[mailserver] Retire Dovecot exporter + scrape + alerts [ci skip]

## Context code-vnc confirmed `viktorbarzin/dovecot_exporter` cannot produce real metrics against docker-mailserver 15.0.0's Dovecot 2.3.19 — the exporter speaks the pre-2.3 `old_stats` FIFO protocol, which Dovecot 2.3 deprecated in favour of `service stats` + `doveadm-server` with a different wire format. The scrape only ever returned `dovecot_up{scope="user"} 0`. code-1ik listed two paths: (a) switch to a Dovecot 2.3+ exporter, or (b) retire the exporter + scrape + alerts. Picking (b) — carrying a no-op exporter + scrape + alert group taxes cluster resources, clutters Prometheus /targets, and tees up an alert that can never fire correctly. If a future session needs real Dovecot stats, reach for a known-good exporter (e.g., jtackaberry/dovecot_exporter) and rebuild this scaffolding. ## This change ### mailserver stack - Removes the `dovecot-exporter` container from `kubernetes_deployment.mailserver` (was ~28 lines). Pod now runs a single `docker-mailserver` container. - Removes `kubernetes_service.mailserver_metrics` (ClusterIP Service added in code-izl). The `mailserver` LoadBalancer (ports 25, 465, 587, 993) is unaffected. - Drops the dovecot.cf comment documenting the failed code-vnc attempt — the documentation survives here + in bd code-vnc / code-1ik. ### monitoring stack - Removes `job_name: 'mailserver-dovecot'` from `extraScrapeConfigs`. - Removes the `Mailserver Dovecot` PrometheusRule group (`DovecotConnectionsNearLimit`, `DovecotExporterDown`). - Inline comments in both files point future work at code-1ik's decision record. Prometheus configmap-reload picked up the change; scrape target set now has zero entries for `mailserver-dovecot`. Pod rolled cleanly to 1/1 Running. ## What is NOT in this change - No replacement exporter — deliberate. The alert that was removed was a false-signal alert; its removal returns cluster alerting to a correct, lower-noise state. - mailserver MetalLB Service + SMTP/IMAP ports — unchanged. - `auth_failure_delay`, `mail_max_userip_connections` — stay; those are unrelated to stats export. ## Test Plan ### Automated ``` $ kubectl get pod -n mailserver -l app=mailserver NAME READY STATUS RESTARTS AGE mailserver-78589bfd95-swz6h 1/1 Running 0 49s $ kubectl get svc -n mailserver NAME TYPE PORT(S) mailserver LoadBalancer 25/TCP,465/TCP,587/TCP,993/TCP roundcubemail ClusterIP 80/TCP # mailserver-metrics gone $ kubectl exec -n monitoring <prom-pod> -c prometheus-server -- \ wget -qO- 'http://localhost:9090/api/v1/targets?scrapePool=mailserver-dovecot' {"status":"success","data":{"activeTargets":[]}} ``` ### Manual Verification 1. E2E probe `email-roundtrip-monitor` keeps succeeding (20-min cadence) 2. `EmailRoundtripFailing` stays green — proves IMAP is healthy even without the exporter signal 3. Prometheus `/alerts` page no longer shows DovecotConnectionsNearLimit or DovecotExporterDown Closes: code-1ik Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 11:01:07 +00:00 · 2026-04-19 11:01:07 +00:00 · a5df175a67
commit a5df175a67
parent 137404a6a2
2 changed files with 16 additions and 97 deletions
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
@ -139,17 +139,6 @@ resource "kubernetes_config_map" "mailserver_config" {
    # attempt waits 5s before responding, stretching a 1000-password
    # dictionary attack from <1s to ~85min. Addresses code-9mi.
    auth_failure_delay = 5s
-    # NOTE (code-vnc 2026-04-19): `viktorbarzin/dovecot_exporter`
-    # expects the legacy old_stats FIFO wire protocol. Dovecot 2.3 still
-    # supports the `old_stats` plugin, but docker-mailserver 15.0.0
-    # ships `service stats` (new architecture) as the default. Mixing
-    # the two — enabling old_stats + declaring `service old-stats
-    # unix_listener stats-reader` — makes `doveadm stats dump` fail
-    # with "Failed to read VERSION line" and the exporter loops on
-    # "Input does not provide any columns". A real fix requires either
-    # a newer exporter that speaks Dovecot 2.3 `doveadm-server` /
-    # HTTP stats, or retiring the exporter entirely. Tracked as a
-    # follow-up task.
    EOF
    fail2ban_conf = <<-EOF
    [DEFAULT]
@ -467,33 +456,6 @@ resource "kubernetes_deployment" "mailserver" {

        }

-        container {
-          name  = "dovecot-exporter"
-          image = "viktorbarzin/dovecot_exporter@sha256:1114224c9bf0261ca8e9949a6b42d3c5a2c923d34ca4593f6b62f034daf14fc5"
-          command = [
-            "/dovecot_exporter/exporter",
-            "--dovecot.socket-path=/var/run/dovecot/stats-reader"
-          ]
-          image_pull_policy = "IfNotPresent"
-          port {
-            name           = "dovecotexporter"
-            container_port = 9166
-            protocol       = "TCP"
-          }
-          volume_mount {
-            name       = "var-run-dovecot"
-            mount_path = "/var/run/dovecot"
-          }
-          resources {
-            requests = {
-              cpu    = "10m"
-              memory = "32Mi"
-            }
-            limits = {
-              memory = "32Mi"
-            }
-          }
-        }

        volume {
          name = "config"
@ -597,35 +559,13 @@ resource "kubernetes_service" "mailserver" {
  }
 }

-# Split the Dovecot metrics port off the public LB and onto its own
-# ClusterIP Service. Port 9166 was only LAN-routable via 10.0.20.202
-# but was over-exposed for a Prometheus-internal metric. Addresses
-# code-izl. Prometheus scrape target follows in
-# stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
-# (updated to `mailserver-metrics.mailserver.svc.cluster.local:9166`).
-resource "kubernetes_service" "mailserver_metrics" {
-  metadata {
-    name      = "mailserver-metrics"
-    namespace = kubernetes_namespace.mailserver.metadata[0].name
-    labels = {
-      app = "mailserver"
-    }
-  }
-
-  spec {
-    type = "ClusterIP"
-    selector = {
-      app = "mailserver"
-    }
-
-    port {
-      name        = "dovecot-metrics"
-      protocol    = "TCP"
-      port        = 9166
-      target_port = 9166
-    }
-  }
-}
+# The `mailserver-metrics` ClusterIP Service (formerly split from the
+# main LB in code-izl) was retired in code-1ik when the Dovecot
+# exporter was removed — the exporter spoke the pre-Dovecot-2.3
+# old_stats protocol which docker-mailserver 15.0.0 no longer
+# emits, so the scrape was a no-op. If a working exporter is ever
+# re-introduced, add back: ClusterIP Service exposing port 9166
+# with selector app=mailserver.

 # =============================================================================
 # E2E Email Roundtrip Monitor