mailu: add validating dns sidecar and disable vip hostports

2025-12-12 01:06:38 -03:00 · 2025-12-12 01:06:38 -03:00 · ca27cc95b6
commit ca27cc95b6
parent 6c77b8e7f8
3 changed files with 82 additions and 2 deletions
--- a/services/mailu/helmrelease.yaml
+++ b/services/mailu/helmrelease.yaml
@ -18,6 +18,8 @@ spec:
    remediation: { retries: 3 }
  upgrade:
    remediation: { retries: 3 }
+    force: true
+    cleanupOnFail: true
  values:
    mailuVersion: "2024.06"
    domain: bstein.dev
@ -94,11 +96,42 @@ spec:
          value: 127.0.0.1,10.42.0.0/16
        - name: DNS_RESOLVERS
          value: 1.1.1.1,9.9.9.9
+      extraVolumes:
+        - name: unbound-config
+          configMap:
+            name: mailu-unbound
+        - name: unbound-run
+          emptyDir: {}
+      extraVolumeMounts:
+        - name: unbound-config
+          mountPath: /etc/unbound
+        - name: unbound-run
+          mountPath: /var/lib/unbound
+      extraContainers:
+        - name: unbound
+          image: ghcr.io/mailu/unbound:1.19
+          args:
+            - -d
+            - -c
+            - /etc/unbound/unbound.conf
+          ports:
+            - containerPort: 53
+              protocol: UDP
+            - containerPort: 53
+              protocol: TCP
+          volumeMounts:
+            - name: unbound-config
+              mountPath: /etc/unbound
+            - name: unbound-run
+              mountPath: /var/lib/unbound
      dnsPolicy: None
      dnsConfig:
        nameservers:
-          - 1.1.1.1
-          - 9.9.9.9
+          - 127.0.0.1
+        searches:
+          - mailu-mailserver.svc.cluster.local
+          - svc.cluster.local
+          - cluster.local
    clamav:
      logLevel: DEBUG
      nodeSelector:
--- a/services/mailu/kustomization.yaml
+++ b/services/mailu/kustomization.yaml
@ -7,3 +7,4 @@ resources:
  - helmrelease.yaml
  - certificate.yaml
  - vip-controller.yaml
+  - unbound-configmap.yaml
--- a/services/mailu/unbound-configmap.yaml
+++ b/services/mailu/unbound-configmap.yaml
@ -0,0 +1,46 @@
+# services/mailu/unbound-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mailu-unbound
+  namespace: mailu-mailserver
+data:
+  unbound.conf: |
+    server:
+      verbosity: 1
+      interface: 0.0.0.0
+      do-ip4: yes
+      do-ip6: no
+      do-udp: yes
+      do-tcp: yes
+      auto-trust-anchor-file: "/var/lib/unbound/root.key"
+      prefetch: yes
+      qname-minimisation: yes
+      harden-dnssec-stripped: yes
+      val-clean-additional: yes
+      cache-min-ttl: 120
+      cache-max-ttl: 86400
+      access-control: 0.0.0.0/0 allow
+
+    forward-zone:
+      name: "mailu-mailserver.svc.cluster.local."
+      forward-addr: 10.43.0.10
+      forward-no-cache: yes
+      forward-first: yes
+
+    forward-zone:
+      name: "svc.cluster.local."
+      forward-addr: 10.43.0.10
+      forward-no-cache: yes
+      forward-first: yes
+
+    forward-zone:
+      name: "cluster.local."
+      forward-addr: 10.43.0.10
+      forward-no-cache: yes
+      forward-first: yes
+
+    forward-zone:
+      name: "."
+      forward-addr: 9.9.9.9
+      forward-addr: 1.1.1.1