From 2308e1103ab67267307631cb8d215c246fe12714 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Thu, 21 May 2026 10:15:19 -0400
Subject: [PATCH] fix(thelounge): allow ingress from cilium gateway entity

The previous selector matched an Istio-style label that does not exist
on Cilium gateway pods, which caused default-deny ingress and blocked
access to thelounge. Use fromEntities: ingress to match Cilium's own
gateway/ingress pods, consistent with the cluster repo's webhook CNP.
---
 thelounge/ciliumnetworkpolicy.yaml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/thelounge/ciliumnetworkpolicy.yaml b/thelounge/ciliumnetworkpolicy.yaml
index 2c9b7d1..4afa782 100644
--- a/thelounge/ciliumnetworkpolicy.yaml
+++ b/thelounge/ciliumnetworkpolicy.yaml
@@ -8,15 +8,8 @@ spec:
     matchLabels:
       app.kubernetes.io/name: thelounge
   ingress:
-  - fromEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: gateway-system
-        k8s:gateway.networking.k8s.io/gateway-name: external
-    toPorts:
-    - ports:
-      - port: "9000"
-        protocol: TCP
   - fromEntities:
+    - ingress
     - host
     toPorts:
     - ports: