add exception to egress policy for port 8080 (#924)

tembo-io · Aug 20, 2024 · ec42853 · ec42853
1 parent 8d1513d
commit ec42853
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 2 deletions.
diff --git a/tembo-operator/Cargo.lock b/tembo-operator/Cargo.lock
diff --git a/tembo-operator/Cargo.toml b/tembo-operator/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "controller"
 description = "Tembo Operator for Postgres"
-version = "0.49.6"
+version = "0.49.7"
 edition = "2021"
 default-run = "controller"
 license = "Apache-2.0"

diff --git a/tembo-operator/src/network_policies.rs b/tembo-operator/src/network_policies.rs
@@ -311,6 +311,46 @@ pub async fn reconcile_network_policies(client: Client, namespace: &str) -> Resu
 
     apply_network_policy(namespace, &np_api, allow_proxy_to_access_tembo_ai_gateway).await?;
 
+    let allow_proxy_to_access_tembo_ai_gateway_internal_lb = serde_json::json!({
+        "apiVersion": "networking.k8s.io/v1",
+        "kind": "NetworkPolicy",
+        "metadata": {
+          "name": "allow-proxy-to-access-tembo-ai-gateway-internal-lb",
+          "namespace": format!("{namespace}"),
+        },
+        "spec": {
+          "podSelector": {
+            "matchLabels": {
+              "app": format!("{}-ai-proxy", namespace)
+            }
+          },
+          "policyTypes": ["Egress"],
+          "egress": [
+            {
+              "ports": [
+                {
+                  "port": 8080,
+                  "protocol": "TCP"
+                }
+              ],
+              "to": [
+                {
+                  "ipBlock": {
+                    "cidr": "10.0.0.0/8"
+                  }
+                }
+              ]
+            }
+          ]
+        }
+    });
+
+    apply_network_policy(
+        namespace,
+        &np_api,
+        allow_proxy_to_access_tembo_ai_gateway_internal_lb,
+    )
+    .await?;
     Ok(())
 }