2.9 KiB · text 5af55d9
# Example SMTP relay secret + non-secret config for the git_gud
# deployment.
#
# git_gud uses Swoosh's gen_smtp adapter when `SMTP_RELAY` is set on
# the pod — otherwise it falls back to `Swoosh.Adapters.Logger`, which
# writes the rendered email to the pod log at :info level. That's fine
# for development; for production you want a real relay so magic-link
# logins and email-change confirmations land in real inboxes.
#
# Copy this file to `smtp-secret.yml` (gitignored), drop in the real
# values, then `kubectl apply -f smtp-secret.yml`. The Deployment in
# app.yml will pick the values up via `envFrom: secretRef` after a
# `rollout restart`.
#
# Tested with: Postmark, Mailgun's SMTP endpoint, AWS SES, Fastmail.
# Just about anything that speaks SMTP submission works.
#
# Two pieces:
#
# * `smtp-creds` (Opaque Secret) — username + password
# * `smtp-config` (ConfigMap) — non-secret host/port/tls knobs
apiVersion: v1
kind: Secret
metadata:
name: smtp-creds
namespace: git-gud
type: Opaque
stringData:
# SMTP auth. Many providers use an API token or app password rather
# than the real account password — check your provider's docs.
SMTP_USERNAME: "REPLACE_ME"
SMTP_PASSWORD: "REPLACE_ME"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: smtp-config
namespace: git-gud
data:
# Host + port for the submission endpoint. Two common combos:
#
# Port 465 (implicit TLS — modern default for most managed relays):
# SMTP_PORT: "465"
# SMTP_SSL: "true"
# SMTP_TLS: "never"
#
# Port 587 (STARTTLS submission):
# SMTP_PORT: "587"
# SMTP_SSL: "false"
# SMTP_TLS: "if_available" # or :always to require STARTTLS
#
# Important: with `SMTP_SSL: "true"` (port 465) you MUST set
# `SMTP_TLS: "never"` — `always` triggers a second :ssl.connect
# over an already-TLS socket with gen_smtp's bare defaults, which
# fails options validation. 25 is plaintext and almost always
# blocked on the egress side.
SMTP_RELAY: "smtp.example.com"
SMTP_PORT: "465"
SMTP_SSL: "true"
SMTP_TLS: "never"
# SMTP AUTH knob. `always` will fail if the server doesn't advertise
# AUTH; `if_available` is the safe default for mixed setups.
SMTP_AUTH: "always"
# TLS cert verification:
# * `verify_peer` (default) validates the relay's cert chain.
# `SMTP_CACERTFILE` points at the system CA bundle; defaults to
# `/etc/ssl/certs/ca-certificates.crt` (debian-slim). Override
# if you ship the image on a different distro.
# * `verify_none` skips validation entirely — only for self-signed
# / private relays where you can't get the CA into the bundle.
SMTP_TLS_VERIFY: "verify_peer"
# SMTP_CACERTFILE: "/etc/ssl/certs/ca-certificates.crt"
# Optional From overrides. If unset the mailer defaults to
# "GitGud" <noreply@<PHX_HOST>>.
MAIL_FROM_NAME: "GitGud"
# MAIL_FROM_ADDRESS: "noreply@example.com"