kube/wildduck/webmail.yaml

---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
  name: webmail
spec:
  displayName: Wildduck Webmail
  uri: 'https://webmail.k-space.ee'
  allowedGroups: # duplicated by wildduck-operator StatefulSet
    - k-space:floor
    - k-space:friends
    - k-space:mailservice # wildduck-only, for info@k-space.ee et. al.
  headerMapping:
    user: Remote-Username
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: webmail-config
  namespace: wildduck
data:
  www.toml: |-
    [service]
    identities=1
    allowIdentityEdit=false
    allowJoin=false
    domains=["k-space.ee"]
    allowSendFromOtherDomains=false
    [service.sso.http]
    enabled = true
    header = "Remote-Username"
    logoutRedirect = "https://auth.k-space.ee/" #TODO: host is not templated
    [u2f]
    enabled=false
    [log]
    level="info"
    [setup.imap]
    hostname="mail.k-space.ee"
    secure=true
    port=993
    [setup.pop3]
    hostname="mail.k-space.ee"
    secure=true
    port=995
    [setup.smtp]
    hostname="mail.k-space.ee"
    secure=true
    port=465
    [api]
    url="http://wildduck-api:8080"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webmail
  namespace: wildduck
spec:
  revisionHistoryLimit: 0
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: webmail
  template:
    metadata:
      labels:
        app.kubernetes.io/name: webmail
    spec:
      containers:
        - name: webmail
          image: mirror.gcr.io/nodemailer/wildduck-webmail:latest
          command:
            - node
            - server.js
            - --config=/etc/wildduck/www.toml
          resources:
            limits:
              cpu: 500m
              memory: 100Mi
            requests:
              cpu: 1m
              memory: 50Mi
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
          volumeMounts:
            - name: webmail-config
              mountPath: /etc/wildduck
              readOnly: true
          env:
            - name: APPCONF_api_accessToken
              valueFrom:
                secretKeyRef:
                  name: wildduck
                  key: WILDDUCK_API_TOKEN
            - name: APPCONF_dbs_redis
              valueFrom:
                secretKeyRef:
                  name: session-storage
                  key: REDIS_WEBMAIL_URI
      volumes:
        - name: webmail-config
          projected:
            sources:
              - configMap:
                  name: webmail-config
---
apiVersion: v1
kind: Service
metadata:
  name: webmail
  namespace: wildduck
spec:
  selector:
    app.kubernetes.io/name: webmail
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webmail
  namespace: wildduck
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: wildduck-webmail@kubernetescrd,wildduck-webmail-redirect@kubernetescrd
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: webmail.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: webmail
                port:
                  number: 80
  tls:
    - hosts:
        - "*.k-space.ee"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: webmail-redirect
spec:
  redirectRegex:
    regex: ^https://webmail.k-space.ee/$
    replacement: https://webmail.k-space.ee/webmail/
    permanent: false