From 0a6f3448ec082faeb4fe9db18536902bb88e15c1 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 24 Aug 2021 18:42:51 +0200
Subject: [PATCH 1/2] k8s is helm-chart only
---
docs/kubernetes/mailu/admin.yaml | 63 -----
docs/kubernetes/mailu/configmap.yaml | 175 --------------
docs/kubernetes/mailu/fetchmail.yaml | 39 ----
docs/kubernetes/mailu/front.yaml | 148 ------------
docs/kubernetes/mailu/imap.yaml | 84 -------
docs/kubernetes/mailu/index.rst | 221 +-----------------
docs/kubernetes/mailu/ingress.yaml | 25 --
docs/kubernetes/mailu/pvc.yaml | 27 ---
docs/kubernetes/mailu/rbac.yaml | 4 -
docs/kubernetes/mailu/redis.yaml | 60 -----
docs/kubernetes/mailu/security.yaml | 115 ---------
docs/kubernetes/mailu/smtp.yaml | 80 -------
docs/kubernetes/mailu/webdav.yaml | 63 -----
docs/kubernetes/mailu/webmail.yaml | 57 -----
.../nginx/default-http-backend.yaml | 55 -----
docs/kubernetes/nginx/nginx-ingress.yaml | 127 ----------
docs/kubernetes/nginx/rbac.yaml | 129 ----------
17 files changed, 4 insertions(+), 1468 deletions(-)
delete mode 100644 docs/kubernetes/mailu/admin.yaml
delete mode 100644 docs/kubernetes/mailu/configmap.yaml
delete mode 100644 docs/kubernetes/mailu/fetchmail.yaml
delete mode 100644 docs/kubernetes/mailu/front.yaml
delete mode 100644 docs/kubernetes/mailu/imap.yaml
delete mode 100644 docs/kubernetes/mailu/ingress.yaml
delete mode 100644 docs/kubernetes/mailu/pvc.yaml
delete mode 100644 docs/kubernetes/mailu/rbac.yaml
delete mode 100644 docs/kubernetes/mailu/redis.yaml
delete mode 100644 docs/kubernetes/mailu/security.yaml
delete mode 100644 docs/kubernetes/mailu/smtp.yaml
delete mode 100644 docs/kubernetes/mailu/webdav.yaml
delete mode 100644 docs/kubernetes/mailu/webmail.yaml
delete mode 100644 docs/kubernetes/nginx/default-http-backend.yaml
delete mode 100644 docs/kubernetes/nginx/nginx-ingress.yaml
delete mode 100644 docs/kubernetes/nginx/rbac.yaml
diff --git a/docs/kubernetes/mailu/admin.yaml b/docs/kubernetes/mailu/admin.yaml deleted file mode 100644 index 08c06e44..00000000 --- a/docs/kubernetes/mailu/admin.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-admin - namespace: mailu-mailserver -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-admin - role: mail - tier: backend - spec: - containers: - - name: admin - image: mailu/admin:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - volumeMounts: - - name: maildata - mountPath: /data - subPath: maildata - - name: maildata - mountPath: /dkim - subPath: dkim - ports: - - name: http - containerPort: 80 - protocol: TCP - resources: - requests: - memory: 500Mi - cpu: 500m - limits: - memory: 500Mi - cpu: 500m - volumes: - - name: maildata - persistentVolumeClaim: - claimName: mail-storage ---- - -apiVersion: v1 -kind: Service -metadata: - name: admin - namespace: mailu-mailserver - labels: - app: mailu-admin - role: mail - tier: backend -spec: - selector: - app: mailu-admin - role: mail - tier: backend - ports: - - name: http - port: 80 - protocol: TCP diff --git a/docs/kubernetes/mailu/configmap.yaml b/docs/kubernetes/mailu/configmap.yaml deleted file mode 100644 index 6a674c53..00000000 --- a/docs/kubernetes/mailu/configmap.yaml +++ /dev/null 
@@ -1,175 +0,0 @@ - apiVersion: v1 - kind: ConfigMap - metadata: - name: mailu-config - namespace: mailu-mailserver - data: - # Mailu main configuration file - # - # Most configuration variables can be modified through the Web interface, - # these few settings must however be configured before starting the mail - # server and require a restart upon change. - - ################################### - # Common configuration variables - ################################### - - # Set this to the path where Mailu data and configuration is stored - ROOT: "/mailu" - - # Mailu version to run (1.0, 1.1, etc. or master) - VERSION: "master" - - # Set to a randomly generated 16 bytes string - SECRET_KEY: "MySup3rS3cr3tPas" - - # Address where listening ports should bind - BIND_ADDRESS4: "127.0.0.1" - #BIND_ADDRESS6: "::1" - - # Main mail domain - DOMAIN: "example.com" - - # Hostnames for this server, separated with comas - HOSTNAMES: "mail.example.com" - - # Postmaster local part (will append the main mail domain) - POSTMASTER: "admin" - - # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt) - TLS_FLAVOR: "cert" - - # Authentication rate limit (per source IP address) - AUTH_RATELIMIT: "10/minute;1000/hour" - - # Opt-out of statistics, replace with "True" to opt out - DISABLE_STATISTICS: "False" - - ################################### - # Kubernetes configuration - ################################### - - # Use Kubernetes Ingress Controller to handle all actions on port 80 and 443 - # This way we can make use of the advantages of the cert-manager deployment - KUBERNETES_INGRESS: "true" - - # POD_ADDRESS_RANGE is normally provided by default with Kubernetes - # Only use this value when you are using Flannel, Calico or a special kind of CNI - # Provide the IPs of your network interface or bridge which is used for VXLAN network traffic - # POD_ADDRESS_RANGE: 10.2.0.0/16,10.1.6.0/24 - - ################################### - # Optional 
features - ################################### - - # Expose the admin interface (value: true, false) - ADMIN: "true" - # Run the admin interface in debug mode - #DEBUG: "True" - - # Choose which webmail to run if any (values: roundcube, rainloop, none) - WEBMAIL: "roundcube" - - # Dav server implementation (value: radicale, none) - WEBDAV: "radicale" - - # Antivirus solution (value: clamav, none) - ANTIVIRUS: "clamav" - - ################################### - # Mail settings - ################################### - - # Message size limit in bytes - # Default: accept messages up to 50MB - MESSAGE_SIZE_LIMIT: "50000000" - - # Will relay all outgoing mails if configured - #RELAYHOST= - - # This part is needed for the XCLIENT login for postfix. This should be the POD ADDRESS range - FRONT_ADDRESS: "front.mailu-mailserver.svc.cluster.local" - - # This value is needed by the webmail to find the correct imap backend - IMAP_ADDRESS: "imap.mailu-mailserver.svc.cluster.local" - - # This value is used by Dovecot to find the Redis server in the cluster - REDIS_ADDRESS: "redis.mailu-mailserver.svc.cluster.local" - - # Fetchmail delay - FETCHMAIL_DELAY: "600" - - # Recipient delimiter, character used to delimiter localpart from custom address part - # e.g. localpart+custom@domain;tld - RECIPIENT_DELIMITER: "+" - - # DMARC rua and ruf email - DMARC_RUA: "root" - DMARC_RUF: "root" - - # Welcome email, enable and set a topic and body if you wish to send welcome - # emails to all users. - WELCOME: "false" - WELCOME_SUBJECT: "Welcome to your new email account" - WELCOME_BODY: "Welcome to your new email account, if you can read this, then it is configured properly!" - - ################################### - # Web settings - ################################### - - # Path to the admin interface if enabled - # Kubernetes addition: You need to change ALL the ingresses, when you want this URL to be different!!! 
- WEB_ADMIN: "/admin" - - # Path to the webmail if enabled - # Currently, this is not used, because we intended to use a different subdomain: webmail.example.com - # This option can be added in a feature release - WEB_WEBMAIL: "/webmail" - - # Website name - SITENAME: "Mailu" - - # Linked Website URL - WEBSITE: "https://example.com" - - # Registration reCaptcha settings (warning, this has some privacy impact) - # RECAPTCHA_PUBLIC_KEY= - # RECAPTCHA_PRIVATE_KEY= - - # Domain registration, uncomment to enable - # DOMAIN_REGISTRATION=true - - ################################### - # Advanced settings - ################################### - - # Create an admin account if it does not exist yet. It will also create the email domain for the account. - # INITIAL_ADMIN_ACCOUNT: "admin" - # INITIAL_ADMIN_DOMAIN: "example.com" - # INITIAL_ADMIN_PW: "s3cr3t" - - # Docker-compose project name, this will prepended to containers names. - COMPOSE_PROJECT_NAME: "mailu" - - # Default password scheme used for newly created accounts and changed passwords - # (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT) - PASSWORD_SCHEME: "SHA512-CRYPT" - - # Header to take the real ip from - #REAL_IP_HEADER: - - # IPs for nginx set_real_ip_from (CIDR list separated by commas) - #REAL_IP_FROM: - - # Host settings - HOST_IMAP: "imap.mailu-mailserver.svc.cluster.local" - HOST_POP3: "imap.mailu-mailserver.svc.cluster.local" - HOST_SMTP: "smtp.mailu-mailserver.svc.cluster.local" - HOST_AUTHSMTP: "smtp.mailu-mailserver.svc.cluster.local" - HOST_WEBMAIL: "webmail.mailu-mailserver.svc.cluster.local" - HOST_ADMIN: "admin.mailu-mailserver.svc.cluster.local" - HOST_WEBDAV: "webdav.mailu-mailserver.svc.cluster.local:5232" - HOST_ANTISPAM_MILTER: "antispam.mailu-mailserver.svc.cluster.local:11332" - HOST_ANTISPAM_WEBUI: "antispam.mailu-mailserver.svc.cluster.local:11334" - HOST_ANTIVIRUS: "antivirus.mailu-mailserver.svc.cluster.local:3310" - HOST_REDIS: "redis.mailu-mailserver.svc.cluster.local" 
diff --git a/docs/kubernetes/mailu/fetchmail.yaml b/docs/kubernetes/mailu/fetchmail.yaml deleted file mode 100644 index d454f95b..00000000 --- a/docs/kubernetes/mailu/fetchmail.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-fetchmail - namespace: mailu-mailserver -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-fetchmail - role: mail - tier: backend - spec: - containers: - - name: fetchmail - image: mailu/fetchmail:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - volumeMounts: - - name: maildata - mountPath: /data - subPath: maildata - ports: - - containerPort: 5232 - - containerPort: 80 - resources: - requests: - memory: 100Mi - cpu: 100m - limits: - memory: 100Mi - cpu: 100m - volumes: - - name: maildata - persistentVolumeClaim: - claimName: mail-storage diff --git a/docs/kubernetes/mailu/front.yaml b/docs/kubernetes/mailu/front.yaml deleted file mode 100644 index 2fba1026..00000000 --- a/docs/kubernetes/mailu/front.yaml +++ /dev/null 
@@ -1,148 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: mailu-front - namespace: mailu-mailserver - labels: - k8s-app: mail-loadbalancer - component: ingress-controller - type: nginx -spec: - selector: - matchLabels: - k8s-app: mail-loadbalancer - component: ingress-controller - type: nginx - template: - metadata: - labels: - k8s-app: mail-loadbalancer - component: ingress-controller - type: nginx - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/node - operator: Exists - nodeSelector: - node-role.kubernetes.io/node: "" - dnsPolicy: ClusterFirstWithHostNet - restartPolicy: Always - terminationGracePeriodSeconds: 60 - containers: - - name: front - image: mailu/nginx:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - volumeMounts: - - name: certs - mountPath: /certs - ports: - - name: pop3 - containerPort: 110 - hostPort: 110 - protocol: TCP - - name: pop3s - containerPort: 995 - hostPort: 995 - protocol: TCP - - name: imap - containerPort: 143 - hostPort: 143 - protocol: TCP - - name: imaps - containerPort: 993 - hostPort: 993 - protocol: TCP - - name: smtp - containerPort: 25 - hostPort: 25 - protocol: TCP - - name: smtps - containerPort: 465 - hostPort: 465 - protocol: TCP - - name: smtpd - containerPort: 587 - hostPort: 587 - protocol: TCP - # internal services (not exposed externally) - - name: smtp-auth - containerPort: 10025 - protocol: TCP - - name: imap-auth - containerPort: 10143 - protocol: TCP - - name: auth - containerPort: 8000 - protocol: TCP - - name: http - containerPort: 80 - protocol: TCP - resources: - requests: - memory: 100Mi - cpu: 100m - limits: - memory: 200Mi - cpu: 200m - volumes: - - name: certs - secret: - items: - - key: tls.crt - path: cert.pem - - key: tls.key - path: key.pem - secretName: letsencrypt-certs-all ---- -apiVersion: v1 -kind: Service -metadata: - name: front - 
namespace: mailu-mailserver - labels: - k8s-app: mail-loadbalancer - component: ingress-controller - type: nginx -spec: - selector: - k8s-app: mail-loadbalancer - component: ingress-controller - type: nginx - ports: - - name: pop3 - port: 110 - protocol: TCP - - name: pop3s - port: 995 - protocol: TCP - - name: imap - port: 143 - protocol: TCP - - name: imaps - port: 993 - protocol: TCP - - name: smtp - port: 25 - protocol: TCP - - name: smtps - port: 465 - protocol: TCP - - name: smtpd - port: 587 - protocol: TCP - - name: smtp-auth - port: 10025 - protocol: TCP - - name: imap-auth - port: 10143 - protocol: TCP - - name: http - port: 80 - protocol: TCP diff --git a/docs/kubernetes/mailu/imap.yaml b/docs/kubernetes/mailu/imap.yaml deleted file mode 100644 index 64e69930..00000000 --- a/docs/kubernetes/mailu/imap.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-imap - namespace: mailu-mailserver -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-imap - role: mail - tier: backend - spec: - containers: - - name: imap - image: mailu/dovecot:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - volumeMounts: - - mountPath: /data - name: maildata - subPath: maildata - - mountPath: /mail - name: maildata - subPath: mailstate - - mountPath: /overrides - name: maildata - subPath: overrides - ports: - - name: imap-auth - containerPort: 2102 - - name: imap-transport - containerPort: 2525 - - name: pop3 - containerPort: 110 - - name: imap-default - containerPort: 143 - - name: sieve - containerPort: 4190 - resources: - requests: - memory: 1Gi - cpu: 1000m - limits: - memory: 1Gi - cpu: 1000m - volumes: - - name: maildata - persistentVolumeClaim: - claimName: mail-storage ---- -apiVersion: v1 -kind: Service -metadata: - name: imap - namespace: mailu-mailserver - labels: - app: mailu - role: mail - tier: backend -spec: - selector: - app: mailu-imap - role: mail - tier: backend - ports: - - name: imap-auth - port: 2102 - protocol: TCP - - name: imap-transport - port: 2525 - protocol: TCP - - name: pop3 - port: 110 - protocol: TCP - - name: imap-default - port: 143 - protocol: TCP - - name: sieve - port: 4190 - protocol: TCP diff --git a/docs/kubernetes/mailu/index.rst b/docs/kubernetes/mailu/index.rst index 0af3942e..db4b98cd 100644 --- a/docs/kubernetes/mailu/index.rst +++ b/docs/kubernetes/mailu/index.rst 
@@ -3,222 +3,9 @@ Kubernetes setup ================ -> Hold up! -> These instructions are not recommended for setting up Mailu in a production Kubernetes environment. -> Please see [the Helm Chart documentation](https://github.com/Mailu/helm-charts/blob/master/mailu/README.md). +Hold up! These instructions are not recommended for setting up Mailu in a production Kubernetes environment. Please see `the Helm Chart documentation`_. -Prequisites ------------ +We are looking for maintainers: if you are interested please join our `Matrix`_ room. -Structure -~~~~~~~~~ - -There’s chosen to have a double NGINX stack for Mailu, this way the main -ingress can still be used to access other websites/domains on your -cluster. This is the current structure: - -- ``NGINX Ingress controller``: Listens to the nodes ports 80 & 443. We have chosen to have a double NGINX stack for Mailu. -- ``Cert manager``: Creates automatic Lets Encrypt certificates based on an ``Ingress``-objects domain name. -- ``Mailu NGINX Front daemonset``: This daemonset runs in parallel with the Nginx Ingress Controller and only listens on all E-mail specific ports (25, 110, 143, 587,...). It also listens on 80 and delegates the various http endpoints to the correct services. -- ``Mailu components``: All Mailu components (imap, smtp, security, webmail,...) are split into separate files to make them more handy to use, you can find the ``YAML`` files in this directory - -What you need -~~~~~~~~~~~~~ - -- A working Kubernetes cluster (tested with 1.10.5) -- A working `cert-manager`_ installation -- A working nginx-ingress controller needed for the lets-encrypt - certificates. You can find those files in the ``nginx`` subfolder. - Other ingress controllers that support cert-manager (e.g. traefik) - should also work. - -Cert manager -^^^^^^^^^^^^ - -The ``Cert-manager`` is quite easy to deploy using Helm when reading the -`docs`_. 
After booting the ``Cert-manager`` you’ll need a -``ClusterIssuer`` which takes care of all required certificates through -``Ingress`` items. We chose to provide a ``clusterIssuer`` so you can provide SSL certificates -for other namespaces (different websites/services), if you don't need this option, you can easily change this by -changing ``clusterIssuer`` to ``Issuer`` and adding the ``namespace: mailu-mailserver`` to the metadata. -An example of a production and a staging ``clusterIssuer``: - -.. code:: yaml - - # This clusterIssuer example uses the staging environment for testing first - apiVersion: certmanager.k8s.io/v1alpha1 - kind: ClusterIssuer - metadata: - name: letsencrypt-stage - spec: - acme: - email: something@example.com - http01: {} - privateKeySecretRef: - name: letsencrypt-stage - server: https://acme-staging-v02.api.letsencrypt.org/directory - -.. code:: yaml - - # This clusterIssuer example uses the production environment - apiVersion: certmanager.k8s.io/v1alpha1 - kind: ClusterIssuer - metadata: - name: letsencrypt-prod - spec: - acme: - email: something@example.com - http01: {} - privateKeySecretRef: - name: letsencrypt-prod - server: https://acme-v02.api.letsencrypt.org/directory - -**IMPORTANT**: ``ingress.yaml`` uses the ``letsencrypt-stage`` ``clusterIssuer``. If you are ready for production, -change this field in ``ingress.yaml`` file to ``letsencrypt-prod`` or whatever name you chose for the production. -If you choose for ``Issuer`` instead of ``clusterIssuer`` you also need to change the annotation to ``certmanager.k8s.io/issuer`` instead of ``certmanager.k8s.io/cluster-issuer`` - -Deploying Mailu ---------------- - -All manifests can be found in the ``mailu`` subdirectory. All commands -below need to be run from this subdirectory - -Personalization -~~~~~~~~~~~~~~~ - -- All services run in the same namespace, currently ``mailu-mailserver``. 
So if you want to use a different one, change the ``namespace`` value in **every** file -- Check the ``storage-class`` field in the ``pvc.yaml`` file, you can also change the sizes to your liking. Note that you need ``RWX`` (read-write-many) and ``RWO`` (read-write-once) storageclasses. -- Check the ``configmap.yaml`` and adapt it to your needs. Be sure to check the kubernetes DNS values at the end (if you use a different namespace) -- Check the ``ingress.yaml`` file and change it to the domain you want (this is for the kubernetes ingress controller to handle the admin, webmail, webdav and auth connections) - -Installation ------------- - -Boot the Mailu components -~~~~~~~~~~~~~~~~~~~~~~~~~ - -To start Mailu, run the following commands from the ``docs/kubernetes/mailu`` directory - -.. code-block:: bash - - kubectl create -f rbac.yaml - kubectl create -f configmap.yaml - kubectl create -f pvc.yaml - kubectl create -f redis.yaml - kubectl create -f front.yaml - kubectl create -f webmail.yaml - kubectl create -f imap.yaml - kubectl create -f security.yaml - kubectl create -f smtp.yaml - kubectl create -f fetchmail.yaml - kubectl create -f admin.yaml - kubectl create -f webdav.yaml - kubectl create -f ingress.yaml - - -Create the first admin account -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -When the cluster is online you need to create you master user to access https://mail.example.com/admin - -You can create it now manually, or have the system create it automatically. - -If you want the system to create the admin user account automatically, see :ref:`admin_account` -about the environment variables needed (``INITIAL_ADMIN_*``). -Also, important, taking into consideration that a pod in Kubernetes can be stopped/rescheduled at -any time, you should set ``INITIAL_ADMIN_MODE`` to either ``update`` or ``ifmissing`` - depending on what you -want to happen to its password. - - -To create the admin user account manually, enter the main ``admin`` pod: - -.. 
code-block:: bash - - kubectl -n mailu-mailserver get po - kubectl -n mailu-mailserver exec -it mailu-admin-.... /bin/sh - -And in the pod run the following command. The command uses following entries: - -.. code-block:: bash - - flask mailu admin root example.com password - -- ``admin`` Make it an admin user -- ``root`` The first part of the e-mail address (ROOT@example.com) -- ``example.com`` the domain appendix -- ``password`` the chosen password for the user - - -Now you should be able to login on the mail account: https://mail.example.com/admin - - -Adaptations ------------ - -Dovecot -~~~~~~~ - -- If you are using Dovecot on a shared file system (Glusterfs, NFS,...), you need to create a special override otherwise a lot of indexing errors will occur on your Dovecot pod. -- I also higher the number of max connections per IP. Now it's limited to 10. - -Enter the dovecot pod: - -.. code:: bash - - kubectl -n mailu-mailserver get po - kubectl -n mailu-mailserver exec -it mailu-imap-.... /bin/sh - -Create the file ``overrides/dovecot.conf`` - -.. code:: bash - - vi /overrides/dovecot.conf - -And enter following contents: - -.. code:: bash - - mail_nfs_index = yes - mail_nfs_storage = yes - mail_fsync = always - mmap_disable = yes - mail_max_userip_connections=100 - -Save and close the file and delete the imap pod to get it recreated. - -.. code:: bash - - kubectl -n mailu-mailserver delete po/mailu-imap-.... - -Wait for the pod to recreate and you're online! -Happy mailing! - -.. _here: https://github.com/hacor/Mailu/blob/master/core/postfix/conf/main.cf#L35 -.. _cert-manager: https://github.com/jetstack/cert-manager -.. _docs: https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm - -Imap login fix -~~~~~~~~~~~~~~ - -If it seems you're not able to login using IMAP on your Mailu accounts, check the logs of the imap container to see whether it's a permissions problem on the database. 
-This problem can be easily fixed by running following commands: - -.. code:: bash - - kubectl -n mailu-mailserver exec -it mailu-imap-... /bin/sh - chmod 777 /data/main.db - -If the login problem still persists, or more specific, happens now and then and you see some Auth problems on your webmail or mail client, try following steps: - -- Add ``auth_debug=yes`` to the ``/overrides/dovecot.conf`` file and delete the pod in order to start a new one, which loads the configuration -- Depending on your network configuration you could still see some ``allow_nets check failed`` results in the logs. This means that the IP is not allowed a login -- If this is happening your network plugin has troubles with the Nginx Ingress Controller using the ``hostNetwork: true`` option. Known cases: Flannel and Calico. -- You should uncomment ``POD_ADDRESS_RANGE`` in the ``configmap.yaml`` file and add the IP range of your pod network bridge (the range that sadly has failed the ``allowed_nets`` test) -- Delete the Admin pod and wait for it to restart - -.. code:: bash - - kubectl -n mailu-mailserver get po - kubectl -n mailu-mailserver delete po/mailu-admin... - -Happy mailing! +.. _`the Helm Chart documentation`: https://github.com/Mailu/helm-charts/blob/master/mailu/README.md +.. _`Matrix`: https://matrix.to/#/#mailu:tedomum.net diff --git a/docs/kubernetes/mailu/ingress.yaml b/docs/kubernetes/mailu/ingress.yaml deleted file mode 100644 index 5a941e97..00000000 --- a/docs/kubernetes/mailu/ingress.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: apps/v1 -kind: Ingress -metadata: - name: mailu-ingress - namespace: mailu-mailserver - annotations: - kubernetes.io/tls-acme: "true" - certmanager.k8s.io/cluster-issuer: letsencrypt-stage - labels: - app: mailu - role: mail - tier: backend -spec: - tls: - - hosts: - - "mail.example.com" - secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt - rules: - - host: "mail.example.com" - http: - paths: - - path: "/" - backend: - serviceName: front - servicePort: 80 diff --git a/docs/kubernetes/mailu/pvc.yaml b/docs/kubernetes/mailu/pvc.yaml deleted file mode 100644 index 0ec2852f..00000000 --- a/docs/kubernetes/mailu/pvc.yaml +++ /dev/null @@ -1,27 +0,0 @@ -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: redis-hdd - namespace: mailu-mailserver - annotations: - volume.beta.kubernetes.io/storage-class: "glusterblock-hdd" -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: mail-storage - namespace: mailu-mailserver - annotations: - volume.beta.kubernetes.io/storage-class: "gluster-heketi-hdd" -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 100Gi diff --git a/docs/kubernetes/mailu/rbac.yaml b/docs/kubernetes/mailu/rbac.yaml deleted file mode 100644 index 33255130..00000000 --- a/docs/kubernetes/mailu/rbac.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: mailu-mailserver \ No newline at end of file diff --git a/docs/kubernetes/mailu/redis.yaml b/docs/kubernetes/mailu/redis.yaml deleted file mode 100644 index f453a3ff..00000000 --- a/docs/kubernetes/mailu/redis.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-redis - namespace: mailu-mailserver -spec: - replicas: 1 - selector: - matchLabels: - app: mailu-redis - role: mail - tier: backend - template: - metadata: - labels: - app: mailu-redis - role: mail - tier: backend - spec: - containers: - - name: redis - image: redis:5-alpine - imagePullPolicy: Always - volumeMounts: - - mountPath: /data - name: redisdata - ports: - - containerPort: 6379 - name: redis - protocol: TCP - resources: - requests: - memory: 200Mi - cpu: 100m - limits: - memory: 300Mi - cpu: 200m - volumes: - - name: redisdata - persistentVolumeClaim: - claimName: redis-hdd ---- -apiVersion: v1 -kind: Service -metadata: - name: redis - namespace: mailu-mailserver - labels: - app: mailu-redis - role: mail - tier: backend -spec: - selector: - app: mailu-redis - role: mail - tier: backend - ports: - - name: redis - port: 6379 - protocol: TCP diff --git a/docs/kubernetes/mailu/security.yaml b/docs/kubernetes/mailu/security.yaml deleted file mode 100644 index 419c7ac4..00000000 --- a/docs/kubernetes/mailu/security.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-security - namespace: mailu-mailserver -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-security - role: mail - tier: backend - spec: - containers: - - name: antispam - image: mailu/rspamd:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - resources: - requests: - memory: 100Mi - cpu: 100m - limits: - memory: 200Mi - cpu: 200m - ports: - - name: antispam - containerPort: 11332 - protocol: TCP - - name: antispam-http - containerPort: 11334 - protocol: TCP - volumeMounts: - - name: filter - subPath: filter - mountPath: /var/lib/rspamd - - name: filter - mountPath: /dkim - subPath: dkim - - name: filter - mountPath: /etc/rspamd/override.d - subPath: rspamd-overrides - - name: antivirus - image: mailu/clamav:master - imagePullPolicy: Always - resources: - requests: - memory: 1Gi - cpu: 1000m - limits: - memory: 2Gi - cpu: 1000m - envFrom: - - configMapRef: - name: mailu-config - ports: - - name: antivirus - containerPort: 3310 - protocol: TCP - volumeMounts: - - name: filter - subPath: filter - mountPath: /data - volumes: - - name: filter - persistentVolumeClaim: - claimName: mail-storage - ---- - -apiVersion: v1 -kind: Service -metadata: - name: antispam - namespace: mailu-mailserver - labels: - app: mailu-antispam - role: mail - tier: backend -spec: - selector: - app: mailu-security - role: mail - tier: backend - ports: - - name: antispam - port: 11332 - protocol: TCP - - name: antispam-http - protocol: TCP - port: 11334 - ---- - -apiVersion: v1 -kind: Service -metadata: - name: antivirus - namespace: mailu-mailserver - labels: - app: mailu-antivirus - role: mail - tier: backend -spec: - selector: - app: mailu-security - role: mail - tier: backend - ports: - - name: antivirus - port: 3310 - protocol: TCP diff --git a/docs/kubernetes/mailu/smtp.yaml b/docs/kubernetes/mailu/smtp.yaml deleted file mode 100644 index 6002d508..00000000 
--- a/docs/kubernetes/mailu/smtp.yaml +++ /dev/null @@ -1,80 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-smtp - namespace: mailu-mailserver -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-smtp - role: mail - tier: backend - spec: - containers: - - name: smtp - image: mailu/postfix:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - resources: - requests: - memory: 2Gi - cpu: 500m - limits: - memory: 2Gi - cpu: 500m - volumeMounts: - - mountPath: /queue - name: maildata - subPath: mailqueue - - mountPath: /overrides - name: maildata - subPath: overrides - ports: - - name: smtp - containerPort: 25 - protocol: TCP - - name: smtp-ssl - containerPort: 465 - protocol: TCP - - name: smtp-starttls - containerPort: 587 - protocol: TCP - - name: smtp-auth - containerPort: 10025 - protocol: TCP - volumes: - - name: maildata - persistentVolumeClaim: - claimName: mail-storage ---- -apiVersion: v1 -kind: Service -metadata: - name: smtp - namespace: mailu-mailserver - labels: - app: mailu - role: mail - tier: backend -spec: - selector: - app: mailu-smtp - role: mail - tier: backend - ports: - - name: smtp - port: 25 - protocol: TCP - - name: smtp-ssl - port: 465 - protocol: TCP - - name: smtp-starttls - port: 587 - protocol: TCP - - name: smtp-auth - port: 10025 - protocol: TCP diff --git a/docs/kubernetes/mailu/webdav.yaml b/docs/kubernetes/mailu/webdav.yaml deleted file mode 100644 index 57dde9a9..00000000 --- a/docs/kubernetes/mailu/webdav.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-webdav - namespace: mailu-mailserver -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-webdav - role: mail - tier: backend - spec: - containers: - - name: radicale - image: mailu/radicale:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - volumeMounts: - - mountPath: /data - name: maildata - subPath: dav - ports: - - containerPort: 5232 - - containerPort: 80 - resources: - requests: - memory: 100Mi - cpu: 100m - limits: - memory: 100Mi - cpu: 100m - volumes: - - name: maildata - persistentVolumeClaim: - claimName: mail-storage ---- - -apiVersion: v1 -kind: Service -metadata: - name: webdav - namespace: mailu-mailserver - labels: - app: mailu-webdav - role: mail - tier: backend -spec: - selector: - app: mailu-webdav - role: mail - tier: backend - ports: - ports: - - name: http - port: 80 - protocol: TCP - - name: http-ui - port: 5232 - protocol: TCP diff --git a/docs/kubernetes/mailu/webmail.yaml b/docs/kubernetes/mailu/webmail.yaml deleted file mode 100644 index 679ea84a..00000000 --- a/docs/kubernetes/mailu/webmail.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mailu-roundcube - namespace: mailu-mailserver -spec: - replicas: 1 - template: - metadata: - labels: - app: mailu-roundcube - role: mail - tier: frontend - spec: - containers: - - name: roundcube - image: mailu/roundcube:master - imagePullPolicy: Always - envFrom: - - configMapRef: - name: mailu-config - resources: - requests: - memory: 100Mi - cpu: 100m - limits: - memory: 200Mi - cpu: 200m - volumeMounts: - - mountPath: /data - name: maildata - subPath: webmail - ports: - - containerPort: 80 - volumes: - - name: maildata - persistentVolumeClaim: - claimName: mail-storage ---- -apiVersion: v1 -kind: Service -metadata: - name: webmail - namespace: mailu-mailserver - labels: - app: mailu-roundcube - role: mail - tier: frontend -spec: - selector: - app: mailu-roundcube - role: mail - tier: frontend - ports: - - name: http - port: 80 - protocol: TCP diff --git a/docs/kubernetes/nginx/default-http-backend.yaml b/docs/kubernetes/nginx/default-http-backend.yaml deleted file mode 100644 index cf881c53..00000000 --- a/docs/kubernetes/nginx/default-http-backend.yaml +++ /dev/null 
@@ -1,55 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: default-http-backend
- labels:
- app: default-http-backend
- namespace: kube-ingress
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: default-http-backend
- template:
- metadata:
- labels:
- app: default-http-backend
- spec:
- terminationGracePeriodSeconds: 60
- containers:
- - name: default-http-backend
- # Any image is permissible as long as:
- # 1. It serves a 404 page at /
- # 2. It serves 200 on a /healthz endpoint
- image: gcr.io/google_containers/defaultbackend:1.4
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8080
- scheme: HTTP
- initialDelaySeconds: 30
- timeoutSeconds: 5
- ports:
- - containerPort: 8080
- resources:
- limits:
- cpu: 10m
- memory: 20Mi
- requests:
- cpu: 10m
- memory: 20Mi
----
-
-apiVersion: v1
-kind: Service
-metadata:
- name: default-http-backend
- namespace: kube-ingress
- labels:
- app: default-http-backend
-spec:
- ports:
- - port: 80
- targetPort: 8080
- selector:
- app: default-http-backend
diff --git a/docs/kubernetes/nginx/nginx-ingress.yaml b/docs/kubernetes/nginx/nginx-ingress.yaml
deleted file mode 100644
index d8b71e21..00000000
--- a/docs/kubernetes/nginx/nginx-ingress.yaml
+++ /dev/null
@@ -1,127 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- # keep it under 24 chars
- name: ingress-lb
- namespace: kube-ingress
- labels:
- k8s-app: ingress-lb
- component: ingress-controller
-spec:
- type: ClusterIP
- selector:
- k8s-app: ingress-lb
- component: ingress-controller
- ports:
- - name: http
- protocol: TCP
- port: 80
- targetPort: 80
- - name: https
- protocol: TCP
- port: 443
- targetPort: 443
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: udp-services
- namespace: kube-ingress
-
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: tcp-services
- namespace: kube-ingress
-data:
-
----
-apiVersion: v1
-data:
- enable-vts-status: "true"
-kind: ConfigMap
-metadata:
- name: nginx-ingress-lb-conf
- namespace: kube-ingress
----
-apiVersion: apps/v1beta2
-kind: DaemonSet
-metadata:
- name: ingress-controller
- namespace: kube-ingress
- annotations:
- prometheus.io/port: "10254"
- prometheus.io/scrape: "true"
- labels:
- k8s-app: ingress-lb
- component: ingress-controller
- type: nginx
-spec:
- updateStrategy:
- rollingUpdate:
- maxUnavailable: 1
- type: RollingUpdate
- selector:
- matchLabels:
- k8s-app: ingress-lb
- component: ingress-controller
- type: nginx
- template:
- metadata:
- labels:
- k8s-app: ingress-lb
- component: ingress-controller
- type: nginx
- spec:
- serviceAccount: kube-nginx-ingress
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: node-role.kubernetes.io/master
- operator: DoesNotExist
- containers:
- - name: nginx-ingress-lb
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.2
- args:
- - /nginx-ingress-controller
- - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
- - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- - --annotations-prefix=ingress.kubernetes.io
- - --enable-ssl-passthrough
- # use downward API
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- ports:
- - name: http
- containerPort: 80
- - name: https
- containerPort: 443
- readinessProbe:
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- livenessProbe:
- initialDelaySeconds: 10
- timeoutSeconds: 1
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- hostNetwork: true
- nodeSelector:
- node-role.kubernetes.io/node: ""
- dnsPolicy: ClusterFirstWithHostNet
- restartPolicy: Always
- terminationGracePeriodSeconds: 60
diff --git a/docs/kubernetes/nginx/rbac.yaml b/docs/kubernetes/nginx/rbac.yaml
deleted file mode 100644
index d3c01384..00000000
--- a/docs/kubernetes/nginx/rbac.yaml
+++ /dev/null
@@ -1,129 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: kube-ingress
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kube-nginx-ingress
- namespace: kube-ingress
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: kube-nginx-ingress
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
- - update
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - "extensions"
- resources:
- - ingresses/status
- verbs:
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: kube-nginx-ingress
- namespace: kube-ingress
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - pods
- - secrets
- - namespaces
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - configmaps
- resourceNames:
- - "ingress-controller-leader-nginx"
- verbs:
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - get
- - create
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: kube-nginx-ingress
- namespace: kube-ingress
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kube-nginx-ingress
-subjects:
- - kind: ServiceAccount
- name: kube-nginx-ingress
- namespace: kube-ingress
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: kube-nginx-ingress
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kube-nginx-ingress
-subjects:
- - kind: ServiceAccount
- name: kube-nginx-ingress
- namespace: kube-ingress
\ No newline at end of file
From e742c5432be91ebd9ac4bd48da0e48c40034e623 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Tue, 24 Aug 2021 18:49:27 +0200 Subject: [PATCH 2/2] simplify --- docs/kubernetes/mailu/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/kubernetes/mailu/index.rst b/docs/kubernetes/mailu/index.rst
index db4b98cd..853f3689 100644
--- a/docs/kubernetes/mailu/index.rst
+++ b/docs/kubernetes/mailu/index.rst
@@ -3,7 +3,7 @@ Kubernetes setup ================ -Hold up! These instructions are not recommended for setting up Mailu in a production Kubernetes environment. Please see `the Helm Chart documentation`_. +Please see `the Helm Chart documentation`_. We are looking for maintainers: if you are interested please join our `Matrix`_ room.