feat(mail): wire Tipimail SMTP on prod (#3237) (#3238)

Author: Viczei

.kontinuous/env/preprod/templates/mail.configmap.yaml

@@ -3,7 +3,10 @@ apiVersion: v1
 metadata:
   name: mail
 data:
-  MAIL_ENABLED: "false"
-  SMTP_HOST: ""
+  # Using MailDev as an in-cluster SMTP catcher until a Tipimail preprod
+  # sealed-secret is available. The UI is exposed at
+  # https://maildev-<global.host> via the maildev Ingress.
+  MAIL_ENABLED: "true"
+  SMTP_HOST: "maildev"
   SMTP_PORT: "1025"
   MAIL_FROM: "no-reply@egapro.preprod.fabrique.social.gouv.fr"

.kontinuous/env/preprod/templates/maildev.yaml

@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: maildev
+  namespace: {{ .Values.global.namespace }}
+  labels:
+    app: maildev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: maildev
+  template:
+    metadata:
+      labels:
+        app: maildev
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+        - name: maildev
+          image: maildev/maildev:2.2.1
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: smtp
+              containerPort: 1025
+            - name: web
+              containerPort: 1080
+          readinessProbe:
+            httpGet:
+              path: /
+              port: web
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: maildev
+  namespace: {{ .Values.global.namespace }}
+spec:
+  selector:
+    app: maildev
+  ports:
+    - name: smtp
+      port: 1025
+      targetPort: smtp
+    - name: web
+      port: 1080
+      targetPort: web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: maildev
+  namespace: {{ .Values.global.namespace }}
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - maildev-{{ .Values.global.host }}
+      secretName: maildev-tls
+  rules:
+    - host: maildev-{{ .Values.global.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: maildev
+                port:
+                  name: web

.kontinuous/env/prod/templates/mail.configmap.yaml

@@ -3,7 +3,5 @@ apiVersion: v1
 metadata:
   name: mail
 data:
-  MAIL_ENABLED: "false"
-  SMTP_HOST: ""
-  SMTP_PORT: "1025"
-  MAIL_FROM: "no-reply@egapro.travail.gouv.fr"
+  MAIL_ENABLED: "true"
+  MAIL_FROM: "EgaPro <index@travail.gouv.fr>"

.kontinuous/env/prod/templates/smtp-app.sealed-secret.yaml

@@ -0,0 +1,27 @@
+# Inherited as-is from the V1 prod setup (SocialGouv/egapro@master).
+# The MAILER_* keys are remapped to the V2 SMTP_* env var names in
+# .kontinuous/values.yaml. `MAILER_SEND_EMAILS` is a V1 legacy flag —
+# unused by the V2 app (sending is gated by MAIL_ENABLED in the `mail`
+# configmap). Kept in the sealed-secret for a no-op migration; can be
+# dropped once the prod credentials are re-sealed without it.
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/namespace-wide: 'true'
+  name: smtp-app
+  namespace: egapro
+spec:
+  encryptedData:
+    MAILER_SEND_EMAILS: AgCFRiBYt8dlFrNmu/9zB9bUiRWf589fyN438L2JmF9QfuwZyI8kdXPcYg5XCdo/WHA7dAPS3JaMzFFbxxOvd45qLRRcF7p9HzZjqIM7/3K2/pRbHxkxRSQBhi3X+aWq1OND4gLklPN2SDXNZjHIiaGkOiZJEQomDTTPpurJhLBmr91EDgqgspcPWDdFeDrA36pFkh6Q5hfeOka/Ew+vKc3O70t7++A/Qx9/HAFH+QWRhyahThMVr1hYGJUBSaW0azzot/fuFPkzvPntvRTmfS7W2Tcw531uu+j/irkXFTwws83Cfa/1Ykknd91KSbJBbjfl6XbHWFI7Rvja2YAj0NEV685xUDaDwkZBA+RydkJtKbSxnntVFw8tpiF06Pn7NNVKbjLMAVNoO80RLncj9S+FLvibZiSC5PCDa+QsmtBAokj0aUuVtIlHyax2Td+YOgX894eartj2Bo8oZH95pm7urK4yUnxbswMW5x064SrB9vNfBTDI+p3/QdNqBhIUiXEMt89ikiqSA7NaIcKXcn77PS2ySz7XhvA0qL4A3cs6jiWMSsCp0bTQ44vrwsbn+40UBTAplUrWHx4ZHrpBEd7KDbGcsJecmnZqZw3+TSaqyvY8lLz7JFDTACQ0UChtMxi5M4UARof/+s0Kc+75FwPCctoP2S4Nr6j6d7JVYiVJ7gy53Zjgd6xRIRy+RURL/lne
+    MAILER_SMTP_HOST: AgCJUjNoGmqadk9PMkjJWhhUXel/d/QckP+KNnsmh+HeMy8UkHuPGytxneGaxYzPSxBkPexKpvqiyUTzhV7539kHJU9Vw02Xb3UGPvjIA+XDrK4q84bem+yE8VacbYPBI5jAhLgP/UmTRje3qJhQj+L7LIfgHEoEBX1dI23e/d2IlE35MRLIAKl73kna6/W4kayi4Rv61Emsqnocn02yYU/W5N7Oj7nEouW9e3Xkqu6PyCuHs5Y5EmUf73WG0Nl926xu257YWk39JqtRzMtxaQow1u3E4jguyZtL6JdJeRrXllp04TH4uRr2fzAXtuYyiDPV+l5WoR0PhZiFclfgToD4raCymkCP9EMvFO2H4dBQ1ZFOOzYrj7hJINqUzxn5AmxNsemtApfE8Qr7P7mvhuWKvlD9WJ4bdGx8M218gz8PKeszut1AfnhzWoYA6nnacO/H5iYK/3/ieZk1g4oIUZPFhYGWWpHWaI4pD31lvRoSRo+X4CtDbQALSWNA7aW1czM96Uxr5tHw29ozJ6h1LeL6mQSqWJJ54/TISHwUNawsAONrjrC1QM7H09MVYrZKQ4/w22+Zg59pa/YdmP85Jgz+tulM6gzX/jRjVbT4ncjo5vBLQKXFRjsSgT0+xMxHkpDMJx4ZieIRPiKbCOQC2jjsPAsrbtRuw2gXqRndU3hM8xKSoEyuUc2u82ro5Z++PQEXHUyuue6NoFS+/K+UqpZ8Qw==
+    MAILER_SMTP_LOGIN: AgA1f6wwAt2o8Qa45WkfhB+7vWXYXZUqeYQufKaV+QN6sM3QbJoEabzzVOrtU8c7ZmqkeXvIaE397/1vB0tcOopbWDUtSaq+XSSrun3D9xXuRoJd0qOmm33WUh+8dpf/j925segebThXKj21/O3X21VTrGlLbbMVrZTEzKjFh4svelZStsf8C8/4cjOhoU9lVevhv4HbnQvb8BRqnVzLXbFYkO/HVnQp6CgqkwwXcyvZxQoHc6eWiIgcKgvIGxoxe9vsqZuqmXE715MFJD76j2KduU2DqXYV2FzeNB5LCVlg2RUkIQsqsGEhONf4P3xoWZUscD0u19x6ImEoG89qxeEfvgeHPwnyzXw7uEKBvSOekYT6ZkDIMjNFk3QgHr/Ow05zjpbXUaZmYyr2boE9ajiU9FwwQJDaAN4jrrBji/t/tHR1FV3TDFsmiVqrim/xo89ZmW05kiHKqfF2W1rxX1lrQINu3RmcSODeHKqqKQ0I6CM+MWE7cRyTr9lv1qy4aUXXXoCdo/gGqsv370IycrD0wL57OXIehcNm9/Oi/DxkT30mnb0yAHpWes5AEmOgybpPisej5N3Rlys2X3fNZ/Q7WRyumYCtsCZe2mgbno1hPUBL6uixPbbnFJOY6XQkRXnR9ki9Cnv1vLZ0Bu7BI9iqqwwUZXdUnbluvzgW+kh+cvlyHnNe2lkqblma6ZYjqpjGU+RlJiyJ3o5t7rJAJMpecLDTpq5yYoDljkJ5Y1LpeQ==
+    MAILER_SMTP_PASSWORD: AgBIGjkxoeUK2UgIiyYYC1AZYjbDy8TkFg6p4ddDhhEX+eeh07stFygp0LNjRmoGco3WPElGvyoo5zt3jTyg7SxunsMRtYt0ewc5CmKfTenkOoAlcBW2o3d3WgIe3fERuwYFtjU3WUFJ9y1S1vRnxI/rGjunDEe+L7DHo6n4Rco+H3m22+h9HgxfXSG+TrMz8r/LJaLUOATpVptlSAlo1+nixvxIGE5EXeKYgn5D3nGeh6tzJ24LbGK3QSRWFSTw/qcsz+L2nFP1LXSboAiwqEWNfAndwYg3nwABO2J1TArLoqhzBBgIaHdkLXh9g9s5DLuYn0AxcQLi95CIdYvupa4XFrsrVI0J7OWCoMH9P8IdQJbRLBhbH/ULyuESLD4LfNwzcE3r9o9hDdM72/e2uROqFJ4ScCCkllTcqwTbSPu5xjKNUIdEVYp25BAi0dk84uc1Wm+lb61OWp6e6dLSYMuz8cOF9HZlVaVjm1WMujZQ0wE14wzipXAs54hXjz26BTe6P6Xn5JTURcg7ddMIQXngeoY8vrnleQbfgrsOzyvaZv/pjS9940MTR5isR9mAx0AC/iAVFlWBeXtljQ9eJ/vjb1rVfo+w0rDpywUP++Z2ubm6i70vdlk2Giea/ArKxTYVJC3FbRgK2pMPWGYezC87rZdL5Gl7W2s0WKWd7mB7ha8X/PcIu/xDqA40MAwnyKYjgouR2n3KcFvoxgNVsouoG9o6Rx0jNdLC6j06Yb7Uxg==
+    MAILER_SMTP_PORT: AgBEz7m4f8/Q4stmQ8xbA0+dEUGaPqMuybL0OZDEJC7AOXbhbGqGUi/MGA8O1ZM7eg57R+BFbcjIj5QAJ0g4wvIR2IgKxw4UShp4/INYUPPXCu6Wnz29IsniyZQ8UZhqPV7IbxxmgdhNCEh3k5Hu0IYmA+NI/CiN55w3QWiUBgk3/u4hi+s0drMvYTr+ZlC5qiJ+vveDYJNcVIFOgbIBuaDjoqvnhelppAb/rfwGPoEOONcFLbWsKrSTw5E1Q7eVnJBNUazK9ev9j4M4au9MfWGfUcMUza6V8DJuPmgOfyEpk/81IbIuk36rPsikouwpqyA2uDl0K+MxTryiI//YMzJMJQYjEkuKdYSPtNzhKxrKURdTt4x7g5jjKEyudAbFBXEAtvxrmEikWbI6uCM2lqFA6Xhoykyt4PBbG6VjYZLf3mz+tPjr7FsAh2ELxqBq75PPwZLLyQcjqmvoq2YDQ7+e99YJ5S9VjOOrvU698c8cbxWMkcVr/cuaNynsgjoK6Mf1P5R/5GW0sk7fQmbzQDZFpIqH5f9TS8Q4trjEVyI81SaJd4yOHRtlTNivPdqpDppuZFyO3s5Y5l0V/00wkCdcOR6Xm6hsDbsijloMnY+xcswL+eZFJDRv5sKMp7WBjnUlw1KGcusv4SzvevYvxbYWArWEoOjIsjT5DWu46uittCg4+GT+Qc82rz3Xje439SR4LH4=
+    MAILER_SMTP_SSL: AgBP4tbeiU7J4+exn1vup8r4wa5/6DXJN/sOgXIB6V5bVPlGCdNKBlILJAgR5ECRVLClB11Bqg+VPopkpX7VApd3ap5OwmXyyIodvsNoqTZ3p+OQlMsZhXoXIB29s4RdIwYcTil9jaEN3oKiYXRjWmcevO3rtuqUsy/maB74/tA1hAUarJ2brJDB8P/iqNIARk9EDLjWvU1pfiKiXG9FD1gUqeedvErcmCM8jdHndlk78wws7uwCT/w2fAItMEuWcbw97ULW+hAl1A92b6HwDIJdOpHBoC59msJvlAIc7k11siQ9gCpPljZyJRCKxi32+fkFvxV/kgCtrPKQbYhYjDdLNqrljUPXhXG9S9/z4EqCIn2Bx1Qu6jsBfRSfN0b1RID/SdTqaCyDhu/WSjb5xN5Fj4C9sRHSeO4TMzcKLBTAmYJ1J3Ajquu1zzjzkApEMon6nSoYvISP4Qs9alH0FyqTYttObQ02A8vV6dzOrhoaSfKvbeCRb4dXXZrD6BY8me5uaHfAimIjzGq8U5psYRUpZxiyfIJnmH97XMYPS3I7BHU5P7EpqpQmrpX6QlWzNcZ6fRKA4qM2fU1LagNWO+AZOEfGzCKzvJoMWDS4A+bT1IJvMOymF8BdFWhawLdLZK0gXnhhXozjKr/17cQeVzgV4GUNrv4rUFusTEWOdotLRbRC/QqToduND7PDJJgAYEZP
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/namespace-wide: 'true'
+      name: smtp-app
+    type: Opaque

.kontinuous/values.yaml

@@ -81,6 +81,47 @@ app:
         secretKeyRef:
           name: "{{ .Values.global.pgSecretName }}"
           key: PGSSLMODE
+    # SMTP (Tipimail in prod, MailDev on dev/preprod). The smtp-app
+    # sealed-secret is kept as-is from the V1 prod setup, with MAILER_*
+    # keys. We remap to the V2 SMTP_* names expected by src/env.js.
+    #
+    # Kubernetes precedence: `env` runs AFTER `envFrom`, so an `env` entry
+    # would normally override a same-named envFrom value. But with
+    # `optional: true` on a missing secret/key, the env entry is silently
+    # dropped and the envFrom value is preserved. That is exactly the
+    # fallback we rely on for dev/preprod review apps (no smtp-app
+    # secret) where SMTP_HOST, SMTP_PORT, etc. come from the `mail`
+    # configmap pointing at the in-cluster MailDev service.
+    - name: SMTP_HOST
+      valueFrom:
+        secretKeyRef:
+          name: smtp-app
+          key: MAILER_SMTP_HOST
+          optional: true
+    - name: SMTP_PORT
+      valueFrom:
+        secretKeyRef:
+          name: smtp-app
+          key: MAILER_SMTP_PORT
+          optional: true
+    - name: SMTP_USER
+      valueFrom:
+        secretKeyRef:
+          name: smtp-app
+          key: MAILER_SMTP_LOGIN
+          optional: true
+    - name: SMTP_PASS
+      valueFrom:
+        secretKeyRef:
+          name: smtp-app
+          key: MAILER_SMTP_PASSWORD
+          optional: true
+    - name: SMTP_SECURE
+      valueFrom:
+        secretKeyRef:
+          name: smtp-app
+          key: MAILER_SMTP_SSL
+          optional: true
   vars:
     NEXTAUTH_URL: "https://{{ .Values.global.host }}/api/auth"
     NEXT_PUBLIC_EGAPRO_ENV: "{{ .Values.global.env }}"

packages/app/src/env.js

@@ -88,6 +88,10 @@ export const env = createEnv({
 		SMTP_PORT: z.coerce.number().int().positive().default(1025),
 		SMTP_USER: z.string().optional(),
 		SMTP_PASS: z.string().optional(),
+		SMTP_SECURE: z
+			.string()
+			.default("false")
+			.transform((v) => v.toLowerCase() === "true"),
 		MAIL_FROM: z.string().default("no-reply@egapro.local"),
 		// Valkey cache URL — optional. When absent, the custom
 		// cache handler (cache-handler.cjs) gracefully degrades to no-op.
@@ -150,6 +154,7 @@ export const env = createEnv({
 		SMTP_PORT: process.env.SMTP_PORT,
 		SMTP_USER: process.env.SMTP_USER,
 		SMTP_PASS: process.env.SMTP_PASS,
+		SMTP_SECURE: process.env.SMTP_SECURE,
 		MAIL_FROM: process.env.MAIL_FROM,
 		VALKEY_URL: process.env.VALKEY_URL,
 		NEXT_PUBLIC_EGAPRO_ENV: process.env.NEXT_PUBLIC_EGAPRO_ENV,

packages/app/src/modules/mail/transporter.ts

@@ -15,7 +15,7 @@ export function getTransporter(): Transporter {
 	cachedTransporter = nodemailer.createTransport({
 		host: env.SMTP_HOST,
 		port: env.SMTP_PORT,
-		secure: false,
+		secure: env.SMTP_SECURE,
 		auth,
 	});