Fix resources isues 22

infrastructure/platform/mail/mailu-helm/prod/values.yaml

@@ -103,18 +103,24 @@ replicaCount: 1  # Can be increased in production as needed
 secretKey: "generate-strong-key-here-for-production"
 
 # Ingress configuration for production - disabled to use with existing ingress
+# External nginx-ingress handles TLS termination and proxies to Mailu front
 ingress:
-  enabled: false  # Disable chart's Ingress; use existing one
+  enabled: false  # Disable chart's Ingress; use existing mailu-ingress.yaml
   tls: false      # Disable TLS in chart since ingress handles it
-  tlsFlavorOverride: notls  # No TLS on internal NGINX; expect external proxy to handle TLS
-  realIpHeader: X-Forwarded-For  # Header for client IP from your Ingress
-  realIpFrom: 0.0.0.0/0  # Trust all proxies (restrict to your Ingress pod CIDR for security)
+  tlsFlavorOverride: notls  # No TLS on internal NGINX; external ingress handles TLS
+  # CRITICAL: Real IP header configuration for proper client IP detection
+  # This must match the header set by nginx-ingress (X-Real-IP)
+  # Reference: https://mailu.io/2.0/reverse.html
+  realIpHeader: X-Real-IP
+  realIpFrom: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"  # Trust cluster pod CIDRs
   path: /
   pathType: ImplementationSpecific
 
-# TLS flavor for production (uses Let's Encrypt)
+# TLS flavor for production
+# "notls" because external ingress handles TLS termination
+# The ingress sends X-Forwarded-Proto: https to tell Mailu the original protocol
 tls:
-  flavor: "cert"
+  flavor: "notls"
 
 # Welcome message (enabled in production)
 welcomeMessage: