30 changes: 15 additions & 15 deletions charts/mailu/README.md
@@ -283,17 +283,6 @@ Check that the deployed pods are all running.
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |

### Proxy auth configuration

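Review bot: the deprecation guard in `_helpers.tpl` should catch the keys this hunk removes. A values file that still carries `ingress.realIpHeader`, `ingress.realIpFrom`, `ingress.tlsFlavorOverride` or `ingress.proxyProtocol.*` will have them silently ignored after upgrade: for `ingress.realIpHeader` the real-IP header stops being honoured, and for `ingress.realIpFrom` a PROXY protocol deployment only fails later at template time with a message about a key the operator never set. Suggest appending each removed key to `$oldValues` alongside the existing `ingress.tlsFlavor` entry so `helm upgrade` refuses the stale values with a clear message.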
@@ -312,6 +301,17 @@ Check that the deployed pods are all running.
| `front.image.tag` | Pod image tag (defaults to mailuVersion if set, otherwise Chart.AppVersion) | `""` |
| `front.image.pullPolicy` | Pod image pull policy | `IfNotPresent` |
| `front.hostPort.enabled` | Expose front mail ports via hostPort | `true` |
| `front.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `""` |
| `front.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
| `front.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
| `front.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
| `front.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
| `front.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
| `front.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
| `front.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
| `front.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
| `front.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
| `front.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |
| `front.externalService.enabled` | Expose front mail ports via external service (ClusterIP or LoadBalancer) | `false` |
| `front.externalService.type` | Service type (ClusterIP or LoadBalancer) | `ClusterIP` |
| `front.externalService.externalTrafficPolicy` | Service externalTrafficPolicy (Cluster or Local) | `Local` |
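Review bot: the default for `front.realIpHeader` is `""`, whereas the removed `ingress.realIpHeader` row defaulted to `X-Forwarded-For`, so a default install no longer derives the client address from that header. If that is intended, it deserves a line in the upgrade notes or changelog rather than only a changed table cell. It would also help to state in the `front.realIpHeader` and `front.realIpFrom` descriptions that the header is trusted only from the addresses listed in `front.realIpFrom`; with a header configured and `realIpFrom` left broad (the environment-variable table on this page lists a chart default of `0.0.0.0/0` for `REAL_IP_FROM`), any client reaching `front` can present an arbitrary source address.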
@@ -1073,7 +1073,7 @@ The default ingress is handled externally. In some situations, this is problemat
on the same address as the exposed ports. Kubernetes services cannot provide such capabilities without vendor-specific annotations.

By setting `ingress.enabled` to false, the internal NGINX instance provided by `front` will configure TLS according to
`ingress.tlsFlavorOverride` and redirect `http` scheme connections to `https`.
`front.tlsFlavorOverride` and redirect `http` scheme connections to `https`.

CAUTION: This configuration exposes `/admin` to all clients with access to the web UI.

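Review bot: the sentence now says TLS is configured according to `front.tlsFlavorOverride`, but that value defaults to `""`, in which case the `mailu.tlsFlavor` helper falls back to its `ingress.tls` check. A reader who has just set `ingress.enabled` to false needs to know what the fallback is, so suggest adding a clause such as "(when the override is unset, the flavor is derived from `ingress.tls`)".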
@@ -1213,8 +1213,8 @@ The table below lists the environment variables that will be passed to the pods
| `RATELIMIT_STORAGE_URL` | - | Managed by Helm chart | `` | |
| `RECAPTCHA_PRIVATE_KEY` | - | | `` | `` |
| `RECAPTCHA_PUBLIC_KEY` | - | | `` | `` |
| `REAL_IP_FROM` | `ingress.realIpFrom` | | `` | `0.0.0.0/0` |
| `REAL_IP_HEADER` | `ingress.realIpHeader` | | `` | `X-Forwarded-For` |
| `REAL_IP_FROM` | `front.realIpFrom` | | `` | `0.0.0.0/0` |
| `REAL_IP_HEADER` | `front.realIpHeader` | | `` | `` |
| `RECIPIENT_DELIMITER` | `recipientDelimiter` | | `` | `+` |
| `REJECT_UNLISTED_RECIPIENT` | - | | `yes` | `yes` |
| `RELAYHOST` | `externalRealy.host` | | `` | `` |
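Review bot: `REAL_IP_FROM` is listed here with a Helm chart default of `0.0.0.0/0`, but the parameter table earlier on this page gives `front.realIpFrom` a default of `""`; one of the two is stale. The difference matters: `""` makes the `mailu.proxyProtocolPorts` helper fail as soon as PROXY protocol is enabled for any port, while `0.0.0.0/0` passes that check but trusts real-IP information from every source. Please align both tables with values.yaml and, if the broad default stays, say in the description that it should be narrowed to the upstream proxy's address range.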
@@ -1232,7 +1232,7 @@ The table below lists the environment variables that will be passed to the pods
| `SUBNET6` | `subnet6` | _warning: IPv6 support with Kubernetes is untested_ | `None` | `none` |
| `SUBNET` | `subnet` | | `192.168.203.0/24` | `10.42.0.0/16` |
| `TEMPLATES_AUTO_RELOAD` | - | | `True` | `True` |
| `TLS_FLAVOR` | `ingress.tlsFlavorOverride` | | `cert` | `cert` |
| `TLS_FLAVOR` | `front.tlsFlavorOverride` | | `cert` | `cert` |
| `TLS_PERMISSIVE` | - | | `True` | `True` |
| `TZ` | `timezone` | | `Etc/UTC` | `Etc/UTC` |
| `WEB_ADMIN` | `admin.uri` | | `/admin` | `/admin` |
8 changes: 4 additions & 4 deletions charts/mailu/templates/_helpers.tpl
@@ -70,8 +70,8 @@ Get MailU domain name or throw an error if not set

{{/* Get the MailU TLS Flavor */}}
{{- define "mailu.tlsFlavor" -}}
{{- if .Values.ingress.tlsFlavorOverride -}}
{{- .Values.ingress.tlsFlavorOverride -}}
{{- if .Values.front.tlsFlavorOverride -}}
{{- .Values.front.tlsFlavorOverride -}}
{{- else -}}
{{- if .Values.ingress.tls -}}
{{- print "cert" -}}
@@ -137,8 +137,8 @@ Only "master" is allowed to be used as a version other than the semver notation.
{{- end -}}
{{- end -}}

{{- if .Values.ingress.tlsFlavor -}}
{{- $oldValues = append $oldValues "ingress.tlsFlavor" -}}
{{- if .Values.front.tlsFlavor -}}
{{- $oldValues = append $oldValues "front.tlsFlavor" -}}
{{- end -}}

{{- if .Values.ingress.externalIngress -}}
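Review bot: this rename breaks the deprecation check instead of updating it. `$oldValues` collects keys the chart no longer supports so that it can refuse them; `ingress.tlsFlavor` was the old spelling and should stay on the list, and `front.tlsFlavor` has never been a chart value, so after this change neither the historical key nor the keys removed in this PR (`ingress.tlsFlavorOverride`, `ingress.realIpFrom`, `ingress.realIpHeader`, `ingress.proxyProtocol`) is flagged. Suggest restoring the `ingress.tlsFlavor` entry and adding the newly removed `ingress.*` keys alongside it.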
108 changes: 52 additions & 56 deletions charts/mailu/templates/_services.tpl
@@ -177,31 +177,29 @@ Service fqdn (within cluster) can be retrieved with `mailu.SERVICE.serviceFqdn`
{{- $enabledPorts = append $enabledPorts "443" -}}
{{- end -}}

{{- if .Values.front.externalService.enabled -}}
{{- if .Values.front.externalService.ports.pop3 -}}
{{- $enabledPorts = append $enabledPorts "110" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.pop3s -}}
{{- $enabledPorts = append $enabledPorts "995" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imap -}}
{{- $enabledPorts = append $enabledPorts "143" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imaps -}}
{{- $enabledPorts = append $enabledPorts "993" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtp -}}
{{- $enabledPorts = append $enabledPorts "25" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtps -}}
{{- $enabledPorts = append $enabledPorts "465" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.submission -}}
{{- $enabledPorts = append $enabledPorts "587" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.manageSieve -}}
{{- $enabledPorts = append $enabledPorts "4190" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.pop3 -}}
{{- $enabledPorts = append $enabledPorts "110" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.pop3s -}}
{{- $enabledPorts = append $enabledPorts "995" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imap -}}
{{- $enabledPorts = append $enabledPorts "143" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imaps -}}
{{- $enabledPorts = append $enabledPorts "993" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtp -}}
{{- $enabledPorts = append $enabledPorts "25" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtps -}}
{{- $enabledPorts = append $enabledPorts "465" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.submission -}}
{{- $enabledPorts = append $enabledPorts "587" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.manageSieve -}}
{{- $enabledPorts = append $enabledPorts "4190" -}}
{{- end -}}

{{- $enabledPortsString := join "," $enabledPorts -}}
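Review bot: dropping the `{{- if .Values.front.externalService.enabled -}}` guard changes which ports this helper reports: the `front.externalService.ports.*` toggles now take effect even when the external service is disabled, i.e. for the hostPort path that the README shows enabled by default, yet the key names still say `externalService`. Confirm that the guard's matching `{{- end -}}` was removed as well (it is not in the visible context of this hunk), and either document that `front.externalService.ports.*` governs the port list in both exposure modes or move the toggles under a neutral key (for example a hypothetical `front.ports.*`).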
@@ -212,42 +210,40 @@ Service fqdn (within cluster) can be retrieved with `mailu.SERVICE.serviceFqdn`
{{- define "mailu.proxyProtocolPorts" -}}
{{- $proxyProtocolPorts := list -}}

{{- if .Values.front.externalService.enabled -}}
{{- if and .Values.front.externalService.ports.pop3 .Values.ingress.proxyProtocol.pop3 -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "110" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.pop3s .Values.ingress.proxyProtocol.pop3s -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "995" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.imap .Values.ingress.proxyProtocol.imap -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "143" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.imaps .Values.ingress.proxyProtocol.imaps -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "993" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.smtp .Values.ingress.proxyProtocol.smtp -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "25" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.smtps .Values.ingress.proxyProtocol.smtps -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "465" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.submission .Values.ingress.proxyProtocol.submission -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "587" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.manageSieve .Values.ingress.proxyProtocol.manageSieve -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "4190" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.pop3 .Values.front.proxyProtocol.pop3 -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "110" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.pop3s .Values.front.proxyProtocol.pop3s -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "995" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.imap .Values.front.proxyProtocol.imap -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "143" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.imaps .Values.front.proxyProtocol.imaps -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "993" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.smtp .Values.front.proxyProtocol.smtp -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "25" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.smtps .Values.front.proxyProtocol.smtps -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "465" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.submission .Values.front.proxyProtocol.submission -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "587" -}}
{{- end -}}
{{- if and .Values.front.externalService.ports.manageSieve .Values.front.proxyProtocol.manageSieve -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "4190" -}}
{{- end -}}

{{- $proxyProtocolPortsString := join "," $proxyProtocolPorts -}}
{{/* if any ports are enabled and .ingress.realIpFrom is empty, fail */}}
{{- if and (gt (len $proxyProtocolPorts) 0) (not .Values.ingress.realIpFrom) -}}
{{- fail "PROXY protocol is enabled for some ports, but ingress.realIpFrom is not set" -}}
{{/* if any ports are enabled and .front.realIpFrom is empty, fail */}}
{{- if and (gt (len $proxyProtocolPorts) 0) (not .Values.front.realIpFrom) -}}
{{- fail "PROXY protocol is enabled for some ports, but front.realIpFrom is not set" -}}
{{- end -}}

{{/* if any ports are enabled and .ingress.realIpHeader is set, fail */}}
{{- if and (gt (len $proxyProtocolPorts) 0) .Values.ingress.realIpHeader -}}
{{- fail "PROXY protocol is enabled for some ports, but ingress.realIpHeader is set" -}}
{{/* if any ports are enabled and .front.realIpHeader is set, fail */}}
{{- if and (gt (len $proxyProtocolPorts) 0) .Values.front.realIpHeader -}}
{{- fail "PROXY protocol is enabled for some ports, but front.realIpHeader is set" -}}
{{- end -}}

{{- printf "%s" $proxyProtocolPortsString -}}
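Review bot: same guard removal as in the enabled-ports helper above; with it gone, `PROXY_PROTOCOL` can now list ports for a hostPort-only deployment, which is only correct if the operator's upstream proxy really speaks PROXY protocol to those hostPorts. The two `fail` checks cover an empty `front.realIpFrom` and a `front.realIpHeader` set together with PROXY protocol, but nothing rejects the combination of PROXY protocol with `front.realIpFrom` left at the broad `0.0.0.0/0` chart default shown in the README, which lets any peer that can reach the port hand `front` a forged client address. Suggest a third check, or at least extending the fail messages with a hint that `front.realIpFrom` should be the proxy's CIDR.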
4 changes: 2 additions & 2 deletions charts/mailu/templates/envvars-configmap.yaml
@@ -71,8 +71,8 @@ data:
PROXY_AUTH_WHITELIST: {{ .Values.proxyAuth.whitelist | quote }}
PROXY_PROTOCOL: {{ include "mailu.proxyProtocolPorts" . | quote }}
RATELIMIT_STORAGE_URL: {{ printf "redis://%s:%s/%s" (include "mailu.redis.serviceFqdn" .) (include "mailu.redis.port" .) (include "mailu.redis.db.rateLimit" .) }}
REAL_IP_FROM: {{ .Values.ingress.realIpFrom | quote }}
REAL_IP_HEADER: {{ .Values.ingress.realIpHeader | quote }}
REAL_IP_FROM: {{ .Values.front.realIpFrom | quote }}
REAL_IP_HEADER: {{ .Values.front.realIpHeader | quote }}
RECAPTCHA_PRIVATE_KEY: ""
RECAPTCHA_PUBLIC_KEY: ""
RECIPIENT_DELIMITER: {{ .Values.recipientDelimiter | quote }}