2026-01-22 12:31:10 +01:00

Mailu Helm Chart for Bakery-IA

This directory contains the Helm chart configuration for Mailu, replacing the previous Kustomize-based setup.

Overview

The Mailu email server is now deployed using the official Mailu Helm chart instead of Kustomize manifests. This provides better maintainability, easier upgrades, and standardized configuration. The setup works behind your existing Ingress controller (NGINX): the Ingress handles traffic routing and TLS termination, then forwards requests over plain HTTP (port 80) to Mailu's internal NGINX, which acts as a proxy for services such as webmail.

Directory Structure

mailu-helm/
├── values.yaml          # Base configuration values
├── dev/
│   └── values.yaml      # Development-specific overrides
├── prod/
│   └── values.yaml      # Production-specific overrides
└── mailu-ingress.yaml   # Sample ingress configuration for use with existing ingress

Critical Configuration Preservation

The following critical configurations from the original Kustomize setup have been preserved:

  • Domain settings: Domain and hostnames for both dev and prod
  • External relay: MailerSend SMTP relay configuration
  • Redis integration: Connection to shared Redis cluster (database 15)
  • Database settings: PostgreSQL connection details
  • Resource limits: CPU and memory requests/limits matching original setup
  • Network policies: Security policies restricting access to authorized services
  • Storage: 10Gi persistent volume for mail data
  • Ingress configuration: Built-in ingress disabled to work with existing ingress

Deployment

Prerequisites

  1. Helm 3.x installed
  2. Kubernetes cluster with storage provisioner
  3. Ingress controller (NGINX) - already deployed in your cluster
  4. Cert-manager for TLS certificates (optional, depends on your ingress setup)
  5. External SMTP relay account (MailerSend - https://mailersend.com)

Deployment Commands

For Development:

helm repo add mailu https://mailu.github.io/helm-charts/
helm repo update
helm install mailu-dev mailu/mailu \
  --namespace bakery-ia \
  --create-namespace \
  --values mailu-helm/values.yaml \
  --values mailu-helm/dev/values.yaml

For Production:

helm repo add mailu https://mailu.github.io/helm-charts/
helm repo update
helm install mailu-prod mailu/mailu \
  --namespace bakery-ia \
  --create-namespace \
  --values mailu-helm/values.yaml \
  --values mailu-helm/prod/values.yaml

Upgrading

To upgrade to a newer version of the Mailu Helm chart:

helm repo update
helm upgrade mailu-dev mailu/mailu \
  --namespace bakery-ia \
  --values mailu-helm/values.yaml \
  --values mailu-helm/dev/values.yaml

Ingress Configuration

The Mailu Helm chart is configured to work with your existing Ingress setup:

  • ingress.enabled: false: Disables the chart's built-in Ingress creation
  • tlsFlavorOverride: notls: Tells Mailu's internal NGINX not to enforce TLS, as your Ingress handles TLS termination
  • realIpHeader: X-Forwarded-For: Ensures Mailu's NGINX logs and processes the correct client IPs from behind your Ingress
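  • realIpFrom: 0.0.0.0/0: Trusts the X-Forwarded-For header from any source address, not just your Ingress. Restrict this to your Ingress pod CIDR for security, so that only the Ingress can set the client IP that Mailu logs and processes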
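
The following is an added example, not part of the Mailu chart or this repository. It models which client address NGINX records under a given realIpFrom value and audits that value against the Ingress pod IPs. It assumes NGINX's default non-recursive real_ip behaviour; the pod IPs, CIDRs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: Ingress controller pod IPs and another in-cluster pod.
INGRESS_PODS = ["10.42.1.17", "10.42.2.9"]
OTHER_POD = "10.42.7.33"

def parse_trusted(real_ip_from):
    """Parse a comma-separated realIpFrom value into network objects."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in real_ip_from.split(",") if c.strip()]

def effective_client_ip(peer_ip, xff_header, real_ip_from):
    """Model of NGINX real_ip with real_ip_recursive off (the NGINX default):
    if the TCP peer is in a trusted range, the client address becomes the
    last entry of X-Forwarded-For; otherwise the header is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if xff_header and any(peer in net for net in parse_trusted(real_ip_from)):
        last = xff_header.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last))
        except ValueError:
            pass  # malformed header entry: keep the TCP peer address
    return peer_ip

def audit_real_ip_from(real_ip_from, ingress_pod_ips, max_hosts=65536):
    """Return findings for a realIpFrom value given the Ingress pod IPs."""
    nets = parse_trusted(real_ip_from)
    findings = []
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"{net}: trusts X-Forwarded-For from any peer")
        elif net.num_addresses > max_hosts:
            findings.append(f"{net}: wider than {max_hosts} addresses")
    for ip in ingress_pod_ips:
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            findings.append(f"{ip}: Ingress pod not covered, real client IP lost")
    return findings

if __name__ == "__main__":
    for value in ("0.0.0.0/0", "10.42.1.17/32,10.42.2.9/32"):
        # Same request from a non-Ingress pod carrying its own header value.
        seen = effective_client_ip(OTHER_POD, "198.51.100.7", value)
        print(f"realIpFrom={value!r}: recorded client {seen};",
              audit_real_ip_from(value, INGRESS_PODS) or "no findings")
```

With the wildcard value, the address recorded for a connection that bypasses the Ingress is whatever the header says; with the restricted value, the header is honoured only when the TCP peer is an Ingress pod.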

Required Ingress Resource

You need to create an Ingress resource to route traffic to Mailu. Here's an example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mailu-ingress
  namespace: bakery-ia  # Same as Mailu's namespace
  annotations:
    kubernetes.io/ingress.class: nginx  # Or your Ingress class
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"  # Allow larger email attachments
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"  # For long connections
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"  # Redirect HTTP to HTTPS
    # If using Cert-Manager: cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - mail.bakery-ia.dev  # or mail.bakewise.ai for prod
    secretName: mail-tls-secret  # Your TLS Secret
  rules:
  - host: mail.bakery-ia.dev  # or mail.bakewise.ai for prod
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: mailu-front-http  # Mailu's front service (check with kubectl get svc -n bakery-ia)
            port:
              number: 80

Apply it: kubectl apply -f ingress.yaml.

This routes all traffic from https://mail.[domain]/ to Mailu's internal NGINX, which proxies to webmail (/webmail), admin (/admin), etc.

Configuration Details

Environment-Specific Values

  • Development (dev/values.yaml):

    • Domain: bakery-ia.local
    • No TLS enforcement internally (handled by ingress)
    • Disabled antivirus to save resources
    • Debug logging level
  • Production (prod/values.yaml):

    • Domain: bakewise.ai
    • No TLS enforcement internally (handled by ingress)
    • Enabled antivirus
    • Warning logging level

Secrets Management

Sensitive values like passwords and API keys should be managed through Kubernetes secrets rather than being stored in the values files. The Helm chart supports referencing existing secrets for:

  • Database passwords
  • Redis passwords
  • External relay credentials
  • Mailu secret key

Integration with Notification Service

The notification service continues to connect to Mailu via the internal service name mailu-postfix.bakery-ia.svc.cluster.local on port 587 with STARTTLS.

Access Information

  • Admin Panel: https://mail.[domain]/admin
  • Webmail: https://mail.[domain]/webmail
  • SMTP: mail.[domain]:587 (STARTTLS) - handled via separate TCP services if needed
  • IMAP: mail.[domain]:993 (SSL/TLS) - handled via separate TCP services if needed

Migration Notes

When migrating from the Kustomize setup to Helm:

  1. Ensure all existing PVCs are preserved during migration
  2. Export any existing mail data before migration if needed
  3. Update any hardcoded service references in other deployments
  4. Verify that network policies still allow necessary communications
  5. Configure your existing ingress to route traffic to the Mailu services