:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "300m"
+      memory: "256Mi"
+  dovecot:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "300m"
+      memory: "256Mi"
+  rspamd:
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
+  clamav:
+    requests:
+      cpu: "100m"
+      memory: "256Mi"
+    limits:
+      cpu: "300m"
+      memory: "512Mi"
+
+replicaCount: 1  # Single replica for development
+
+# Security settings
+secretKey: "generate-strong-key-here-for-development"
+
+# Ingress configuration for development - disabled to use with existing ingress
 ingress:
   enabled: false  # Disable chart's Ingress; use existing one
   tls: false      # Disable TLS in chart since ingress handles it
@@ -33,6 +105,15 @@ welcomeMessage:
 # Log level for dev
 logLevel: "DEBUG"
 
+# Development-specific overrides
+env:
+  DEBUG: "true"
+  LOG_LEVEL: "INFO"
+
+# Disable or simplify monitoring in development
+monitoring:
+  enabled: false
+
 # Network Policy for dev
 networkPolicy:
   enabled: true

infrastructure/platform/mail/mailu-helm/prod/values.yaml

@@ -1,5 +1,20 @@
-# Production-specific Mailu Helm values for Bakery-IA
-# Overrides base configuration for production environment
+# Production-tuned Mailu configuration
+global:
+  # Use the unbound service IP - will be replaced during deployment
+  custom_dns_servers: "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
+
+# Component-specific DNS configuration
+admin:
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
+
+rspamd:
+  dnsPolicy: "None"
+  dnsConfig:
+    nameservers:
+      - "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
 
 # Domain configuration for production
 domain: "bakewise.ai"
@@ -12,6 +27,63 @@ externalRelay:
   username: "postmaster@bakewise.ai"
   password: "PRODUCTION_MAILGUN_API_KEY"  # This should be set via secret
 
+# Environment-specific configurations
+persistence:
+  enabled: true
+  # Production: use microk8s-hostpath or longhorn
+  storageClass: "longhorn"  # Assuming Longhorn is available in production
+  size: "20Gi"  # Larger storage for production email volume
+
+# Resource allocations for production
+resources:
+  admin:
+    requests:
+      cpu: "200m"
+      memory: "256Mi"
+    limits:
+      cpu: "1"
+      memory: "512Mi"
+  front:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "500m"
+      memory: "256Mi"
+  postfix:
+    requests:
+      cpu: "200m"
+      memory: "256Mi"
+    limits:
+      cpu: "1"
+      memory: "512Mi"
+  dovecot:
+    requests:
+      cpu: "200m"
+      memory: "256Mi"
+    limits:
+      cpu: "1"
+      memory: "512Mi"
+  rspamd:
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+    limits:
+      cpu: "500m"
+      memory: "256Mi"
+  clamav:
+    requests:
+      cpu: "200m"
+      memory: "512Mi"
+    limits:
+      cpu: "1"
+      memory: "1Gi"
+
+replicaCount: 1  # Can be increased in production as needed
+
+# Security settings
+secretKey: "generate-strong-key-here-for-production"
+
 # Ingress configuration for production - disabled to use with existing ingress
 ingress:
   enabled: false  # Disable chart's Ingress; use existing one
@@ -40,7 +112,24 @@ antivirus:
   enabled: true
   flavor: "clamav"
 
-# Network Policy for production
+# Production-specific settings
+env:
+  DEBUG: "false"
+  LOG_LEVEL: "WARNING"
+  TLS_FLAVOR: "cert"
+  REDIS_PASSWORD: "secure-redis-password"
+
+# Enable monitoring in production
+monitoring:
+  enabled: true
+
+# Production-specific security settings
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  fsGroup: 1000
+
+# Network policies for production
 networkPolicy:
   enabled: true
   ingressController:

infrastructure/platform/mail/mailu-helm/values.yaml

@@ -1,6 +1,11 @@
 # Base Mailu Helm values for Bakery-IA
 # Preserves critical configurations from the original Kustomize setup
 
+# Global DNS configuration for DNSSEC validation
+global:
+  # This will be replaced with the actual Unbound service IP during deployment
+  custom_dns_servers: "unbound-dns.bakery-ia.svc.cluster.local"  # Using service DNS name instead of IP
+
 # Domain configuration
 domain: "DOMAIN_PLACEHOLDER"
 hostnames:
@@ -203,4 +208,18 @@ networkPolicy:
       matchLabels:
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/component: controller
+        app.kubernetes.io/component: controller
+
+# DNS Policy Configuration for DNSSEC validation
+# These settings ensure Mailu components use the Unbound DNS resolver
+dnsPolicy: "None"
+dnsConfig:
+  nameservers:
+    - "unbound-dns.bakery-ia.svc.cluster.local"  # Points to the Unbound service in the bakery-ia namespace
+  options:
+    - name: ndots
+      value: "5"
+    - name: timeout
+      value: "5"
+    - name: attempts
+      value: "3"

infrastructure/platform/storage/postgres/postgres-template.yaml

@@ -19,8 +19,6 @@ spec:
         app.kubernetes.io/name: {{SERVICE_NAME}}-db
         app.kubernetes.io/component: database
     spec:
-      imagePullSecrets:
-      - name: dockerhub-creds
       containers:
       - name: postgres
         image: postgres:17-alpine

infrastructure/platform/storage/redis/redis.yaml

@@ -19,8 +19,6 @@ spec:
         app.kubernetes.io/name: redis
         app.kubernetes.io/component: cache
     spec:
-      imagePullSecrets:
-      - name: dockerhub-creds
       securityContext:
         fsGroup: 999  # redis group
       initContainers: