Commit Graph

2 Commits

Author SHA1 Message Date
Chris Farhood 19b175dcf2 feat(irc): restrict ingress to gateway and thelounge
Best Practices / Kube-score Analysis (push) Has been cancelled
Best Practices / Polaris Audit (push) Has been cancelled
Best Practices / Resource Usage Analysis (push) Has been cancelled
Best Practices / PR Summary Report (push) Has been cancelled
Best Practices / Polaris PR Review (push) Has been cancelled
Security Scan / Trivy Security Scan (push) Has been cancelled
Security Scan / Trivy PR Review (push) Has been cancelled
Security Scan / Checkov IaC Scan (push) Has been cancelled
Security Scan / Checkov PR Review (push) Has been cancelled
Validate Manifests / Kustomize Build Test (push) Successful in 35s
Validate Manifests / YAML Lint (push) Failing after 35s
Validate Manifests / Kubernetes Schema Validation (push) Successful in 35s
Add CiliumNetworkPolicy ingress rules so thelounge only accepts traffic
from the cilium external gateway in gateway-system, and znc only from
the thelounge pod. Allow host entity on both for kubelet probes.

Switch znc service to ClusterIP and drop the external-dns annotation
since direct external IRC client access is no longer desired.
2026-05-17 08:17:20 -04:00
Chris Farhood 84ee1fa8b8 refactor: drop istio mesh egress, use cilium FQDN for znc egress filtering
Best Practices / Kube-score Analysis (push) Has been cancelled
Best Practices / Polaris Audit (push) Has been cancelled
Best Practices / Resource Usage Analysis (push) Has been cancelled
Best Practices / PR Summary Report (push) Has been cancelled
Best Practices / Polaris PR Review (push) Has been cancelled
Security Scan / Trivy Security Scan (push) Has been cancelled
Security Scan / Trivy PR Review (push) Has been cancelled
Security Scan / Checkov IaC Scan (push) Has been cancelled
Security Scan / Checkov PR Review (push) Has been cancelled
Validate Manifests / Kustomize Build Test (push) Has been cancelled
Validate Manifests / Kubernetes Schema Validation (push) Has been cancelled
Validate Manifests / YAML Lint (push) Has been cancelled
Istio ambient cannot do hostname-based egress filtering without L7
processing (waypoint/sidecar). Cilium FQDN CiliumNetworkPolicy is the
right tool — DNS-aware L3/L4 enforcement.

- Remove waypoint deployment and namespace/service label references
- Move TheLounge HTTPRoute back to Cilium external gateway
- Add CiliumNetworkPolicy for znc: allow DNS + irc.passthepopcorn.me:6697
- Remove orphaned znc/egress.yaml (Istio VirtualService routing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 18:03:11 -04:00