diff --git a/Chart.yaml b/Chart.yaml
index 3821903..ed9385b 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -5,8 +5,8 @@ description: |
   Fournit : Deployment hardened, Service, Ingress avec cert-manager + rate-limit,
   ConfigMap, ExternalSecret (Vault → K8s), NetworkPolicy, PDB, ServiceMonitor, HPA.
 type: application
-version: 1.0.2
-appVersion: "1.0.2"
+version: 1.0.3
+appVersion: "1.0.3"
 kubeVersion: ">=1.28.0-0"
 maintainers:
   - name: Lions Infrastructure Team
diff --git a/templates/networkpolicy.yaml b/templates/networkpolicy.yaml
index 7d53509..466c058 100644
--- a/templates/networkpolicy.yaml
+++ b/templates/networkpolicy.yaml
@@ -63,17 +63,24 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     {{- end }}
-    # Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs)
+    # Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs, ingress hairpin)
+    # Inclut le node IP lui-même pour résoudre les URLs publiques (ex: security.lions.dev)
+    # qui reviennent vers ingress-nginx via hairpin NAT
     - to:
         - ipBlock:
             cidr: 0.0.0.0/0
-            except:
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
       ports:
         - port: 443
           protocol: TCP
         - port: 80
           protocol: TCP
+    # Egress additionnels définis par l'app (pour accès cluster-internal)
+    {{- range .Values.networkPolicy.allowEgressExtra }}
+    - to:
+        {{- toYaml .to | nindent 8 }}
+      {{- with .ports }}
+      ports:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
   {{- end }}
diff --git a/values.yaml b/values.yaml
index b6c9d78..14bf57b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -234,6 +234,9 @@ networkPolicy:
   #   - port: 8080
   #     protocol: TCP
 
+  # allowEgressExtra : pour cas avancés (egress vers ipBlock spécifique, etc.)
+  allowEgressExtra: []
+
   # ------------------------------------------------------------
   # PodDisruptionBudget
   # ------------------------------------------------------------
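Review bot: Removing the three `except:` entries from the `cidr: 0.0.0.0/0` egress rule widens the default egress of every consumer of this chart to all RFC1918 space on ports 80 and 443, not only to the node IP the new comment describes, so the comment overstates the rule's precision and any pod deployed with this chart can now reach any internal HTTP(S) endpoint in the cluster or VPC. A narrower fix keeps the `except:` list in the default rule and lets the deployments that need hairpin add the node range through the `allowEgressExtra` list this same commit introduces, or exposes a dedicated value that carries only the node CIDR. Separately, `{{- toYaml .to | nindent 8 }}` renders unconditionally, so an entry that omits `to` produces `to: null`, which the NetworkPolicy API treats as matching all destinations; `{{- required "allowEgressExtra entries need .to" .to | toYaml | nindent 8 }}` would fail the render instead of silently allowing everything. The `{{- if }}` closed by the trailing `{{- end }}` is outside the hunk.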
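Review bot: The comment on the new `allowEgressExtra: []` key does not describe the entry shape the template consumes (a mandatory `to:` list and an optional `ports:` list), so a misshaped entry is only found at render time or, if `to` is missing, at apply time as an allow-all rule. Add a commented example in the style of the commented sample directly above it, e.g. `# - to:` / `#     - ipBlock:` / `#         cidr: <node-cidr-placeholder>` followed by the optional `ports` block, and state that `to` is required.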