Initial commit - production deployment

infrastructure/platform/mail/mailu-helm/values.yaml

@@ -0,0 +1,235 @@
+# Base Mailu Helm values for Bakery-IA
+# Preserves critical configurations from the original Kustomize setup
+
+# Global DNS configuration for DNSSEC validation
+global:
+  # Using Unbound DNS resolver directly for DNSSEC validation
+  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
+  # Static ClusterIP configured in unbound-helm/values.yaml
+  custom_dns_servers: "10.96.53.53"  # Unbound DNS static ClusterIP
+
+# Domain configuration
+domain: "DOMAIN_PLACEHOLDER"
+hostnames:
+  - "mail.DOMAIN_PLACEHOLDER"
+
+# Mailu version to match the original setup
+mailuVersion: "2024.06"
+
+# Secret key for authentication cookies
+secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7"
+
+# Timezone
+timezone: "Etc/UTC"
+
+# Postmaster configuration
+postmaster: "admin"
+
+# Initial admin account configuration
+# This creates an admin user as part of the Helm deployment
+# Credentials can be provided directly or via Kubernetes secret
+initialAccount:
+  enabled: true
+  username: "admin"
+  domain: ""  # Set in environment-specific values (dev/prod)
+  password: ""  # Leave empty to use existingSecret
+  existingSecret: "mailu-admin-credentials"
+  existingSecretPasswordKey: "password"
+  mode: "ifmissing"  # Only create if account doesn't exist
+
+# TLS configuration
+tls:
+  flavor: "notls"  # Disable TLS for development
+
+# Limits configuration
+limits:
+  messageSizeLimitInMegabytes: 50
+  authRatelimit:
+    ip: "60/hour"
+    user: "100/day"
+  messageRatelimit:
+    value: "200/day"
+
+# External relay configuration (Mailgun)
+# Mailu will relay all outbound emails through Mailgun SMTP
+# Credentials are loaded from Kubernetes secret for security
+externalRelay:
+  host: "[smtp.mailgun.org]:587"
+  # Use existing secret for credentials (recommended for security)
+  secretName: "mailu-mailgun-credentials"
+  usernameKey: "RELAY_USERNAME"
+  passwordKey: "RELAY_PASSWORD"
+
+# Webmail configuration
+webmail:
+  enabled: true
+  type: "roundcube"
+
+# Antivirus and antispam configuration
+antivirus:
+  enabled: false  # Disabled in dev to save resources
+antispam:
+  enabled: true
+  flavor: "rspamd"
+
+# Welcome message
+welcomeMessage:
+  enabled: false  # Disabled during development
+
+# Logging
+logLevel: "INFO"
+
+# Network configuration
+subnet: "10.42.0.0/16"
+
+# Redis configuration - using internal Redis (built-in)
+externalRedis:
+  enabled: false
+  # host: "redis-service.bakery-ia.svc.cluster.local"
+  # port: 6380
+  adminQuotaDbId: 15
+  adminRateLimitDbId: 15
+  rspamdDbId: 15
+
+# Database configuration - using default SQLite (built-in)
+externalDatabase:
+  enabled: false
+  # type: "postgresql"
+  # host: "postgres-service.bakery-ia.svc.cluster.local"
+  # port: 5432
+  # database: "mailu"
+  # username: "mailu"
+  # password: "E8Kz47YmVzDlHGs1M9wAbJzxcKnGONCT"
+
+# Persistence configuration
+persistence:
+  single_pvc: true
+  size: 10Gi
+  storageClass: ""
+  accessModes: [ReadWriteOnce]
+
+# Ingress configuration - disabled to use with existing ingress
+ingress:
+  enabled: false  # Disable chart's Ingress; use existing one
+  tls: false      # Disable TLS in chart since ingress handles it
+  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
+  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
+  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
+  path: /
+  pathType: ImplementationSpecific
+
+  # Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying
+  proxyProtocol:
+    smtp: false
+    smtps: false
+    submission: false
+    imap: false
+    imaps: false
+    pop3: false
+    pop3s: false
+    manageSieve: false
+
+# Front configuration
+front:
+  image:
+    tag: "2024.06"
+  replicaCount: 1
+  service:
+    type: ClusterIP
+    ports:
+      http: 80
+      https: 443
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 200m
+      memory: 256Mi
+
+# Admin configuration
+admin:
+  image:
+    tag: "2024.06"
+  replicaCount: 1
+  service:
+    type: ClusterIP
+    port: 80
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 300m
+      memory: 512Mi
+
+# Postfix configuration
+postfix:
+  image:
+    tag: "2024.06"
+  replicaCount: 1
+  service:
+    type: ClusterIP
+    ports:
+      smtp: 25
+      submission: 587
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
+# Dovecot configuration
+dovecot:
+  image:
+    tag: "2024.06"
+  replicaCount: 1
+  service:
+    type: ClusterIP
+    ports:
+      imap: 143
+      imaps: 993
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
+# Rspamd configuration
+rspamd:
+  image:
+    tag: "2024.06"
+  replicaCount: 1
+  service:
+    type: ClusterIP
+    ports:
+      rspamd: 11333
+      rspamd-admin: 11334
+  resources:
+    requests:
+      cpu: 200m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+
+# Network Policy
+networkPolicy:
+  enabled: true
+  ingressController:
+    namespace: ingress-nginx
+    podSelector: |
+      matchLabels:
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/component: controller
+
+# DNS Policy Configuration
+# Use Kubernetes DNS (ClusterFirst) for internal service resolution
+# DNSSEC validation for email is handled by rspamd component
+# Note: For production with DNSSEC needs, configure CoreDNS to forward to Unbound
+dnsPolicy: "ClusterFirst"