bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mailu: use vault sidecar env

Browse Source
This commit is contained in:
Brad Stein 2026-01-15 01:02:41 -03:00
parent 511403c4a6
commit f5a3894c2b
5 changed files with 464 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
services/comms/helmrelease.yaml
View File

@ -241,6 +241,7 @@ spec:
" enabled: true" \ " enabled: true" \
" endpoint: http://matrix-authentication-service:8080/" \ " endpoint: http://matrix-authentication-service:8080/" \
" secret: '$(esc "${MAS_SHARED_SECRET:-}")'" \ " secret: '$(esc "${MAS_SHARED_SECRET:-}")'" \
"registration_shared_secret: '$(esc "${REGISTRATION_SHARED_SECRET:-}")'" \
"turn_shared_secret: '$(esc "${TURN_SECRET:-}")'" \ "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'" \
"macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'" \ "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'" \
> /synapse/config/conf.d/runtime-secrets.yaml > /synapse/config/conf.d/runtime-secrets.yaml

423
services/mailu/helmrelease.yaml
View File

@ -305,3 +305,426 @@ spec:
submission: submission:
port: 587 port: 587
targetPort: 587 targetPort: 587
postRenderers:
- kustomize:
patches:
- target:
kind: Deployment
name: mailu-admin
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailu-admin
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret"
vault.hashicorp.com/agent-inject-template-mailu-env.sh: |
{{ with secret "kv/data/atlas/mailu/mailu-secret" }}
export SECRET_KEY="{{ index .Data.data "secret-key" }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
export DB_PW="{{ .Data.data.password }}"
export ROUNDCUBE_DB_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
export INITIAL_ADMIN_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
export RELAYUSER="{{ index .Data.data "relay-username" }}"
export RELAYPASSWORD="{{ index .Data.data "relay-password" }}"
{{ end }}
spec:
serviceAccountName: mailu-vault-sync
automountServiceAccountToken: true
containers:
- name: admin
command:
- /entrypoint.sh
args:
- python3
- /start.py
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete
- name: VAULT_ENV_FILE
value: /vault/secrets/mailu-env.sh
volumeMounts:
- name: mailu-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: mailu-vault-entrypoint
configMap:
name: mailu-vault-entrypoint
defaultMode: 493
- target:
kind: Deployment
name: mailu-front
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailu-front
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret"
vault.hashicorp.com/agent-inject-template-mailu-env.sh: |
{{ with secret "kv/data/atlas/mailu/mailu-secret" }}
export SECRET_KEY="{{ index .Data.data "secret-key" }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
export DB_PW="{{ .Data.data.password }}"
export ROUNDCUBE_DB_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
export INITIAL_ADMIN_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
export RELAYUSER="{{ index .Data.data "relay-username" }}"
export RELAYPASSWORD="{{ index .Data.data "relay-password" }}"
{{ end }}
spec:
serviceAccountName: mailu-vault-sync
automountServiceAccountToken: true
containers:
- name: front
command:
- /entrypoint.sh
args:
- python3
- /start.py
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete
- name: VAULT_ENV_FILE
value: /vault/secrets/mailu-env.sh
volumeMounts:
- name: mailu-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: mailu-vault-entrypoint
configMap:
name: mailu-vault-entrypoint
defaultMode: 493
- target:
kind: Deployment
name: mailu-postfix
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailu-postfix
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret"
vault.hashicorp.com/agent-inject-template-mailu-env.sh: |
{{ with secret "kv/data/atlas/mailu/mailu-secret" }}
export SECRET_KEY="{{ index .Data.data "secret-key" }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
export DB_PW="{{ .Data.data.password }}"
export ROUNDCUBE_DB_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
export INITIAL_ADMIN_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
export RELAYUSER="{{ index .Data.data "relay-username" }}"
export RELAYPASSWORD="{{ index .Data.data "relay-password" }}"
{{ end }}
spec:
serviceAccountName: mailu-vault-sync
automountServiceAccountToken: true
containers:
- name: postfix
command:
- /entrypoint.sh
args:
- python3
- /start.py
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete
- name: VAULT_ENV_FILE
value: /vault/secrets/mailu-env.sh
volumeMounts:
- name: mailu-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: mailu-vault-entrypoint
configMap:
name: mailu-vault-entrypoint
defaultMode: 493
- target:
kind: Deployment
name: mailu-dovecot
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailu-dovecot
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret"
vault.hashicorp.com/agent-inject-template-mailu-env.sh: |
{{ with secret "kv/data/atlas/mailu/mailu-secret" }}
export SECRET_KEY="{{ index .Data.data "secret-key" }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
export DB_PW="{{ .Data.data.password }}"
export ROUNDCUBE_DB_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
export INITIAL_ADMIN_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
export RELAYUSER="{{ index .Data.data "relay-username" }}"
export RELAYPASSWORD="{{ index .Data.data "relay-password" }}"
{{ end }}
spec:
serviceAccountName: mailu-vault-sync
automountServiceAccountToken: true
containers:
- name: dovecot
command:
- /entrypoint.sh
args:
- python3
- /start.py
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete
- name: VAULT_ENV_FILE
value: /vault/secrets/mailu-env.sh
volumeMounts:
- name: mailu-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: mailu-vault-entrypoint
configMap:
name: mailu-vault-entrypoint
defaultMode: 493
- target:
kind: Deployment
name: mailu-rspamd
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailu-rspamd
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret"
vault.hashicorp.com/agent-inject-template-mailu-env.sh: |
{{ with secret "kv/data/atlas/mailu/mailu-secret" }}
export SECRET_KEY="{{ index .Data.data "secret-key" }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
export DB_PW="{{ .Data.data.password }}"
export ROUNDCUBE_DB_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
export INITIAL_ADMIN_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
export RELAYUSER="{{ index .Data.data "relay-username" }}"
export RELAYPASSWORD="{{ index .Data.data "relay-password" }}"
{{ end }}
spec:
serviceAccountName: mailu-vault-sync
automountServiceAccountToken: true
containers:
- name: rspamd
command:
- /entrypoint.sh
args:
- python3
- /start.py
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete
- name: VAULT_ENV_FILE
value: /vault/secrets/mailu-env.sh
volumeMounts:
- name: mailu-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: mailu-vault-entrypoint
configMap:
name: mailu-vault-entrypoint
defaultMode: 493
- target:
kind: Deployment
name: mailu-oletools
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailu-oletools
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "mailu-mailserver"
vault.hashicorp.com/agent-inject-secret-mailu-env.sh: "kv/data/atlas/mailu/mailu-secret"
vault.hashicorp.com/agent-inject-template-mailu-env.sh: |
{{ with secret "kv/data/atlas/mailu/mailu-secret" }}
export SECRET_KEY="{{ index .Data.data "secret-key" }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
export DB_PW="{{ .Data.data.password }}"
export ROUNDCUBE_DB_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
export INITIAL_ADMIN_PW="{{ .Data.data.password }}"
{{ end }}
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
export RELAYUSER="{{ index .Data.data "relay-username" }}"
export RELAYPASSWORD="{{ index .Data.data "relay-password" }}"
{{ end }}
spec:
serviceAccountName: mailu-vault-sync
automountServiceAccountToken: true
containers:
- name: oletools
command:
- /entrypoint.sh
args:
- python3
- /start.py
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete
- name: VAULT_ENV_FILE
value: /vault/secrets/mailu-env.sh
volumeMounts:
- name: mailu-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: mailu-vault-entrypoint
configMap:
name: mailu-vault-entrypoint
defaultMode: 493
- target:
kind: StatefulSet
name: mailu-clamav
patch: |-
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mailu-clamav
spec:
template:
spec:
containers:
- name: clamav
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete
- target:
kind: Deployment
name: mailu-tika
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailu-tika
spec:
template:
spec:
containers:
- name: tika
env:
- name: SECRET_KEY
$patch: delete
- name: INITIAL_ADMIN_PW
$patch: delete
- name: DB_PW
$patch: delete
- name: RELAYUSER
$patch: delete
- name: RELAYPASSWORD
$patch: delete

6
services/mailu/kustomization.yaml
View File

@ -35,3 +35,9 @@ configMapGenerator:
namespace: mailu-mailserver namespace: mailu-mailserver
files: files:
- listener.py=scripts/mailu_sync_listener.py - listener.py=scripts/mailu_sync_listener.py
- name: mailu-vault-entrypoint
namespace: mailu-mailserver
files:
- vault-entrypoint.sh=scripts/vault-entrypoint.sh
options:
disableNameSuffixHash: true

34
services/mailu/scripts/vault-entrypoint.sh Normal file
View File

@ -0,0 +1,34 @@
#!/bin/sh
set -eu
if [ -n "${VAULT_ENV_FILE:-}" ]; then
if [ -f "${VAULT_ENV_FILE}" ]; then
# shellcheck disable=SC1090
. "${VAULT_ENV_FILE}"
else
echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
exit 1
fi
fi
if [ -n "${VAULT_COPY_FILES:-}" ]; then
old_ifs="$IFS"
IFS=','
for pair in ${VAULT_COPY_FILES}; do
src="${pair%%:*}"
dest="${pair#*:}"
if [ -z "${src}" ] || [ -z "${dest}" ]; then
echo "Vault copy entry malformed: ${pair}" >&2
exit 1
fi
if [ ! -f "${src}" ]; then
echo "Vault file not found: ${src}" >&2
exit 1
fi
mkdir -p "$(dirname "${dest}")"
cp "${src}" "${dest}"
done
IFS="$old_ifs"
fi
exec "$@"

65
services/mailu/secretproviderclass.yaml
View File

@ -10,75 +10,10 @@ spec:
vaultAddress: "http://vault.vault.svc.cluster.local:8200" vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "mailu-mailserver" roleName: "mailu-mailserver"
objects: | objects: |
- objectName: "mailu-secret__secret-key"
secretPath: "kv/data/atlas/mailu/mailu-secret"
secretKey: "secret-key"
- objectName: "postmark-relay__relay-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "postmark-relay__relay-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "mailu-db-secret__database"
secretPath: "kv/data/atlas/mailu/mailu-db-secret"
secretKey: "database"
- objectName: "mailu-db-secret__username"
secretPath: "kv/data/atlas/mailu/mailu-db-secret"
secretKey: "username"
- objectName: "mailu-db-secret__password"
secretPath: "kv/data/atlas/mailu/mailu-db-secret"
secretKey: "password"
- objectName: "mailu-db-secret__url"
secretPath: "kv/data/atlas/mailu/mailu-db-secret"
secretKey: "url"
- objectName: "mailu-initial-account-secret__password"
secretPath: "kv/data/atlas/mailu/mailu-initial-account-secret"
secretKey: "password"
- objectName: "mailu-sync-credentials__client-id"
secretPath: "kv/data/atlas/mailu/mailu-sync-credentials"
secretKey: "client-id"
- objectName: "mailu-sync-credentials__client-secret"
secretPath: "kv/data/atlas/mailu/mailu-sync-credentials"
secretKey: "client-secret"
- objectName: "harbor-pull__dockerconfigjson" - objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver" secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver"
secretKey: "dockerconfigjson" secretKey: "dockerconfigjson"
secretObjects: secretObjects:
- secretName: mailu-secret
type: Opaque
data:
- objectName: mailu-secret__secret-key
key: secret-key
- secretName: mailu-postmark-relay
type: Opaque
data:
- objectName: postmark-relay__relay-username
key: relay-username
- objectName: postmark-relay__relay-password
key: relay-password
- secretName: mailu-db-secret
type: Opaque
data:
- objectName: mailu-db-secret__database
key: database
- objectName: mailu-db-secret__username
key: username
- objectName: mailu-db-secret__password
key: password
- objectName: mailu-db-secret__url
key: url
- secretName: mailu-initial-account-secret
type: Opaque
data:
- objectName: mailu-initial-account-secret__password
key: password
- secretName: mailu-sync-credentials
type: Opaque
data:
- objectName: mailu-sync-credentials__client-id
key: client-id
- objectName: mailu-sync-credentials__client-secret
key: client-secret
- secretName: harbor-regcred - secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson type: kubernetes.io/dockerconfigjson
data: data: