From 6b419a91845df65044dab731a7c8042c74c80f60 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Fri, 22 May 2026 10:58:34 -0400
Subject: [PATCH] fix(thelounge): split cilium network policy to resolve ldap connectivity
---
thelounge/ciliumnetworkpolicy-egress.yaml | 47 ++++++++++++++++++++++
thelounge/ciliumnetworkpolicy-ingress.yaml | 20 +++++++++
thelounge/kustomization.yaml | 3 +-
3 files changed, 69 insertions(+), 1 deletion(-)
create mode 100644 thelounge/ciliumnetworkpolicy-egress.yaml
create mode 100644 thelounge/ciliumnetworkpolicy-ingress.yaml
diff --git a/thelounge/ciliumnetworkpolicy-egress.yaml b/thelounge/ciliumnetworkpolicy-egress.yaml
new file mode 100644
index 0000000..2be7864
--- /dev/null
+++ b/thelounge/ciliumnetworkpolicy-egress.yaml
@@ -0,0 +1,47 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: thelounge-egress
+ namespace: irc
+ labels:
+ app.kubernetes.io/name: thelounge
+ app.kubernetes.io/component: network-policy
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: thelounge
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ rules:
+ dns:
+ - matchPattern: "*"
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: auth
+ k8s:app.kubernetes.io/name: authentik-outpost-ldap
+ k8s:goauthentik.io/outpost-type: ldap
+ toPorts:
+ - ports:
+ - port: "389"
+ protocol: TCP
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: irc
+ k8s:app.kubernetes.io/name: znc
+ toPorts:
+ - ports:
+ - port: "6501"
+ protocol: TCP
+ - toFQDNs:
+ - matchName: "irc.passthepopcorn.me"
+ toPorts:
+ - ports:
+ - port: "6697"
+ protocol: TCP
\ No newline at end of file
diff --git a/thelounge/ciliumnetworkpolicy-ingress.yaml b/thelounge/ciliumnetworkpolicy-ingress.yaml
new file mode 100644
index 0000000..3d20dce
--- /dev/null
+++ b/thelounge/ciliumnetworkpolicy-ingress.yaml
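Review bot: The authentik rule at `- port: "389"` only permits plaintext LDAP, so the bind credentials thelounge sends to the outpost cross the pod network unencrypted unless this cluster runs Cilium transparent encryption (WireGuard/IPsec), which the hunk cannot show; if the outpost also listens for LDAPS, prefer `- port: "636"` and point the client at it, otherwise record the encryption assumption in a comment above the rule. The DNS rule `- matchPattern: "*"` lets the pod resolve any name, which is wider than the three destinations below it require; `- matchName: "irc.passthepopcorn.me"` together with `- matchPattern: "*.cluster.local"` for in-cluster lookups would keep the DNS proxy meaningful as a control, assuming the resolver's search list is the standard kube one (verify before tightening). A short comment above each egress entry naming its purpose (kube-dns, authentik LDAP outpost, znc, upstream IRC over TLS) would spare the next reader from decoding the label selectors. Both new files end with `\ No newline at end of file`; add a trailing newline here and in ciliumnetworkpolicy-ingress.yaml.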
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: thelounge-ingress
+ namespace: irc
+ labels:
+ app.kubernetes.io/name: thelounge
+ app.kubernetes.io/component: network-policy
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: thelounge
+ ingress:
+ - fromEntities:
+ - ingress
+ - host
+ toPorts:
+ - ports:
+ - port: "9000"
+ protocol: TCP
\ No newline at end of file
diff --git a/thelounge/kustomization.yaml b/thelounge/kustomization.yaml
index ff87268..a56eb04 100644
--- a/thelounge/kustomization.yaml
+++ b/thelounge/kustomization.yaml
@@ -4,5 +4,6 @@ resources:
 - statefulset.yaml
 - service.yaml
 - httproute.yaml
- - ciliumnetworkpolicy.yaml
+ - ciliumnetworkpolicy-ingress.yaml
+ - ciliumnetworkpolicy-egress.yaml
 - config.yaml
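Review bot: The `host` entry under `fromEntities` admits anything in the node's network namespace to port `"9000"`, including hostNetwork pods, not only kubelet probes; if it exists for liveness/readiness probes, say so above it (`# host: kubelet probes on 9000`), since Cilium has no narrower selector for them and the reason will otherwise be lost. The `ingress` entity matches only traffic proxied by Cilium's own ingress/Gateway; if the HTTPRoute listed in kustomization.yaml attaches to a different gateway implementation, that traffic needs a `fromEndpoints` rule for the gateway pods instead, so confirm which gateway serves the route. Once this policy selects the pod, ingress on any port other than 9000 is denied by default, which is presumably the intent of the split but deserves a one-line comment at `ingress:`.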
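Review bot: The old `ciliumnetworkpolicy.yaml` is removed from `resources` but not deleted in this patch (the diffstat lists only three files and a single removed line), so the file stays in the tree and, unless the deploy tool prunes, the previously applied CiliumNetworkPolicy object stays in the cluster. Cilium policy is additive, so a stale broader policy would keep allowing traffic this split was meant to narrow, with nothing in the repo pointing at it. Delete `thelounge/ciliumnetworkpolicy.yaml` in the same change and verify the old object is gone or pruned after apply.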