From 0180d9e2824438e998a7664218453eae3ccda0bf Mon Sep 17 00:00:00 2001
From: fastlorenzo
Date: Fri, 27 Dec 2024 21:07:26 +0100
Subject: [PATCH] fix: Fix Traefik TLS verification to front
Signed-off-by: fastlorenzo
---
 mailu/README.md | 56 ++++++++++---------
 mailu/templates/front/ingress.yaml | 3 +
 mailu/templates/front/service.yaml | 3 +
 .../front/traefik-serverstransport.yaml | 11 ++++
 mailu/values.yaml | 7 +++
 5 files changed, 53 insertions(+), 27 deletions(-)
 create mode 100644 mailu/templates/front/traefik-serverstransport.yaml
diff --git a/mailu/README.md b/mailu/README.md
index 06d2937a..65b15e6b 100644
--- a/mailu/README.md
+++ b/mailu/README.md
@@ -267,33 +267,35 @@ Check that the deployed pods are all running. ### Ingress settings -| Name | Description | Value | -| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `ingress.enabled` | Enable external ingress | `true` | -| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | -| `ingress.path` | Default path for the ingress record | `/` | -| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` | -| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | -| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | -| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` | -| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` | -| 
`ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` | -| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` | -| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` | -| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` | -| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` | -| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` | -| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` | -| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` | -| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` | +| Name | Description | Value | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `ingress.enabled` | Enable external ingress | `true` | +| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.path` | Default path for the ingress record | `/` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | +| `ingress.tls` | Enable TLS configuration for the hosts defined at `hostnames` parameter | `true` | +| `ingress.existingSecret` | Name of an existing Secret containing the TLS certificates for the Ingress | `""` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `ingress.realIpHeader` | Sets the value of `REAL_IP_HEADER` environment variable in the `front` pod | `X-Forwarded-For` | +| `ingress.realIpFrom` | Sets the value of `REAL_IP_FROM` environment variable in the `front` pod | `""` | +| `ingress.tlsFlavorOverride` | Overrides the value of `TLS_FLAVOR` environment variable in the `front` pod | `""` | +| `ingress.proxyProtocol.pop3` | Enable PROXY protocol for POP3 (110/tcp) | `false` | +| `ingress.proxyProtocol.pop3s` | Enable PROXY protocol for POP3S (995/tcp) | `false` | +| `ingress.proxyProtocol.imap` | Enable PROXY protocol for IMAP (143/tcp) | `false` | +| `ingress.proxyProtocol.imaps` | Enable PROXY protocol for IMAPS (993/tcp) | `false` | +| `ingress.proxyProtocol.smtp` | Enable PROXY protocol for SMTP (25/tcp) | `false` | +| `ingress.proxyProtocol.smtps` | Enable PROXY protocol for SMTPS (465/tcp) | `false` | +| `ingress.proxyProtocol.submission` | Enable PROXY protocol for Submission (587/tcp) | `false` | +| `ingress.proxyProtocol.manageSieve` | Enable PROXY protocol for ManageSieve (4190/tcp) | `false` | +| `ingress.type` | Ingress type (nginx or 
traefik) | `nginx` | +| `ingress.traefik.insecureSkipVerify` | Disable TLS verification for Traefik (between Traefik and the backend) | `true` | ### Proxy auth configuration
diff --git a/mailu/templates/front/ingress.yaml b/mailu/templates/front/ingress.yaml
index 0bd94fbd..fa68657d 100644
--- a/mailu/templates/front/ingress.yaml
+++ b/mailu/templates/front/ingress.yaml
@@ -18,6 +18,9 @@ metadata:
 {{- if .Values.commonAnnotations }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
 {{- end }}
+ {{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
+ traefik.ingress.kubernetes.io/servers-transport: {{ printf "%s-%s@kubernetescrd" (include "common.names.namespace" .) (include "mailu.fullname" .) | quote }}
+ {{- end }}
 spec:
 {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
 ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
diff --git a/mailu/templates/front/service.yaml b/mailu/templates/front/service.yaml
index 131802a5..57d26f59 100644
--- a/mailu/templates/front/service.yaml
+++ b/mailu/templates/front/service.yaml
@@ -53,5 +53,8 @@ spec:
 port: 14190
 protocol: TCP
 - name: https
+ {{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
+ serversTransport: {{ include "mailu.fullname" . }}
+ {{- end }}
 port: 443
 protocol: TCP
diff --git a/mailu/templates/front/traefik-serverstransport.yaml b/mailu/templates/front/traefik-serverstransport.yaml
new file mode 100644
index 00000000..b69329a8
--- /dev/null
+++ b/mailu/templates/front/traefik-serverstransport.yaml
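Review bot: The three-term guard `and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify` wrapped around the new annotation is repeated byte-for-byte in service.yaml and in the new ServersTransport template, so any later change to the policy (for instance also rendering the transport when verification stays on) has to be made in three places and can drift. A named template in _helpers.tpl (outside this diff) would keep them in step, e.g. `{{- define "mailu.front.traefikServersTransport.enabled" -}}{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify -}}true{{- end -}}{{- end -}}`, used here as `{{- if include "mailu.front.traefikServersTransport.enabled" . }}`. The `.Values.ingress.enabled` term also looks redundant if ingress.yaml is already wrapped in an `ingress.enabled` check, which is the usual pattern in this chart; the file header is outside the hunk, so confirm before dropping it. The `metadata.annotations` block these lines sit in starts before the hunk.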
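Review bot: `serversTransport` on the `https` port entry is not a field of a core `v1` Service port (those take `name`, `port`, `targetPort`, `protocol`, `nodePort`, `appProtocol`), so with strict field validation the release will fail to apply as soon as `ingress.type=traefik` is set, and with lenient validation the key is silently dropped; as far as I can tell this key belongs to a Traefik `IngressRoute` `services[]` entry, not to a Service. For the Ingress-based routing this commit sets up, Traefik already takes the transport from the annotation added in ingress.yaml, and a per-Service override is expressed as a Service annotation, not a port field. If the per-Service form is wanted, move these three lines into `metadata.annotations` of the Service (outside this hunk) as `traefik.ingress.kubernetes.io/service.serverstransport: {{ printf "%s-%s@kubernetescrd" (include "common.names.namespace" .) (include "mailu.fullname" .) | quote }}`; otherwise drop them. Verify the annotation name against the Traefik version the chart targets, since I am going from the provider's documented annotation names rather than anything visible here.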
@@ -0,0 +1,11 @@
+# Only do this if .Values.ingress.type is traefik and .Values.ingress.enabled is true and .Values.ingress.traefik.insecureSkipVerify is true
+{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled .Values.ingress.traefik.insecureSkipVerify }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+ name: {{ include "mailu.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+spec:
+ insecureSkipVerify: true
+{{- end }}
diff --git a/mailu/values.yaml b/mailu/values.yaml
index f690cf7a..3133890a 100644
--- a/mailu/values.yaml
+++ b/mailu/values.yaml
@@ -639,6 +639,13 @@ ingress: submission: false manageSieve: false + ## @param ingress.type Ingress type (nginx or traefik) + type: nginx + + ## @param ingress.traefik.insecureSkipVerify Disable TLS verification for Traefik (between Traefik and the backend) + traefik: + insecureSkipVerify: true + ## @section Proxy auth configuration ## ref: https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy proxyAuth:
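Review bot: The ServersTransport hard-codes `insecureSkipVerify: true` and is only rendered when that value is set, so the only Traefik mode this chart can produce is one in which Traefik accepts any certificate on the Traefik-to-front hop; anything able to answer on the front Service's address inside the cluster network could then stand in for `front` without Traefik noticing. Traefik's ServersTransport also carries `serverName` and `rootCAsSecrets`, which are enough to verify front's certificate (its SAN will normally not match the Service DNS name, hence `serverName`), so I would render the resource whenever `ingress.type` is `traefik` and let the spec carry the verification policy, with the two new values added next to `insecureSkipVerify` in values.yaml. The resource also carries none of the chart's common labels, unlike the other front templates; `labels: {{- include "common.labels.standard" . | nindent 4 }}` would match them if that helper is what the rest of the chart uses (not visible in this diff). The header comment would then read `# Traefik ServersTransport for the front backend; rendered only for ingress.type=traefik`.

```yaml
{{- if and (eq .Values.ingress.type "traefik") .Values.ingress.enabled }}
# … unchanged: ---, apiVersion, kind, metadata …
spec:
  insecureSkipVerify: {{ .Values.ingress.traefik.insecureSkipVerify }}
  {{- with .Values.ingress.traefik.serverName }}
  serverName: {{ . | quote }}
  {{- end }}
  {{- with .Values.ingress.traefik.rootCAsSecrets }}
  rootCAsSecrets: {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
```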
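Review bot: `insecureSkipVerify: true` is an insecure-by-default setting whose `@param` line says what it toggles but not what it costs: with it on, Traefik accepts any certificate presented by the front pod, and neither values.yaml nor the generated README row tells the operator that the in-cluster hop is then unauthenticated. I would extend the comment to `## @param ingress.traefik.insecureSkipVerify Disable TLS verification between Traefik and the front pod (true: Traefik accepts any certificate from the backend; only acceptable where the pod network is trusted)`. `ingress.type` is only ever compared against `traefik` in the templates, so any other string silently behaves as `nginx`; the comment should say so, e.g. `## @param ingress.type Ingress controller type: nginx (default) or traefik; any other value is treated as nginx`. Whether a verified default is practical depends on the certificate front serves, which this diff does not show; the enclosing `ingress:` mapping starts before the hunk.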