From a4f69a0116f6b6789ed82c8002a3226c88039634 Mon Sep 17 00:00:00 2001
From: dahoud <41957584+DahoudG@users.noreply.github.com>
Date: Wed, 22 Apr 2026 15:46:43 +0000
Subject: [PATCH] feat(v1.0.3): NP egress HTTPS ouvert au node IP (hairpin) + allowEgressExtra
---
 Chart.yaml | 4 ++--
 templates/networkpolicy.yaml | 17 ++++++++++++-----
 values.yaml | 3 +++
 3 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 3821903..ed9385b 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -5,8 +5,8 @@ description: |
 Fournit : Deployment hardened, Service, Ingress avec cert-manager + rate-limit,
 ConfigMap, ExternalSecret (Vault → K8s), NetworkPolicy, PDB, ServiceMonitor, HPA.
 type: application
-version: 1.0.2
-appVersion: "1.0.2"
+version: 1.0.3
+appVersion: "1.0.3"
 kubeVersion: ">=1.28.0-0"
 maintainers:
 - name: Lions Infrastructure Team
diff --git a/templates/networkpolicy.yaml b/templates/networkpolicy.yaml
index 7d53509..466c058 100644
--- a/templates/networkpolicy.yaml
+++ b/templates/networkpolicy.yaml
@@ -63,17 +63,24 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
- # Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs)
+ # Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs, ingress hairpin)
+ # Inclut le node IP lui-même pour résoudre les URLs publiques (ex: security.lions.dev)
+ # qui reviennent vers ingress-nginx via hairpin NAT
 - to:
 - ipBlock:
 cidr: 0.0.0.0/0
- except:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
 ports:
 - port: 443
 protocol: TCP
 - port: 80
 protocol: TCP
+ # Egress additionnels définis par l'app (pour accès cluster-internal)
+ {{- range .Values.networkPolicy.allowEgressExtra }}
+ - to:
+ {{- toYaml .to | nindent 8 }}
+ {{- with .ports }}
+ ports:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/values.yaml b/values.yaml
index b6c9d78..14bf57b 100644
--- a/values.yaml
+++ b/values.yaml
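Review bot: Removing the `except` list under `cidr: 0.0.0.0/0` in templates/networkpolicy.yaml opens egress on 80/443 to every RFC 1918 address, not only to the node IP that the commit title and the new "Inclut le node IP lui-même" comment describe; every cluster-internal service and any private network reachable from the node on those ports becomes a permitted destination. The `allowEgressExtra` hook introduced in the same hunk is the narrower tool for the hairpin case: keep the three `except` entries and let the deployment add one `ipBlock` for its node/ingress address (that address is deployment-specific, so it belongs in values), or at least reword the comment to say that all private ranges are now allowed. In the `range` block, `{{- toYaml .to | nindent 8 }}` renders `to: null` when an entry omits `to`, and a NetworkPolicy egress rule with an empty `to` matches all destinations, so a typo in values silently turns into an allow-all rule; `{{- required "networkPolicy.allowEgressExtra entries must set .to" .to | toYaml | nindent 8 }}` fails the render instead. The surrounding `egress:` list and its guard appear to start before line 63, outside this hunk.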
@@ -234,6 +234,9 @@ networkPolicy:
 # - port: 8080
 # protocol: TCP
+ # allowEgressExtra : pour cas avancés (egress vers ipBlock spécifique, etc.)
+ allowEgressExtra: []
+
 # ------------------------------------------------------------
 # PodDisruptionBudget
 # ------------------------------------------------------------
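Review bot: `allowEgressExtra: []` is added without stating the entry shape the template expects: each item must carry a `to` list (inserted verbatim with `toYaml`) and may carry an optional `ports` list, and an item without `to` renders as an unrestricted destination rule. A commented example above the key would make that contract visible in values.yaml itself, e.g. a short block showing `# - to:` with one `ipBlock:` / `cidr:` entry and `ports:` with `port: 443` / `protocol: TCP`, plus a line saying that `to` is mandatory. The comment "pour cas avancés" alone does not tell a chart user that this is also the intended place for a node/ingress hairpin address.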