diff --git a/charts/mailu/Chart.yaml b/charts/mailu/Chart.yaml
index 49851351..0e5f0943 100644
--- a/charts/mailu/Chart.yaml
+++ b/charts/mailu/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 # renovate: datasource=github-releases depName=Mailu/mailu
 appVersion: 2024.06.45
-version: 2.6.1
+version: 2.6.2
 name: mailu
 description: This chart installs the Mailu mail system on Kubernetes
 home: https://mailu.io
diff --git a/charts/mailu/README.md b/charts/mailu/README.md
index 442620be..9c515091 100644
--- a/charts/mailu/README.md
+++ b/charts/mailu/README.md
@@ -297,16 +297,7 @@ helm uninstall mailu --namespace=mailu-mailserver
 | `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
 | `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
 | `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
-| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
 | `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
-| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
-| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
-| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
-| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
-| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
-| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
-| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
-| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |
 ### Proxy auth configuration
@@ -348,6 +339,16 @@ helm uninstall mailu --namespace=mailu-mailserver
 | `front.externalService.nodePorts.smtps` | NodePort to use for SMTP (TLS) (defaults to 465/tcp) | `465` |
 | `front.externalService.nodePorts.submission` | NodePort to use for Submission (defaults to 587/tcp) | `587` |
 | `front.externalService.nodePorts.manageSieve` | NodePort to use for ManageSieve (defaults to 4190/tcp) | `4190` |
+| `proxyProtocol.enabled` | Enable PROXY protocol support in the `front` pod | `false` |
+| `proxyProtocol.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
+| `proxyProtocol.ports.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
+| `proxyProtocol.ports.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
+| `proxyProtocol.ports.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
+| `proxyProtocol.ports.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
+| `proxyProtocol.ports.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
+| `proxyProtocol.ports.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
+| `proxyProtocol.ports.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
+| `proxyProtocol.ports.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |
 | `front.kind` | Kind of resource to create for the front (`Deployment` or `DaemonSet`) | `Deployment` |
 | `front.replicaCount` | Number of front replicas to deploy (only for `Deployment` kind) | `1` |
 | `front.resources.limits` | The resources limits for the container | `{}` |
diff --git a/charts/mailu/templates/_services.tpl b/charts/mailu/templates/_services.tpl
index 5c5d1600..ee308ad6 100644
--- a/charts/mailu/templates/_services.tpl
+++ b/charts/mailu/templates/_services.tpl
@@ -175,6 +175,7 @@ Service fqdn (within cluster) can be retrieved with `mailu.SERVICE.serviceFqdn`
 {{- if .Values.ingress.enabled -}}
 {{- $enabledPorts = append $enabledPorts "80" -}}
 {{- $enabledPorts = append $enabledPorts "443" -}}
+ {{- $enabledPorts = append $enabledPorts "4190" -}}
 {{- end -}}
 {{- if .Values.front.hostPort.enabled -}}
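Review bot: The added `append $enabledPorts "4190"` sits inside `if .Values.ingress.enabled` with no comment, so ManageSieve joins the enabled-port list whenever the HTTP ingress is on, independent of any ManageSieve-specific setting. The two existing entries in that branch are the HTTP ports an ingress forwards, while 4190 is a plain TCP service, so the coupling is not self-evident. The template that consumes `$enabledPorts` starts and ends outside this hunk; if the list decides which ports are opened or allowed, this widens the exposed surface for every ingress user in a patch release. Either gate the line on the relevant ManageSieve port flag or record the reason next to it, e.g. `{{- /* 4190 (ManageSieve) is enabled together with the ingress because <reason> */ -}}`.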
@@ -216,42 +217,37 @@ Service fqdn (within cluster) can be retrieved with `mailu.SERVICE.serviceFqdn`
 {{- define "mailu.proxyProtocolPorts" -}}
 {{- $proxyProtocolPorts := list -}}
-{{- if .Values.front.externalService.enabled -}}
- {{- if and .Values.front.externalService.ports.pop3 .Values.ingress.proxyProtocol.pop3 -}}
+{{- if .Values.front.proxyProtocol.enabled -}}
+ {{- if .Values.front.proxyProtocol.ports.pop3 -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "110" -}}
 {{- end -}}
- {{- if and .Values.front.externalService.ports.pop3s .Values.ingress.proxyProtocol.pop3s -}}
+ {{- if .Values.front.proxyProtocol.ports.pop3s -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "995" -}}
 {{- end -}}
- {{- if and .Values.front.externalService.ports.imap .Values.ingress.proxyProtocol.imap -}}
+ {{- if .Values.front.proxyProtocol.ports.imap -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "143" -}}
 {{- end -}}
- {{- if and .Values.front.externalService.ports.imaps .Values.ingress.proxyProtocol.imaps -}}
+ {{- if .Values.front.proxyProtocol.ports.imaps -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "993" -}}
 {{- end -}}
- {{- if and .Values.front.externalService.ports.smtp .Values.ingress.proxyProtocol.smtp -}}
+ {{- if .Values.front.proxyProtocol.ports.smtp -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "25" -}}
 {{- end -}}
- {{- if and .Values.front.externalService.ports.smtps .Values.ingress.proxyProtocol.smtps -}}
+ {{- if .Values.front.proxyProtocol.ports.smtps -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "465" -}}
 {{- end -}}
- {{- if and .Values.front.externalService.ports.submission .Values.ingress.proxyProtocol.submission -}}
+ {{- if .Values.front.proxyProtocol.ports.submission -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "587" -}}
 {{- end -}}
- {{- if and .Values.front.externalService.ports.manageSieve .Values.ingress.proxyProtocol.manageSieve -}}
+ {{- if .Values.front.proxyProtocol.ports.manageSieve -}}
 {{- $proxyProtocolPorts = append $proxyProtocolPorts "4190" -}}
 {{- end -}}
 {{- end -}}
 {{- $proxyProtocolPortsString := join "," $proxyProtocolPorts -}}
-{{/* if any ports are enabled and .ingress.realIpFrom is empty, fail */}}
-{{- if and (gt (len $proxyProtocolPorts) 0) (not .Values.ingress.realIpFrom) -}}
- {{- fail "PROXY protocol is enabled for some ports, but ingress.realIpFrom is not set" -}}
-{{- end -}}
-
-{{/* if any ports are enabled and .ingress.realIpHeader is set, fail */}}
-{{- if and (gt (len $proxyProtocolPorts) 0) .Values.ingress.realIpHeader -}}
- {{- fail "PROXY protocol is enabled for some ports, but ingress.realIpHeader is set" -}}
+{{/* if any ports are enabled and front.proxyProtocol.realIpFrom is empty, fail */}}
+{{- if and (gt (len $proxyProtocolPorts) 0) (not .Values.front.proxyProtocol.realIpFrom) -}}
+ {{- fail "PROXY protocol is enabled for some ports, but front.proxyProtocol.realIpFrom is not set" -}}
 {{- end -}}
 {{- printf "%s" $proxyProtocolPortsString -}}
diff --git a/charts/mailu/templates/envvars-configmap.yaml b/charts/mailu/templates/envvars-configmap.yaml
index c2370da9..03525d1f 100644
--- a/charts/mailu/templates/envvars-configmap.yaml
+++ b/charts/mailu/templates/envvars-configmap.yaml
@@ -128,7 +128,7 @@ data:
 PROXY_AUTH_WHITELIST: {{ . | quote }}
 {{- end }}
 RATELIMIT_STORAGE_URL: {{ printf "redis://%s:%s/%s" (include "mailu.redis.serviceFqdn" .) (include "mailu.redis.port" .) (include "mailu.redis.db.rateLimit" .) }}
- {{- with .Values.ingress.realIpFrom }}
+ {{- with .Values.front.proxyProtocol.realIpFrom }}
 REAL_IP_FROM: {{ . | quote }}
 {{- end }}
 {{- with .Values.ingress.realIpHeader }}
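Review bot: In `mailu.proxyProtocolPorts` the old `ingress.realIpFrom` and `ingress.proxyProtocol.*` keys are no longer read anywhere, and nothing rejects them, so a release upgraded from 2.6.1 with those values set renders without error and silently loses its PROXY protocol configuration. A load balancer that still sends PROXY headers would then be talking to listeners that no longer expect them, and the operator gets no hint at `helm upgrade` time. A guard at the top of the define would surface this: `{{- if or .Values.ingress.realIpFrom .Values.ingress.proxyProtocol -}}{{- fail "ingress.realIpFrom and ingress.proxyProtocol.* have moved to front.proxyProtocol.*" -}}{{- end -}}`. Separately, each per-port test dropped its `.Values.front.externalService.ports.<name>` conjunct, so `PROXY_PROTOCOL` can now name a port the chart does not expose; a one-line comment saying this is intended would help.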
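Review bot: `REAL_IP_FROM` in envvars-configmap.yaml is rendered whenever `front.proxyProtocol.realIpFrom` is non-empty, without consulting `front.proxyProtocol.enabled`, and the values.yaml hunk of this commit changes that value's default from `""` to `"10.42.0.0/16"`. Every install therefore gets `REAL_IP_FROM` set out of the box, while the `REAL_IP_HEADER` block just below still defaults to `X-Forwarded-For`. If Mailu pairs the two as its configuration reference describes, any peer inside that range is trusted to state the client address, which feeds rate limiting and authentication logging. The same default makes the `realIpFrom is not set` guard in `mailu.proxyProtocolPorts` unreachable unless a user blanks the value. Shipping `realIpFrom: ""` keeps the trust decision an explicit opt-in and keeps that guard meaningful.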
@@ -201,7 +201,7 @@ data: REDIS_ADDRESS: {{ include "mailu.redis.serviceFqdn" . }} SMTP_ADDRESS: {{ include "mailu.postfix.serviceFqdn" . }} -{{- if .Values.front.externalService.enabled }} +{{- if .Values.front.proxyProtocol.enabled }} PROXY_PROTOCOL: {{ include "mailu.proxyProtocolPorts" . | quote }} {{- end }} diff --git a/charts/mailu/values.yaml b/charts/mailu/values.yaml index ddcdee9f..6d2a0d8f 100644 --- a/charts/mailu/values.yaml +++ b/charts/mailu/values.yaml @@ -655,31 +655,13 @@ ingress: ## @param ingress.realIpHeader Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod realIpHeader: X-Forwarded-For - ## @param ingress.realIpFrom Sets the value of `REAL_IP_FROM` environment variable in the `front` pod - realIpFrom: "" + ## @param ingress.tlsFlavorOverride Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod ## This is normally auto-detected, only change it if you know what you are doing. tlsFlavorOverride: "" - ## @param ingress.proxyProtocol.pop3 Enable PROXY protocol for POP3 (110/tcp) - ## @param ingress.proxyProtocol.pop3s Enable PROXY protocol for POP3S (995/tcp) - ## @param ingress.proxyProtocol.imap Enable PROXY protocol for IMAP (143/tcp) - ## @param ingress.proxyProtocol.imaps Enable PROXY protocol for IMAPS (993/tcp) - ## @param ingress.proxyProtocol.smtp Enable PROXY protocol for SMTP (25/tcp) - ## @param ingress.proxyProtocol.smtps Enable PROXY protocol for SMTPS (465/tcp) - ## @param ingress.proxyProtocol.submission Enable PROXY protocol for Submission (587/tcp) - ## @param ingress.proxyProtocol.manageSieve Enable PROXY protocol for ManageSieve (4190/tcp) - ## Enabling any of these requires to have ingress.realIpFrom set - proxyProtocol: - pop3: false - pop3s: false - imap: false - imaps: false - smtp: false - smtps: false - submission: false - manageSieve: false + ## @section Proxy auth configuration ## ref: https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy 
@@ -768,6 +750,41 @@ front: submission: 587 manageSieve: 4190 + ## @section ProxyProtocol configuration + ## If the front service is sitting behind a load balancer that supports + ## PROXY protocol (e.g. HAPROXY, AWS ELB/ALB), you can enable it here. + ## This will make Mailu aware of the original client IP address. + ## ref: https://mailu.io/master/configuration.html#proxy-protocol + proxyProtocol: + ## @param front.proxyProtocol.enabled Enable PROXY protocol support in the `front` pod + enabled: false + + ## @param front.proxyProtocol.realIpFrom Sets the value of `REAL_IP_FROM` environment variable in the `front` pod + ## This should be set to the CIDR(s) of the load balancer(s) in front of Mailu + ## or pod that forwards traffic to Mailu supporting PROXY protocol. + ## For example, if using an Ingress controller, this should be set to the + ## pod CIDR of the cluster. + realIpFrom: "10.42.0.0/16" + + ## @param front.proxyProtocol.ports.pop3 Enable PROXY protocol for POP3 (110/tcp) + ## @param front.proxyProtocol.ports.pop3s Enable PROXY protocol for POP3S (995/tcp) + ## @param front.proxyProtocol.ports.imap Enable PROXY protocol for IMAP (143/tcp) + ## @param front.proxyProtocol.ports.imaps Enable PROXY protocol for IMAPS (993/tcp) + ## @param front.proxyProtocol.ports.smtp Enable PROXY protocol for SMTP (25/tcp) + ## @param front.proxyProtocol.ports.smtps Enable PROXY protocol for SMTPS (465/tcp) + ## @param front.proxyProtocol.ports.submission Enable PROXY protocol for Submission (587/tcp) + ## @param front.proxyProtocol.ports.manageSieve Enable PROXY protocol for ManageSieve (4190/tcp) + ## Enabling any of these requires to have ingress.realIpFrom set + ports: + pop3: false + pop3s: false + imap: false + imaps: false + smtp: false + smtps: false + submission: false + manageSieve: false + ## @param front.kind Kind of resource to create for the front (`Deployment` or `DaemonSet`) kind: Deployment
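Review bot: The comment above `ports:` still reads `Enabling any of these requires to have ingress.realIpFrom set`, but that key is removed by this same commit; it should read `## Enabling any of these requires front.proxyProtocol.realIpFrom to be set`. The README rows added alongside document these parameters as `proxyProtocol.*` without the `front.` prefix and list the `realIpFrom` default as `""`, whereas this hunk nests the block under `front:` and sets `realIpFrom: "10.42.0.0/16"`. That address is a distribution-specific pod CIDR rather than a neutral default, so on other clusters it either matches nothing or trusts an unrelated network. Using `realIpFrom: ""` here and regenerating the README table from the `@param` annotations would bring the three back in line.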