lionsdev/helm-chart-lions-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(v1.0.3): NP egress HTTPS ouvert au node IP (hairpin) + allowEgressExtra

Browse Source
This commit is contained in:
dahoud
2026-04-22 15:46:43 +00:00
parent 3c1fc03ea9
commit a4f69a0116
3 changed files with 17 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Chart.yaml
View File

@@ -5,8 +5,8 @@ description: |
Fournit : Deployment hardened, Service, Ingress avec cert-manager + rate-limit, Fournit : Deployment hardened, Service, Ingress avec cert-manager + rate-limit,
ConfigMap, ExternalSecret (Vault → K8s), NetworkPolicy, PDB, ServiceMonitor, HPA. ConfigMap, ExternalSecret (Vault → K8s), NetworkPolicy, PDB, ServiceMonitor, HPA.
type: application type: application
version: 1.0.2 version: 1.0.3
appVersion: "1.0.2" appVersion: "1.0.3"
kubeVersion: ">=1.28.0-0" kubeVersion: ">=1.28.0-0"
maintainers: maintainers:
- name: Lions Infrastructure Team - name: Lions Infrastructure Team

17
templates/networkpolicy.yaml
View File

@@ -63,17 +63,24 @@ spec:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
# Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs) # Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs, ingress hairpin)
# Inclut le node IP lui-même pour résoudre les URLs publiques (ex: security.lions.dev)
# qui reviennent vers ingress-nginx via hairpin NAT
- to: - to:
- ipBlock: - ipBlock:
cidr: 0.0.0.0/0 cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
ports: ports:
- port: 443 - port: 443
protocol: TCP protocol: TCP
- port: 80 - port: 80
protocol: TCP protocol: TCP
# Egress additionnels définis par l'app (pour accès cluster-internal)
{{- range .Values.networkPolicy.allowEgressExtra }}
- to:
{{- toYaml .to | nindent 8 }}
{{- with .ports }}
ports:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }} {{- end }}

3
values.yaml
View File

@@ -234,6 +234,9 @@ networkPolicy:
# - port: 8080 # - port: 8080
# protocol: TCP # protocol: TCP
# allowEgressExtra : pour cas avancés (egress vers ipBlock spécifique, etc.)
allowEgressExtra: []
# ------------------------------------------------------------ # ------------------------------------------------------------
# PodDisruptionBudget # PodDisruptionBudget
# ------------------------------------------------------------ # ------------------------------------------------------------