New: Add support for Ubuntu builds and TLS certs on Helm
This commit is contained in:
parent
4775796967
commit
0c12027622
12
.github/workflows/master.yml
vendored
|
@ -38,9 +38,15 @@ jobs:
|
||||||
./integration-tests.sh
|
./integration-tests.sh
|
||||||
- name: Run HELM chart tests
|
- name: Run HELM chart tests
|
||||||
run: ./helm/tests.sh
|
run: ./helm/tests.sh
|
||||||
- name: Build master
|
- name: Build Alpine master
|
||||||
env:
|
env:
|
||||||
DOCKER_USERNAME: 'boky'
|
DOCKER_USERNAME: 'boky'
|
||||||
DOCKER_PASSWORD: '${{ secrets.DOCKER_ACCESS_TOKEN }}'
|
DOCKER_PASSWORD: '${{ secrets.DOCKER_ACCESS_TOKEN }}'
|
||||||
PLATFORMS: "linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le"
|
PLATFORMS: "linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x"
|
||||||
run: ./build.sh -t boky/postfix --push
|
run: ./build.sh -t boky/postfix:latest --push
|
||||||
|
- name: Build Ubuntu master
|
||||||
|
env:
|
||||||
|
DOCKER_USERNAME: 'boky'
|
||||||
|
DOCKER_PASSWORD: '${{ secrets.DOCKER_ACCESS_TOKEN }}'
|
||||||
|
PLATFORMS: "linux/386,linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x"
|
||||||
|
run: ./build.sh -t boky/postfix:ubuntu-latest --push
|
||||||
|
|
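Review bot: The new `Build Ubuntu master` step runs `./build.sh -t boky/postfix:ubuntu-latest --push` without any `--build-arg=BASE_IMAGE=ubuntu:…`, while the Dockerfile in this commit defaults `BASE_IMAGE` to `alpine:latest`; unless build.sh (not shown here) derives the base image from the tag, this step publishes an Alpine image under the `ubuntu-latest` tag. The same applies to the `Build Ubuntu tag` step in `.github/workflows/tags.yml`. Passing the base explicitly, e.g. `run: ./build.sh -t boky/postfix:ubuntu-latest --build-arg=BASE_IMAGE=ubuntu:focal --push`, matches how the Alpine build script in this commit selects its base.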
10
.github/workflows/tags.yml
vendored
|
@ -29,12 +29,18 @@ jobs:
|
||||||
uses: crazy-max/ghaction-docker-buildx@v1
|
uses: crazy-max/ghaction-docker-buildx@v1
|
||||||
with:
|
with:
|
||||||
buildx-version: latest
|
buildx-version: latest
|
||||||
- name: Build branch / tag
|
- name: Build Alpine tag
|
||||||
env:
|
env:
|
||||||
DOCKER_USERNAME: 'boky'
|
DOCKER_USERNAME: 'boky'
|
||||||
DOCKER_PASSWORD: '${{ secrets.DOCKER_ACCESS_TOKEN }}'
|
DOCKER_PASSWORD: '${{ secrets.DOCKER_ACCESS_TOKEN }}'
|
||||||
PLATFORMS: "linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le"
|
PLATFORMS: "linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x"
|
||||||
run: ./build.sh -t boky/postfix:$RELEASE_VERSION --push
|
run: ./build.sh -t boky/postfix:$RELEASE_VERSION --push
|
||||||
|
- name: Build Ubuntu tag
|
||||||
|
env:
|
||||||
|
DOCKER_USERNAME: 'boky'
|
||||||
|
DOCKER_PASSWORD: '${{ secrets.DOCKER_ACCESS_TOKEN }}'
|
||||||
|
PLATFORMS: "linux/386,linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x"
|
||||||
|
run: ./build.sh -t boky/postfix:ubuntu-$RELEASE_VERSION --push
|
||||||
- name: Copy `README.md` and `LICENCE` into the helm chart
|
- name: Copy `README.md` and `LICENCE` into the helm chart
|
||||||
id: readme_and_licence
|
id: readme_and_licence
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
42
Dockerfile
|
@ -1,12 +1,23 @@
|
||||||
ARG ALPINE_VERSION=latest
|
ARG BASE_IMAGE=alpine:latest
|
||||||
FROM alpine:${ALPINE_VERSION} as build
|
# ARG BASE_IMAGE=ubuntu:focal
|
||||||
|
# ============================ BUILD SASL XOAUTH2 ============================
|
||||||
|
FROM ${BASE_IMAGE} as build
|
||||||
|
|
||||||
ARG SASL_XOAUTH2_REPO_URL=https://github.com/tarickb/sasl-xoauth2.git
|
ARG SASL_XOAUTH2_REPO_URL=https://github.com/tarickb/sasl-xoauth2.git
|
||||||
ARG SASL_XOAUTH2_GIT_REF=release-0.10
|
ARG SASL_XOAUTH2_GIT_REF=release-0.10
|
||||||
|
|
||||||
RUN true && \
|
RUN true && \
|
||||||
apk add --no-cache --upgrade git && \
|
if [ -f /etc/alpine-release ]; then \
|
||||||
apk add --no-cache --upgrade cmake clang make gcc g++ libc-dev pkgconfig curl-dev jsoncpp-dev cyrus-sasl-dev && \
|
apk add --no-cache --upgrade git && \
|
||||||
|
apk add --no-cache --upgrade cmake clang make gcc g++ libc-dev pkgconfig curl-dev jsoncpp-dev cyrus-sasl-dev; \
|
||||||
|
else \
|
||||||
|
export DEBIAN_FRONTEND=noninteractive && \
|
||||||
|
echo "Europe/Berlin" > /etc/timezone && \
|
||||||
|
apt-get update -y -q && \
|
||||||
|
apt-get install -y git build-essential cmake pkg-config libcurl4-nss-dev libjsoncpp-dev libsasl2-dev; \
|
||||||
|
fi
|
||||||
|
|
||||||
|
RUN true && \
|
||||||
git clone --depth 1 --branch ${SASL_XOAUTH2_GIT_REF} ${SASL_XOAUTH2_REPO_URL} /sasl-xoauth2 && \
|
git clone --depth 1 --branch ${SASL_XOAUTH2_GIT_REF} ${SASL_XOAUTH2_REPO_URL} /sasl-xoauth2 && \
|
||||||
cd /sasl-xoauth2 && \
|
cd /sasl-xoauth2 && \
|
||||||
mkdir build && \
|
mkdir build && \
|
||||||
|
@ -14,18 +25,29 @@ RUN true && \
|
||||||
cmake -DCMAKE_INSTALL_PREFIX=/ .. && \
|
cmake -DCMAKE_INSTALL_PREFIX=/ .. && \
|
||||||
make
|
make
|
||||||
|
|
||||||
FROM alpine:${ALPINE_VERSION}
|
# ============================ BUILD SASL XOAUTH2 ============================
|
||||||
|
FROM ${BASE_IMAGE}
|
||||||
LABEL maintaner="Bojan Cekrlic - https://github.com/bokysan/docker-postfix/"
|
LABEL maintaner="Bojan Cekrlic - https://github.com/bokysan/docker-postfix/"
|
||||||
|
|
||||||
# Install supervisor, postfix
|
# Install supervisor, postfix
|
||||||
# Install postfix first to get the first account (101)
|
# Install postfix first to get the first account (101)
|
||||||
# Install opendkim second to get the second account (102)
|
# Install opendkim second to get the second account (102)
|
||||||
RUN true && \
|
RUN true && \
|
||||||
apk add --no-cache --upgrade cyrus-sasl cyrus-sasl-static cyrus-sasl-digestmd5 cyrus-sasl-crammd5 cyrus-sasl-login cyrus-sasl-ntlm && \
|
if [ -f /etc/alpine-release ]; then \
|
||||||
apk add --no-cache postfix && \
|
apk add --no-cache --upgrade cyrus-sasl cyrus-sasl-static cyrus-sasl-digestmd5 cyrus-sasl-crammd5 cyrus-sasl-login cyrus-sasl-ntlm && \
|
||||||
apk add --no-cache opendkim && \
|
apk add --no-cache postfix && \
|
||||||
apk add --no-cache --upgrade ca-certificates tzdata supervisor rsyslog musl musl-utils bash opendkim-utils libcurl jsoncpp lmdb && \
|
apk add --no-cache opendkim && \
|
||||||
(rm "/tmp/"* 2>/dev/null || true) && (rm -rf /var/cache/apk/* 2>/dev/null || true) && \
|
apk add --no-cache --upgrade ca-certificates tzdata supervisor rsyslog musl musl-utils bash opendkim-utils libcurl jsoncpp lmdb && \
|
||||||
|
(rm "/tmp/"* 2>/dev/null || true) && (rm -rf /var/cache/apk/* 2>/dev/null || true); \
|
||||||
|
else \
|
||||||
|
export DEBIAN_FRONTEND=noninteractive && \
|
||||||
|
echo "Europe/Berlin" > /etc/timezone && \
|
||||||
|
apt-get update -y -q && \
|
||||||
|
apt-get install -y libsasl2-modules && \
|
||||||
|
apt-get install -y postfix && \
|
||||||
|
apt-get install -y opendkim && \
|
||||||
|
apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 libjsoncpp1 postfix-lmdb netcat; \
|
||||||
|
fi && \
|
||||||
cp -r /etc/postfix /etc/postfix.template
|
cp -r /etc/postfix /etc/postfix.template
|
||||||
|
|
||||||
# Copy SASL-XOAUTH2 plugin
|
# Copy SASL-XOAUTH2 plugin
|
||||||
|
|
|
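Review bot: In the runtime-stage RUN (second hunk) the Debian/Ubuntu branch, `apt-get install -y libsasl2-modules` through `fi && \`, installs recommended packages and never removes `/var/lib/apt/lists/*`, so unlike the Alpine branch, which clears `/var/cache/apk/*` in the same layer, the package index and extra packages end up in the published image; `apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*` in that same RUN fixes both. The same branch writes `Europe/Berlin` into `/etc/timezone` of the shipped image (presumably to keep tzdata's configure quiet, although `DEBIAN_FRONTEND=noninteractive` is already exported) and adds `curl` and `netcat`, which the Alpine branch does not ship; a neutral zone such as `Etc/UTC` and dropping the debugging tools keeps the two flavours equivalent. The banner `# ============================ BUILD SASL XOAUTH2 ============================` is repeated directly above the second `FROM ${BASE_IMAGE}`, where the runtime image starts, so renaming it there to something like `# ============================ RUNTIME IMAGE ============================` keeps the stages distinguishable. `ARG BASE_IMAGE=alpine:latest` also carries over the floating tag from `ALPINE_VERSION=latest`; pinning a release (`alpine:<version>` as a placeholder) makes the build reproducible.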
@ -12,5 +12,5 @@ docker login
|
||||||
# build, tag, and push alpine versions supplied as script arguments
|
# build, tag, and push alpine versions supplied as script arguments
|
||||||
base_repo=boky/postfix
|
base_repo=boky/postfix
|
||||||
for alpine_version in "$@"; do
|
for alpine_version in "$@"; do
|
||||||
$(dirname $0)/build.sh -t "$base_repo" --build-arg=ALPINE_VERSION="$alpine_version"
|
$(dirname $0)/build.sh -t "$base_repo" --build-arg=BASE_IMAGE="alpine:$alpine_version"
|
||||||
done
|
done
|
||||||
|
|
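Review bot: `$(dirname $0)/build.sh` on the changed line is unquoted, so a checkout path containing whitespace splits into several words before the script is invoked; `"$(dirname "$0")/build.sh" -t "$base_repo" --build-arg=BASE_IMAGE="alpine:$alpine_version"` is the quoted form. The `for alpine_version` loop starts and ends inside the hunk, but the script header above it is outside this view.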
|
@ -75,3 +75,4 @@ checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . |
|
||||||
# Uses: https://github.com/stakater/Reloader
|
# Uses: https://github.com/stakater/Reloader
|
||||||
configmap.reloader.stakater.com/reload: "{{ include "mail.fullname" . }}"
|
configmap.reloader.stakater.com/reload: "{{ include "mail.fullname" . }}"
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
|
|
@ -16,3 +16,10 @@ data:
|
||||||
{{- range $key, $value := .Values.config.opendkim }}
|
{{- range $key, $value := .Values.config.opendkim }}
|
||||||
OPENDKIM_{{ $key }}: {{ $value | quote }}
|
OPENDKIM_{{ $key }}: {{ $value | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.certs.create }}
|
||||||
|
_enable_tls.sh: |
|
||||||
|
do_postconf -e 'smtp_use_tls=yes'
|
||||||
|
do_postconf -e 'smtp_tls_note_starttls_offer=yes'
|
||||||
|
do_postconf -e 'smtpd_tls_cert_file=/var/run/certs/tls.crt'
|
||||||
|
do_postconf -e 'smtpd_tls_key_file=/var/run/certs/tls.key'
|
||||||
|
{{- end }}
|
||||||
|
|
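Review bot: The generated `_enable_tls.sh` only turns on TLS for outbound mail: `smtp_use_tls=yes` and `smtp_tls_note_starttls_offer=yes` are `smtp_` (client) parameters, while the mounted certificate and key are assigned to `smtpd_tls_cert_file`/`smtpd_tls_key_file`, which the server only uses once `smtpd_use_tls=yes` (or, on current Postfix, `smtpd_tls_security_level=may`) is set; as written, inbound clients are never offered STARTTLS and the certificate goes unused. Adding `do_postconf -e 'smtpd_tls_security_level=may'` (and preferring `smtp_tls_security_level=may` over the deprecated `smtp_use_tls`) makes the intent explicit. If outbound-only TLS was the intent, the two `smtpd_tls_*` lines should go, since a client certificate is configured through `smtp_tls_cert_file` instead.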
22
helm/mail/templates/secret-cert.yaml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
{{- if .Values.certs.create -}}
|
||||||
|
{{/* Generate certificates for mail server */}}
|
||||||
|
{{- $chart := "mail" -}}
|
||||||
|
{{- $fullName := include (print $chart ".fullname") . -}}
|
||||||
|
{{- $labels := include (print $chart ".labels") . -}}
|
||||||
|
{{- $altNames := list ( printf "%s.%s" $fullName .Release.Namespace ) ( printf "%s.%s.svc" $fullName .Release.Namespace ) ( printf "%s.%s.svc.cluster.local" $fullName .Release.Namespace ) -}}
|
||||||
|
{{- $ca := genCA "mail-ca" 365 -}}
|
||||||
|
{{- $cert := genSignedCert ( include "mail.name" . ) nil $altNames 365 $ca -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
type: kubernetes.io/tls
|
||||||
|
metadata:
|
||||||
|
name: {{ $fullName }}-certs
|
||||||
|
labels:
|
||||||
|
{{- $labels | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
"helm.sh/hook": "pre-install"
|
||||||
|
"helm.sh/hook-delete-policy": "before-hook-creation"
|
||||||
|
data:
|
||||||
|
tls.crt: {{ $cert.Cert | b64enc }}
|
||||||
|
tls.key: {{ $cert.Key | b64enc }}
|
||||||
|
{{- end }}
|
|
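Review bot: The certificate from `genSignedCert … $altNames 365 $ca` is created inside a `pre-install` hook, so it is generated once at install time with a one-year validity and nothing in the chart renews it — a `helm upgrade` does not re-run a pre-install hook, and after 365 days Postfix serves an expired certificate. Because the `genCA` output is never emitted, peers cannot verify the chain either, so the template comment `{{/* Generate certificates for mail server */}}` should say that this is a self-signed, opportunistic-TLS certificate with a 365-day validity and no automatic rotation. Hook resources are also not removed by `helm uninstall`, so the `{{ $fullName }}-certs` Secret outlives the release; rendering it as an ordinary resource (keeping an existing Secret via `lookup`) or accepting a pre-provisioned Secret through a value such as `existingSecret`, e.g. from cert-manager, would give operators a rotation path. The SAN list covers the namespace-qualified names but not the bare `{{ $fullName }}` service name, which same-namespace clients commonly use.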
@ -80,6 +80,15 @@ spec:
|
||||||
name: private
|
name: private
|
||||||
- mountPath: /var/spool/postfix/public
|
- mountPath: /var/spool/postfix/public
|
||||||
name: private
|
name: private
|
||||||
|
{{- if .Values.certs.create }}
|
||||||
|
- name: certs
|
||||||
|
mountPath: /var/run/certs
|
||||||
|
readOnly: true
|
||||||
|
- name: certs-init
|
||||||
|
mountPath: /docker-init.db/_enable_tls.sh
|
||||||
|
readOnly: true
|
||||||
|
subPath: _enable_tls.sh
|
||||||
|
{{- end }}
|
||||||
{{- if .Values.extraVolumeMounts }}{{- toYaml .Values.extraVolumeMounts | nindent 12 }}{{ end }}
|
{{- if .Values.extraVolumeMounts }}{{- toYaml .Values.extraVolumeMounts | nindent 12 }}{{ end }}
|
||||||
resources: {{ toYaml .Values.resources | nindent 12 }}
|
resources: {{ toYaml .Values.resources | nindent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
|
@ -88,6 +97,14 @@ spec:
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: private
|
- name: private
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- if .Values.certs.create }}
|
||||||
|
- name: certs-init
|
||||||
|
secret:
|
||||||
|
configMapName: {{ $fullName }}
|
||||||
|
- name: certs
|
||||||
|
secret:
|
||||||
|
secretName: {{ $fullName }}-certs
|
||||||
|
{{- end }}
|
||||||
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
|
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
|
||||||
- name: {{ $fullName }}
|
- name: {{ $fullName }}
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
|
|
|
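Review bot: The `certs-init` volume in the second hunk (`- name: certs-init` / `secret:` / `configMapName: {{ $fullName }}`) uses `configMapName`, which is not a field of a `secret` volume source, so the manifest fails strict validation or at best yields a Secret volume with no name, and the `/docker-init.db/_enable_tls.sh` mount from the first hunk never materialises. `_enable_tls.sh` appears to be rendered into the chart's ConfigMap under `data:`, so the source should be `configMap:` with `name: {{ $fullName }}`, i.e. `- name: certs-init` / `  configMap:` / `    name: {{ $fullName }}`. The `certs` volume next to it (`secret:` / `secretName: {{ $fullName }}-certs`) is consistent with the Secret the chart creates.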
@ -68,10 +68,15 @@ container:
|
||||||
postfix:
|
postfix:
|
||||||
securityContext: {}
|
securityContext: {}
|
||||||
|
|
||||||
|
# Auto-generate certificates for the server and mount them into Postfix volume
|
||||||
|
certs:
|
||||||
|
create: true
|
||||||
|
|
||||||
# Define data which should be stored in a Secret
|
# Define data which should be stored in a Secret
|
||||||
# (and shared with the pod as environment variables)
|
# (and shared with the pod as environment variables)
|
||||||
# secret:
|
# secret:
|
||||||
# hello: world
|
# hello: world
|
||||||
|
secret: {}
|
||||||
|
|
||||||
config:
|
config:
|
||||||
general: {}
|
general: {}
|
||||||
|
@ -123,7 +128,9 @@ livenessProbe:
|
||||||
command:
|
command:
|
||||||
- sh
|
- sh
|
||||||
- -c
|
- -c
|
||||||
- 'ps axf | fgrep -v grep | fgrep -q "{supervisord}" && ps axf | fgrep -v grep | fgrep -q "/usr/libexec/postfix/master"'
|
- >-
|
||||||
|
ps axf | fgrep -v grep | egrep -q '\{supervisord\}|/usr/bin/supervisord' &&
|
||||||
|
ps axf | fgrep -v grep | egrep -q '(/usr/lib/postfix/sbin/|/usr/libexec/postfix/)master'
|
||||||
startupProbe:
|
startupProbe:
|
||||||
initialDelaySeconds: 5
|
initialDelaySeconds: 5
|
||||||
periodSeconds: 5
|
periodSeconds: 5
|
||||||
|
@ -132,4 +139,7 @@ startupProbe:
|
||||||
command:
|
command:
|
||||||
- sh
|
- sh
|
||||||
- -c
|
- -c
|
||||||
- 'ps axf | fgrep -v grep | fgrep -q "{supervisord}" && ps axf | fgrep -v grep | fgrep -q "{postfix-script}" && ps axf | fgrep -v grep | fgrep -q "{opendkim.sh}"'
|
- >-
|
||||||
|
ps axf | fgrep -v grep | egrep -q '\{supervisord\}|/usr/bin/supervisord' &&
|
||||||
|
ps axf | fgrep -v grep | fgrep -q "postfix-script" &&
|
||||||
|
ps axf | fgrep -v grep | fgrep -q 'opendkim.sh'
|
||||||
|
|
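Review bot: `certs.create: true` in the first hunk enables certificate generation for every install by default, but the comment above it does not say what is generated: a self-signed certificate from a throwaway CA, valid for 365 days and not renewed by the chart. Operators deciding whether to keep the default need that, so the comment should read along the lines of `# Auto-generate a self-signed TLS certificate (365-day validity, CA key discarded, not renewed automatically) and mount it into the Postfix container at /var/run/certs`. Mentioning that an externally managed certificate is not yet supported, if that is the case, would save users from assuming otherwise.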
2
helm/test_7_certs.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
certs:
|
||||||
|
create: true
|
|
@ -50,38 +50,55 @@ setup_conf() {
|
||||||
}
|
}
|
||||||
|
|
||||||
reown_folders() {
|
reown_folders() {
|
||||||
mkdir -p /var/spool/postfix/ && mkdir -p /var/spool/postfix/pid
|
mkdir -p /var/spool/postfix/pid /var/spool/postfix/dev
|
||||||
chown root: /var/spool/postfix/
|
chown root: /var/spool/postfix/
|
||||||
chown root: /var/spool/postfix/pid
|
chown root: /var/spool/postfix/pid
|
||||||
|
|
||||||
|
do_postconf -e "manpage_directory=/usr/share/man"
|
||||||
|
postfix -c /etc/postfix/ set-permissions || true
|
||||||
}
|
}
|
||||||
|
|
||||||
postfix_upgrade_conf() {
|
postfix_upgrade_conf() {
|
||||||
local maincf=/etc/postfix/main.cf
|
local maincf=/etc/postfix/main.cf
|
||||||
|
local line
|
||||||
local entry
|
local entry
|
||||||
local filename
|
local filename
|
||||||
|
local OLD_IFS
|
||||||
|
|
||||||
# Check for any references to the old "hash:" and "btree:" databases and replae them with "lmdb:"
|
# Check for any references to the old "hash:" and "btree:" databases and replae them with "lmdb:"
|
||||||
if cat "$maincf" | egrep -v "^#" | egrep -q "(hash|btree):"; then
|
if cat "$maincf" | egrep -v "^#" | egrep -q "(hash|btree):"; then
|
||||||
info "Detected old hash: and btree: references in the config file, which are not supported anymore. Upgrading to lmdb:"
|
warn "Detected old hash: and btree: references in the config file, which are not supported anymore. Upgrading to lmdb:"
|
||||||
sed -i -E 's/(hash|btree):/lmdb:/g' "$maincf"
|
sed -i -E 's/(hash|btree):/lmdb:/g' "$maincf"
|
||||||
|
OLD_IFS="$IFS"
|
||||||
|
IFS=$'\n'
|
||||||
# Recreate aliases
|
# Recreate aliases
|
||||||
for entry in $(cat "$maincf" | egrep -o "lmdb:[^,]+" | sort | uniq); do
|
for line in $(cat "$maincf" | egrep 'lmdb:[^,]+' | sort | uniq); do
|
||||||
filename="$(echo $entry | cut -d: -f2)"
|
entry="$(echo "$line" | egrep -o 'lmdb:[^,]+')"
|
||||||
|
filename="$(echo "$entry" | cut -d: -f2)"
|
||||||
if [[ -f "$filename" ]]; then
|
if [[ -f "$filename" ]]; then
|
||||||
debug "Creating new postmap for ${emphasis}$entry${reset}."
|
if echo "$line" | egrep -q '[ \t]*alias.*'; then
|
||||||
postmap $entry
|
debug "Creating new postalias for ${emphasis}$entry${reset}."
|
||||||
|
postalias $entry
|
||||||
|
else
|
||||||
|
debug "Creating new postmap for ${emphasis}$entry${reset}."
|
||||||
|
postmap $entry
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS="$OLD_IFS"
|
||||||
else
|
else
|
||||||
debug "No upgrade needed."
|
debug "No upgrade needed."
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
postfix_disable_utf8() {
|
postfix_disable_utf8() {
|
||||||
do_postconf -e smtputf8_enable=no
|
if [[ -f /etc/alpine-release ]]; then
|
||||||
|
do_postconf -e smtputf8_enable=no
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
postfix_create_aliases() {
|
postfix_create_aliases() {
|
||||||
|
touch /etc/postfix/aliases
|
||||||
postalias /etc/postfix/aliases
|
postalias /etc/postfix/aliases
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
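Review bot: The `egrep -q '[ \t]*alias.*'` test in `postfix_upgrade_conf` is unanchored, so any main.cf line containing `alias` — including `virtual_alias_maps`, whose table is a plain map — is fed to `postalias` instead of `postmap`, producing a table in the wrong format. In the same loop `entry` holds the whole `egrep -o` output for the line, so a parameter listing two tables (`lmdb:/a, lmdb:/b`) yields a two-line `$entry`, `[[ -f "$filename" ]]` fails and both tables are silently skipped, whereas the previous per-match loop handled them. Anchoring the test to the parameter name and iterating over the matches, as below, fixes both; `postmap`/`postalias` should also get a quoted argument. Separately, `postfix -c /etc/postfix/ set-permissions || true` in `reown_folders` hides a failure that leaves the spool with wrong ownership — logging it with `warn` keeps the best-effort behaviour without losing the signal.
```shell
# … unchanged: OLD_IFS="$IFS" / IFS=$'\n' …
for line in $(egrep 'lmdb:[^,]+' "$maincf" | sort | uniq); do
    # a single parameter may list several tables, e.g. "lmdb:/a, lmdb:/b"
    for entry in $(echo "$line" | egrep -o 'lmdb:[^,]+'); do
        filename="$(echo "$entry" | cut -d: -f2)"
        if [[ -f "$filename" ]]; then
            # only alias_maps / alias_database hold alias-format tables
            if echo "$line" | egrep -q '^[[:space:]]*alias_(maps|database)[[:space:]]*='; then
                debug "Creating new postalias for ${emphasis}$entry${reset}."
                postalias "$entry"
            else
                debug "Creating new postmap for ${emphasis}$entry${reset}."
                postmap "$entry"
            fi
        fi
    done
done
# … unchanged: IFS="$OLD_IFS" …
```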