From f5a3894c2b1788aaf439ec6af03d90d141448b1f Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Thu, 15 Jan 2026 01:02:41 -0300 Subject: [PATCH] mailu: use vault sidecar env --- services/comms/helmrelease.yaml | 1 + services/mailu/helmrelease.yaml | 423 +++++++++++++++++++++ services/mailu/kustomization.yaml | 6 + services/mailu/scripts/vault-entrypoint.sh | 34 ++ services/mailu/secretproviderclass.yaml | 65 ---- 5 files changed, 464 insertions(+), 65 deletions(-) create mode 100644 services/mailu/scripts/vault-entrypoint.sh diff --git a/services/comms/helmrelease.yaml b/services/comms/helmrelease.yaml index 139ad25..2b049c8 100644 --- a/services/comms/helmrelease.yaml +++ b/services/comms/helmrelease.yaml @@ -241,6 +241,7 @@ spec: " enabled: true" \ " endpoint: http://matrix-authentication-service:8080/" \ " secret: '$(esc "${MAS_SHARED_SECRET:-}")'" \ + "registration_shared_secret: '$(esc "${REGISTRATION_SHARED_SECRET:-}")'" \ "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'" \ "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'" \ > /synapse/config/conf.d/runtime-secrets.yaml diff --git a/services/mailu/helmrelease.yaml b/services/mailu/helmrelease.yaml index e675961..ceb3e0c 100644 --- a/services/mailu/helmrelease.yaml +++ b/services/mailu/helmrelease.yaml 
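Review bot: The added `registration_shared_secret` line in services/comms/helmrelease.yaml is unrelated to the commit subject "mailu: use vault sidecar env" and is not mentioned anywhere in the message; it should be split into its own commit, or at least named in the subject, so the Synapse configuration change is discoverable in history. Like its neighbours it expands `${REGISTRATION_SHARED_SECRET:-}`, so an unset variable silently writes `registration_shared_secret: ''` into runtime-secrets.yaml instead of omitting the key; whether Synapse treats an empty string as "disabled" or as an enabled-but-empty secret should be confirmed, and if the latter the line should only be emitted when the variable is non-empty. The script block this line belongs to starts and ends outside the hunk.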
@@ -305,3 +305,426 @@ spec: submission: port: 587 targetPort: 587 + postRenderers: + - kustomize: + patches: + - target: + kind: Deployment + name: mailu-admin + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mailu-admin + spec: + template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "mailu-mailserver" + vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret" + vault.hashicorp.com/agent-inject-template-mailu-env.sh: | + {{ with secret "kv/data/atlas/mailu/mailu-secret" }} + export SECRET_KEY="{{ index .Data.data "secret-key" }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }} + export DB_PW="{{ .Data.data.password }}" + export ROUNDCUBE_DB_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }} + export INITIAL_ADMIN_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/shared/postmark-relay" }} + export RELAYUSER="{{ index .Data.data "relay-username" }}" + export RELAYPASSWORD="{{ index .Data.data "relay-password" }}" + {{ end }} + spec: + serviceAccountName: mailu-vault-sync + automountServiceAccountToken: true + containers: + - name: admin + command: + - /entrypoint.sh + args: + - python3 + - /start.py + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + $patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete + - name: VAULT_ENV_FILE + value: /vault/secrets/mailu-env.sh + volumeMounts: + - name: mailu-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: mailu-vault-entrypoint + configMap: + name: mailu-vault-entrypoint + defaultMode: 493 + - target: + kind: Deployment + name: mailu-front + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mailu-front + spec: + template: + metadata: + annotations: + 
vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "mailu-mailserver" + vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret" + vault.hashicorp.com/agent-inject-template-mailu-env.sh: | + {{ with secret "kv/data/atlas/mailu/mailu-secret" }} + export SECRET_KEY="{{ index .Data.data "secret-key" }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }} + export DB_PW="{{ .Data.data.password }}" + export ROUNDCUBE_DB_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }} + export INITIAL_ADMIN_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/shared/postmark-relay" }} + export RELAYUSER="{{ index .Data.data "relay-username" }}" + export RELAYPASSWORD="{{ index .Data.data "relay-password" }}" + {{ end }} + spec: + serviceAccountName: mailu-vault-sync + automountServiceAccountToken: true + containers: + - name: front + command: + - /entrypoint.sh + args: + - python3 + - /start.py + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + $patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete + - name: VAULT_ENV_FILE + value: /vault/secrets/mailu-env.sh + volumeMounts: + - name: mailu-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: mailu-vault-entrypoint + configMap: + name: mailu-vault-entrypoint + defaultMode: 493 + - target: + kind: Deployment + name: mailu-postfix + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mailu-postfix + spec: + template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "mailu-mailserver" + vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret" + vault.hashicorp.com/agent-inject-template-mailu-env.sh: | + {{ with secret "kv/data/atlas/mailu/mailu-secret" 
}} + export SECRET_KEY="{{ index .Data.data "secret-key" }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }} + export DB_PW="{{ .Data.data.password }}" + export ROUNDCUBE_DB_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }} + export INITIAL_ADMIN_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/shared/postmark-relay" }} + export RELAYUSER="{{ index .Data.data "relay-username" }}" + export RELAYPASSWORD="{{ index .Data.data "relay-password" }}" + {{ end }} + spec: + serviceAccountName: mailu-vault-sync + automountServiceAccountToken: true + containers: + - name: postfix + command: + - /entrypoint.sh + args: + - python3 + - /start.py + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + $patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete + - name: VAULT_ENV_FILE + value: /vault/secrets/mailu-env.sh + volumeMounts: + - name: mailu-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: mailu-vault-entrypoint + configMap: + name: mailu-vault-entrypoint + defaultMode: 493 + - target: + kind: Deployment + name: mailu-dovecot + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mailu-dovecot + spec: + template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "mailu-mailserver" + vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret" + vault.hashicorp.com/agent-inject-template-mailu-env.sh: | + {{ with secret "kv/data/atlas/mailu/mailu-secret" }} + export SECRET_KEY="{{ index .Data.data "secret-key" }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }} + export DB_PW="{{ .Data.data.password }}" + export ROUNDCUBE_DB_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret 
"kv/data/atlas/mailu/mailu-initial-account-secret" }} + export INITIAL_ADMIN_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/shared/postmark-relay" }} + export RELAYUSER="{{ index .Data.data "relay-username" }}" + export RELAYPASSWORD="{{ index .Data.data "relay-password" }}" + {{ end }} + spec: + serviceAccountName: mailu-vault-sync + automountServiceAccountToken: true + containers: + - name: dovecot + command: + - /entrypoint.sh + args: + - python3 + - /start.py + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + $patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete + - name: VAULT_ENV_FILE + value: /vault/secrets/mailu-env.sh + volumeMounts: + - name: mailu-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: mailu-vault-entrypoint + configMap: + name: mailu-vault-entrypoint + defaultMode: 493 + - target: + kind: Deployment + name: mailu-rspamd + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mailu-rspamd + spec: + template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "mailu-mailserver" + vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret" + vault.hashicorp.com/agent-inject-template-mailu-env.sh: | + {{ with secret "kv/data/atlas/mailu/mailu-secret" }} + export SECRET_KEY="{{ index .Data.data "secret-key" }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }} + export DB_PW="{{ .Data.data.password }}" + export ROUNDCUBE_DB_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }} + export INITIAL_ADMIN_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/shared/postmark-relay" }} + export RELAYUSER="{{ index .Data.data "relay-username" }}" + export RELAYPASSWORD="{{ index .Data.data 
"relay-password" }}" + {{ end }} + spec: + serviceAccountName: mailu-vault-sync + automountServiceAccountToken: true + containers: + - name: rspamd + command: + - /entrypoint.sh + args: + - python3 + - /start.py + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + $patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete + - name: VAULT_ENV_FILE + value: /vault/secrets/mailu-env.sh + volumeMounts: + - name: mailu-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: mailu-vault-entrypoint + configMap: + name: mailu-vault-entrypoint + defaultMode: 493 + - target: + kind: Deployment + name: mailu-oletools + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mailu-oletools + spec: + template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "mailu-mailserver" + vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret" + vault.hashicorp.com/agent-inject-template-mailu-env.sh: | + {{ with secret "kv/data/atlas/mailu/mailu-secret" }} + export SECRET_KEY="{{ index .Data.data "secret-key" }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }} + export DB_PW="{{ .Data.data.password }}" + export ROUNDCUBE_DB_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }} + export INITIAL_ADMIN_PW="{{ .Data.data.password }}" + {{ end }} + {{ with secret "kv/data/atlas/shared/postmark-relay" }} + export RELAYUSER="{{ index .Data.data "relay-username" }}" + export RELAYPASSWORD="{{ index .Data.data "relay-password" }}" + {{ end }} + spec: + serviceAccountName: mailu-vault-sync + automountServiceAccountToken: true + containers: + - name: oletools + command: + - /entrypoint.sh + args: + - python3 + - /start.py + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + 
$patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete + - name: VAULT_ENV_FILE + value: /vault/secrets/mailu-env.sh + volumeMounts: + - name: mailu-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: mailu-vault-entrypoint + configMap: + name: mailu-vault-entrypoint + defaultMode: 493 + - target: + kind: StatefulSet + name: mailu-clamav + patch: |- + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: mailu-clamav + spec: + template: + spec: + containers: + - name: clamav + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + $patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete + - target: + kind: Deployment + name: mailu-tika + patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: mailu-tika + spec: + template: + spec: + containers: + - name: tika + env: + - name: SECRET_KEY + $patch: delete + - name: INITIAL_ADMIN_PW + $patch: delete + - name: DB_PW + $patch: delete + - name: RELAYUSER + $patch: delete + - name: RELAYPASSWORD + $patch: delete diff --git a/services/mailu/kustomization.yaml b/services/mailu/kustomization.yaml index 31b1cb9..5c111eb 100644 --- a/services/mailu/kustomization.yaml +++ b/services/mailu/kustomization.yaml @@ -35,3 +35,9 @@ configMapGenerator: namespace: mailu-mailserver files: - listener.py=scripts/mailu_sync_listener.py + - name: mailu-vault-entrypoint + namespace: mailu-mailserver + files: + - vault-entrypoint.sh=scripts/vault-entrypoint.sh + options: + disableNameSuffixHash: true diff --git a/services/mailu/scripts/vault-entrypoint.sh b/services/mailu/scripts/vault-entrypoint.sh new file mode 100644 index 0000000..fa3b791 --- /dev/null +++ b/services/mailu/scripts/vault-entrypoint.sh 
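Review bot: Secret values are interpolated unescaped into double-quoted shell assignments in every `agent-inject-template-mailu-env.sh` block (`export SECRET_KEY="{{ index .Data.data "secret-key" }}"` and the lines after it); when vault-entrypoint.sh sources the file, a value containing `$`, a backtick, `\` or `"` is expanded by the shell or breaks the parse. Single-quote the values and escape embedded quotes in the template, e.g. `export DB_PW='{{ .Data.data.password | replaceAll "'" "'\\''" }}'`, or have the template emit a plain key=value file that the entrypoint reads without evaluating it. The same template, including the DB password, the initial admin password and the relay credentials, is injected identically into the admin, front, postfix, dovecot, rspamd and oletools Deployments; unless each of those containers really consumes all of them, trimming the per-Deployment template keeps a compromise of the rspamd or oletools pod from exposing the admin and DB credentials. The template also exports `ROUNDCUBE_DB_PW` although no webmail Deployment is patched, while the secretproviderclass.yaml hunk stops syncing `mailu-db-secret`, `mailu-secret`, `mailu-initial-account-secret` and `mailu-sync-credentials` into Kubernetes Secrets — any pod not patched here that still references those Secrets (the chart's webmail pod, the sync listener) would fail to start once they disappear, so that should be confirmed before merging.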
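Review bot: `disableNameSuffixHash: true` on the new `mailu-vault-entrypoint` generator in kustomization.yaml is required because the helmrelease patches mount the ConfigMap by its fixed name, but it also means a later edit to scripts/vault-entrypoint.sh updates the ConfigMap in place without touching the pod template, so the six patched Deployments keep running the old script until something else rolls them. A comment recording that trade-off on the generator, `# fixed name: referenced from helmrelease.yaml postRenderers; script edits need a manual rollout`, would save the next maintainer a confusing debugging session.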
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+if [ -n "${VAULT_ENV_FILE:-}" ]; then
+ if [ -f "${VAULT_ENV_FILE}" ]; then
+ # shellcheck disable=SC1090
+ . "${VAULT_ENV_FILE}"
+ else
+ echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
+ exit 1
+ fi
+fi
+
+if [ -n "${VAULT_COPY_FILES:-}" ]; then
+ old_ifs="$IFS"
+ IFS=','
+ for pair in ${VAULT_COPY_FILES}; do
+ src="${pair%%:*}"
+ dest="${pair#*:}"
+ if [ -z "${src}" ] || [ -z "${dest}" ]; then
+ echo "Vault copy entry malformed: ${pair}" >&2
+ exit 1
+ fi
+ if [ ! -f "${src}" ]; then
+ echo "Vault file not found: ${src}" >&2
+ exit 1
+ fi
+ mkdir -p "$(dirname "${dest}")"
+ cp "${src}" "${dest}"
+ done
+ IFS="$old_ifs"
+fi
+
+exec "$@"
diff --git a/services/mailu/secretproviderclass.yaml b/services/mailu/secretproviderclass.yaml
index 11cc2fe..f58c69b 100644
--- a/services/mailu/secretproviderclass.yaml
+++ b/services/mailu/secretproviderclass.yaml
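Review bot: An entry in `VAULT_COPY_FILES` without a colon slips past the malformed-entry check: `${pair%%:*}` and `${pair#*:}` both yield the whole string, so `src` and `dest` are non-empty and identical and the script only fails later when `cp` refuses to copy a file onto itself. Check the separator before the substitutions, e.g. `case "${pair}" in *:*) ;; *) echo "Vault copy entry malformed: ${pair}" >&2; exit 1 ;; esac`. The unquoted `${VAULT_COPY_FILES}` in the `for` is intentional for IFS splitting but remains subject to pathname expansion, so `set -euf` (or `set -f` ahead of the loop) keeps a `*` in an entry from globbing. `cp` creates `${dest}` with the source's mode filtered by the current umask, so secret material copied out of /vault/secrets can land world-readable; a `umask 077` before the loop would be a cheap default, though since no patch in this commit sets `VAULT_COPY_FILES` this path is currently unused.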
@@ -10,75 +10,10 @@ spec: vaultAddress: "http://vault.vault.svc.cluster.local:8200" roleName: "mailu-mailserver" objects: | - - objectName: "mailu-secret__secret-key" - secretPath: "kv/data/atlas/mailu/mailu-secret" - secretKey: "secret-key" - - objectName: "postmark-relay__relay-username" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-username" - - objectName: "postmark-relay__relay-password" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-password" - - objectName: "mailu-db-secret__database" - secretPath: "kv/data/atlas/mailu/mailu-db-secret" - secretKey: "database" - - objectName: "mailu-db-secret__username" - secretPath: "kv/data/atlas/mailu/mailu-db-secret" - secretKey: "username" - - objectName: "mailu-db-secret__password" - secretPath: "kv/data/atlas/mailu/mailu-db-secret" - secretKey: "password" - - objectName: "mailu-db-secret__url" - secretPath: "kv/data/atlas/mailu/mailu-db-secret" - secretKey: "url" - - objectName: "mailu-initial-account-secret__password" - secretPath: "kv/data/atlas/mailu/mailu-initial-account-secret" - secretKey: "password" - - objectName: "mailu-sync-credentials__client-id" - secretPath: "kv/data/atlas/mailu/mailu-sync-credentials" - secretKey: "client-id" - - objectName: "mailu-sync-credentials__client-secret" - secretPath: "kv/data/atlas/mailu/mailu-sync-credentials" - secretKey: "client-secret" - objectName: "harbor-pull__dockerconfigjson" secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver" secretKey: "dockerconfigjson" secretObjects: - - secretName: mailu-secret - type: Opaque - data: - - objectName: mailu-secret__secret-key - key: secret-key - - secretName: mailu-postmark-relay - type: Opaque - data: - - objectName: postmark-relay__relay-username - key: relay-username - - objectName: postmark-relay__relay-password - key: relay-password - - secretName: mailu-db-secret - type: Opaque - data: - - objectName: mailu-db-secret__database - key: database - - objectName: 
mailu-db-secret__username - key: username - - objectName: mailu-db-secret__password - key: password - - objectName: mailu-db-secret__url - key: url - - secretName: mailu-initial-account-secret - type: Opaque - data: - - objectName: mailu-initial-account-secret__password - key: password - - secretName: mailu-sync-credentials - type: Opaque - data: - - objectName: mailu-sync-credentials__client-id - key: client-id - - objectName: mailu-sync-credentials__client-secret - key: client-secret - secretName: harbor-regcred type: kubernetes.io/dockerconfigjson data: