diff --git a/templates/configmap-autodiscover.yaml b/templates/configmap-autodiscover.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..64e70a210bd474787b31ca4809568a9fa5ee2df9
--- /dev/null
+++ b/templates/configmap-autodiscover.yaml
@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mailu-helm.fullname" . }}-autodiscover
+ labels:
+ {{- include "mailu-helm.labels" . | nindent 4 }}
+ component: autodiscover
+data:
+ config-v1.1.xml: |-
+ <?xml version="1.0" encoding="UTF-8"?>
+ <clientConfig version="1.1">
+ <emailProvider id="{{ .Values.config.domain }}">
+ <domain>{{ .Values.config.domain }}</domain>
+ <displayName>{{ .Values.config.siteName }}</displayName>
+ <displayShortName>{{ .Values.config.domain }}</displayShortName>
+ <incomingServer type="imap">
+ <hostname>{{ .Values.config.domain }}</hostname>
+ <port>993</port>
+ <socketType>SSL</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </incomingServer>
+ <outgoingServer type="smtp">
+ <hostname>kuschku.de</hostname>
+ <port>465</port>
+ <socketType>SSL</socketType>
+ <authentication>password-cleartext</authentication>
+ <username>%EMAILADDRESS%</username>
+ </outgoingServer>
+ <documentation url="{{ .Values.admin.host }}{{ .Values.admin.path }}/ui/client">
+ <descr lang="en">Configure your email client</descr>
+ </documentation>
+ </emailProvider>
+ </clientConfig>
+ autodiscover.xml: |-
+ <?xml version="1.0" encoding="utf-8" ?>
+ <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
+ <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
+ <User>
+ <DisplayName>{{ .Values.config.siteName }}</DisplayName>
+ </User>
+ <Account>
+ <AccountType>email</AccountType>
+ <Action>settings</Action>
+ <ServiceHome>{{ .Values.admin.host }}{{ .Values.admin.path }}</ServiceHome>
+ <Protocol>
+ <Type>IMAP</Type>
+ <Server>{{ .Values.config.domain }}</Server>
+ <Port>993</Port>
+ <DomainRequired>true</DomainRequired>
+ <SPA>off</SPA>
+ <SSL>on</SSL>
+ <AuthRequired>on</AuthRequired>
+ <SMTPLast>off</SMTPLast>
+ </Protocol>
+ <Protocol>
+ <Type>SMTP</Type>
+ <Server>{{ .Values.config.domain }}</Server>
+ <Port>465</Port>
+ <DomainRequired>true</DomainRequired>
+ <SPA>off</SPA>
+ <SSL>on</SSL>
+ <AuthRequired>on</AuthRequired>
+ <SMTPLast>off</SMTPLast>
+ </Protocol>
+ <Protocol>
+ <Type>DAV</Type>
+ <Server>{{ .Values.webdav.host }}{{ .Values.webdav.path }}</Server>
+ <DomainRequired>true</DomainRequired>
+ <SPA>off</SPA>
+ <SSL>on</SSL>
+ <AuthRequired>on</AuthRequired>
+ </Protocol>
+ </Account>
+ </Response>
+ </Autodiscover>
+ mta-sts.txt: |-
+ version: STSv1
+ mode: enforce
+ {{ range .Values.config.hostnames -}}
+ mx: {{ . }}
+ {{ end -}}
+ max_age: 604800
diff --git a/templates/deploy-autodiscover.yaml b/templates/deploy-autodiscover.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5e268bc83bccf6473d50b76cd7410b888353e482
--- /dev/null
+++ b/templates/deploy-autodiscover.yaml
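Review bot: In templates/configmap-autodiscover.yaml the `<outgoingServer type="smtp">` block of `config-v1.1.xml` hard-codes `<hostname>kuschku.de</hostname>`, so every install of this chart tells mail clients to submit mail, with `password-cleartext` authentication, to that fixed host instead of the deployment's own server. The IMAP block above it and the SMTP `<Server>` in `autodiscover.xml` both use the configured domain, so this looks like a leftover; the line should read `<hostname>{{ .Values.config.domain }}</hostname>`. Separately, `siteName` and the domain values are placed into XML without escaping, so a site name containing `&` or `<` would produce a malformed document.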
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "mailu-helm.fullname" . }}-autodiscover
+ labels:
+ component: autodiscover
+ {{- include "mailu-helm.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ component: autodiscover
+ {{- include "mailu-helm.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ component: autodiscover
+ {{- include "mailu-helm.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ volumes:
+ - name: config
+ configMap:
+ name: {{ include "mailu-helm.fullname" . }}-autodiscover
+ containers:
+ - name: autodiscover
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "nginx:stable-alpine"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: "http"
+ containerPort: 80
+ protocol: "TCP"
+ resources:
+ {{- toYaml .Values.admin.resources | nindent 12 }}
+ volumeMounts:
+ - name: config
+ mountPath: "/usr/share/nginx/html"
+ - name: config
+ mountPath: "/usr/share/nginx/html/mail"
+ startupProbe:
+ httpGet:
+ path: /config-v1.1.xml
+ port: http
+ periodSeconds: 10
+ failureThreshold: 30
+ timeoutSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /config-v1.1.xml
+ port: http
+ periodSeconds: 10
+ failureThreshold: 3
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /config-v1.1.xml
+ port: http
+ periodSeconds: 10
+ failureThreshold: 1
+ timeoutSeconds: 5
diff --git a/templates/ingress-admin.yaml b/templates/ingress-admin.yaml
index c3c7a185bf3df8c0743516a3af4fcfbd80e8ecfb..72c3641f9a62ef07712776bd31ed482c9747e1c3 100644
--- a/templates/ingress-admin.yaml
+++ b/templates/ingress-admin.yaml
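Review bot: The container image in templates/deploy-autodiscover.yaml is the literal `image: "nginx:stable-alpine"`, a floating tag that cannot be overridden or pinned from values, so what actually runs changes whenever the upstream tag moves and a rollout is not reproducible. I would make it configurable, for example `image: "{{ .Values.autodiscover.image.repository }}:{{ .Values.autodiscover.image.tag }}"` (these value keys would be new), and default it to a fixed version or a `@sha256:<digest>` reference. The pod also reuses `.Values.securityContext` and `.Values.admin.resources` from other components while listening on `containerPort: 80`; if that security context runs as non-root or drops capabilities, the stock nginx image may fail to bind the port, so an unprivileged port or a dedicated values block is worth considering.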
@@ -6,17 +6,13 @@ metadata: {{- include "mailu-helm.labels" . | nindent 4 }} component: admin annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/server-snippet: |- location @login { return 302 "/sso/login"; } - - location ~ ^/.well-known/(carddav|caldav) { - return 301 "{{ .Values.webdav.path }}"; - } + {{- range $key, $value := .Values.ingress.annotations }} + {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }} + {{- end }} spec: rules: - host: "{{ .Values.admin.host }}" diff --git a/templates/ingress-antispam.yaml b/templates/ingress-antispam.yaml index aff0191d708859839f40ea3151f29059794317ae..930207c3ab7d9764ed544ae74fe8ac96866124c4 100644 --- a/templates/ingress-antispam.yaml +++ b/templates/ingress-antispam.yaml @@ -6,14 +6,15 @@ metadata: {{- include "mailu-helm.labels" . | nindent 4 }} component: antispam annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/auth-url: "http://{{ include "mailu-helm.fullname" . }}-admin.{{ .Release.Namespace }}.svc.{{ .Values.clusterSuffix }}/internal/auth/admin" nginx.ingress.kubernetes.io/configuration-snippet: | proxy_set_header X-Real-IP ""; proxy_set_header X-Forwarded-For ""; proxy_set_header Password "mailu"; + {{- range $key, $value := .Values.ingress.annotations }} + {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }} + {{- end }} spec: rules: - host: "{{ .Values.admin.host }}" diff --git a/templates/ingress-autodiscover.yaml b/templates/ingress-autodiscover.yaml new file mode 100644 index 0000000000000000000000000000000000000000..a808aa46b98a63ac157b0c307ea6883bef6d0938 --- /dev/null +++ b/templates/ingress-autodiscover.yaml 
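Review bot: Removing the fixed `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` annotation in templates/ingress-admin.yaml, while the new `ingress.annotations` value defaults to `{}`, means a default install no longer forces HTTPS on this ingress; the antispam, webdav and webmail hunks drop the same annotation. These ingresses carry logins and the auth-request headers, so the safe behaviour should stay the default, either by keeping the annotation in the templates or by shipping `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` under `ingress.annotations` in values.yaml. The `kubernetes.io/ingress.class` annotation is removed as well and no `ingressClassName` is visible in the hunk (the `spec:` continues outside it), so which controller picks these resources up now depends on the cluster default. In the new loop, `tpl $value $` expects a string, so an annotation written as an unquoted boolean or number in values will fail to render; `(tpl (toString $value) $ | quote)` avoids that.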
@@ -0,0 +1,64 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "mailu-helm.fullname" . }}-autodiscover
+ labels:
+ {{- include "mailu-helm.labels" . | nindent 4 }}
+ component: autodiscover
+ annotations:
+ nginx.ingress.kubernetes.io/cache-enable: "true"
+ nginx.ingress.kubernetes.io/cache-generation: "2"
+ nginx.ingress.kubernetes.io/cache-whitelist-query-params: ""
+ nginx.ingress.kubernetes.io/configuration-snippet: |-
+ rewrite ^/.well-known/(carddav|caldav)$ "https://{{ .Values.webdav.host }}{{ .Values.webdav.path }}" permanent;
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+ {{- end }}
+spec:
+ rules:
+ {{ range .Values.config.hostnames }}
+ - host: {{ . }}
+ http:
+ paths:
+ - path: "/.well-known/carddav"
+ backend:
+ service:
+ name: {{ include "mailu-helm.fullname" $ }}-autodiscover
+ port:
+ name: http
+ pathType: Prefix
+ - path: "/.well-known/caldav"
+ backend:
+ service:
+ name: {{ include "mailu-helm.fullname" $ }}-autodiscover
+ port:
+ name: http
+ pathType: Prefix
+ - path: "/.well-known/mta-sts.txt"
+ backend:
+ service:
+ name: {{ include "mailu-helm.fullname" $ }}-autodiscover
+ port:
+ name: http
+ pathType: Prefix
+ {{ end }}
+ - host: "autodiscover.{{ .Values.config.domain }}"
+ http:
+ paths:
+ - path: "/"
+ backend:
+ service:
+ name: {{ include "mailu-helm.fullname" . }}-autodiscover
+ port:
+ name: http
+ pathType: Prefix
+ - host: "autoconfig.{{ .Values.config.domain }}"
+ http:
+ paths:
+ - path: "/"
+ backend:
+ service:
+ name: {{ include "mailu-helm.fullname" . }}-autodiscover
+ port:
+ name: http
+ pathType: Prefix
diff --git a/templates/ingress-webdav.yaml b/templates/ingress-webdav.yaml
index 14f6f687173ed81fbd739c82de4fbfb50b157357..040fb327545b45ffc5c103f10f316fb35faaf088 100644
--- a/templates/ingress-webdav.yaml
+++ b/templates/ingress-webdav.yaml
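Review bot: The new Ingress in templates/ingress-autodiscover.yaml has no `tls:` block and no redirect annotation of its own, so with the default empty `ingress.annotations` the autoconfig and autodiscover documents can be fetched over plain HTTP, where an on-path party can rewrite the server names that clients will send their passwords to. The MTA-STS policy has a stricter requirement: senders fetch it only over HTTPS from `mta-sts.<domain>`, and no rule for that host is rendered unless it happens to be listed in `config.hostnames`. The ConfigMap is mounted at the web root and under `/mail`, so `/.well-known/mta-sts.txt` probably does not resolve to the file either, since only the carddav/caldav paths are rewritten. I would add a TLS section covering every host in the rules (sketch below, secret name is a placeholder), add a rule for the `mta-sts.` host and quote the templated host as `- host: {{ . | quote }}`.

```yaml
spec:
  # constructed example: replace the secret name with the chart's real certificate secret
  tls:
    - secretName: "<autodiscover-tls-secret>"
      hosts:
        {{- range .Values.config.hostnames }}
        - {{ . | quote }}
        {{- end }}
        - "autodiscover.{{ .Values.config.domain }}"
        - "autoconfig.{{ .Values.config.domain }}"
  rules:
    # … unchanged: per-hostname and autodiscover/autoconfig rules …
```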
@@ -6,16 +6,16 @@ metadata: {{- include "mailu-helm.labels" . | nindent 4 }} component: webdav annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/auth-url: "http://{{ include "mailu-helm.fullname" . }}-admin.{{ .Release.Namespace }}.svc.{{ .Values.clusterSuffix }}/internal/auth/basic" nginx.ingress.kubernetes.io/configuration-snippet: |- auth_request_set $user $upstream_http_x_user; proxy_set_header X-Remote-User $user; proxy_set_header X-Script-Name "{{ .Values.webdav.path }}"; - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/rewrite-target: /$2 + {{- range $key, $value := .Values.ingress.annotations }} + {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }} + {{- end }} spec: rules: - host: "{{ .Values.webdav.host }}" diff --git a/templates/ingress-webmail.yaml b/templates/ingress-webmail.yaml index 737ba77447636048b4938a306ade5776f817567e..5bd1839e819b14a347ebeeedc5fafb14d385944d 100644 --- a/templates/ingress-webmail.yaml +++ b/templates/ingress-webmail.yaml @@ -6,7 +6,6 @@ metadata: {{- include "mailu-helm.labels" . | nindent 4 }} component: webmail annotations: - kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/auth-url: "http://{{ include "mailu-helm.fullname" . }}-admin.{{ .Release.Namespace }}.svc.{{ .Values.clusterSuffix }}/internal/auth/user" nginx.ingress.kubernetes.io/configuration-snippet: |- @@ -15,8 +14,9 @@ metadata: auth_request_set $token $upstream_http_x_user_token; proxy_set_header 'X-Remote-User-Token' $token; error_page 403 @login; - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/proxy-body-size: "0" + {{- range $key, $value := .Values.ingress.annotations }} + {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }} + {{- end }} spec: rules: - host: "{{ .Values.webmail.host }}" 
diff --git a/templates/service-autodiscover.yaml b/templates/service-autodiscover.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7b7e33819d989bfd4f15d029fcb371d8b288096b --- /dev/null +++ b/templates/service-autodiscover.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mailu-helm.fullname" . }}-autodiscover + labels: + {{- include "mailu-helm.labels" . | nindent 4 }} + component: autodiscover +spec: + type: {{ .Values.service.type }} + ports: + - port: 80 + targetPort: http + protocol: "TCP" + name: http + selector: + {{- include "mailu-helm.selectorLabels" . | nindent 4 }} + component: autodiscover diff --git a/values.yaml b/values.yaml index 4d77aa04ffef885fdd33062ff9f0f136f07390bf..683df70eb95334005af38bb953a33f01adacb35f 100644 --- a/values.yaml +++ b/values.yaml @@ -12,7 +12,10 @@ image: config: secretKey: "changeMe" domain: "example.com" - hostnames: "example.com,mail.example.com,imap.example.com" + hostnames: + - "example.com" + - "mail.example.com" + - "imap.example.com" passwordScheme: "PBKDF2" messageSizeLimit: "500000000" realIpFrom: "0.0.0.0/0" @@ -151,3 +154,6 @@ nodeSelector: { } tolerations: [ ] affinity: { } + +ingress: + annotations: {}
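Review bot: Turning `config.hostnames` in values.yaml from a comma-separated string into a list changes its type for every consumer, and none of the hunks shown updates a template that previously passed it on as a string. If such a consumer exists outside this diff (an environment variable, for instance), it would now render a Go list representation rather than `example.com,mail.example.com,...`; it should use `{{ join "," .Values.config.hostnames }}` instead. The same list now also produces the `mx:` lines of the `mode: enforce` MTA-STS policy and the ingress hosts, so it has to contain exactly the names that are real MX targets. A comment above the key saying so, plus a note in the upgrade instructions, would help operators who carry over an old values file.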