5 Commits

Author	SHA1	Message	Date
Chris Farhood	19b175dcf2	feat(irc): restrict ingress to gateway and thelounge ... Add CiliumNetworkPolicy ingress rules so thelounge only accepts traffic from the cilium external gateway in gateway-system, and znc only from the thelounge pod. Allow host entity on both for kubelet probes. Switch znc service to ClusterIP and drop the external-dns annotation since direct external IRC client access is no longer desired.	2026-05-17 08:17:20 -04:00
Chris Farhood	84ee1fa8b8	refactor: drop istio mesh egress, use cilium FQDN for znc egress filtering ... Istio ambient cannot do hostname-based egress filtering without L7 processing (waypoint/sidecar). Cilium FQDN CiliumNetworkPolicy is the right tool — DNS-aware L3/L4 enforcement. - Remove waypoint deployment and namespace/service label references - Move TheLounge HTTPRoute back to Cilium external gateway - Add CiliumNetworkPolicy for znc: allow DNS + irc.passthepopcorn.me:6697 - Remove orphaned znc/egress.yaml (Istio VirtualService routing) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-16 18:03:11 -04:00
Chris Farhood	0614d6b91a	fix(irc): bind services to waypoint for AuthorizationPolicy enforcement ... WaypointAccepted: False on both policies — Istio 1.29 requires istio.io/use-waypoint on the Service directly, namespace label alone is insufficient for targetRefs: kind: Service policy binding.	2026-05-15 22:46:21 -04:00
Chris Farhood	9a6c78680b	fix: correct YAML indentation and add missing newlines ... - Fix indentation in service.yaml files (thelounge and znc) - Fix indentation in statefulset.yaml (thelounge) - Add missing newlines at end of files - Resolves yamllint errors from CI/CD workflows Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>	2026-02-08 10:52:50 -05:00
Chris Farhood	6c0c269520	initial commit	2026-01-17 08:40:50 -05:00