authorPaul Buetow <paul@buetow.org>2026-06-20 10:52:41 +0300
committerPaul Buetow <paul@buetow.org>2026-06-20 10:52:41 +0300
commit87d8b7b36c3528b7ad14e01ac0aec06df88d6ff3 (patch)
tree3c5cfb60fa123784baded153857eb7d0c5d0bd5f /f3s
parentf4988baeeb975ff33a1d62b01e0cda17c7da9c7e (diff)
protonbridge: switch to --noninteractive daemon mode for clean k8s exec login
The faketty pipe approach from the shenxn image caused CrashLoopBackOff: writing to the FIFO via echo sends EOF which terminates cat and bridge.

Instead: override entrypoint to run bridge --noninteractive directly (the bridge binary at /usr/lib/protonmail/bridge/bridge). Bridge v3 embeds a gRPC server; the separate 'bridge --cli' exec connects to it as a client.

Login flow:
  kubectl exec -it <pod> -- /usr/lib/protonmail/bridge/bridge --cli

socat port forwarding (25→1025, 143→1143) preserved in the entrypoint.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'f3s')
-rw-r--r--f3s/protonbridge/helm-chart/templates/deployment.yaml38
1 files changed, 26 insertions, 12 deletions
diff --git a/f3s/protonbridge/helm-chart/templates/deployment.yaml b/f3s/protonbridge/helm-chart/templates/deployment.yaml
index 95c461f..a14619c 100644
--- a/f3s/protonbridge/helm-chart/templates/deployment.yaml
+++ b/f3s/protonbridge/helm-chart/templates/deployment.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
replicas: 1
# Recreate so the old pod fully terminates before the new one starts —
- # prevents two bridge instances racing for the same config/keychain on NFS.
+ # prevents two bridge instances racing for the same vault on NFS.
strategy:
type: Recreate
selector:
@@ -72,21 +72,35 @@ spec:
mountPath: /bridge-data
containers:
- name: protonbridge
- # Bridge v3 headless. Reads keychain from pass (set up by the init container).
- # IMAP + SMTP listen once an account is logged in.
+ # Bridge v3 in non-interactive daemon mode. The gRPC server embedded in bridge
+ # allows a separate CLI client process to connect for initial login and management.
#
- # FIRST-TIME SETUP (run once):
- # kubectl exec -it -n services <pod> -- bridge --cli
- # > login
- # Enter ProtonMail credentials. Session persists in pass on PVC.
- # Run 'info' in the CLI to get the IMAP/SMTP bridge password.
+ # FIRST-TIME SETUP (run once after pod is Running):
+ # 1. Get pod name: kubectl get pod -n services -l app=protonbridge
+ # 2. Connect the interactive CLI to the running bridge daemon:
+ # kubectl exec -it -n services <pod-name> -- /usr/lib/protonmail/bridge/bridge --cli
+ # 3. At the bridge> prompt: type 'login'
+ # 4. Enter ProtonMail email and password when prompted
+ # 5. After login, run: info (note the IMAP/SMTP bridge passwords)
+ # 6. Type: quit (exits CLI; bridge daemon keeps running)
#
- # EMAIL CLIENT SETUP:
- # IMAP: <r-vm-lan-ip>:30143, STARTTLS, accept self-signed cert
- # SMTP: <r-vm-lan-ip>:30025, STARTTLS, accept self-signed cert
+ # Session persists in pass on NFS PVC; subsequent restarts reconnect automatically.
+ #
+ # EMAIL CLIENT SETUP (after login):
+ # IMAP: <any-r-vm-lan-ip>:30143, STARTTLS, accept self-signed cert
+ # SMTP: <any-r-vm-lan-ip>:30025, STARTTLS, accept self-signed cert
# Username: your ProtonMail address
- # Password: bridge-generated password (from 'info' in bridge --cli)
+ # Password: bridge-generated password (from 'info' in the CLI above)
image: shenxn/protonmail-bridge:latest
+ command:
+ - /bin/bash
+ - -c
+ - |
+ export GNUPGHOME=/bridge-data/.gnupg
+ export PASSWORD_STORE_DIR=/bridge-data/.password-store
+ socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
+ socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+ exec /usr/lib/protonmail/bridge/bridge --noninteractive
env:
- name: GNUPGHOME
value: /bridge-data/.gnupg
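Review bot: The added `command:` hard-codes `/usr/lib/protonmail/bridge/bridge` and assumes `bash` and `socat` exist in the image, yet the `image:` line directly above it is still the mutable third-party tag `shenxn/protonmail-bridge:latest`, so an upstream re-push can change or replace that binary in the pod that holds the ProtonMail session and keychain. Pinning by digest, for example `image: shenxn/protonmail-bridge@sha256:<digest-of-reviewed-image>` (placeholder), would keep the entrypoint override tied to the image contents that were actually reviewed. The two `socat ... &` forwarders are unsupervised once `exec` replaces the shell, so a failed bind on 25 or 143 leaves the pod Running with no mail ports; a `readinessProbe` using `tcpSocket` on those ports would surface that, unless one already exists in the part of the container spec outside this hunk. The script's `export` lines do not reach a `kubectl exec` session, so the CLI step in the comment takes its environment only from the `env:` block, which continues past the end of the hunk.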