Description
Hi,
We tried to deploy Mailu with EKS and AWS Load Balancer Controller.
We modified the mailu-front-ext service to use a Network Load Balancer with a DNS name and tried to implement HTTPS and IMAPS connections.
My values.yaml
externalService:
  enabled: true
  type: LoadBalancer
  ## Example for LoadBalancer:
  ## type: LoadBalancer
  loadBalancerIP: ""
  externalTrafficPolicy: Local
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ******
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "993,443"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "80"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/health"
    service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0
    external-dns.alpha.kubernetes.io/hostname: mail.****.net
  ports:
    pop3: false
    pop3s: true
    imap: true
    imaps: true
    smtp: true
    smtps: true
    submission: false
    manageSieve: true
extraEnvVars:
  - name: TLS_FLAVOR
    value: "notls"
ingress:
  enabled: false
mailu-front-ext-service-patches.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: front
    app.kubernetes.io/instance: mailu
  name: mailu-front-ext
  namespace: app-systems
spec:
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
We also removed the default cert volumes and volumeMounts from the Mailu deployment with patches.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - mailu-admin-config.yaml
patches:
  - path:
  - path:
  - path: mailu-front-ext-service-patches.yaml
patchesJson6902:
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: mailu-front
      namespace: app-systems
    patch: |-
      - op: remove
        path: /spec/template/spec/volumes
      - op: remove
        path: /spec/template/spec/containers/0/volumeMounts
We tried to override the default nginx.conf to change the mail section, but there is no include /overrides/*.conf; in the mail section; the override include is defined for the http section only.
Configmap to override the nginx.conf
apiVersion: v1
kind: ConfigMap
metadata:
  name: mailu-nginx-conf-override
  namespace: app-systems
data:
  nginx.conf: |
    # The only change is in the mail section for port 993
    mail {
      server_name {{ HOSTNAMES.split(",")[0] }};
      auth_http http://127.0.0.1:8000/auth/email;
      proxy_pass_error_message on;
      resolver {{ RESOLVER }} valid=30s;
      error_log /dev/stderr info;
      {% if PROXY_PROTOCOL in ['all', 'mail'] and REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
      set_real_ip_from {{ from_ip }};
      {% endfor %}{% endif %}
      # IMAPS server block
      # No "ssl" on the listen directives: TLS is terminated at the NLB, so nginx
      # receives plaintext IMAP on 993 and proxies it to the IMAP backend on 143.
      server {
        listen 993{% if PROXY_PROTOCOL in ['all', 'mail'] %} proxy_protocol{% endif %};
        {% if SUBNET6 %}
        listen [::]:993{% if PROXY_PROTOCOL in ['all', 'mail'] %} proxy_protocol{% endif %};
        {% endif %}
        protocol imap;
        imap_auth plain;
        auth_http_header Auth-Port 993;
        proxy_pass {{ IMAP_ADDRESS }}:143;
        proxy_protocol on;
      }
    }
We couldn't connect to the host on the IMAPS port, and we could reach the host URL only over HTTP, even though we defined the certificate in the annotations.
We would be very grateful if you could help us implement a Network Load Balancer with the AWS LB controller.
Note:
I hope this will be helpful to whoever wants to use ingress with AWS LB and External DNS.
Ingress is working with AWS LB with the Deployment patches mentioned above.
But you can't access the host with IMAPS; we must use a Network Load Balancer.
This is our ingress configuration for the Application Load Balancer:
ingress:
  enabled: true
  ingressClassName: alb
  pathType: Prefix
  apiVersion: ''
  path: "/"
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/success-codes: 200,301
    alb.ingress.kubernetes.io/group.name: systems-group
    external-dns.alpha.kubernetes.io/hostname: mail.******-dev.net
  tls: false
  selfSigned: false
  extraHosts: []
  extraPaths: []
  extraTls: []
  secrets: []
  extraRules: []
  realIpHeader: X-Forwarded-For
  realIpFrom: ''
  tlsFlavorOverride: notls
mailu-ingress-patches.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mailu
  namespace: app-systems
  labels:
    app.kubernetes.io/instance: mailu
spec:
  tls:
    - hosts:
        - mail.*****-dev.net
kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - mailu-admin-config.yaml
  -
patches:
  - path:
  - path:
  - path: mailu-ingress-patches.yaml
patchesJson6902:
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: mailu-front
      namespace: app-systems
    patch: |-
      - op: remove
        path: /spec/template/spec/volumes
      - op: remove
        path: /spec/template/spec/containers/0/volumeMounts
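An added diagnostic for the IMAPS symptom reported in this issue (example code written for this edit, not code from the issue author, from Mailu or from the Helm chart). It connects to a host:port and reports whether TLS is terminated there, whether the peer is speaking plaintext IMAP, or whether nothing is listening. That separates "the NLB terminates TLS but the backend port it forwards to is closed" (the handshake succeeds, then no IMAP greeting arrives) from "nginx is serving plaintext IMAP on 993" and from a plain connection refusal. The local fake listener, the port choice and the hostnames are constructed for the demo; certificate verification is disabled only because this is a probe, and must never be done in a real mail client.

```python
"""Probe an IMAP endpoint and report how (or whether) TLS is terminated in front of it.

Added example for this issue; not code from the issue author, Mailu or the Helm chart.
"""
import socket
import ssl
import threading


def _read_greeting(sock, timeout):
    """Return the IMAP greeting the peer sends first, or '' if it closes or stays silent."""
    sock.settimeout(timeout)
    try:
        return sock.recv(512).decode("ascii", "replace").strip()
    except OSError:  # timeout, reset or EOF before any greeting
        return ""


def probe_imap(host, port, timeout=3.0):
    """Classify what is listening on host:port.

    'refused'        nothing accepts the TCP connection
    'tls'            TLS handshake succeeds and an IMAP '* OK' greeting follows
    'tls-no-banner'  TLS handshake succeeds but no greeting arrives: something (e.g. an
                     NLB) terminated TLS and the backend behind it closed or never answered
    'plaintext'      the peer speaks plain IMAP, so no TLS is terminated at this port
    'silent'         connected, but neither TLS nor an IMAP greeting
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"

    # Diagnostic only: verification is off so a mismatched or self-signed LB cert
    # still lets us see whether TLS is terminated. Never do this in a real client.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:
        # The peer answered with something that is not TLS (a plaintext "* OK"
        # greeting is parsed as a bad TLS record); wrap_socket closed the socket.
        pass
    except OSError:
        return "silent"  # no TLS and no bytes at all before the timeout
    else:
        greeting = _read_greeting(tls, timeout)
        tls.close()
        return "tls" if greeting.startswith("* OK") else "tls-no-banner"

    # Not TLS: reconnect and read whatever the peer sends unencrypted.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            greeting = _read_greeting(plain, timeout)
    except OSError:
        return "refused"
    return "plaintext" if greeting.startswith("* OK") else "silent"


def start_fake_plain_imap(banner=b"* OK constructed fake IMAP server ready\r\n"):
    """Constructed stand-in for a plaintext IMAP listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)          # greet first, like a real IMAP server
                conn.settimeout(1.0)
                try:
                    conn.recv(64)             # swallow whatever arrives (e.g. a ClientHello)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Pick a port nothing listens on (bind-and-release) to demonstrate 'refused'."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    fake = start_fake_plain_imap()
    print("plaintext listener :", probe_imap("127.0.0.1", fake))
    print("closed port        :", probe_imap("127.0.0.1", free_closed_port()))
    # Against a real deployment: probe_imap("mail.example.net", 993)  (hostname assumed)
```

Run it against the NLB DNS name on 993 and on 143. With the service above, a 'tls-no-banner' result on 993 means the NLB completed the handshake but the pod has nothing on its 993 target port, which is what a TLS_FLAVOR=notls front without a plain 993 listener would produce; 'plaintext' on 993 means TLS is not being terminated in front of that port at all.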