Added config templates and configured redis

2 years ago · 920972b6d9
5 changed files with 114 additions and 0 deletions
--- a/charts/rspamd/v0.1.0/Chart.lock
+++ b/charts/rspamd/v0.1.0/Chart.lock
@ -0,0 +1,6 @@
+dependencies:
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 17.0.1
+digest: sha256:971c7d3e44106de73552c8dee38509fd10b0ed4d08d308ed94e5249d1862e427
+generated: "2022-07-13T14:59:03.042613-03:00"
--- a/charts/rspamd/v0.1.0/Chart.yaml
+++ b/charts/rspamd/v0.1.0/Chart.yaml
@ -14,3 +14,9 @@ version: 0.1.0
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "3.2.0"
+
+# Dependencies
+dependencies:
+- name: redis
+  version: 17.0.1
+  repository: https://charts.bitnami.com/bitnami
--- a/charts/rspamd/v0.1.0/charts/redis-17.0.1.tgz
+++ b/charts/rspamd/v0.1.0/charts/redis-17.0.1.tgz
--- a/charts/rspamd/v0.1.0/templates/locald-configmap.yaml
+++ b/charts/rspamd/v0.1.0/templates/locald-configmap.yaml
@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "rspamd.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "rspamd.labels" . | nindent 4 }}
+data:
+  ratelimit.conf: |-
+    rates {
+      # Limit for all mail per recipient (default rate 70 per day)
+      to = "{{ .Values.rspamd.rateLimits.to }}";
+      # Limit for all mail per one source ip (default rate 150 per day)
+      to_ip = "{{ .Values.rspamd.rateLimits.toIp }}";
+      # Limit for all mail per one source ip and from address (default rate 100 per day)
+      to_ip_from = "{{ .Values.rspamd.rateLimits.toIpFrom }}";
+      # Limit for all bounce mail (rate 2 per hour)
+      #bounce_to = "2 / 1h";
+      # Limit for bounce mail per one source ip (rate 1 per hour)
+      #bounce_to_ip = "1 / 1h";
+      # Limit for all mail per authenticated user (default rate 100 per day)
+      user = "{{ .Values.rspamd.rateLimits.user }}";
+    }
+    whitelisted_rcpts = "{{ .Values.rspamd.rateLimits.whitelisted.rcpts }}";
+    whitelisted_ip = "/etc/rspamd/local.d/ratelimit_whitelist.map";
+    max_rcpt = {{ .Values.rspamd.rateLimits.maxRcpt }};
+  ratelimit_whitelist.map: |-
+    {{- range .Values.rspamd.rateLimits.whitelisted.ips }}
+      {{ . }}
+    {{- end }}
+  redis.conf: |-
+    servers = "{{ printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" }}";
+    db = "3";
+    password = "{{ .Values.redis.auth.password }}";
+  worker-proxy.inc: |-
+    milter = {{ .Values.rspamd.workerProxy.milter }}; 
+    bind_socket = "*:11332"
+    timeout = {{ .Values.rspamd.workerProxy.timeout }};
+    upstream "local" {
+      default = yes; # Self-scan upstreams are always default
+      self_scan = yes; # Enable self-scan
+    }
+    count = {{ .Values.rspamd.workerProxy.count }}; # Spawn more processes in self-scan mode
+    max_retries = {{ .Values.rspamd.workerProxy.maxRetries }}; # How many times master is queried in case of failure
+    discard_on_reject = {{ .Values.rspamd.workerProxy.discardOnReject }}; # Discard message instead of rejection
+    quarantine_on_reject = {{ .Values.rspamd.workerProxy.quarantineOnReject }}; # Tell MTA to quarantine rejected messages
+    spam_header = "{{ .Values.rspamd.workerProxy.spamHeader }}"; # Use the specific spam header
+    reject_message = "{{ .Values.rspamd.workerProxy.rejectMessage }}"; # Use custom rejection message
+  worker-normal.inc: |-
+    # Disable worker-normal in Milter mode
+    worker "normal" {
+      enabled = false;
+    }
--- a/charts/rspamd/v0.1.0/values.yaml
+++ b/charts/rspamd/v0.1.0/values.yaml
@ -26,6 +26,33 @@ securityContext: {}

 rspamd:
  password: apassword
+  rateLimits:
+    # Limit for all mail per recipient (default rate 70 per day)
+    to: "70 / 1d"
+    # Limit for all mail per one source ip (default rate 150 per day)
+    toIp: "150 / 1d"
+    # Limit for all mail per one source ip and from address (default rate 100 per day)
+    toIpFrom: "100 / 1d"
+    # Limit for all mail per authenticated user (default rate 100 per day)
+    user: "100 / 1d"
+    maxRcpt: 50
+    whitelisted:
+      rcpts: "postmaster,mailer-daemon,<>"
+      ips:
+        - "127.0.0.1"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+        - "10.0.0.0/8"
+        - "[::1]/128"
+  workerProxy:
+    milter: "yes"
+    timeout: "120s"
+    count: 4 # Spawn more processes in self-scan mode
+    maxRetries: 5 # How many times master is queried in case of failure
+    discardOnReject: false # Discard message instead of rejection
+    quarantineOnReject: false # Tell MTA to quarantine rejected messages
+    spamHeader: "X-Spam" # Use the specific spam header
+    rejectMessage: "Spam message rejected" # Use custom rejection message

 service:
  type: ClusterIP
@ -69,3 +96,26 @@ nodeSelector: {}
 tolerations: []

 affinity: {}
+
+# Redis definitions
+redis:
+  image:
+    tag: 7.0.3-debian-11-r0
+    pullPolicy: IfNotPresent
+  architecture: standalone
+  auth:
+    enabled: true
+    password: agoodredispassword
+  master: 
+    persistence:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      size: 2Gi
+    resources:
+      requests:
+        cpu: 50m
+        memory: 150Mi
+      limits:
+        cpu: 800m
+        memory: 1Gi