fix: Fix Traefik TLS verification to front #390

Open
wants to merge 1 commit into
base: master
56 changes: 29 additions & 27 deletions mailu/README.md
Expand Up @@ -267,33 +267,35 @@ Check that the deployed pods are all running.

### Ingress settings

| Name | Description | Value |
| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `ingress.enabled` | Enable external ingress | `true` |
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `ingress.path` | Default path for the ingress record | `/` |
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` |
| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` |
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |
| Name | Description | Value |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `ingress.enabled` | Enable external ingress | `true` |
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `ingress.path` | Default path for the ingress record | `/` |
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` |
| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` |
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |
| `ingress.type` | Ingress type (nginx or traefik) | `nginx` |
| `ingress.traefik.insecureSkipVerify` | Disable TLS verification for Traefik (between Traefik and the backend) | `true` |

### Proxy auth configuration

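Review bot: the new `ingress.traefik.insecureSkipVerify` row documents a default of `true`, which means a Traefik install of this chart turns off certificate verification between Traefik and `front` unless the operator opts out; the description should say what is created when it is on (a Traefik `ServersTransport` with `insecureSkipVerify: true`, referenced from the front Ingress) so a reader understands they are accepting an unverified hop, for example `Disable TLS certificate verification between Traefik and the front pod (renders a ServersTransport with insecureSkipVerify)`. The `ingress.type` row should also state what the value changes, since in this patch it only gates that ServersTransport wiring and has no effect on the nginx path.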
3 changes: 3 additions & 0 deletions mailu/templates/front/ingress.yaml
Expand Up @@ -18,6 +18,9 @@ metadata:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
@DrPsychick DrPsychick Dec 29, 2024
This is needed instead on the mailu-front service. Although it's also documented for Ingress: https://doc.traefik.io/traefik-hub/api-gateway/reference/routing/kubernetes/http/services/ref-svc-annotations

Also, the https/443 port on the mailu-front deployment should be enabled again, otherwise traefik refuses to link the ingress as the pod does not expose https

traefik.ingress.kubernetes.io/servers-transport: {{ printf "%s-%s@kubernetescrd" (include "common.names.namespace" .) (include "mailu.fullname" .) | quote }}
{{- end }}
spec:
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
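Review bot: the servers-transport annotation is added to the Ingress, while the inline comment from @DrPsychick points at Traefik documentation that places it on the Service, so this hunk may have no effect for Traefik; verify the annotation key and its placement against that reference before merging. The value `<namespace>-<fullname>@kubernetescrd` also only resolves when Traefik's Kubernetes CRD provider is enabled, which the chart does not document, and if this template is already wrapped in an `ingress.enabled` check the `.Values.ingress.enabled` term in the condition is redundant and the guard can be reduced to the `type` and `insecureSkipVerify` checks.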
3 changes: 3 additions & 0 deletions mailu/templates/front/service.yaml
Expand Up @@ -53,5 +53,8 @@ spec:
port: 14190
protocol: TCP
- name: https
{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
serversTransport: {{ include "mailu.fullname" . }}
{{- end }}
port: 443
protocol: TCP
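Review bot: `serversTransport` is inserted as a field of the `https` entry under `ports`, but a Kubernetes `ServicePort` has no such field (only `name`, `port`, `targetPort`, `protocol`, `nodePort` and `appProtocol`), so the API server either prunes it silently or, under strict field validation, rejects the whole Service. Traefik reads a Service's servers transport from an annotation in `metadata.annotations`, not from a port entry, so this should move there and use the same `<namespace>-<name>@kubernetescrd` reference as the Ingress template; as written the value here is the bare `mailu.fullname` without that suffix, so the two files would disagree even once the placement is fixed.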
11 changes: 11 additions & 0 deletions mailu/templates/front/traefik-serverstransport.yaml
@@ -0,0 +1,11 @@
# Only do this if .Values.ingress.type is traefik and .Values.ingress.enabled is true and .Values.ingress.traefik.insecureSkipVerify is true
{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: {{ include "mailu.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
spec:
insecureSkipVerify: true
{{- end }}
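Review bot: the resource hard-codes `insecureSkipVerify: true` and is only rendered when that value is set, so an operator has no way to get a verified Traefik-to-front hop through this chart; consider rendering the `ServersTransport` whenever `ingress.type` is `traefik`, passing `insecureSkipVerify` through from values, and exposing `rootCAsSecrets` (and optionally `serverName`) so the front certificate can be pinned instead of ignored. The header comment on the first line restates the `if` condition and can be dropped, and the resource has no `labels:` block; adding the chart's standard labels keeps it managed and selectable like the rest of the release.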
7 changes: 7 additions & 0 deletions mailu/values.yaml
Expand Up @@ -639,6 +639,13 @@ ingress:
submission: false
manageSieve: false

## @param ingress.type Ingress type (nginx or traefik)
type: nginx

## @param ingress.traefik.insecureSkipVerify Disable TLS verification for Traefik (between Traefik and the backend)
traefik:
insecureSkipVerify: true

## @section Proxy auth configuration
## ref: https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy
proxyAuth:
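Review bot: `insecureSkipVerify` defaults to `true`, so every Traefik deployment of this chart disables certificate verification between Traefik and `front` unless the operator finds and flips the value; a setting that weakens transport security should default to `false` and be opted into, with the `@param` comment explaining when it is needed (for example when `front` serves a self-signed certificate that Traefik cannot validate against a CA it trusts). The `## @param ingress.traefik.insecureSkipVerify` comment also sits above `traefik:` rather than directly above the `insecureSkipVerify:` key it documents; move it onto the key to match the surrounding entries.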