Initial commit - production deployment
This commit is contained in:
164
infrastructure/platform/mail/mailu-helm/prod/values.yaml
Normal file
164
infrastructure/platform/mail/mailu-helm/prod/values.yaml
Normal file
@@ -0,0 +1,164 @@
|
||||
# Production-tuned Mailu configuration
|
||||
global:
|
||||
# Using Kubernetes cluster DNS for name resolution
|
||||
custom_dns_servers: "10.96.0.10" # Kubernetes cluster DNS IP
|
||||
|
||||
# Redis configuration - use built-in Mailu Redis (no authentication needed for internal)
|
||||
externalRedis:
|
||||
enabled: false
|
||||
|
||||
# DNS configuration for production
|
||||
# Use Kubernetes DNS (ClusterFirst) which forwards to Unbound via CoreDNS
|
||||
# This is configured automatically by the mailu-helm Tilt resource
|
||||
admin:
|
||||
dnsPolicy: "ClusterFirst"
|
||||
|
||||
rspamd:
|
||||
dnsPolicy: "ClusterFirst"
|
||||
|
||||
# Domain configuration for production
|
||||
domain: "bakewise.ai"
|
||||
hostnames:
|
||||
- "mail.bakewise.ai"
|
||||
|
||||
# Initial admin account for production environment
|
||||
# Password is stored in mailu-admin-credentials secret
|
||||
initialAccount:
|
||||
enabled: true
|
||||
username: "admin"
|
||||
domain: "bakewise.ai"
|
||||
existingSecret: "mailu-admin-credentials"
|
||||
existingSecretPasswordKey: "password"
|
||||
mode: "ifmissing"
|
||||
|
||||
# External relay configuration for production (Mailgun)
|
||||
# All outbound emails will be relayed through Mailgun SMTP
|
||||
# To configure:
|
||||
# 1. Register at mailgun.com and verify your domain (bakewise.ai)
|
||||
# 2. Get your SMTP credentials from Mailgun dashboard
|
||||
# 3. Update the secret in configs/mailgun-credentials-secret.yaml
|
||||
# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
|
||||
externalRelay:
|
||||
host: "[smtp.mailgun.org]:587"
|
||||
# Credentials loaded from Kubernetes secret
|
||||
secretName: "mailu-mailgun-credentials"
|
||||
usernameKey: "RELAY_USERNAME"
|
||||
passwordKey: "RELAY_PASSWORD"
|
||||
|
||||
# Environment-specific configurations
|
||||
persistence:
|
||||
enabled: true
|
||||
# Production: use microk8s-hostpath or longhorn
|
||||
storageClass: "longhorn" # Assuming Longhorn is available in production
|
||||
size: "20Gi" # Larger storage for production email volume
|
||||
|
||||
# Resource allocations for production
|
||||
resources:
|
||||
admin:
|
||||
requests:
|
||||
cpu: "200m"
|
||||
memory: "256Mi"
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "512Mi"
|
||||
front:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "128Mi"
|
||||
limits:
|
||||
cpu: "500m"
|
||||
memory: "256Mi"
|
||||
postfix:
|
||||
requests:
|
||||
cpu: "200m"
|
||||
memory: "256Mi"
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "512Mi"
|
||||
dovecot:
|
||||
requests:
|
||||
cpu: "200m"
|
||||
memory: "256Mi"
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "512Mi"
|
||||
rspamd:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "128Mi"
|
||||
limits:
|
||||
cpu: "500m"
|
||||
memory: "256Mi"
|
||||
clamav:
|
||||
requests:
|
||||
cpu: "200m"
|
||||
memory: "512Mi"
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "1Gi"
|
||||
|
||||
replicaCount: 1 # Can be increased in production as needed
|
||||
|
||||
# Security settings
|
||||
secretKey: "generate-strong-key-here-for-production"
|
||||
|
||||
# Ingress configuration for production - disabled to use with existing ingress
|
||||
ingress:
|
||||
enabled: false # Disable chart's Ingress; use existing one
|
||||
tls: false # Disable TLS in chart since ingress handles it
|
||||
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
|
||||
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
|
||||
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
|
||||
path: /
|
||||
pathType: ImplementationSpecific
|
||||
|
||||
# TLS flavor for production (uses Let's Encrypt)
|
||||
tls:
|
||||
flavor: "cert"
|
||||
|
||||
# Welcome message (enabled in production)
|
||||
welcomeMessage:
|
||||
enabled: true
|
||||
subject: "Welcome to Bakewise.ai Email Service"
|
||||
body: "Welcome to our email service. Please change your password and update your profile."
|
||||
|
||||
# Log level for production
|
||||
logLevel: "WARNING"
|
||||
|
||||
# Enable antivirus in production
|
||||
antivirus:
|
||||
enabled: true
|
||||
flavor: "clamav"
|
||||
|
||||
# Production-specific settings
|
||||
env:
|
||||
DEBUG: "false"
|
||||
LOG_LEVEL: "WARNING"
|
||||
TLS_FLAVOR: "cert"
|
||||
REDIS_PASSWORD: "secure-redis-password"
|
||||
|
||||
# Enable monitoring in production
|
||||
monitoring:
|
||||
enabled: true
|
||||
|
||||
# Production-specific security settings
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
|
||||
# Network policies for production
|
||||
networkPolicy:
|
||||
enabled: true
|
||||
ingressController:
|
||||
namespace: ingress-nginx
|
||||
podSelector: |
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: ingress-nginx
|
||||
app.kubernetes.io/instance: ingress-nginx
|
||||
app.kubernetes.io/component: controller
|
||||
monitoring:
|
||||
namespace: monitoring
|
||||
podSelector: |
|
||||
matchLabels:
|
||||
app: signoz-prometheus
|
||||
Reference in New Issue
Block a user