bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0183f3ab7212257fce8f4d7133a8c62c8e990d24
bakery-ia/MAILU_DEPLOYMENT_ARCHITECTURE.md
Bakery Admin 0183f3ab72 Fix resources isues 5
2026-01-22 11:15:11 +01:00

7.8 KiB
Raw Blame History

Mailu Deployment Architecture for Bakery-IA Project

Executive Summary

This document outlines the recommended architecture for deploying Mailu email services across development and production environments for the Bakery-IA project. The solution addresses DNSSEC validation requirements using CoreDNS with DNS-over-TLS while maintaining consistency across different Kubernetes platforms.

Environment Overview

Development Environment

  • Platform: Kind (Kubernetes in Docker) or Colima
  • Purpose: Local development and testing
  • Characteristics: Ephemeral, single-node, resource-constrained

Production Environment

  • Platform: MicroK8s on Ubuntu VPS
  • Purpose: Production email services
  • Characteristics: Single-node or small cluster, persistent storage, production-grade reliability

Core Requirements

  1. DNSSEC Validation: Mailu v1.9+ requires DNSSEC-validating resolver
  2. Cross-Environment Consistency: Unified approach for dev and prod
  3. Resource Efficiency: Optimized for constrained environments
  4. Reliability: Production-grade availability and monitoring

Architectural Solution

DNS Resolution Strategy

Approach: Use CoreDNS with DNS-over-TLS to Cloudflare (1.1.1.1) for DNSSEC validation

Benefits:

  • Leverages existing Kubernetes DNS infrastructure
  • No additional pods required (uses CoreDNS already in cluster)
  • DNSSEC validation provided by Cloudflare's DNS-over-TLS
  • Consistent behavior across dev and prod
  • Meets Mailu's DNSSEC requirements
  • Simple and reliable

Implementation Components

1. CoreDNS Configuration with DNS-over-TLS

# CoreDNS Corefile configuration for DNSSEC via DNS-over-TLS
.:53 {
    errors
    health {
       lameduck 5s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
       pods insecure
       fallthrough in-addr.arpa ip6.arpa
       ttl 30
    }
    prometheus :9153
    forward . tls://1.1.1.1 tls://1.0.0.1 {
       tls_servername cloudflare-dns.com
       health_check 5s
    }
    cache 30 {
       disable success cluster.local
       disable denial cluster.local
    }
    loop
    reload
    loadbalance
}

2. Mailu Configuration (values.yaml)

# Production-tuned Mailu configuration
global:
  # Using Kubernetes CoreDNS for DNS resolution
  # CoreDNS is configured with DNS-over-TLS (Cloudflare) for DNSSEC validation
  custom_dns_servers: "10.152.183.10"  # MicroK8s CoreDNS IP (adjust for your cluster)

# DNS configuration - use Kubernetes DNS (ClusterFirst)
# CoreDNS provides DNSSEC validation via DNS-over-TLS to Cloudflare
admin:
  dnsPolicy: "ClusterFirst"

rspamd:
  dnsPolicy: "ClusterFirst"

# Environment-specific configurations
persistence:
  enabled: true
  storageClass: ""  # Use cluster default

replicas: 1  # Increase in production as needed

# Security settings
secretKey: "generate-strong-key-here"

Environment-Specific Adaptations

Development (Kind/Colima)

Optimizations:

  • Use hostPath volumes for persistence
  • Reduce resource requests/limits
  • Disable or simplify monitoring
  • Use NodePort for external access

Deployment:

# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')

# Deploy Mailu with dev-specific values
helm upgrade --install mailu mailu/mailu \
  --namespace bakery-ia \
  -f infrastructure/platform/mail/mailu-helm/values.yaml \
  -f infrastructure/platform/mail/mailu-helm/dev/values.yaml \
  --set global.custom_dns_servers=$COREDNS_IP

Production (MicroK8s/Ubuntu)

Enhancements:

  • Use microk8s-hostpath for storage
  • Enable monitoring and logging
  • Configure proper ingress with TLS
  • Set up backup solutions

Deployment:

# Enable required MicroK8s addons
microk8s enable dns storage ingress

# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')

# Deploy Mailu with production values
helm upgrade --install mailu mailu/mailu \
  --namespace bakery-ia \
  -f infrastructure/platform/mail/mailu-helm/values.yaml \
  -f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
  --set global.custom_dns_servers=$COREDNS_IP

Verification Procedures

DNSSEC Validation Test

# Test DNS resolution from within a Mailu pod
kubectl exec -it -n bakery-ia deploy/mailu-admin -- bash

# Test DNSSEC validation (via CoreDNS -> Cloudflare DNS-over-TLS)
dig +short +dnssec +adflag example.org A

# Should show AD flag in response indicating DNSSEC validation

Service Health Checks

# Check CoreDNS is running
kubectl get pods -n kube-system -l k8s-app=kube-dns

# Check Mailu components
kubectl get pods -n bakery-ia | grep mailu
kubectl logs -n bakery-ia -l app.kubernetes.io/name=mailu

Monitoring and Maintenance

Production Monitoring Setup

CoreDNS exposes Prometheus metrics on port 9153 by default. Monitor:

  • DNS query latency
  • DNS query success/failure rates
  • DNS cache hit ratio

Backup Strategy

Production:

  • Daily Velero backups of bakery-ia namespace
  • Weekly database dumps
  • Monthly full cluster snapshots

Development:

  • On-demand backups before major changes
  • Volume snapshots for critical data

Troubleshooting Guide

Common Issues and Solutions

Issue: DNS resolution failures

  • Verify CoreDNS pods are running
  • Check CoreDNS logs: kubectl logs -n kube-system -l k8s-app=kube-dns
  • Test DNS resolution: kubectl run -it --rm dns-test --image=busybox -- nslookup google.com

Issue: Mailu pods failing to start

  • Confirm DNS configuration in values.yaml
  • Verify CoreDNS service is reachable
  • Check resource availability

Issue: DNSSEC validation errors

  • Ensure CoreDNS is configured with DNS-over-TLS
  • Test with: dig +dnssec example.org
  • Verify Cloudflare DNS is reachable

Issue: Performance problems

  • Monitor CPU/memory usage
  • Adjust resource limits
  • Consider scaling replicas

Migration Path

From Development to Production

  1. Configuration Migration

    • Update storage class from hostPath to production storage
    • Adjust resource requests/limits
    • Enable monitoring and logging

  2. Data Migration

    • Export development data
    • Import into production environment
    • Verify data integrity

  3. DNS Configuration

    • Update DNS records to point to production
    • Verify TLS certificates
    • Test email delivery

Security Considerations

Production Security Hardening

  1. Network Security

    • Implement network policies
    • Restrict ingress/egress traffic
    • Use TLS for all external communications

  2. Access Control

    • Implement RBAC for Mailu namespace
    • Restrict admin access
    • Use strong authentication

  3. Monitoring and Alerting

    • Set up anomaly detection
    • Configure alert thresholds
    • Implement log retention policies

Cost Optimization

Resource Management

Development:

  • Use minimal resource allocations
  • Scale down when not in use
  • Clean up unused resources

Production:

  • Right-size resource requests
  • Implement auto-scaling where possible
  • Monitor and optimize usage patterns

Conclusion

This architecture provides a robust, consistent solution for deploying Mailu across development and production environments. By using CoreDNS with DNS-over-TLS to Cloudflare, we ensure compliance with Mailu's DNSSEC requirements while maintaining simplicity and reliability.

The solution is designed to be:

  • Simple: Uses existing Kubernetes DNS infrastructure
  • Consistent: Same core architecture across environments
  • Reliable: Production-grade availability
  • Efficient: No additional pods required for DNS

This approach aligns with the Bakery-IA project's requirements for a secure, reliable email infrastructure that can be consistently deployed across different environments.