help with mailu on k8s #391

Open
melbruki opened this issue Dec 27, 2024 · 2 comments

melbruki commented Dec 27, 2024

I tried all the various tlsFlavorOverride options, but the problem seems to be that it uses http01. Since the pod needs a certificate to start and cannot complete the challenge without coming up first, this creates a chicken-and-egg problem where the certificate request fails.

When I enable the ingress and external service, I can get a certificate on the ingress for the webmail and admin interfaces, but not for the mail ports.

I’m running a bare-metal, multi-node Kubernetes cluster with a load balancer. The following is the configuration I’ve tried:


externalService:
  enabled: true
  type: LoadBalancer

# Set external ingress config
ingress:
  enabled: true

tlsFlavorOverride: "letsencrypt"

  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-production"


In the end, I created a certificate resource using a dns01 ClusterIssuer and obtained a certificate named mailu-certificates. Then, I disabled the ingress and external service. I modified the template so the front service type is set to LoadBalancer, with the external traffic policy set to Local. Everything seemed to work—at least initially.

However, when I accessed /admin/domain/details, I encountered an error. After checking the logs, I found the following traceback:

  File "/app/mailu/models.py", line 260, in dns_autoconfig
    ports = {int(port.strip()) for port in app.config['PORTS'].split(',')}.union({465, 993})
ValueError: invalid literal for int() with base 10: ''

This suggests something is either wrong with the Helm chart or my values.yaml file configuration. Could anyone help diagnose what might be causing this issue?
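The traceback above, reproduced as an added example (not part of the original post and not Mailu's own code): the expression from line 260 raises this exact error whenever the PORTS value is empty or contains an empty item. `parse_ports_tolerant` and `check` are hypothetical helpers, and the sample PORTS values are constructed.

```python
# Added illustration; the PORTS samples below are constructed, not taken from the issue.

def parse_ports_strict(ports_value):
    """Same expression as the line shown in the traceback (models.py, line 260)."""
    return {int(port.strip()) for port in ports_value.split(',')}.union({465, 993})


def parse_ports_tolerant(ports_value):
    """Hypothetical tolerant variant: skip empty items, reject non-port values."""
    ports = set()
    for item in ports_value.split(','):
        item = item.strip()
        if not item:
            continue  # empty string or stray comma: nothing to parse
        port = int(item)  # still raises ValueError on non-numeric input
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports | {465, 993}


def check(ports_value):
    """Return ('ok', ports) or ('error', message) for the strict expression."""
    try:
        return ('ok', parse_ports_strict(ports_value))
    except ValueError as exc:
        return ('error', str(exc))


if __name__ == "__main__":
    # ''.split(',') yields [''], so int('') is what fails in the strict form.
    for sample in ["25,465,587,993", "", "25,587,", " "]:
        print(repr(sample), "->", check(sample),
              "| tolerant:", sorted(parse_ports_tolerant(sample)))
```

If the strict form fails this way, the value to inspect is whatever PORTS setting the running admin container actually received.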

nextgens transferred this issue from Mailu/Mailu Dec 28, 2024
@fastlorenzo
Collaborator

The default setup uses cert-manager to request a certificate via Let's Encrypt and exposes it to the mailu-front pod.
This certificate is then used by the mail ports.
Additionally, this cert is used by the ingress for the web ports.

Could you elaborate on how you're trying to get the certificate and why you do not use cert-manager? (which is the default)

@melbruki
Author

I am using cert-manager. I tried initially with http01 but ended up switching to dns01. I tried different configurations in the values.yaml file but none seemed to work. Can you post an example values.yaml file with the mail port being exposed using a load balancer? I tried with ingress enabled and the external service as a load balancer. The problem with this is that if you use http01 authentication then you have to manually switch the DNS name in Cloudflare every 2 months when it renews. Let's say I give the load balancer the DNS name mail.example.com and the load balancer IP on the ingress webmail.example.com. I could not get the DNS to validate on mail.example.com because it wasn't listening on port 80 to complete the http01 challenge. So then I ended up using dns01 and everything got a cert, but for some reason the webmail stopped working. In the end I just modified the service for front to have service type load balancer and one IP for mail and web ports, and disabled ingress and external service. And now everything is working, but I don't know if this is a supported configuration because I had to modify the template. My setup is a multi-node k8s running on bare metal with a load balancer with a public IP. If you could maybe paste a working values.yaml file for this setup I would greatly appreciate it; I've been working on this non-stop. Thank you.
