Page MenuHomePhorge
Files F117751764

No OneTemporary
Actions

Authored By
Unknown
Size
15 KB
Referenced Files
None
Subscribers
None

View Options

diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
index 173c1ff..5dc8a56 100644
--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -1,136 +1,155 @@
#USE This to set default labels etc
{{/*
Expand the name of the chart.
*/}}
{{- define "kolab.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kolab.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kolab.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Get the tls secret name based on the configuration.
*/}}
{{- define "kolab.tlsSecretName" -}}
{{- if eq .Values.tlsSecret.type "external" }}
{{- printf "%s" .Values.tlsSecret.secretName }}
{{- else }}
{{- printf "kolab-cert-%s" .Values.tlsSecret.type }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kolab.labels" -}}
helm.sh/chart: {{ include "kolab.chart" . }}
{{ include "kolab.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kolab.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kolab.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kolab.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kolab.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
websiteDomain
*/}}
{{- define "kolab.websiteDomain" -}}
{{- default .Values.domainName .Values.websiteDomainName }}
{{- end }}
{{/*
Email domain
*/}}
{{- define "kolab.emailDomain" -}}
{{- .Values.domainName }}
{{- end }}
{{/*
Define a pvc, and an associated pv when using localPath storage
*/}}
{{- define "kolab.pvc" -}}
{{- if .localPath }}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ .name }}
spec:
capacity:
storage: {{ .capacity }}
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: local-storage
local:
path: {{ .localPath }}
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kolab.org/nodegroup
operator: In
values:
- {{ .node }}
---
{{- end }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .name }}
spec:
accessModes:
- ReadWriteOnce
storageClassName: {{ .storageClassName }}
resources:
requests:
storage: {{ .capacity }}
{{- if .localPath }}
volumeName: {{ .name }}
{{- end }}
{{- end -}}
+
+
+{{/*
+Define a volumeclaimtemplate
+*/}}
+{{- define "kolab.volumeClaimTemplate" -}}
+ - metadata:
+ name: {{ .name }}
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: {{ .storageClassName }}
+ resources:
+ requests:
+ storage: {{ .capacity }}
+ {{- if .localPath }}
+ volumeName: {{ .name }}
+ {{- end }}
+{{- end -}}
diff --git a/helm/templates/postfix-deployment.yaml b/helm/templates/postfix-deployment.yaml
index 9b1e670..6f0be01 100644
--- a/helm/templates/postfix-deployment.yaml
+++ b/helm/templates/postfix-deployment.yaml
@@ -1,306 +1,329 @@
{{- if .Values.postfix.enabled -}}
apiVersion: apps/v1
+{{- if .Values.postfix.replicas }}
+kind: StatefulSet
+{{- else }}
kind: Deployment
+{{- end }}
metadata:
annotations:
alpha.image.policy.openshift.io/resolve-names: '*'
labels:
app: postfix
app.kubernetes.io/name: postfix
app.kubernetes.io/part-of: kolab-app
name: postfix
spec:
- replicas: 1
+ replicas: {{ .Values.postfix.replicas }}
+{{- if .Values.postfix.replicas }}
+ serviceName: postfix-headless
+{{- end }}
revisionHistoryLimit: 10
selector:
matchLabels:
app: postfix
+{{- if .Values.postfix.replicas }}
+ podManagementPolicy: Parallel
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ volumeClaimTemplates:
+ {{ include "kolab.volumeClaimTemplate" .Values.postfix.volumes.spool }}
+ {{ include "kolab.volumeClaimTemplate" .Values.postfix.volumes.lib }}
+ {{ include "kolab.volumeClaimTemplate" .Values.amavis.volumes.spool }}
+ {{ include "kolab.volumeClaimTemplate" .Values.amavis.volumes.spamassassinLib }}
+ {{ include "kolab.volumeClaimTemplate" .Values.amavis.volumes.clamavLib }}
+{{- else }}
strategy:
type: Recreate
+{{- end }}
template:
metadata:
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/mariadb-secret.yaml") . | sha256sum }}
labels:
app: postfix
spec:
# Allows to run as root
{{- if .Values.openshift }}
serviceAccountName: postfixserviceaccount
{{- end }}
volumes:
+{{- if not .Values.postfix.replicas }}
- name: postfix-spool
persistentVolumeClaim:
claimName: postfix-spool
- name: postfix-lib
persistentVolumeClaim:
claimName: postfix-lib
- - name: kolab-cert
- secret:
- {{- $secretName := include "kolab.tlsSecretName" . }}
- secretName: {{ default .Values.postfix.tlsSecretName $secretName }}
- name: amavis-spool
persistentVolumeClaim:
claimName: amavis-spool
- name: spamassassin-lib
persistentVolumeClaim:
claimName: spamassassin-lib
- name: clamav-lib
persistentVolumeClaim:
claimName: clamav-lib
+{{- end }}
+ - name: kolab-cert
+ secret:
+ {{- $secretName := include "kolab.tlsSecretName" . }}
+ secretName: {{ default .Values.postfix.tlsSecretName $secretName }}
- name: dkim-cert
secret:
secretName: dkim-cert
- name: postfix-scripts
configMap:
name: postfix-scripts
defaultMode: 0777
{{- if .Values.image.pullSecret }}
imagePullSecrets:
- name: registry-pull-secret
{{- end }}
containers:
- name: postfix
image: {{ .Values.image.postfixImage }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.postfix.resources | nindent 10 }}
securityContext:
runAsNonRoot: false
# Postfix insists on running as root
runAsUser: 0
startupProbe:
exec:
command:
- /bin/sh
- -c
- test -e /run/saslauthd/mux && kill -0 $(cat /var/spool/postfix/pid/master.pid)
periodSeconds: 2
failureThreshold: 60
# When we authentication requests time auth saslauthd ends up in a zombie/defunct state, which we detect via grep
livenessProbe:
exec:
command:
- /bin/sh
- -c
- test -e /run/saslauthd/mux && kill -0 $(cat /var/spool/postfix/pid/master.pid) && grep -vq "(saslauthd) Z" /proc/$(cat /var/run/saslauthd/saslauthd.pid)/stat
periodSeconds: 10
env:
- name: APP_DOMAIN
value: "{{ template "kolab.emailDomain" . }}"
- name: APP_SERVICES_DOMAIN
value: "{{ .Values.kolab.servicesService }}"
- name: SERVICES_PORT
value: "80"
- name: DB_HOST
valueFrom:
secretKeyRef:
key: database-host
name: mariadb
- name: DB_USERNAME
valueFrom:
secretKeyRef:
key: kolab-database-user
name: mariadb
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
key: kolab-database-password
name: mariadb
- name: DB_DATABASE
valueFrom:
secretKeyRef:
key: kolab-database-name
name: mariadb
- name: SSL_CERTIFICATE
value: /etc/certs/tls.crt
- name: SSL_CERTIFICATE_KEY
value: /etc/certs/tls.key
- name: LMTP_DESTINATION
value: imap:11024
- name: AMAVIS_HOST
value: "127.0.0.1"
- name: MESSAGE_SIZE_LIMIT
value: "{{ .Values.postfix.messageSizeLimit }}"
- name: MYNETWORKS
{{- if .Values.postfix.mynetworks }}
value: "{{ .Values.postfix.mynetworks }}"
{{- else }}
value: "127.0.0.0/8"
{{- end }}
- name: WITH_CONTENTFILTER
value: '{{ .Values.kolab.withMailfilter }}'
- name: WITH_PROXY_PROTOCOL
value: '{{ .Values.postfix.withProxyProtocol }}'
{{- if .Values.postfix.blockOutgoingEmails }}
- name: BLOCK_OUTGOING_EMAILS
value: "true"
{{- end }}
{{- if .Values.postfix.holdIncomingEmails }}
- name: HOLD_INCOMING_EMAILS
value: "true"
{{- end }}
ports:
# SMTP
- containerPort: 10025
protocol: TCP
# Internal submission
- containerPort: 10587
protocol: TCP
# External
- containerPort: 11465
protocol: TCP
- containerPort: 11587
protocol: TCP
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/spool/postfix
name: postfix-spool
- mountPath: /var/lib/postfix
name: postfix-lib
- name: kolab-cert
readOnly: true
mountPath: /etc/certs
- name: amavis
image: {{ .Values.image.amavisImage }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.amavis.resources | nindent 10 }}
securityContext:
runAsNonRoot: false
# Amavis insists on running as root
runAsUser: 0
startupProbe:
exec:
command:
- /bin/sh
- -c
- test -e /var/run/amavisd/amavisd.pid
periodSeconds: 5
failureThreshold: 60
livenessProbe:
exec:
command:
- /bin/sh
- -c
# - test -e /var/run/amavisd/amavisd.pid && kill -0 $(cat /var/run/amavisd/amavisd.pid) && kill -0 $(cat /var/run/amavisd/clamd.pid)
- test -e /var/run/amavisd/amavisd.pid && kill -0 $(cat /var/run/amavisd/amavisd.pid)
periodSeconds: 10
envFrom:
- configMapRef:
name: kolab-config
env:
# Perl can't deal with a searchlist like we have on openshift in /etc/resolv.conf
# We can override it like this and make dns requests by sa-update work
- name: RES_SEARCHLIST
value: ""
- name: POSTFIX_HOST
value: "127.0.0.1"
- name: DKIM_IDENTIFIER
value: {{ .Values.amavis.dkim.identifier }}
- name: CLAMD
value: "{{ .Values.amavis.clamd.enabled }}"
- name: SPAM_DETECT_LEVEL
value: "{{ .Values.amavis.spam.detectLevel }}"
- name: SPAM_KILL_LEVEL
value: "{{ .Values.amavis.spam.killLevel }}"
- name: SPAM_KILL_ACTION
{{- if .Values.amavis.spam.forwardToInbox }}
value: "D_PASS"
{{- else }}
value: "D_DISCARD"
{{- end }}
- name: DB_HOST
valueFrom:
secretKeyRef:
key: database-host
name: mariadb
- name: DB_USERNAME
valueFrom:
secretKeyRef:
key: kolab-database-user
name: mariadb
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
key: kolab-database-password
name: mariadb
- name: DB_DATABASE
valueFrom:
secretKeyRef:
key: kolab-database-name
name: mariadb
- name: REDIS_HOST
value: "{{ .Values.redis.host }}"
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: database-password
name: redis
ports:
- containerPort: 13025
protocol: TCP
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/spool/amavisd
name: amavis-spool
- mountPath: /var/lib/spamassassin
name: spamassassin-lib
- mountPath: /var/lib/clamav
name: clamav-lib
- name: dkim-cert
mountPath: /var/dkim
- name: metricsexporter
image: {{ .Values.image.postfixImage }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ['sh', '-c', 'while true; do /postfix-scripts/collectmetrics.sh; sleep 20; done']
volumeMounts:
- mountPath: /var/spool/postfix
name: postfix-spool
- mountPath: /postfix-scripts
name: postfix-scripts
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30
---
apiVersion: v1
kind: ConfigMap
metadata:
name: postfix-scripts
data:
collectmetrics.sh: |
#!/bin/bash
HOST="postfix-metrics"
EPOCH=$(date +"%s")
METRICS=$(
cat <<EOF
kolab_mx_metrics_timestamp $EPOCH
# HELP kolab_mx_queue_length Queue length
# TYPE kolab_mx_queue_length gauge
EOF
)
queues="active bounce corrupt deferred flush hold incoming maildrop"
spool_dir=/var/spool/postfix
for queue in ${queues}; do
test -d ${spool_dir}/${queue} || continue
COUNT=$(find "${spool_dir}/${queue}" -type f -print | wc -l)
# TODO once we have more than one instance, we should seaprate accordingly
METRICS+=$(
cat <<EOF
kolab_mx_queue_length{host="$HOST", queue="$queue", instance="postfix"} $COUNT
EOF
)
done
echo "$METRICS"
echo "$METRICS" | curl -k --data-binary @- http://pushgateway:9091/metrics/job/postfixmetrics/host/$HOST
{{- end }}
diff --git a/helm/templates/postfix-pvc.yaml b/helm/templates/postfix-pvc.yaml
index 9f88ad4..e05bb46 100644
--- a/helm/templates/postfix-pvc.yaml
+++ b/helm/templates/postfix-pvc.yaml
@@ -1,11 +1,11 @@
-{{- if .Values.postfix.enabled }}
+{{- if and .Values.postfix.enabled (not .Values.postfix.replicas) }}
{{- include "kolab.pvc" .Values.postfix.volumes.spool }}
---
{{- include "kolab.pvc" .Values.postfix.volumes.lib }}
---
{{- include "kolab.pvc" .Values.amavis.volumes.spool }}
---
{{- include "kolab.pvc" .Values.amavis.volumes.spamassassinLib }}
---
{{- include "kolab.pvc" .Values.amavis.volumes.clamavLib }}
{{- end }}

File Metadata

Mime Type
text/x-diff
Expires
Sat, Apr 4, 3:25 AM (1 d, 16 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
18822407
Default Alt Text
(15 KB)

Event Timeline