feat: several fixes for Mailu 2024.06 support (#354)
* feat: several fixes for Mailu 2024.06 support

Signed-off-by: fastlorenzo <[email protected]>

* fix: exposing manageSieve port in front-external

Signed-off-by: fastlorenzo <[email protected]>

* fix: fixed network policy to allow manageSieve port

Signed-off-by: fastlorenzo <[email protected]>

---------

Signed-off-by: fastlorenzo <[email protected]>
fastlorenzo authored Jun 27, 2024
1 parent 5260596 commit 3fa16db
Showing 10 changed files with 187 additions and 50 deletions.
62 changes: 36 additions & 26 deletions mailu/README.md
@@ -186,6 +186,7 @@ Check that the deployed pods are all running.
| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` |
| `credentialRounds` | Number of rounds to use for password hashing | `12` |
| `sessionCookieSecure` | Controls the secure flag on the cookies of the administrative interface. | `true` |
| `authRequireTokens` | Require tokens for authentication | `false` |
| `sessionTimeout` | Maximum amount of time in seconds between requests before a session is invalidated | `3600` |
| `permanentSessionLifetime` | Maximum amount of time in seconds a session can be kept alive for if it hasn’t timed-out | `2592000` |
| `letsencryptShortchain` | Controls whether we send the ISRG Root X1 certificate in TLS handshakes. | `false` |
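Review bot: the description of the new `authRequireTokens` row ("Require tokens for authentication") does not say what a token is in this context or which protocols the setting applies to, so an operator cannot tell what switching it to `true` will break for existing clients. The value is passed straight through as `AUTH_REQUIRE_TOKENS` in `envvars-configmap.yaml`, so name that variable in the description and link the upstream Mailu documentation for it, e.g. `Require tokens for authentication (sets AUTH_REQUIRE_TOKENS; see the Mailu configuration reference)`.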
@@ -261,25 +262,33 @@ Check that the deployed pods are all running.

### Ingress settings

| Name | Description | Value |
| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `ingress.enabled` | Enable external ingress | `true` |
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `ingress.path` | Default path for the ingress record | `/` |
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` |
| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` |
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
| Name | Description | Value |
| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `ingress.enabled` | Enable external ingress | `true` |
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `ingress.path` | Default path for the ingress record | `/` |
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` |
| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` |
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |

### Proxy auth configuration

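Review bot: the new `ingress.proxyProtocol.*` keys describe PROXY protocol for ports that are served by `front.externalService` (the same 110/995/143/993/25/465/587/4190 list documented under `front.externalService.ports.*` in the next hunk), not by the Ingress, so placing them under `ingress.` is misleading; either move them to `front.externalService.proxyProtocol.*` or state in each description that they only take effect when `front.externalService.enabled` is `true`. The table should also say that enabling any of them requires `realIpFrom` to be set (the template hard-fails otherwise) and that it must list only the address ranges of the trusted load balancer, because accepting PROXY headers from arbitrary sources lets a client pick the source IP that `AUTH_RATELIMIT_IP` and the logs see.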
@@ -303,13 +312,14 @@ Check that the deployed pods are all running.
| `front.externalService.externalTrafficPolicy` | Service externalTrafficPolicy (Cluster or Local) | `Local` |
| `front.externalService.loadBalancerIP` | Service loadBalancerIP | `""` |
| `front.externalService.annotations` | Service annotations | `{}` |
| `front.externalService.ports.pop3` | Expose POP3 port | `false` |
| `front.externalService.ports.pop3s` | Expose POP3 port (TLS) | `true` |
| `front.externalService.ports.imap` | Expose IMAP port | `false` |
| `front.externalService.ports.imaps` | Expose IMAP port (TLS) | `true` |
| `front.externalService.ports.smtp` | Expose SMTP port | `true` |
| `front.externalService.ports.smtps` | Expose SMTP port (TLS) | `true` |
| `front.externalService.ports.submission` | Expose Submission port | `true` |
| `front.externalService.ports.pop3` | Expose POP3 port - 110/tcp | `false` |
| `front.externalService.ports.pop3s` | Expose POP3 port (TLS) - 995/tcp | `true` |
| `front.externalService.ports.imap` | Expose IMAP port - 143/tcp | `false` |
| `front.externalService.ports.imaps` | Expose IMAP port (TLS) - 993/tcp | `true` |
| `front.externalService.ports.smtp` | Expose SMTP port - 25/tcp | `true` |
| `front.externalService.ports.smtps` | Expose SMTP port (TLS) - 465/tcp | `true` |
| `front.externalService.ports.submission` | Expose Submission port - 587/tcp | `false` |
| `front.externalService.ports.manageSieve` | Expose ManageSieve port - 4190/tcp | `true` |
| `front.kind` | Kind of resource to create for the front (`Deployment` or `DaemonSet`) | `Deployment` |
| `front.replicaCount` | Number of front replicas to deploy (only for `Deployment` kind) | `1` |
| `front.resources.limits` | The resources limits for the container | `{}` |
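Review bot: two defaults change in this hunk without being mentioned in the commit message: `front.externalService.ports.submission` goes from `true` to `false`, and the new `front.externalService.ports.manageSieve` is exposed (`true`) by default. The first silently stops exposing 587/tcp for anyone upgrading with default values; the second widens the default exposed surface with a service most deployments do not need. Suggest keeping `submission` at `true`, defaulting `manageSieve` to `false` like the other optional ports (`pop3`, `imap`), and calling out any default change in the NOTES.txt upgrade message.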
2 changes: 2 additions & 0 deletions mailu/templates/NOTES.txt
@@ -33,4 +33,6 @@ After you created an initial admin login (see docs), you can login to the admin

!!! Please make sure you read and understand the warning about open relays in the README.md !!!

If you're upgrading from Mailu < 2024.06, please read this: https://mailu.io/2024.06/releases.html#after-upgrading

{{ include "mailu.validateValues" . }}
86 changes: 86 additions & 0 deletions mailu/templates/_services.tpl
@@ -156,3 +156,89 @@ Service fqdn (within cluster) can be retrieved with `mailu.SERVICE.serviceFqdn`
{{- define "mailu.oletools.serviceFqdn" -}}
{{- printf "%s.%s.svc.%s" (include "mailu.oletools.serviceName" . ) (include "common.names.namespace" . ) (include "mailu.clusterDomain" . ) -}}
{{- end -}}


{{/* Combine the enabled ports that should be exposed into a comma-separated string */}}
{{- define "mailu.enabledPorts" -}}
{{- $enabledPorts := list -}}

{{- if .Values.ingress.enabled -}}
{{- $enabledPorts = append $enabledPorts "80" -}}
{{- $enabledPorts = append $enabledPorts "443" -}}
{{- end -}}

{{- if .Values.front.externalService.enabled -}}
{{- if .Values.front.externalService.ports.pop3 -}}
{{- $enabledPorts = append $enabledPorts "110" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.pop3s -}}
{{- $enabledPorts = append $enabledPorts "995" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imap -}}
{{- $enabledPorts = append $enabledPorts "143" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imaps -}}
{{- $enabledPorts = append $enabledPorts "993" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtp -}}
{{- $enabledPorts = append $enabledPorts "25" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtps -}}
{{- $enabledPorts = append $enabledPorts "465" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.submission -}}
{{- $enabledPorts = append $enabledPorts "587" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.manageSieve -}}
{{- $enabledPorts = append $enabledPorts "4190" -}}
{{- end -}}
{{- end -}}

{{- $enabledPortsString := join "," $enabledPorts -}}
{{- printf "%s" $enabledPortsString -}}
{{- end -}}

{{/* Combine the ports for which PROXY protocol should be enabled into a comma-separated string */}}
{{- define "mailu.proxyProtocolPorts" -}}
{{- $proxyProtocolPorts := list -}}

{{- if .Values.front.externalService.enabled -}}
{{- if .Values.front.externalService.ports.pop3 -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "110" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.pop3s -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "995" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imap -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "143" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.imaps -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "993" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtp -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "25" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.smtps -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "465" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.submission -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "587" -}}
{{- end -}}
{{- if .Values.front.externalService.ports.manageSieve -}}
{{- $proxyProtocolPorts = append $proxyProtocolPorts "4190" -}}
{{- end -}}
{{- end -}}

{{- $proxyProtocolPortsString := join "," $proxyProtocolPorts -}}
{{/* if any ports are enabled and .front.realIpFrom is empty, fail */}}
{{- if and (gt (len $proxyProtocolPorts) 0) (not .Values.front.realIpFrom) -}}
{{- fail "PROXY protocol is enabled for some ports, but front.realIpFrom is not set" -}}
{{- end -}}

{{/* if any ports are enabled and .front.realIpHeader is set, fail */}}
{{- if and (gt (len $proxyProtocolPorts) 0) .Values.front.realIpHeader -}}
{{- fail "PROXY protocol is enabled for some ports, but front.realIpHeader is set" -}}
{{- end -}}

{{- printf "%s" $proxyProtocolPortsString -}}
{{- end -}}
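Review bot: `mailu.proxyProtocolPorts` never reads the `ingress.proxyProtocol.*` values that the README hunk documents; every branch tests `.Values.front.externalService.ports.*`, so its output is identical to `mailu.enabledPorts` minus 80/443, and PROXY protocol ends up switched on for every exposed port regardless of the documented `false` defaults. Combined with the `fail` on an empty `.Values.front.realIpFrom`, any install with `front.externalService.enabled` aborts unless that value is set, and the README documents the setting as `ingress.realIpFrom` / `ingress.realIpHeader`, not `front.*`, so the checks should reference whichever path the chart actually exposes. The conditions should read `{{- if .Values.ingress.proxyProtocol.pop3 -}}` (and so on for each port), and the `realIpHeader` check needs care: if it is pointed at the documented `ingress.realIpHeader`, its default of `X-Forwarded-For` would make it fail on every PROXY-protocol install. Finally, raising `fail` from a helper whose purpose is to return a string hides validation in an unexpected place; `mailu.validateValues` (already included from NOTES.txt) is where these two checks belong.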
2 changes: 2 additions & 0 deletions mailu/templates/envvars-configmap.yaml
@@ -19,6 +19,7 @@ data:
AUTH_RATELIMIT_IP_V6_MASK: {{ .Values.limits.authRatelimit.ipv6Mask | quote }}
AUTH_RATELIMIT_IP: {{ .Values.limits.authRatelimit.ip | quote }}
AUTH_RATELIMIT_USER: {{ .Values.limits.authRatelimit.user | quote }}
AUTH_REQUIRE_TOKENS: {{ .Values.authRequireTokens | quote }}
BABEL_DEFAULT_LOCALE: "en"
BABEL_DEFAULT_TIMEZONE: "UTC"
BOOTSTRAP_SERVE_LOCAL: "true"
@@ -63,6 +64,7 @@ data:
MESSAGE_SIZE_LIMIT: "{{ mul .Values.limits.messageSizeLimitInMegabytes (mul 1024 1024) }}"
OUTBOUND_TLS_LEVEL: {{ .Values.tls.outboundLevel | quote }}
PERMANENT_SESSION_LIFETIME: {{ .Values.permanentSessionLifetime | int64 | quote }}
PORTS: {{ include "mailu.enabledPorts" . }}
POSTMASTER: {{ .Values.postmaster | quote }}
PROXY_AUTH_CREATE: {{ .Values.proxyAuth.create | quote }}
PROXY_AUTH_HEADER: {{ .Values.proxyAuth.header | quote }}
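Review bot: `PORTS: {{ include "mailu.enabledPorts" . }}` is emitted without `| quote`, unlike every neighbouring key. With exactly one port enabled the rendered value (for example `25`) is parsed as a YAML integer, and a ConfigMap whose `data` contains a non-string value is rejected by the API server; with nothing enabled it renders an empty scalar. Use `PORTS: {{ include "mailu.enabledPorts" . | quote }}`.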
0 comments on commit 3fa16db