Replace CiliumNetworkPolicies with Istio AuthorizationPolicies, point
the thelounge HTTPRoute at the istio-external gateway, and give each
workload a dedicated ServiceAccount for precise mTLS identity.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous selector matched an Istio-style label that does not exist
on Cilium gateway pods, which caused default-deny ingress and blocked
access to thelounge. Use fromEntities: ingress to match Cilium's own
gateway/ingress pods, consistent with the cluster repo's webhook CNP.
Add CiliumNetworkPolicy ingress rules so thelounge only accepts traffic
from the cilium external gateway in gateway-system, and znc only from
the thelounge pod. Allow host entity on both for kubelet probes.
Switch znc service to ClusterIP and drop the external-dns annotation
since direct external IRC client access is no longer desired.
Drop the istio.io/dataplane-mode label and the AuthorizationPolicies
for thelounge and znc. Gateway was returning upstream connect errors
when traffic transited ztunnel; reverting the namespace to non-mesh
restores reachability. CiliumNetworkPolicies remain for egress filtering.
targetRefs: kind: Service policies require waypoint binding which is not
working in Istio 1.29.2 — WaypointAccepted: False and ztunnel routes
directly to pods bypassing the waypoint. Selector-based policies are
enforced at ztunnel L4 without requiring waypoint.
WaypointAccepted: False on both policies — Istio 1.29 requires
istio.io/use-waypoint on the Service directly, namespace label alone
is insufficient for targetRefs: kind: Service policy binding.
- Add namespace.yaml with istio ambient + waypoint labels
- Add waypoint Gateway (istio-waypoint) scoped to irc namespace
- Switch thelounge HTTPRoute from Cilium external to istio-external gateway
- Add AuthorizationPolicy for thelounge (allow inbound from gateway-system only)
- Add AuthorizationPolicy for znc (allow all on port 6501 for IRC clients)
- Add namespace: irc to root kustomization, remove dependency on targetNamespace
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
- Fix indentation in service.yaml files (thelounge and znc)
- Fix indentation in statefulset.yaml (thelounge)
- Add missing newlines at end of files
- Resolves yamllint errors from CI/CD workflows
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Removed serviceName field from both StatefulSets since stable pod DNS
is not required for single-replica IRC applications. StatefulSets only
need serviceName when using headless Services for stable network identities.
Also removed statefulset-has-servicename ignore since it's now properly fixed.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Instead of just skipping security checks, properly fix the issues:
**Pod & Container Security Context:**
- Add runAsUser: 1000 (non-root)
- Add runAsGroup: 1000
- Add fsGroup: 1000 for volume permissions
- Add seccompProfile: RuntimeDefault
- Drop ALL capabilities (principle of least privilege)
**Resource Management:**
- Add ephemeral-storage requests (1Gi) and limits (2Gi)
**Health Checks:**
- Change thelounge liveness probe from TCP to HTTP
- Reduces false positives and provides better health signals
**Reduced Exceptions:**
- Removed 6+ security check exceptions
- Now only skip: image tags (intentional), read-only FS (apps need writes)
- Removed Polaris runAsRootAllowed exemptions
**Note:** If containers fail to start post-merge, may need to adjust UIDs
or add specific capabilities. LinuxServer images may need tweaking.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Reverted HTTPRoute hostname to use Flux variable ${THELOUNGE_HOSTNAME}
and updated kubeconform to skip HTTPRoute validation instead.
Flux substitutes variables at deployment time, so the validation
needs to skip resources with variable substitution syntax.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Chris Farhood