helm-charts

fix: Fix Traefik TLS verification to front

Open fastlorenzo opened this issue 1 year ago • 3 comments

This pull request introduces several changes fixing support for Traefik as an ingress controller and allowing the disabling of TLS verification between Traefik and the backend.

Documentation updates:

  • mailu/README.md: Added descriptions for new ingress settings, including ingress.type and ingress.traefik.insecureSkipVerify.

Configuration updates:

  • mailu/values.yaml: Introduced new parameters ingress.type and ingress.traefik.insecureSkipVerify to support Traefik and allow disabling TLS verification.

Template updates:

  • mailu/templates/front/ingress.yaml: Added conditional annotations for Traefik when ingress.traefik.insecureSkipVerify is enabled.
  • mailu/templates/front/service.yaml: Included serversTransport configuration for Traefik when ingress.traefik.insecureSkipVerify is enabled.
  • mailu/templates/front/traefik-serverstransport.yaml: Added a new template for ServersTransport resource configuration when using Traefik with insecureSkipVerify.

Fixes #368

Dec 27 '24 20:12 fastlorenzo

I tried this locally and it only worked when adding the following annotation to the mailu-front service. I removed all traefik annotations from the ingress and only added this one to the service.

    traefik.ingress.kubernetes.io/service.serverstransport: mailu-mailu@kubernetescrd

Also, helm warns about the serversTransport field:

    W1229 15:25:16.280479   52728 warnings.go:70] unknown field "spec.ports[12].serversTransport"

Dec 29 '24 14:12 DrPsychick
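
Added example, not part of the PR or of any comment in this thread: the ServersTransport that insecureSkipVerify produces, next to a variant that keeps backend certificate verification on, attached through the Service annotation reported to work above. The apiVersion (traefik.io CRD group), the namespace, the mailu-verified and mailu-front-ca names, the serverName, and the Service selector and port are assumptions for illustration.

```yaml
# Added example; names marked "hypothetical" are not from the chart.
---
# Weak setting: Traefik accepts any certificate the backend presents, so the
# Traefik -> front hop is encrypted but the backend is not authenticated.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: mailu
  namespace: mailu
spec:
  insecureSkipVerify: true
---
# Stricter variant: verification stays on and Traefik is told which CA and
# which server name to expect from the front pod.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: mailu-verified            # hypothetical
  namespace: mailu
spec:
  serverName: mail.example.com    # placeholder; must match a SAN in front's cert
  rootCAsSecrets:
    - mailu-front-ca              # hypothetical Secret holding the issuing CA
---
# The transport is referenced from Service annotations in the form
# <namespace>-<name>@kubernetescrd. A Kubernetes Service port has no
# serversTransport field, which is why placing it under spec.ports
# triggers the "unknown field" warning.
apiVersion: v1
kind: Service
metadata:
  name: mailu-front
  namespace: mailu
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
    traefik.ingress.kubernetes.io/service.serverstransport: mailu-mailu-verified@kubernetescrd
spec:
  selector:
    app.kubernetes.io/component: front   # hypothetical selector
  ports:
    - name: https
      port: 443
      targetPort: 443
```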

Hi everyone

Just wondering if there’s any update on this topic?

I tried applying the suggested solution with my Traefik setup, but it looks like the Ingress isn’t working properly. From what I can tell, the problem comes from the fact that it’s not possible to clearly separate the HTTP port from the mail service ports.

It might be useful to introduce a way to split those concerns:

  • HTTP(S) traffic could be routed through Traefik (via Ingress).
  • Mail-specific ports could still be exposed through a NodePort or another service type.

That way we could leverage Traefik for the web parts (admin/webmail, API, etc.) while keeping the mail protocols accessible.

Sep 21 '25 17:09 Teravla

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

Oct 23 '25 02:10 github-actions[bot]