feat(v1.0.3): NP egress HTTPS ouvert au node IP (hairpin) + allowEgressExtra
@@ -5,8 +5,8 @@ description: |
|
||||
Fournit : Deployment hardened, Service, Ingress avec cert-manager + rate-limit,
|
||||
ConfigMap, ExternalSecret (Vault → K8s), NetworkPolicy, PDB, ServiceMonitor, HPA.
|
||||
type: application
|
||||
version: 1.0.2
|
||||
appVersion: "1.0.2"
|
||||
version: 1.0.3
|
||||
appVersion: "1.0.3"
|
||||
kubeVersion: ">=1.28.0-0"
|
||||
maintainers:
|
||||
- name: Lions Infrastructure Team
|
||||
|
||||
@@ -63,17 +63,24 @@ spec:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs)
|
||||
# Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs, ingress hairpin)
|
||||
# Inclut le node IP lui-même pour résoudre les URLs publiques (ex: security.lions.dev)
|
||||
# qui reviennent vers ingress-nginx via hairpin NAT
|
||||
- to:
|
||||
- ipBlock:
|
||||
cidr: 0.0.0.0/0
|
||||
except:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
ports:
|
||||
- port: 443
|
||||
protocol: TCP
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
# Egress additionnels définis par l'app (pour accès cluster-internal)
|
||||
{{- range .Values.networkPolicy.allowEgressExtra }}
|
||||
- to:
|
||||
{{- toYaml .to | nindent 8 }}
|
||||
{{- with .ports }}
|
||||
ports:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
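Review bot: The `except` list under `cidr: 0.0.0.0/0` carves out only the RFC 1918 ranges, so TCP/80 and TCP/443 to link-local `169.254.0.0/16` — and with it the cloud instance-metadata endpoint `169.254.169.254:80`, if these nodes run on a cloud provider — remains reachable from every workload deployed with this chart, which turns any SSRF in an app into a node-credential leak; add `- 169.254.0.0/16` to the `except` block (and `- 100.64.0.0/10` if the CNI or node network uses CGNAT space). Opening the node IP for the hairpin is defensible, but the new comment should also say what it grants, e.g. `# NOTE: this also lets the pod reach any other Ingress host published on the same node IP`. In the `allowEgressExtra` loop, an entry that omits `to` renders `to: null` via `toYaml .to`, and an egress rule with no `to` matches all destinations, so a values typo silently widens egress; `{{- required "networkPolicy.allowEgressExtra[].to is required" .to | toYaml | nindent 8 }}` fails the render instead. The surrounding `egress:` list and its enclosing `{{- if }}` start above this hunk.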
||||
@@ -234,6 +234,9 @@ networkPolicy:
|
||||
# - port: 8080
|
||||
# protocol: TCP
|
||||
|
||||
# allowEgressExtra : pour cas avancés (egress vers ipBlock spécifique, etc.)
|
||||
allowEgressExtra: []
|
||||
|
||||
# ------------------------------------------------------------
|
||||
# PodDisruptionBudget
|
||||
# ------------------------------------------------------------
|
||||
|
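Review bot: The new `allowEgressExtra` comment says "pour cas avancés" but gives no hint of the entry schema, and a malformed entry (missing `to`) renders as an allow-all egress rule in the template, so operators need the shape spelled out here; replace the one-line comment with a commented example such as `# - to:` / `#     - ipBlock: { cidr: 10.20.0.5/32 }` / `#   ports: [{ port: 5432, protocol: TCP }]` and state that `to` is mandatory and `ports` optional.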
||||