feat: add smtp TLS support

hoverkraft-tech · Jan 3, 2025 · abb25c4 · abb25c4
1 parent a9d5f7f
commit abb25c4
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 21 deletions.
diff --git a/postal/ci/smtp-tls-values.yaml b/postal/ci/smtp-tls-values.yaml
@@ -0,0 +1,37 @@
+global:
+  railsSecretKey: 61a476b314ca633b67734951b4565f1f27489195e3ba0be5b569e4385d776cd126c3000df6c046de338719c14d36c8a7867140a741e76b6ea3d4a15b11c6af94
+  signingKey: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7FSCnvzdKiA7d
+    +q47EXn4gXx96+maosDtg49W+AF6owNilF/ptAIE8Cm+NLIOZ/bQnIL1n1yP72iN
+    rPtJylDNfoYJMyzCBmQib/8RqBVCDXnR0KbrMoogeofAVbUY75iw+B+S2ZbGv97I
+    A+5k5r5feZWvzoRHSNk5Bn11/Eg1DhnIvqtvPtKmaHetJAVBO299cB+mALUzQE5X
+    KLU8EVEAPF6AGaEtDuHGdvkn3gNGlaiEQ46/MsEWoLSSJxCaxyImZTtYFuTK0lQM
+    bS3a8lL/Wl0RuMX0XLCNJim3QYQPxmghieK/khXCKKaslHIIMEkCiPBkmot/Mipw
+    iu9ih531AgMBAAECggEAU6puMTbdxlI0u+dJFheJwa4++52Oml5hA5eLeixtlOfk
+    MqkCf+TF5ml1cZ/lZXXvNnpYQvqjDafWzU1oECcPnecQkHq3cIolLBWEL+RIpYKb
+    UU8L5zFx/nZt0YFC/UTht3svu5/dw0K5oh/H9I4Q42ffnoEwPSUCKHOTljleHYNN
+    WQSlxo+j1XETmVcJBASJ977aXFDOyxL+/4qFLGRq7J9ru9VWYK2VZ5mXx22tdnXu
+    NIu11FD3SnFduKSpS1T0ZX51b680w+i4cy5mjwC1H0u4yYYSvVpMxOjxWqrqInr2
+    hnmzGKKwFQX/tlZlJ3Fsi234NvAbd0ZCUUTOaZ33fQKBgQDvCaUTEGAkb9TlPcN3
+    L9KvQvxVCtK0Fg537vDZtQMxAdyVZDR8zFeytat4XldXKf7/7XIwt1RSVny04wPn
+    4jWaEcYlw4H+UHDPDq8sawp3/k3vonorh1eM4ZIlzOWyMUBEMDn5X3XEe+n+K89d
+    R16Lv8oGCF9zc+BHpn0vVwRCjwKBgQDIW6qQVT/f8mMIsCWVyfJ+j0rRHuLTTXIs
+    5ECn2tuTV2J2xnHV/EBgTyjPhR0DBNg7Q4R5XF5PNOXeY1g2jDraQnzWPIX6UmYX
+    3ye9PkPdIqJWWNm3nOcBEirpGFxsmQgDj1gFYBhUCXpepBdfl4ssWPzzfRiUj2fZ
+    GRvXfBbJOwKBgQCp5A36HbJnU0BZ6erp5Ah23kIfY0DcE60W2rE92mQ5SZxwZTbU
+    2BsgffQv6cVjwwpk9WsqarI4jxW1LoARJ/p21Vkib/ENQjjbQRGJnU5keE8GGVGB
+    bIDyNUQ9L4K1gkGt9STPM2StUHC/YH3SSy5MXvSEEyFcGih2ZEMnCU6SywKBgGUt
+    XTGryyjFF1vA0AoXRBzDMa3u4e6AsoKW9UuOismaHEAMsFm2G7BG6T36Y48tuCAd
+    VV2P1pQ7C0XFdzt8jw+++ZmaULH7QFEXwNKhCdY28jGWhsNhOYph6UdypOG2WcSq
+    c3GreD2f16rJRIBiX8aSXZJ7/piu3mtUcancoQkXAoGAceHeeqfkgzBIaQ/eyp1/
+    1Ri30uMr2VAEr8SRqPHk940cZVSoPjqdvDph4NpDb2h0Sch1A93K2QH5fKeoTwWb
+    MtOHJv8UieLT+5AtJp9/1VDI7bTnpj8y9GzYcKKPkiDMa6FOJdBj/qyHATIGyHA8
+    wwoL2dTdesL4u1/nRHp19lU=
+    -----END PRIVATE KEY-----
+
+smtp:
+  tls:
+    enabled: true
+    hosts:
+      - smtp.example.local
diff --git a/postal/templates/configMap.yaml b/postal/templates/configMap.yaml
@@ -55,7 +55,11 @@ data:
   SMTP_SERVER_DEFAULT_PORT: {{ .Values.smtp.containerPort | quote }}
   SMTP_SERVER_DEFAULT_HEALTH_SERVER_PORT: {{ .Values.smtp.healthAndMetricsServerPort | quote }}
   SMTP_SERVER_DEFAULT_HEALTH_SERVER_BIND_ADDRESS: "0.0.0.0"
+  {{- if .Values.smtp.tls.enabled }}
   SMTP_SERVER_TLS_ENABLED: {{ .Values.smtp.tls.enabled | quote }}
+  SMTP_SERVER_TLS_CERTIFICATE_PATH: "/config/certs/tls.crt"
+  SMTP_SERVER_TLS_PRIVATE_KEY_PATH: "/config/certs/tls.key"
+  {{- end }}
   SMTP_SERVER_PROXY_PROTOCOL: {{ .Values.smtp.proxyProtocol | quote }}
   SMTP_SERVER_LOG_CONNECTIONS: {{ .Values.smtp.logConnections | quote }}
   SMTP_SERVER_MAX_MESSAGE_SIZE: {{ .Values.smtp.maxMessageSize | quote }}
@@ -67,4 +71,4 @@ data:
 
   CLAMAV_ENABLED: {{ .Values.clamAv.enabled | quote }}
   CLAMAV_HOST: {{ .Values.clamAv.host | quote }}
-  CLAMAV_PORT: {{ .Values.clamAv.port | quote }}
+  CLAMAV_PORT: {{ .Values.clamAv.port | quote }}
diff --git a/postal/templates/secret.yaml b/postal/templates/secret.yaml
@@ -1,5 +1,4 @@
 {{- if not .Values.global.existingSecretName }}
-{{- $key := genPrivateKey "rsa" }}
 kind: Secret
 apiVersion: v1
 metadata:

diff --git a/postal/templates/smtp/deployment.yaml b/postal/templates/smtp/deployment.yaml
@@ -79,12 +79,8 @@ spec:
               mountPath: "/config/signing.key"
               subPath: "signing.key"
             {{- if .Values.smtp.tls.enabled }}
-            - name: {{ include "postal.fullname" . }}-smtp-cert
-              mountPath: "/config/smtp.cert"
-              subPath: "smtp.cert"
-            - name: {{ include "postal.fullname" . }}-smtp-key
-              mountPath: "/config/smtp.key"
-              subPath: "smtp.key"
+            - name: smtp-tls
+              mountPath: "/config/certs"
             {{- end }}
       volumes:
         - name: {{ include "postal.fullname" . }}
@@ -97,18 +93,9 @@ spec:
               - key: signing-key
                 path: "signing.key"
         {{- if .Values.smtp.tls.enabled }}
-        - name: {{ include "postal.fullname" . }}-smtp-cert
+        - name: smtp-tls
           secret:
-            secretName: {{ .Values.global.secretName }}
-            items:
-              - key: smtp-cert
-                path: "smtp.cert"
-        - name: {{ include "postal.fullname" . }}-smtp-key
-          secret:
-            secretName: {{ .Values.global.secretName }}
-            items:
-              - key: smtp-key
-                path: "smtp.key"
+            secretName: {{ include "postal.smtp.fullname" . }}-tls
         {{- end }}
       {{- with .Values.smtp.nodeSelector }}
       nodeSelector:

diff --git a/postal/templates/smtp/tls-cert.yaml b/postal/templates/smtp/tls-cert.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.smtp.tls.enabled (eq .Values.smtp.tls.source "cert-manager") }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "postal.smtp.fullname" . }}
+  {{- $merged := merge .Values.commonsAnnotations .Values.smtp.tls.annotations }}
+  {{- if $merged }}
+  annotations:
+    {{- range $key, $value := $merged }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  secretName: {{ include "postal.smtp.fullname" . }}-tls
+  dnsNames:
+    {{- range .Values.smtp.tls.hosts }}
+    - {{ . }}
+    {{- end }}
+  usages:
+    - digital signature
+    - key encipherment
+  issuerRef:
+    name: {{ .Values.smtp.tls.certManager.issuer.name }}
+    kind: {{ .Values.smtp.tls.certManager.issuer.kind }}
+    group: {{ .Values.smtp.tls.certManager.issuer.group }}
+{{- end }}
diff --git a/postal/values.yaml b/postal/values.yaml
@@ -194,10 +194,21 @@ smtp:
   # A regular expression to use to exclude connections from logging
   logIpAddressExclusionMatcher: ""
 
-  # Enabled TLS
-  # Postal secret must contains SMTP server's TLS private key and SMTP server's TLS certificate
   tls:
+    # -- enable TLS support for smtp
     enabled: false
+    # -- specify the source of the TLS certificate (for now only cert-manager is supported)
+    source: cert-manager
+    # -- specify annotations for the TLS object (cert-manager Certificate)
+    annotations: {}
+    # -- specify the hosts that must be covered by the TLS certificate
+    hosts: []
+    certManager:
+      issuer:
+        # -- cert-manager issuer name
+        name: lestencrypt
+        kind: ClusterIssuer
+        group: cert-manager.io/v1
 
   serviceAccount:
     # Specifies whether a service account should be created