323 task create helm subchart for clamav service#326

Draft
Aravinda-HWK wants to merge 11 commits into LSFLK:main from Aravinda-HWK:323-task-create-helm-subchart-for-clamav-service
Conversation

@Aravinda-HWK
Collaborator

📌 Description

Adds a new Helm subchart for ClamAV so the Silver mail stack can run virus scanning as part of the Kubernetes deployment.

Closes #323


🔍 Changes Made

  • Added a new ClamAV Helm subchart with Kubernetes manifests for the ClamAV daemon
  • Exposed the ClamAV service on TCP port 3310 for rspamd integration
  • Added persistent storage for ClamAV signature data
  • Added startup and health check handling for ClamAV initialization
  • Wired the subchart into the Silver umbrella chart with an enable/disable toggle
  • Updated rspamd configuration to point to the new ClamAV service
  • Added chart documentation and deployment notes

✅ Checklist (Email System)

  • Core services tested (SMTP, IMAP, mail storage, end-to-end delivery)
  • Security & compliance verified (auth via Thunder IDP, TLS, DKIM/SPF/DMARC, spam/virus filtering)
  • Configuration & deployment checked (configs generated, Docker/Compose updated)
  • Reliability confirmed (error handling, logging, monitoring)
  • Documentation & usage notes updated (README, deployment, API)

🧪 Testing Instructions

  1. Deploy the Silver chart with ClamAV enabled
  2. Verify the ClamAV pod starts successfully
  3. Check the service is reachable on port 3310
  4. Confirm rspamd can connect to ClamAV and scan traffic

📷 Screenshots / Logs (if applicable)


⚠️ Notes for Reviewers

  • This adds a new internal service for antivirus scanning
  • ClamAV requires persistent storage for signature data
  • rspamd now depends on the ClamAV service name configured by the umbrella chart
  • Resource limits may need tuning depending on the target Kubernetes node size

Aravinda-HWK and others added 11 commits April 3, 2026 10:44
- Introduced Redis chart with service, statefulset, and service account templates.
- Added Rspamd chart including service, statefulset, config maps, and network policies.
- Implemented liveness and readiness probes for both Redis and Rspamd.
- Configured persistence for Redis and Rspamd with volume claim templates.
- Created helper templates for both charts to manage naming and labels.
- Added README files for both charts with installation and configuration instructions.
- Established dependencies between Rspamd and Redis, Unbound, and ClamAV.
…lates (LSFLK#320)

* Create Helm subchart for OpenDKIM service with configuration and templates

* Add detailed local testing instructions for OpenDKIM chart

* Refactor OpenDKIM Helm chart: remove PVC template and adjust workload.yaml for persistence handling
@Aravinda-HWK Aravinda-HWK requested a review from maneeshaxyz April 8, 2026 17:00
@Aravinda-HWK Aravinda-HWK self-assigned this Apr 8, 2026
@Aravinda-HWK
Collaborator Author

@maneeshaxyz Can you have a look at this PR as well?

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces new Helm subcharts for Redis, Unbound, ClamAV, and Rspamd to the silver umbrella chart. The review identified several security and configuration improvements, including the need to run containers as non-root users, the use of more restrictive file permissions, and the replacement of fragile string manipulation in Helm templates with more robust integer-based configurations.

Comment on lines +25 to +27
privileged: true
allowPrivilegeEscalation: true
runAsUser: 0
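Review bot: `privileged: true` in these three securityContext lines also fails the Kubernetes Pod Security Standards `baseline` level, so the Unbound pod will be rejected outright in any namespace labelled `pod-security.kubernetes.io/enforce=baseline` (or `restricted`), independent of the root-user concern. If Unbound has to listen on 53 inside the container, `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` is sufficient; alternatively set Unbound's own `port:` option to an unprivileged value such as 5353 and map the Service's port 53 onto it, which needs no added capability at all.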
Contributor

Severity: security-critical

Running Unbound with privileged: true and as root is a significant security risk. Unbound should run as a non-privileged user. If it needs to bind to port 53, use the NET_BIND_SERVICE capability instead of full privileges.

  privileged: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
  runAsUser: 100

command:
- /bin/sh
- -c
- chmod -R 0777 /var/lib/clamav /var/log/clamav /var/run/clamav
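Review bot: the `chmod -R 0777` in this init command runs on every pod start against a persistent volume, so it re-walks the whole signature database each time and also widens the mode of files clamd has created since. Setting `fsGroup: 101` in the pod-level `securityContext` makes the kubelet apply group ownership to the mounted PVC and removes the need for this init container entirely; if an ownership repair is still wanted for volumes created by the current chart, `chown -R 100:101` plus `0750` on `/var/lib/clamav` is enough, and `/var/run/clamav` is better served by an `emptyDir` than by a chmod of the image layer.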
Contributor

Severity: security-high

Setting directory permissions to 0777 is a security risk as it allows any user in the container to write to these paths. It is better to change the ownership of the directories to the specific user running the application (typically UID 100 for ClamAV) and use more restrictive permissions like 0770.

    - chmod -R 0770 /var/lib/clamav /var/log/clamav /var/run/clamav && chown -R 100:101 /var/lib/clamav /var/log/clamav /var/run/clamav

Comment on lines +31 to +32
runAsUser: 0
runAsNonRoot: false
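Review bot: `runAsNonRoot: false` on the second line switches off the one check the kubelet would otherwise make at container start (with `runAsNonRoot: true` it refuses to launch a process as UID 0), so it should flip to `true` together with `runAsUser: 100` rather than being adjusted separately. With a non-root UID the PVC mounted at `/var/lib/clamav` must be writable by that user, which a pod-level `fsGroup` (or the chown in the init container) has to guarantee; otherwise freshclam cannot write updated signatures and the pod will run with a stale database.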
Contributor

Severity: security-medium

Running the ClamAV pod as root (runAsUser: 0) is not recommended for security reasons. The official ClamAV image is designed to run as a non-root user (UID 100).

  runAsUser: 100
  runAsNonRoot: true

host: silver-clamav
port: 3310
strictInitChecks: true
initCheckTimeout: 60s
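Review bot: `host: silver-clamav` on the first line hard-codes the umbrella release name into the rspamd values, so installing the chart under any other release name (or with a `fullnameOverride` on the ClamAV subchart) breaks the ClamAV lookup that the PR description says rspamd now depends on. Prefer deriving the host from the ClamAV subchart's fullname helper in the template, or document in the chart README that this value must be overridden per release. The integer `initCheckTimeout` suggested above should land together with the removal of the `replace "s" ""` in the StatefulSet, since either change on its own leaves the template broken.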
Contributor

Severity: medium

It is better to define the timeout as a raw integer (seconds) to avoid fragile string manipulation in the Helm templates. The current replace logic in the StatefulSet will fail if the value is provided in minutes or as a raw integer.

  initCheckTimeout: 60

- -c
- |
echo "Checking Redis connectivity at {{ .Values.dependencies.redis.host }}:{{ .Values.dependencies.redis.port }}"
timeout_sec={{ .Values.dependencies.initCheckTimeout | replace "s" "" }}
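Review bot: the values on the `echo` and `timeout_sec=` lines are interpolated into the shell script unquoted, so a value containing whitespace or shell metacharacters breaks the script instead of failing the check cleanly; pass them through `| quote` (and drop `replace "s" ""` once the value is an integer). Wrapping the timeout in `required "dependencies.initCheckTimeout must be set"` additionally makes a missing value fail at `helm template` time rather than at pod start, where it would surface as a confusing shell error in the init container logs.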
Contributor

Severity: medium

The replace "s" "" logic is fragile. If the timeout is defined as an integer in values.yaml, this filter can be removed to simplify the template.

              timeout_sec={{ .Values.dependencies.initCheckTimeout }}

Comment on lines +21 to +22
runAsUser: 0
runAsNonRoot: false
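Review bot: same pattern as the ClamAV workload, `runAsUser: 0` with `runAsNonRoot: false` on the Unbound pod. Before adopting the suggested `runAsUser: 100`, confirm that it matches the UID the Unbound image actually creates for its service user (check the image's Dockerfile or run `id` in a test container); a mismatch leaves the config and trust-anchor files unreadable, Unbound exits at startup, and the liveness/readiness probes this PR adds would then report a crash loop rather than a permissions problem.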
Contributor

Severity: security-medium

Running the Unbound pod as root is not recommended. It should be configured to run as a non-root user for better security posture.

  runAsUser: 100
  runAsNonRoot: true
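Pulling the review's hardening points together for the ClamAV workload, the following is an added example pod spec fragment, not code from the PR or the LSFLK project; it assumes the official ClamAV image's UID 100 / GID 101 cited in the review, and the image tag, volume size and volume names are placeholders.

```yaml
# Added example, not from the PR: ClamAV StatefulSet pod spec with the review fixes.
# Assumes the image's clamav user is UID 100 / GID 101; tag and size are placeholders.
spec:
  template:
    spec:
      securityContext:                     # pod level: applies to every container
        runAsUser: 100
        runAsGroup: 101
        runAsNonRoot: true                 # kubelet refuses to start the container as UID 0
        fsGroup: 101                       # kubelet sets group ownership on the mounted PVC,
                                           # which replaces the chmod -R 0777 init container
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: clamd
          image: clamav/clamav:stable      # placeholder tag
          ports:
            - name: clamd
              containerPort: 3310          # the port rspamd connects to
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]                # clamd on port 3310 needs no capability
          volumeMounts:
            - name: clamav-data
              mountPath: /var/lib/clamav   # signature database, persisted
            - name: clamav-run
              mountPath: /var/run/clamav   # socket/pid directory, not worth persisting
          startupProbe:                    # first signature load can take minutes
            tcpSocket:
              port: clamd
            periodSeconds: 10
            failureThreshold: 90           # allow up to 15 minutes before restart
          readinessProbe:
            tcpSocket:
              port: clamd
            periodSeconds: 30
      volumes:
        - name: clamav-run
          emptyDir: {}
  volumeClaimTemplates:
    - metadata:
        name: clamav-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 2Gi                   # placeholder size
```

`fsGroup` is applied by the kubelet only for volume types that support ownership management, so verify on the target storage class that `/var/lib/clamav` is group-writable before removing the init container.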

Successfully merging this pull request may close these issues.

[TASK] Create Helm Subchart for ClamAV Service