Remove service image overrides from kustomization - use base manifest tags [skip ci]

infrastructure/platform/mail/mailu-helm/prod/values.yaml

@@ -21,6 +21,11 @@ domain: "bakewise.ai"
 hostnames:
   - "mail.bakewise.ai"
 
+# Network configuration for MicroK8s
+# This must match your cluster's pod CIDR
+# MicroK8s default is 10.1.0.0/16, but check with: kubectl cluster-info dump | grep -m 1 cluster-cidr
+subnet: "10.1.0.0/16"
+
 # Initial admin account for production environment
 # Password is stored in mailu-admin-credentials secret
 initialAccount:
@@ -31,17 +36,13 @@ initialAccount:
   existingSecretPasswordKey: "password"
   mode: "ifmissing"
 
-# External relay configuration for production (Mailgun)
-# All outbound emails will be relayed through Mailgun SMTP
-# To configure:
-#   1. Register at mailgun.com and verify your domain (bakewise.ai)
-#   2. Get your SMTP credentials from Mailgun dashboard
-#   3. Update the secret in configs/mailgun-credentials-secret.yaml
-#   4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
+# External relay configuration for production (MailerSend)
+# All outbound emails will be relayed through MailerSend SMTP
+# Secret already exists: mailu-mailersend-credentials
 externalRelay:
-  host: "[smtp.mailgun.org]:587"
-  # Credentials loaded from Kubernetes secret
-  secretName: "mailu-mailgun-credentials"
+  host: "[smtp.mailersend.net]:2525"
+  # Credentials loaded from existing Kubernetes secret
+  secretName: "mailu-mailersend-credentials"
   usernameKey: "RELAY_USERNAME"
   passwordKey: "RELAY_PASSWORD"
 
@@ -136,12 +137,31 @@ antivirus:
   enabled: true
   flavor: "clamav"
 
-# Production-specific settings
+# Production-specific environment settings
+# CRITICAL: These must be consistent with the ingress/proxy setup
 env:
   DEBUG: "false"
-  LOG_LEVEL: "WARNING"
-  TLS_FLAVOR: "cert"
-  REDIS_PASSWORD: "secure-redis-password"
+  LOG_LEVEL: "INFO"  # Temporarily set to INFO for debugging
+  # TLS_FLAVOR must be "notls" when using external reverse proxy for TLS termination
+  # The ingress handles TLS and sends X-Forwarded-Proto: https
+  TLS_FLAVOR: "notls"
+  # Session cookie settings for reverse proxy setup
+  # SESSION_COOKIE_SECURE must be True since we're serving over HTTPS (via ingress)
+  SESSION_COOKIE_SECURE: "true"
+  # Increase session timeout to prevent premature logouts
+  SESSION_TIMEOUT: "3600"
+  PERMANENT_SESSION_LIFETIME: "108000"
+  # CRITICAL: Tell Mailu it's behind a reverse proxy
+  # This ensures proper URL generation for redirects
+  PROXY_PROTOCOL: "false"
+  # Trust the ingress controller's IP for real IP headers
+  REAL_IP_HEADER: "X-Real-IP"
+  REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+  # CRITICAL: Disable rate limiting temporarily to debug the sso.php redirect loop
+  # Reference: https://github.com/Mailu/Mailu/issues/3094
+  # The webmail can get rate-limited causing infinite redirect loops
+  AUTH_RATELIMIT_IP: "10000/minute"
+  AUTH_RATELIMIT_USER: "10000/day"
 
 # Enable monitoring in production
 monitoring: