From 19b175dcf25d7ec1bcc2ee70defad85771e8274b Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sun, 17 May 2026 08:17:20 -0400
Subject: [PATCH] feat(irc): restrict ingress to gateway and thelounge

Add CiliumNetworkPolicy ingress rules so thelounge only accepts traffic from the cilium external gateway in gateway-system, and znc only from the thelounge pod. Allow host entity on both for kubelet probes. Switch znc service to ClusterIP and drop the external-dns annotation since direct external IRC client access is no longer desired.
---
 thelounge/ciliumnetworkpolicy.yaml | 17 ++++++++++++++++-
 znc/ciliumnetworkpolicy.yaml | 17 ++++++++++++++++-
 znc/service.yaml | 4 +---
 3 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/thelounge/ciliumnetworkpolicy.yaml b/thelounge/ciliumnetworkpolicy.yaml
index cea6477..2c9b7d1 100644
--- a/thelounge/ciliumnetworkpolicy.yaml
+++ b/thelounge/ciliumnetworkpolicy.yaml
@@ -1,12 +1,27 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: thelounge-egress
+  name: thelounge
   namespace: irc
 spec:
   endpointSelector:
     matchLabels:
       app.kubernetes.io/name: thelounge
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: gateway-system
+            k8s:gateway.networking.k8s.io/gateway-name: external
+      toPorts:
+        - ports:
+            - port: "9000"
+              protocol: TCP
+    - fromEntities:
+        - host
+      toPorts:
+        - ports:
+            - port: "9000"
+              protocol: TCP
   egress:
     - toEndpoints:
         - matchLabels:
diff --git a/znc/ciliumnetworkpolicy.yaml b/znc/ciliumnetworkpolicy.yaml
index cf3227f..5201b99 100644
--- a/znc/ciliumnetworkpolicy.yaml
+++ b/znc/ciliumnetworkpolicy.yaml
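Review bot: The `fromEndpoints` rule that selects pods labelled `gateway.networking.k8s.io/gateway-name: external` in gateway-system may match nothing if the "cilium external gateway" is Cilium's own Gateway API implementation, because that proxy is not a separately labelled pod and, as I understand Cilium, proxy-to-backend traffic is identified by the reserved `ingress` entity rather than by pod labels, leaving port 9000 reachable only through the `host` rule, if at all. If that is the setup, the allow should be `- fromEntities:` / `- ingress` with the same `toPorts` restriction to 9000, with a comment noting that this entity covers every Cilium Ingress/Gateway in the cluster and is therefore coarser than the per-gateway label selector. Either way, confirm with `hubble observe` which identity the gateway's flows actually carry before relying on this rule. A comment above the second rule such as `# host: kubelet liveness/readiness probes come from the local node` would keep the rationale from the commit message in the manifest. The egress rules of this policy continue outside the hunk.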
@@ -1,12 +1,27 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: znc-egress
+  name: znc
   namespace: irc
 spec:
   endpointSelector:
     matchLabels:
       app.kubernetes.io/name: znc
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: irc
+            k8s:app.kubernetes.io/name: thelounge
+      toPorts:
+        - ports:
+            - port: "6501"
+              protocol: TCP
+    - fromEntities:
+        - host
+      toPorts:
+        - ports:
+            - port: "6501"
+              protocol: TCP
   egress:
     - toEndpoints:
         - matchLabels:
diff --git a/znc/service.yaml b/znc/service.yaml
index b850dcd..93fa4d4 100644
--- a/znc/service.yaml
+++ b/znc/service.yaml
@@ -6,10 +6,8 @@ metadata:
   name: znc
   labels:
     app.kubernetes.io/name: znc
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: ${ZNC_HOSTNAME}
 spec:
-  type: LoadBalancer
+  type: ClusterIP
   ports:
     - port: 6501
   selector:
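Review bot: Renaming the object from `znc-egress` to `znc` (and `thelounge-egress` to `thelounge` in the first hunk) leaves the old CiliumNetworkPolicy objects in the cluster unless the deployment tool prunes them; the `${ZNC_HOSTNAME}` substitution suggests Flux, so this only matters if the owning Kustomization lacks `prune: true`. As I read Cilium's allow-union semantics a stale egress-only policy would not widen ingress, but it should still be confirmed gone so that a single object describes each workload's policy. The `host` rule here mirrors the thelounge policy; a comment such as `# host: kubelet liveness/readiness probes come from the local node` keeps that intent visible where the rule lives. The egress rules continue outside the hunk.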
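Review bot: Dropping the `external-dns.alpha.kubernetes.io/hostname` annotation only removes the published record if external-dns runs with `--policy=sync`; under `upsert-only` the `${ZNC_HOSTNAME}` record is left pointing at the released LoadBalancer address, a dangling name that should be cleaned up by hand. Confirm the record is actually gone as part of this change rather than assuming the annotation removal handles it. Clients previously configured for `${ZNC_HOSTNAME}` on 6501 lose connectivity, which matches the stated intent but is worth noting in a comment on the service, e.g. `# ClusterIP only: znc is reached via thelounge, not directly from outside`.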