
Commit 0180d9e

fix: Fix Traefik TLS verification to front
Signed-off-by: fastlorenzo <git@bernardi.be>
1 parent 98da259 commit 0180d9e

5 files changed

Lines changed: 53 additions & 27 deletions


mailu/README.md

Lines changed: 29 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -267,33 +267,35 @@ Check that the deployed pods are all running.
267267

268268
### Ingress settings
269269

270-
| Name | Description | Value |
271-
| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
272-
| `ingress.enabled` | Enable external ingress | `true` |
273-
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
274-
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
275-
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
276-
| `ingress.path` | Default path for the ingress record | `/` |
277-
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
278-
| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` |
279-
| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` |
280-
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
281-
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
282-
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
283-
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
284-
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
285-
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
286-
| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
287-
| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
288-
| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
289-
| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
290-
| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
291-
| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
292-
| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
293-
| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
294-
| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
295-
| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
296-
| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |
270+
| Name | Description | Value |
271+
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
272+
| `ingress.enabled` | Enable external ingress | `true` |
273+
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
274+
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
275+
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
276+
| `ingress.path` | Default path for the ingress record | `/` |
277+
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
278+
| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` |
279+
| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` |
280+
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
281+
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
282+
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
283+
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
284+
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
285+
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
286+
| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` |
287+
| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` |
288+
| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` |
289+
| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` |
290+
| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` |
291+
| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` |
292+
| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` |
293+
| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` |
294+
| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` |
295+
| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` |
296+
| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` |
297+
| `ingress.type` | Ingress type (nginx or traefik) | `nginx` |
298+
| `ingress.traefik.insecureSkipVerify` | Disable TLS verification for Traefik (between Traefik and the backend) | `true` |
297299

298300
### Proxy auth configuration
299301
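Review bot: the new `ingress.traefik.insecureSkipVerify` row documents a default of `true` without saying what is given up: with it set, Traefik accepts any certificate the `front` pod presents on the 443 hop, so the description should state that and name the verified alternative (a certificate on `front` that Traefik is configured to trust). The `ingress.type` row should also say that any value other than `traefik` is treated as `nginx`, since the templates in this commit only test `eq .Values.ingress.type "traefik"` and never reject an unknown value.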

mailu/templates/front/ingress.yaml

Lines changed: 3 additions & 0 deletions
@@ -18,6 +18,9 @@ metadata:
1818
{{- if .Values.commonAnnotations }}
1919
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
2020
{{- end }}
21+
{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
22+
traefik.ingress.kubernetes.io/servers-transport: {{ printf "%s-%s@kubernetescrd" (include "common.names.namespace" .) (include "mailu.fullname" .) | quote }}
23+
{{- end }}
2124
spec:
2225
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
2326
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
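Review bot: the annotation key `traefik.ingress.kubernetes.io/servers-transport` on the Ingress does not match the annotations Traefik documents for its Ingress provider, where the ServersTransport reference is a Service annotation, `traefik.ingress.kubernetes.io/service.serverstransport`, taking the same `<namespace>-<name>@kubernetescrd` value that is built here; please check this key against the Traefik version the chart targets, and pick one place for the reference rather than setting it here and again in `service.yaml`.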

mailu/templates/front/service.yaml

Lines changed: 3 additions & 0 deletions
@@ -53,5 +53,8 @@ spec:
5353
port: 14190
5454
protocol: TCP
5555
- name: https
56+
{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
57+
serversTransport: {{ include "mailu.fullname" . }}
58+
{{- end }}
5659
port: 443
5760
protocol: TCP
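Review bot: `serversTransport` is not a field of a core `v1` Service port (`ports[]` only takes `name`, `protocol`, `appProtocol`, `port`, `targetPort` and `nodePort`), so the API server will either warn and drop it or, with strict field validation, reject the Service, and the ServersTransport will never be applied through this path. If the Service is the intended place, express it as the annotation `traefik.ingress.kubernetes.io/service.serverstransport: <namespace>-<name>@kubernetescrd` under `metadata.annotations`, not as a key under the `https` port entry.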
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
# Only do this if .Values.ingress.type is traefik and .Values.ingress.enabled is true and .Values.ingress.traefik.insecureSkipVerify is true
2+
{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
3+
---
4+
apiVersion: traefik.io/v1alpha1
5+
kind: ServersTransport
6+
metadata:
7+
name: {{ include "mailu.fullname" . }}
8+
namespace: {{ include "common.names.namespace" . | quote }}
9+
spec:
10+
insecureSkipVerify: true
11+
{{- end }}
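Review bot: the body hard-codes `insecureSkipVerify: true` and offers no verified path; since the resource is gated on a toggle anyway, consider also templating `spec.rootCAsSecrets` (and `spec.serverName`) so an operator who can provide the `front` CA keeps certificate verification on instead of switching it off. Two smaller points: `apiVersion: traefik.io/v1alpha1` exists only on Traefik releases that ship the `traefik.io` CRD group (v2.10 and later, and v3), so clusters that only have `traefik.containo.us/v1alpha1` will fail at install time and the README should say so; and the `#` comment on line 1 is emitted into the rendered manifest, where a `{{- /* ... */ }}` template comment would keep the output clean.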

mailu/values.yaml

Lines changed: 7 additions & 0 deletions
@@ -639,6 +639,13 @@ ingress:
639639
submission: false
640640
manageSieve: false
641641

642+
## @param ingress.type Ingress type (nginx or traefik)
643+
type: nginx
644+
645+
## @param ingress.traefik.insecureSkipVerify Disable TLS verification for Traefik (between Traefik and the backend)
646+
traefik:
647+
insecureSkipVerify: true
648+
642649
## @section Proxy auth configuration
643650
## ref: https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy
644651
proxyAuth:
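Review bot: `insecureSkipVerify: true` as the shipped default turns off backend certificate verification for every Traefik user who never reads this far; a fail-closed default of `false`, with a README note on when and why to enable it, is the safer choice. `type` also accepts any string while the templates only test `eq .Values.ingress.type "traefik"`, so a typo such as `traefick` silently renders the nginx path; a guard like `{{- if not (has .Values.ingress.type (list "nginx" "traefik")) }}{{ fail "ingress.type must be nginx or traefik" }}{{- end }}` in a template, or an enum in a values schema, would catch it. Minor: the `@param ingress.traefik.insecureSkipVerify` comment sits above `traefik:` rather than above the `insecureSkipVerify:` key it documents.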
