flux-charts/mycloud-mail-stalwart/templates/release.yaml


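---
# Flux HelmRelease for the wrenix "stalwart-mail" chart.
#
# Credentials are never written into this template: every secret the mail
# server needs is pulled from the release Secret via `valuesFrom` and surfaced
# to Stalwart as an environment variable (`secrets.env.<NAME>`), which the
# config then references with Stalwart's `%{env:<NAME>}%` macro.
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: "{{ .Release.Name }}-hr"
spec:
  chart:
    spec:
      sourceRef:
        kind: GitRepository
        name: "wrenix-helm-charts"
        namespace: "flux-system"
      chart: "./stalwart-mail"
      reconcileStrategy: "Revision"
  # Install/test/upgrade/drift policies are shared across releases and come
  # from the commons values verbatim.
  install:
  {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
  {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
  {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
  {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  # Each entry copies one key of the release Secret into the chart values
  # under `secrets.env.*`, i.e. into the container environment.
  valuesFrom:
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "admin_password"
      targetPath: "secrets.env.FALLBACK_ADMIN_SECRET"
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "database_password"
      targetPath: "secrets.env.STORE_PGSQL_PASSWORD"
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "metrics_secret"
      targetPath: "secrets.env.METRICS_SECRET"
    # LDAP bind credential for the authentik directory. The key name below is a
    # PLACEHOLDER chosen to match the naming of the other keys; it must be
    # provisioned in the release Secret (not part of this file) before this
    # release reconciles.
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "ldap_bind_password"
      targetPath: "secrets.env.DIRECTORY_LDAP_SECRET"
  values:
    {{- $host := .Values.ingress.host | default (printf "mail.%s" .Values.commons.ingress.domain) }}
    config:
      lookup:
        default:
          hostname: {{ $host | quote }}
      server:
        listener:
          # Listeners reached through the TCP ingress get PROXY-protocol
          # handling restricted to the configured trusted networks.
          smtp:
            proxy:
              trusted-networks:
              {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          submission:
          submissions:
            proxy:
              trusted-networks:
              {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          imap:
          imaptls:
            proxy:
              trusted-networks:
              {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          pop3:
          pop3s:
            proxy:
              trusted-networks:
              {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          sieve:
            proxy:
              trusted-networks:
              {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          # without proxy and tls for ingress
          http:
            protocol: "http"
            bind: [ "[::]:8080" ]
          https:
            url: {{ printf "https://%s" $host | quote }}
            bind: [ "[::]:443" ]
            proxy:
              trusted-networks:
              {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
            tls:
              implicit: true
      storage:
        data: "pgsql"
        fts: "pgsql"
        full-text:
          default-language: "en"
        blob: "filesystem"
        lookup: "pgsql"
        directory: "ldap"
      store:
        # Explicit null drops the chart's default rocksdb store from the
        # merged values; pgsql below is the only data/fts/lookup backend.
        rocksdb: null
        pgsql:
          type: "postgresql"
          host: {{ .Values.database.host | quote }}
          database: {{ .Values.database.name | quote }}
          user: {{ .Values.database.username | quote }}
          # Injected via valuesFrom above, never written into values.
          password: "%{env:STORE_PGSQL_PASSWORD}%"
        filesystem:
          type: "fs"
          path: "/data/blobs"
          depth: 2
      directory:
        # Same null-removal as store.rocksdb: the chart's built-in internal
        # directory is dropped in favour of LDAP.
        internal: null
        ldap:
          type: "ldap"
          url: "ldap://{{ .Release.Name }}-auth-authentik-application-ldap:389"
          base-dn: "dc=ldap,dc=goauthentik,dc=io"
          timeout: "30s"
          # Plain LDAP on the in-cluster service; certificate validation is
          # kept strict in case TLS is ever switched on.
          tls:
            enable: false
            allow-invalid-certs: false
          bind:
            dn: "cn=ldap-mail,ou=users,dc=ldap,dc=goauthentik,dc=io"
            # Bind password comes from the release Secret (see valuesFrom).
            # NOTE(review): the previous hard-coded value was committed to VCS
            # history and should be rotated in authentik.
            secret: "%{env:DIRECTORY_LDAP_SECRET}%"
            auth:
              enable: false
              dn: "cn=?,ou=users,dc=ldap,dc=goauthentik,dc=io"
              search: true
          filter:
            name: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(cn=?))"
            email: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(|(mail=?)(mailAlias=?)(mailList=?)))"
            verify: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(|(mail=*?*)(mailAlias=*?*)))"
            expand: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(mailList=?))"
            domains: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(|(mail=*@?)(mailAlias=*@?)))"
          attributes:
            name: "cn"
            class: "ak-superuser"
            description: "displayName"
            # secret: "userPassword"
            groups: "memberOf"
            email: "mail"
            email-alias: "mailAlias"
            # quota: "diskQuota"
      tracer:
        stdout:
          level: "info"
          # TODO cleanup
          # level: warn
        {{- with .Values.commons.tracing }}
        {{- if .enabled }}
        otel:
          enable:
            span-exporter: true
            log-exporter: false
          level: "debug"
          {{- if .grpc.enabled }}
          transport: "grpc"
          endpoint: {{ printf "%s://%s" (.grpc.insecure | ternary "http" "https") .grpc.endpoint | quote }}
          {{- else }}
          transport: "http"
          # NOTE(review): ".hrrp" looks like a typo of ".http" (cf. ".grpc"
          # above) — confirm against the commons tracing values before
          # renaming, since a missing map makes the template fail to render.
          endpoint: {{ .hrrp.endpoint | quote }}
          {{- end }}
        {{- end }}
        {{- end }}
      certificate:
        default:
          cert: "%{file:/opt/stalwart-mail/etc/certs/tls.crt}%"
          private-key: "%{file:/opt/stalwart-mail/etc/certs/tls.key}%"
    service:
      {{- if .Values.networks.ipv6 }}
      ipFamilies: [ "IPv6", "IPv4" ]
      ipFamilyPolicy: "RequireDualStack"
      {{- end }}
      ports:
        submission:
        imap:
        pop3:
        http: 8080
    ingress:
      enabled: true
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
        - host: "{{ .Values.commons.ingress.domain }}"
          paths:
            - path: /.well-known/jmap
              pathType: Prefix
            - path: /.well-known/mta-sts.txt
              pathType: Exact
            - path: /.well-known/mail-v1.xml
              pathType: Exact
            - path: /.well-known/autoconfig
              pathType: Prefix
            - path: /autodiscover
              pathType: Prefix
        - host: "autoconfig.{{ .Values.commons.ingress.domain }}"
          paths:
            - path: /mail
              pathType: Prefix
        - host: "autodiscover.{{ .Values.commons.ingress.domain }}"
          paths:
            - path: /autodiscover
              pathType: Prefix
        - host: "mta-sts.{{ .Values.commons.ingress.domain }}"
          paths:
            - path: /
              pathType: Prefix
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "{{ .Release.Name }}-cert"
          hosts:
            - "{{ .Values.commons.ingress.domain }}"
            - "autoconfig.{{ .Values.commons.ingress.domain }}"
            - "autodiscover.{{ .Values.commons.ingress.domain }}"
            - "mta-sts.{{ .Values.commons.ingress.domain }}"
        {{- end }}
      {{- end }}
    traefik:
      enabled: true
      host: {{ $host | quote }}
      ports:
        smtp:
          match: 'HostSNI(`*`)'
        submission:
        imap:
        pop3:
        https:
          entrypoint: websecure
      certificate:
        certmanager:
          dnsNames:
            - {{ $host | quote }}
    prometheus:
      servicemonitor:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
        {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
    persistence:
      enabled: true
      size: {{ .Values.persistence.size | quote }}
      {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
      storageClass: {{ . | quote }}
      {{- end }}
      {{- if .Values.commons.persistence.hostPath.enabled }}
      hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/mail-stalwart"
      {{- end }}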