feat: Refactor env vars (#50)

fastlorenzo · Dec 14, 2022 · 07feb7a · 07feb7a
2 parents be37152 + 607c463
commit 07feb7a
Show file tree

Hide file tree

Showing 16 changed files with 848 additions and 449 deletions.
diff --git a/mailu/README.md b/mailu/README.md
diff --git a/mailu/templates/_secrets.tpl b/mailu/templates/_secrets.tpl
@@ -32,3 +32,58 @@
 {{- define "mailu.certificatesSecretName" -}}
 {{- include "common.secrets.name" (dict "existingSecret" .Values.ingress.existingSecret "defaultNameSuffix" "certificates" "context" .) }}
 {{- end -}}
+
+{{/* Get the mailu externalRelay secret */}}
+{{- define "mailu.externalRelay.secretName" -}}
+{{- include "common.secrets.name" (dict "existingSecret" .Values.externalRelay.existingSecret "defaultNameSuffix" "external-relay" "context" .) }}
+{{- end -}}
+
+{{/* Get the mailu externalRelay username value */}}
+{{- define "mailu.externalRelay.username" -}}
+{{- include "common.secrets.passwords.manage" (dict "secret" (include "mailu.externalRelay.secretName" .) "key" .Values.externalRelay.usernameKey "providedValues" (list "externalRelay.username") "length" 10 "strong" false "context" .) }}
+{{- end -}}
+
+{{/* Get the mailu externalRelay password value */}}
+{{- define "mailu.externalRelay.password" -}}
+{{- include "common.secrets.passwords.manage" (dict "secret" (include "mailu.externalRelay.secretName" .) "key" .Values.externalRelay.passwordKey "providedValues" (list "externalRelay.password") "length" 24 "strong" true "context" .) }}
+{{- end -}}
+
+{{/* Get the mailu env vars secrets */}}
+{{- define "mailu.envvars.secrets" -}}
+- name: SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "mailu.secretName" . }}
+      key: secret-key
+{{- if .Values.initialAccount.enabled }}
+- name: INITIAL_ADMIN_PW
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "mailu.initialAccount.secretName" . }}
+      key: {{ include "mailu.initialAccount.secretKey" . }}
+{{- end }}
+{{- if not (eq (include "mailu.database.type" .) "sqlite") }}
+- name: DB_PW
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "mailu.database.secretName" . }}
+      key: {{ include "mailu.database.secretKey" . }}
+- name: ROUNDCUBE_DB_PW
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "mailu.database.roundcube.secretName" . }}
+      key: {{ include "mailu.database.roundcube.secretKey" . }}
+{{- end }}
+{{- if and .Values.externalRelay.host (not .Values.externalRelay.existingSecret) }}
+- name: RELAYUSER
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "mailu.externalRelay.secretName" . }}
+      key: {{ .Values.externalRelay.usernameKey }}
+- name: RELAYPASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "mailu.externalRelay.secretName" . }}
+      key: {{ .Values.externalRelay.passwordKey }}
+{{- end }}
+{{- end -}}
diff --git a/mailu/templates/admin/deployment.yaml b/mailu/templates/admin/deployment.yaml
@@ -79,112 +79,13 @@ spec:
               value: {{ default .Values.logLevel .Values.admin.logLevel }}
             - name: QUOTA_STORAGE_URL
               value: {{ printf "redis://%s:%s/%s" (include "mailu.redis.serviceFqdn" .) (include "mailu.redis.port" .) (include "mailu.redis.db.adminQuota" .) }}
-            - name: RATELIMIT_STORAGE_URL
-              value: {{ printf "redis://%s:%s/%s" (include "mailu.redis.serviceFqdn" .) (include "mailu.redis.port" .) (include "mailu.redis.db.rateLimit" .) }}
-            - name: POSTMASTER
-              value: {{ default "postmaster" .Values.postmaster }}
-            - name: DOMAIN
-              value: "{{ required "'domain' needs to be set" .Values.domain }}"
-            - name: HOSTNAMES
-              value: "{{ join "," .Values.hostnames }}"
-            - name: IMAP_ADDRESS
-              value: {{ include "mailu.dovecot.serviceFqdn" . }}
-            - name: POP3_ADDRESS
-              value: {{ include "mailu.dovecot.serviceFqdn" . }}
-            - name: SMTP_ADDRESS
-              value: {{ include "mailu.postfix.serviceFqdn" . }}
-            - name: AUTHSMTP_ADDRESS
-              value: {{ include "mailu.postfix.serviceFqdn" . }}
-            - name: REDIS_ADDRESS
-              value: {{ include "mailu.redis.serviceFqdn" . }}
-            {{- if .Values.webmail.enabled }}
-            - name: WEBMAIL
-              value: {{ .Values.webmail.type | quote }}
-            - name: WEB_WEBMAIL
-              value: {{ required "webmail.uri" .Values.webmail.uri }}
-            - name: WEBMAIL_ADDRESS
-              value: {{ include "mailu.webmail.serviceFqdn" . }}
-            {{- else }}
-            - name: WEBMAIL
-              value: none
-            - name: WEBMAIL_ADDRESS
-              value: localhost
-            - name: WEB_WEBMAIL
-              value: /
-            {{- end }}
-            - name: FRONT_ADDRESS
-              value: {{ include "mailu.front.serviceFqdn" . }}
-            - name: RECIPIENT_DELIMITER
-              value: +
-            - name: SUBNET
-              value: {{ .Values.subnet }}
-            - name: CREDENTIAL_ROUNDS
-              value: {{ .Values.credentialRounds | quote }}
-            - name: SESSION_COOKIE_SECURE
-              value: {{ .Values.sessionCookieSecure | quote }}
-            - name: SESSION_TIMEOUT
-              value: {{ .Values.sessionTimeout | quote }}
-            - name: PERMANENT_SESSION_LIFETIME
-              value: {{ .Values.permanentSessionLifetime | quote }}
-            - name: LETSENCRYPT_SHORTCHAIN
-              value: {{ .Values.letsencryptShortchain | quote }}
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mailu.secretName" . }}
-                  key: secret-key
-            - name: MESSAGE_RATELIMIT
-              value: "{{ required "limits.messageRatelimit.value" .Values.limits.messageRatelimit.value }}"
-            - name: MESSAGE_RATELIMIT_EXEMPTION
-              value: "{{ default "" .Values.limits.messageRatelimit.exemption }}"
-            - name: AUTH_RATELIMIT_IP
-              value: "{{ required "limits.authRatelimit.ip" .Values.limits.authRatelimit.ip }}"
-            - name: AUTH_RATELIMIT_IP_V4_MASK
-              value: "{{ required "limits.authRatelimit.ipv4Mask" .Values.limits.authRatelimit.ipv4Mask }}"
-            - name: AUTH_RATELIMIT_IP_V6_MASK
-              value: "{{ required "limits.authRatelimit.ipv6Mask" .Values.limits.authRatelimit.ipv6Mask }}"
-            - name: AUTH_RATELIMIT_USER
-              value: "{{ required "limits.authRatelimit.user" .Values.limits.authRatelimit.user }}"
-            - name: AUTH_RATELIMIT_EXEMPTION_LENGTH
-              value: "{{ required "limits.authRatelimit.exemptionLength" .Values.limits.authRatelimit.exemptionLength }}"
-            - name: AUTH_RATELIMIT_EXEMPTION
-              value: "{{ default "" .Values.limits.authRatelimit.exemption }}"
-            {{- if .Values.initialAccount.enabled }}
-            - name: INITIAL_ADMIN_MODE
-              value: {{ .Values.initialAccount.mode }}
-            - name: INITIAL_ADMIN_ACCOUNT
-              value: {{ required "'initialAccount.username' needs to be set if 'initialAccount' is used." .Values.initialAccount.username }}
-            - name: INITIAL_ADMIN_DOMAIN
-              value: {{ required "'initialAccount.domain' needs to be set if 'initialAccount' is used." .Values.initialAccount.domain }}
-            - name: INITIAL_ADMIN_PW
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "mailu.initialAccount.secretName" . }}
-                  key: {{ include "mailu.initialAccount.secretKey" . }}
-            {{- end }}
-            - name: DB_FLAVOR
-              value: {{ include "mailu.database.type" .}}
-            {{- if not (eq (include "mailu.database.type" .) "sqlite") }}
-            - name: DB_USER
-              value: {{ include "mailu.database.username" . }}
-            - name: DB_PW
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "mailu.database.secretName" . }}
-                  key: {{ include "mailu.database.secretKey" . }}
-            - name: DB_HOST
-              value: {{ printf "%s:%s" (include "mailu.database.host" .) (include "mailu.database.port" .) | quote}}
-            - name: DB_NAME
-              value: {{ include "mailu.database.name" . }}
-            {{- end }}
-            {{- if .Values.timezone }}
-            - name: TZ
-              value: {{ .Values.timezone }}
-            {{- end }}
+            {{- tpl (include "mailu.envvars.secrets" .) $ | nindent 12 }}
             {{- if .Values.admin.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.admin.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ printf "%s-envvars" (include "mailu.fullname" .) }}
             {{- if .Values.admin.extraEnvVarsCM }}
             - configMapRef:
                 name: {{ include "common.tplvalues.render" (dict "value" .Values.admin.extraEnvVarsCM "context" $) }}

diff --git a/mailu/templates/clamav/statefulset.yaml b/mailu/templates/clamav/statefulset.yaml
@@ -76,14 +76,13 @@ spec:
           env:
             - name: LOG_LEVEL
               value: {{ default .Values.logLevel .Values.clamav.logLevel }}
-            {{- if .Values.timezone }}
-            - name: TZ
-              value: {{ .Values.timezone }}
-            {{- end }}
+            {{- tpl (include "mailu.envvars.secrets" .) $ | nindent 12 }}
             {{- if .Values.clamav.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.clamav.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ printf "%s-envvars" (include "mailu.fullname" .) }}
             {{- if .Values.clamav.extraEnvVarsCM }}
             - configMapRef:
                 name: {{ include "common.tplvalues.render" (dict "value" .Values.clamav.extraEnvVarsCM "context" $) }}

diff --git a/mailu/templates/dovecot/deployment.yaml b/mailu/templates/dovecot/deployment.yaml
@@ -82,39 +82,13 @@ spec:
           env:
             - name: LOG_LEVEL
               value: {{ default .Values.logLevel .Values.dovecot.logLevel }}
-            - name: FRONT_ADDRESS
-              value: {{ include "mailu.front.serviceFqdn" . }}
-            - name: ADMIN_ADDRESS
-              value: {{ include "mailu.admin.serviceFqdn" . }}
-            - name: ANTISPAM_WEBUI_ADDRESS
-              value: {{ printf "%s:11334" (include "mailu.rspamd.serviceFqdn" .) }}
-            - name: POSTMASTER
-              value: {{ default "postmaster" .Values.postmaster }}
-            - name: DOMAIN
-              value: {{ include "mailu.domain" . }}
-            - name: HOSTNAMES
-              value: "{{ join "," .Values.hostnames }}"
-            - name: RECIPIENT_DELIMITER
-              value: +
-            - name: COMPRESSION
-              value: {{ .Values.dovecot.compression | quote }}
-            - name: COMPRESSION_LEVEL
-              value: {{ .Values.dovecot.compressionLevel | quote }}
-            - name: WEBMAIL
-              value: none
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mailu.secretName" . }}
-                  key: secret-key
-            {{- if .Values.timezone }}
-            - name: TZ
-              value: {{ .Values.timezone }}
-            {{- end }}
+            {{- tpl (include "mailu.envvars.secrets" .) $ | nindent 12 }}
             {{- if .Values.dovecot.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.dovecot.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ printf "%s-envvars" (include "mailu.fullname" .) }}
             {{- if .Values.dovecot.extraEnvVarsCM }}
             - configMapRef:
                 name: {{ include "common.tplvalues.render" (dict "value" .Values.dovecot.extraEnvVarsCM "context" $) }}

diff --git a/mailu/templates/envvars-configmap.yaml b/mailu/templates/envvars-configmap.yaml
@@ -0,0 +1,150 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-envvars" (include "mailu.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  ADMIN: {{ .Values.admin.enabled | quote }}
+  ANTIVIRUS_ACTION: {{ .Values.rspamd.antivirusAction | quote }}
+  AUTH_RATELIMIT_EXEMPTION_LENGTH: {{ .Values.limits.authRatelimit.exemptionLength | quote }}
+  AUTH_RATELIMIT_EXEMPTION: {{ .Values.limits.authRatelimit.exemption | quote }}
+  AUTH_RATELIMIT_IP_V4_MASK: {{ .Values.limits.authRatelimit.ipv4Mask | quote }}
+  AUTH_RATELIMIT_IP_V6_MASK: {{ .Values.limits.authRatelimit.ipv6Mask | quote }}
+  AUTH_RATELIMIT_IP: {{ .Values.limits.authRatelimit.ip | quote  }}
+  AUTH_RATELIMIT_USER: {{ .Values.limits.authRatelimit.user | quote  }}
+  BABEL_DEFAULT_LOCALE: "en"
+  BABEL_DEFAULT_TIMEZONE: "UTC"
+  BOOTSTRAP_SERVE_LOCAL: "true"
+  COMPRESSION_LEVEL: {{ .Values.dovecot.compressionLevel | quote }}
+  COMPRESSION: {{ .Values.dovecot.compression | quote }}
+  CREDENTIAL_ROUNDS: {{ .Values.credentialRounds | quote }}
+  DB_FLAVOR: {{ include "mailu.database.type" . }}
+  DB_HOST: {{ printf "%s:%s" (include "mailu.database.host" .) (include "mailu.database.port" .) | quote}}
+  DB_NAME: {{ include "mailu.database.name" . }}
+  # DB_PW => via secret
+  DB_USER: {{ include "mailu.database.username" . }}
+  DEBUG_ASSETS: ""
+  DEBUG: "false"
+  DEBUG_PROFILER: "false"
+  DEBUG_TB_INTERCEPT_REDIRECTS: "false"
+  DEFAULT_QUOTA: "1000000000"
+  DEFAULT_SPAM_THRESHOLD: "80"
+  DEFER_ON_TLS_ERROR: "true"
+  DISABLE_STATISTICS: "false"
+  DKIM_PATH: "/dkim/{domain}.{selector}.key"
+  DKIM_SELECTOR: "dkim"
+  DMARC_RUA: {{ .Values.dmarc.rua | quote }}
+  DMARC_RUF: {{ .Values.dmarc.ruf | quote }}
+  DOMAIN_REGISTRATION: "false"
+  DOMAIN: {{ .Values.domain | quote }}
+  FETCHMAIL_DELAY: {{ .Values.fetchmail.delay | quote }}
+  FETCHMAIL_ENABLED: {{ .Values.fetchmail.enabled | quote }}
+  HOSTNAMES: {{ join "," .Values.hostnames }}
+  INBOUND_TLS_ENFORCE: "false"
+  INSTANCE_ID_PATH: "/data/instance"
+  KUBERNETES_INGRESS: {{ .Values.ingress.enabled | quote }}
+  LETSENCRYPT_SHORTCHAIN: {{ .Values.letsencryptShortchain | quote }}
+  LOG_LEVEL: {{ .Values.logLevel | quote }}
+  LOGO_BACKGROUND: {{ .Values.customization.logoBackground | quote }}
+  LOGO_URL: {{ .Values.customization.logoUrl | quote }}
+  MEMORY_SESSIONS: "false"
+  MESSAGE_RATELIMIT_EXEMPTION: {{ .Values.limits.messageRatelimit.exemption | quote }}
+  MESSAGE_RATELIMIT: {{ .Values.limits.messageRatelimit.value | quote  }}
+  MESSAGE_SIZE_LIMIT: "{{ mul .Values.limits.messageSizeLimitInMegabytes (mul 1024 1024) }}"
+  PERMANENT_SESSION_LIFETIME: {{ .Values.permanentSessionLifetime | quote }}
+  POSTMASTER: {{ .Values.postmaster | quote }}
+  PROXY_AUTH_CREATE: "false"
+  PROXY_AUTH_HEADER: "X-Auth-Email"
+  PROXY_AUTH_WHITELIST: ""
+  RATELIMIT_STORAGE_URL: {{ printf "redis://%s:%s/%s" (include "mailu.redis.serviceFqdn" .) (include "mailu.redis.port" .) (include "mailu.redis.db.rateLimit" .) }}
+  REAL_IP_FROM: {{ .Values.ingress.realIpFrom | quote }}
+  REAL_IP_HEADER: {{ .Values.ingress.realIpHeader | quote }}
+  RECAPTCHA_PRIVATE_KEY: ""
+  RECAPTCHA_PUBLIC_KEY: ""
+  RECIPIENT_DELIMITER: {{ .Values.recipientDelimiter | quote }}
+  REJECT_UNLISTED_RECIPIENT: "yes"
+  RELAYHOST: {{ .Values.externalRelay.host | quote }}
+  RELAYNETS: {{ (join "," .Values.externalRelay.networks) | quote }}
+  ROUNDCUBE_DB_FLAVOR: {{ include "mailu.database.type" . }}
+  # SECRET_KEY => via secret
+  SESSION_COOKIE_SECURE: {{ .Values.sessionCookieSecure | quote }}
+  # SESSION_KEY_BITS: 128 # TODO: Fix Mailu to parse int when from string
+  SESSION_TIMEOUT: {{ .Values.sessionTimeout | quote }}
+  SITENAME: {{ .Values.customization.siteName | quote }}
+  SQLALCHEMY_DATABASE_URI: "sqlite:////data/main.db"
+  SQLALCHEMY_TRACK_MODIFICATIONS: "false"
+  SQLITE_DATABASE_FILE: "data/main.db"
+  STATS_ENDPOINT: "19.{}.stats.mailu.io"
+  SUBNET6: {{ .Values.subnet6 | quote }}
+  SUBNET: {{ .Values.subnet | quote }}
+  TEMPLATES_AUTO_RELOAD: "true"
+  TLS_FLAVOR: {{ include "mailu.tlsFlavor" . }}
+  TLS_PERMISSIVE: "true"
+  TZ: {{ .Values.timezone | quote }}
+  WEB_ADMIN: {{ .Values.admin.uri | quote }}
+  WEBSITE: {{ .Values.customization.website | quote }}
+  WELCOME_BODY: {{ .Values.welcomeMessage.body | quote }}
+  WELCOME_SUBJECT: {{ .Values.welcomeMessage.subject | quote }}
+  WELCOME: {{ .Values.welcomeMessage.enabled | quote}}
+  WILDCARD_SENDERS: ""
+
+  # Addresses
+  ADMIN_ADDRESS: {{ include "mailu.admin.serviceFqdn" . }}
+  ANTISPAM_MILTER_ADDRESS: {{ printf "%s:11332" (include "mailu.rspamd.serviceFqdn" .) }}
+  ANTISPAM_WEBUI_ADDRESS: {{ printf "%s:11334" (include "mailu.rspamd.serviceFqdn" .) }}
+  AUTHSMTP_ADDRESS: {{ include "mailu.postfix.serviceFqdn" . }}
+  FRONT_ADDRESS: {{ include "mailu.front.serviceFqdn" . }}
+  IMAP_ADDRESS: {{ include "mailu.dovecot.serviceFqdn" . }}
+  LMTP_ADDRESS: {{ printf "%s:2525" (include "mailu.dovecot.serviceFqdn" .) }}
+  POP3_ADDRESS: {{ include "mailu.dovecot.serviceFqdn" . }}
+  REDIS_ADDRESS: {{ include "mailu.redis.serviceFqdn" . }}
+  SMTP_ADDRESS: {{ include "mailu.postfix.serviceFqdn" . }}
+
+
+{{- if not (eq (include "mailu.database.type" .) "sqlite") }}
+  ROUNDCUBE_DB_USER: {{ include "mailu.database.roundcube.username" . }}
+  ROUNDCUBE_DB_NAME: {{ include "mailu.database.roundcube.name" . }}
+  ROUNDCUBE_DB_HOST: {{ printf "%s:%s" (include "mailu.database.host" .) (include "mailu.database.port" .) | quote}}
+{{- end }}
+
+{{- if .Values.initialAccount.enabled }}
+  INITIAL_ADMIN_MODE: {{ .Values.initialAccount.mode | quote }}
+  INITIAL_ADMIN_ACCOUNT: {{ .Values.initialAccount.username | quote }}
+  INITIAL_ADMIN_DOMAIN: {{ .Values.initialAccount.domain | quote }}
+{{- end }}
+
+{{- if .Values.webmail.enabled }}
+  WEBMAIL: {{ .Values.webmail.type | quote }}
+  WEB_WEBMAIL: {{ .Values.webmail.uri | quote }}
+  WEBMAIL_ADDRESS: {{ include "mailu.webmail.serviceFqdn" . }}
+  WEBROOT_REDIRECT: {{ .Values.webmail.uri | quote }}
+  ROUNDCUBE_PLUGINS: {{ (join "," .Values.webmail.roundcubePlugins) | quote }}
+{{- else }}
+  WEBMAIL: none
+  WEBMAIL_ADDRESS: localhost
+  WEB_WEBMAIL: /
+  WEBROOT_REDIRECT: /admin/
+{{- end }}
+
+{{- if .Values.webdav.enabled }}
+  WEBDAV: radicale
+  WEBDAV_ADDRESS: {{ include "mailu.webdav.serviceFqdn" . }}
+{{- else }}
+  WEBDAV: none
+  WEBDAV_ADDRESS: localhost
+{{- end }}
+
+{{- if .Values.clamav.enabled }}
+  ANTIVIRUS: clamav
+  ANTIVIRUS_ADDRESS: {{ printf "%s:3310" (include "mailu.clamav.serviceFqdn" .) }}
+{{- else }}
+  ANTIVIRUS: none
+  ANTIVIRUS_ADDRESS: localhost
+{{- end }}