From 87d8b7b36c3528b7ad14e01ac0aec06df88d6ff3 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 20 Jun 2026 10:52:41 +0300 Subject: protonbridge: switch to --noninteractive daemon mode for clean k8s exec login MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The faketty pipe approach from the shenxn image caused CrashLoopBackOff: writing to the FIFO via echo sends EOF which terminates cat and bridge. Instead: override entrypoint to run bridge --noninteractive directly (the bridge binary at /usr/lib/protonmail/bridge/bridge). Bridge v3 embeds a gRPC server; the separate 'bridge --cli' exec connects to it as a client. Login flow: kubectl exec -it -- /usr/lib/protonmail/bridge/bridge --cli socat port forwarding (25→1025, 143→1143) preserved in the entrypoint. Co-Authored-By: Claude Sonnet 4.6
---
 .../helm-chart/templates/deployment.yaml | 38 +++++++++++++++-------
 1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/f3s/protonbridge/helm-chart/templates/deployment.yaml b/f3s/protonbridge/helm-chart/templates/deployment.yaml
index 95c461f..a14619c 100644
--- a/f3s/protonbridge/helm-chart/templates/deployment.yaml
+++ b/f3s/protonbridge/helm-chart/templates/deployment.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
 replicas: 1
 # Recreate so the old pod fully terminates before the new one starts —
- # prevents two bridge instances racing for the same config/keychain on NFS.
+ # prevents two bridge instances racing for the same vault on NFS.
 strategy:
 type: Recreate
 selector:
@@ -72,21 +72,35 @@ spec:
 mountPath: /bridge-data
 containers:
 - name: protonbridge
- # Bridge v3 headless. Reads keychain from pass (set up by the init container).
- # IMAP + SMTP listen once an account is logged in.
+ # Bridge v3 in non-interactive daemon mode. The gRPC server embedded in bridge
+ # allows a separate CLI client process to connect for initial login and management.
 #
- # FIRST-TIME SETUP (run once):
- # kubectl exec -it -n services -- bridge --cli
- # > login
- # Enter ProtonMail credentials. Session persists in pass on PVC.
- # Run 'info' in the CLI to get the IMAP/SMTP bridge password.
+ # FIRST-TIME SETUP (run once after pod is Running):
+ # 1. Get pod name: kubectl get pod -n services -l app=protonbridge
+ # 2. Connect the interactive CLI to the running bridge daemon:
+ # kubectl exec -it -n services -- /usr/lib/protonmail/bridge/bridge --cli
+ # 3. At the bridge> prompt: type 'login'
+ # 4. Enter ProtonMail email and password when prompted
+ # 5. After login, run: info (note the IMAP/SMTP bridge passwords)
+ # 6. Type: quit (exits CLI; bridge daemon keeps running)
 #
- # EMAIL CLIENT SETUP:
- # IMAP: :30143, STARTTLS, accept self-signed cert
- # SMTP: :30025, STARTTLS, accept self-signed cert
+ # Session persists in pass on NFS PVC; subsequent restarts reconnect automatically.
+ #
+ # EMAIL CLIENT SETUP (after login):
+ # IMAP: :30143, STARTTLS, accept self-signed cert
+ # SMTP: :30025, STARTTLS, accept self-signed cert
 # Username: your ProtonMail address
- # Password: bridge-generated password (from 'info' in bridge --cli)
+ # Password: bridge-generated password (from 'info' in the CLI above)
 image: shenxn/protonmail-bridge:latest
+ command:
+ - /bin/bash
+ - -c
+ - |
+ export GNUPGHOME=/bridge-data/.gnupg
+ export PASSWORD_STORE_DIR=/bridge-data/.password-store
+ socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
+ socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+ exec /usr/lib/protonmail/bridge/bridge --noninteractive
 env:
 - name: GNUPGHOME
 value: /bridge-data/.gnupg
-- cgit v1.2.3
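Review bot: The added `command:` hard-codes `/usr/lib/protonmail/bridge/bridge` inside a third-party image that the unchanged `image: shenxn/protonmail-bridge:latest` line still pulls by mutable tag. An upstream re-push can therefore either break the overridden entrypoint or replace the binary that handles the ProtonMail session and the pass/GnuPG store on the PVC. Pin the image to a reviewed digest, e.g. `image: shenxn/protonmail-bridge@sha256:<digest-of-reviewed-image>`, and bump it deliberately. Separately, the two `export` lines duplicate what `env:` already sets for GNUPGHOME. A `kubectl exec ... --cli` process gets the container's `env:` and not the shell's exports, so confirm PASSWORD_STORE_DIR is also in `env:` (the list continues outside the hunk) and drop the exports.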