bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7645e184e2a93f9199c9f91ab1ab36895fa2cdd9
bakery-ia/MAILU_DEPLOYMENT_ARCHITECTURE.md
Bakery Admin 0183f3ab72 Fix resources isues 5
2026-01-22 11:15:11 +01:00

279 lines
7.8 KiB
Markdown
Raw Blame History

# Mailu Deployment Architecture for Bakery-IA Project
## Executive Summary
This document outlines the recommended architecture for deploying Mailu email services across development and production environments for the Bakery-IA project. The solution addresses DNSSEC validation requirements using CoreDNS with DNS-over-TLS while maintaining consistency across different Kubernetes platforms.
## Environment Overview
### Development Environment
- **Platform**: Kind (Kubernetes in Docker) or Colima
- **Purpose**: Local development and testing
- **Characteristics**: Ephemeral, single-node, resource-constrained
### Production Environment
- **Platform**: MicroK8s on Ubuntu VPS
- **Purpose**: Production email services
- **Characteristics**: Single-node or small cluster, persistent storage, production-grade reliability
## Core Requirements
1. **DNSSEC Validation**: Mailu v1.9+ requires DNSSEC-validating resolver
2. **Cross-Environment Consistency**: Unified approach for dev and prod
3. **Resource Efficiency**: Optimized for constrained environments
4. **Reliability**: Production-grade availability and monitoring
## Architectural Solution
### DNS Resolution Strategy
**Approach**: Use CoreDNS with DNS-over-TLS to Cloudflare (1.1.1.1) for DNSSEC validation
#### Benefits:
- ✅ Leverages existing Kubernetes DNS infrastructure
- ✅ No additional pods required (uses CoreDNS already in cluster)
- ✅ DNSSEC validation provided by Cloudflare's DNS-over-TLS
- ✅ Consistent behavior across dev and prod
- ✅ Meets Mailu's DNSSEC requirements
- ✅ Simple and reliable
### Implementation Components
#### 1. CoreDNS Configuration with DNS-over-TLS
```yaml
# CoreDNS Corefile configuration for DNSSEC via DNS-over-TLS
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . tls://1.1.1.1 tls://1.0.0.1 {
tls_servername cloudflare-dns.com
health_check 5s
}
cache 30 {
disable success cluster.local
disable denial cluster.local
}
loop
reload
loadbalance
}
```
#### 2. Mailu Configuration (values.yaml)
```yaml
# Production-tuned Mailu configuration
global:
# Using Kubernetes CoreDNS for DNS resolution
# CoreDNS is configured with DNS-over-TLS (Cloudflare) for DNSSEC validation
custom_dns_servers: "10.152.183.10" # MicroK8s CoreDNS IP (adjust for your cluster)
# DNS configuration - use Kubernetes DNS (ClusterFirst)
# CoreDNS provides DNSSEC validation via DNS-over-TLS to Cloudflare
admin:
dnsPolicy: "ClusterFirst"
rspamd:
dnsPolicy: "ClusterFirst"
# Environment-specific configurations
persistence:
enabled: true
storageClass: "" # Use cluster default
replicas: 1 # Increase in production as needed
# Security settings
secretKey: "generate-strong-key-here"
```
### Environment-Specific Adaptations
#### Development (Kind/Colima)
**Optimizations:**
- Use hostPath volumes for persistence
- Reduce resource requests/limits
- Disable or simplify monitoring
- Use NodePort for external access
**Deployment:**
```bash
# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
# Deploy Mailu with dev-specific values
helm upgrade --install mailu mailu/mailu \
--namespace bakery-ia \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/dev/values.yaml \
--set global.custom_dns_servers=$COREDNS_IP
```
#### Production (MicroK8s/Ubuntu)
**Enhancements:**
- Use microk8s-hostpath for storage
- Enable monitoring and logging
- Configure proper ingress with TLS
- Set up backup solutions
**Deployment:**
```bash
# Enable required MicroK8s addons
microk8s enable dns storage ingress
# Get CoreDNS service IP
COREDNS_IP=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
# Deploy Mailu with production values
helm upgrade --install mailu mailu/mailu \
--namespace bakery-ia \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
--set global.custom_dns_servers=$COREDNS_IP
```
## Verification Procedures
### DNSSEC Validation Test
```bash
# Test DNS resolution from within a Mailu pod
kubectl exec -it -n bakery-ia deploy/mailu-admin -- bash
# Test DNSSEC validation (via CoreDNS -> Cloudflare DNS-over-TLS)
dig +short +dnssec +adflag example.org A
# Should show AD flag in response indicating DNSSEC validation
```
### Service Health Checks
```bash
# Check CoreDNS is running
kubectl get pods -n kube-system -l k8s-app=kube-dns
# Check Mailu components
kubectl get pods -n bakery-ia | grep mailu
kubectl logs -n bakery-ia -l app.kubernetes.io/name=mailu
```
## Monitoring and Maintenance
### Production Monitoring Setup
CoreDNS exposes Prometheus metrics on port 9153 by default. Monitor:
- DNS query latency
- DNS query success/failure rates
- DNS cache hit ratio
### Backup Strategy
**Production:**
- Daily Velero backups of bakery-ia namespace
- Weekly database dumps
- Monthly full cluster snapshots
**Development:**
- On-demand backups before major changes
- Volume snapshots for critical data
## Troubleshooting Guide
### Common Issues and Solutions
**Issue: DNS resolution failures**
- Verify CoreDNS pods are running
- Check CoreDNS logs: `kubectl logs -n kube-system -l k8s-app=kube-dns`
- Test DNS resolution: `kubectl run -it --rm dns-test --image=busybox -- nslookup google.com`
**Issue: Mailu pods failing to start**
- Confirm DNS configuration in values.yaml
- Verify CoreDNS service is reachable
- Check resource availability
**Issue: DNSSEC validation errors**
- Ensure CoreDNS is configured with DNS-over-TLS
- Test with: `dig +dnssec example.org`
- Verify Cloudflare DNS is reachable
**Issue: Performance problems**
- Monitor CPU/memory usage
- Adjust resource limits
- Consider scaling replicas
## Migration Path
### From Development to Production
1. **Configuration Migration**
- Update storage class from hostPath to production storage
- Adjust resource requests/limits
- Enable monitoring and logging
2. **Data Migration**
- Export development data
- Import into production environment
- Verify data integrity
3. **DNS Configuration**
- Update DNS records to point to production
- Verify TLS certificates
- Test email delivery
## Security Considerations
### Production Security Hardening
1. **Network Security**
- Implement network policies
- Restrict ingress/egress traffic
- Use TLS for all external communications
2. **Access Control**
- Implement RBAC for Mailu namespace
- Restrict admin access
- Use strong authentication
3. **Monitoring and Alerting**
- Set up anomaly detection
- Configure alert thresholds
- Implement log retention policies
## Cost Optimization
### Resource Management
**Development:**
- Use minimal resource allocations
- Scale down when not in use
- Clean up unused resources
**Production:**
- Right-size resource requests
- Implement auto-scaling where possible
- Monitor and optimize usage patterns
## Conclusion
This architecture provides a robust, consistent solution for deploying Mailu across development and production environments. By using CoreDNS with DNS-over-TLS to Cloudflare, we ensure compliance with Mailu's DNSSEC requirements while maintaining simplicity and reliability.
The solution is designed to be:
- **Simple**: Uses existing Kubernetes DNS infrastructure
- **Consistent**: Same core architecture across environments
- **Reliable**: Production-grade availability
- **Efficient**: No additional pods required for DNS
This approach aligns with the Bakery-IA project's requirements for a secure, reliable email infrastructure that can be consistently deployed across different environments.
Reference in New Issue View Git Blame Copy Permalink