Fix issues 7

2026-01-23 21:42:31 +01:00
parent e26481e5e8
commit c3defa3a10
7 changed files with 100 additions and 114 deletions
--- a/infrastructure/platform/mail/mailu-helm/configs/mailersend-credentials-secret.yaml
+++ b/infrastructure/platform/mail/mailu-helm/configs/mailersend-credentials-secret.yaml
@@ -42,6 +42,24 @@
 # - Rate limit: 120 requests/minute
 #
 # ============================================================================
+# CRITICAL: AFTER UPDATING THIS SECRET
+# ============================================================================
+#
+# Mailu's Postfix reads SASL credentials ONLY at pod startup. It does NOT
+# automatically reload when this secret changes. You MUST do one of:
+#
+# Option 1: Update the credentials-version annotation in values.yaml and run helm upgrade
+#   - Edit prod/values.yaml: postfix.podAnnotations.credentials-version
+#   - Set to current timestamp: date +%s
+#   - Run: helm upgrade mailu mailu/mailu -f values.yaml -f prod/values.yaml -n bakery-ia
+#
+# Option 2: Manually restart Postfix pod
+#   kubectl rollout restart deployment/mailu-postfix -n bakery-ia
+#
+# Option 3: Delete the Postfix pod (it will be recreated)
+#   kubectl delete pod -l app.kubernetes.io/component=postfix -n bakery-ia
+#
+# ============================================================================
 # DNS RECORDS REQUIRED FOR MAILERSEND:
 # ============================================================================
 #
@@ -84,21 +102,7 @@ stringData:
  # ============================================================================
  # REPLACE THESE VALUES WITH YOUR MAILERSEND CREDENTIALS
  # ============================================================================
+  # Key names match Mailu Helm chart defaults (relay-username, relay-password)
  #
-  # Option 1: Use stringData (plain text - Kubernetes will encode automatically)
-  # This is easier for initial setup but shows credentials in the file
-  #
-  RELAY_USERNAME: "MS_d34ZtW@bakewise.ai"
-  RELAY_PASSWORD: "mssp.Z6GRHQ8.zr6ke4nvq6egon12.IDyvEi7"
-  #
-  # ============================================================================
-  # ALTERNATIVE: Use pre-encoded values (more secure for version control)
-  # ============================================================================
-  # Comment out stringData above and uncomment data below:
-  #
-  # data:
-  #   # Base64 encoded values
-  #   # echo -n 'your-mailersend-username' | base64
-  #   RELAY_USERNAME: WU9VUl9NQUlMRVJTRU5EX1NNVFBfVVNFUk5BTUU=
-  #   # echo -n 'your-mailersend-password' | base64
-  #   RELAY_PASSWORD: WU9VUl9NQUlMRVJTRU5EX1NNVFBfUEFTU1dPUkQ=
+  relay-username: "MS_d34ZtW@bakewise.ai"
+  relay-password: "mssp.Z6GRHQ8.zr6ke4nvq6egon12.IDyvEi7"
--- a/infrastructure/platform/mail/mailu-helm/dev/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/dev/values.yaml
@@ -44,9 +44,18 @@ initialAccount:
 externalRelay:
  host: "[smtp.mailgun.org]:587"
  # Credentials loaded from Kubernetes secret
-  secretName: "mailu-mailgun-credentials"
-  usernameKey: "RELAY_USERNAME"
-  passwordKey: "RELAY_PASSWORD"
+  # Key names use Helm chart defaults: relay-username, relay-password
+  existingSecret: "mailu-mailgun-credentials"
+
+# Postfix configuration
+# CRITICAL: podAnnotations ensures Postfix restarts when credentials change
+# Without this, Mailu reads SASL credentials only at pod startup and won't pick up secret updates
+postfix:
+  podAnnotations:
+    # UPDATE THIS VALUE when changing mailu-mailgun-credentials secret
+    # This triggers a rolling restart of Postfix to reload SASL credentials
+    # Generate new value: date +%s or use the secret's resourceVersion
+    credentials-version: "1706054400"

 # Environment-specific configurations
 persistence:
--- a/infrastructure/platform/mail/mailu-helm/prod/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/prod/values.yaml
@@ -42,9 +42,18 @@ initialAccount:
 externalRelay:
  host: "[smtp.mailersend.net]:2525"
  # Credentials loaded from existing Kubernetes secret
-  secretName: "mailu-mailersend-credentials"
-  usernameKey: "RELAY_USERNAME"
-  passwordKey: "RELAY_PASSWORD"
+  # Key names use Helm chart defaults (relay-username, relay-password)
+  existingSecret: "mailu-mailersend-credentials"
+
+# Postfix configuration
+# CRITICAL: podAnnotations ensures Postfix restarts when credentials change
+# Without this, Mailu reads SASL credentials only at pod startup and won't pick up secret updates
+postfix:
+  podAnnotations:
+    # UPDATE THIS VALUE when changing mailu-mailersend-credentials secret
+    # This triggers a rolling restart of Postfix to reload SASL credentials
+    # Generate new value: date +%s or use the secret's resourceVersion
+    credentials-version: "1706054400"

 # Environment-specific configurations
 persistence:
--- a/infrastructure/platform/mail/mailu-helm/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/values.yaml
@@ -57,9 +57,8 @@ limits:
 externalRelay:
  host: "[smtp.mailersend.net]:587"
  # Use existing secret for credentials (recommended for security)
-  secretName: "mailu-mailersend-credentials"
-  usernameKey: "RELAY_USERNAME"
-  passwordKey: "RELAY_PASSWORD"
+  # Key names use Helm chart defaults: relay-username, relay-password
+  existingSecret: "mailu-mailersend-credentials"

 # Webmail configuration
 webmail: