From 1163261860d349dfa4c851c5f42d91d95a9c57ae Mon Sep 17 00:00:00 2001
From: nold
Date: Thu, 6 Jan 2022 11:48:28 +0100
Subject: [PATCH] Fix: ingress-external network policy
---
projects/drone/project.yml | 3 +++
projects/gitea/project.yml | 4 ++++
projects/ingress-external/project.yml | 2 ++
projects/nextcloud/project.yaml | 4 ++++
resources/networkpolicy.yml | 21 ++++++++++++++++++++-
5 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/projects/drone/project.yml b/projects/drone/project.yml
index 30231977..2c477bba 100644
--- a/projects/drone/project.yml
+++ b/projects/drone/project.yml
@@ -8,6 +8,9 @@ config: - allow-runner - allow-minio + labels: + environment: external + apps: - name: drone repoURL: https://github.com/nold360/drone-charts.git
diff --git a/projects/gitea/project.yml b/projects/gitea/project.yml
index 0c45492a..70fd98fe 100644
--- a/projects/gitea/project.yml
+++ b/projects/gitea/project.yml
@@ -5,6 +5,10 @@ config: - internet rules: - allow-ssh + + labels: + environment: external + apps: - name: gitea repoURL: https://dl.gitea.io/charts/
diff --git a/projects/ingress-external/project.yml b/projects/ingress-external/project.yml
index b5fa46d1..ed75e316 100644
--- a/projects/ingress-external/project.yml
+++ b/projects/ingress-external/project.yml
@@ -3,6 +3,8 @@ config: networkPolicy: rules: - allow-dns + - allow-ingress-traffic + - allow-external-services apps: - name: ingress-external
diff --git a/projects/nextcloud/project.yaml b/projects/nextcloud/project.yaml
index e80e0010..590cbaff 100644
--- a/projects/nextcloud/project.yaml
+++ b/projects/nextcloud/project.yaml
@@ -3,6 +3,10 @@ config: networkPolicy: groups: - internet + + labels: + environment: external + apps: - name: nextcloud repoURL: https://nextcloud.github.io/helm
diff --git a/resources/networkpolicy.yml b/resources/networkpolicy.yml
index cf969cac..12b82c9f 100644
--- a/resources/networkpolicy.yml
+++ b/resources/networkpolicy.yml
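Review bot: The two rule names added after `allow-dns` in projects/ingress-external/project.yml say nothing about how much they open, and as defined in resources/networkpolicy.yml in this same commit `allow-ingress-traffic` admits ingress from any source on any port to every pod in the namespace, while `allow-external-services` permits egress to every pod in any namespace labelled `environment: external`. A short comment on each entry would spare the next reader the lookup: `- allow-ingress-traffic  # any source -> all pods in this namespace, all ports` and `- allow-external-services  # egress to all pods in namespaces labelled environment: external`. Whether `config.labels` on the drone, gitea and nextcloud projects ends up on the namespace (which is what that selector matches) is not visible in this diff and is worth confirming. The `config:` mapping starts before this hunk, so the project's other settings are not visible here.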
@@ -68,7 +68,7 @@ networkPolicy: - from: - namespaceSelector: matchLabels:
- app.heqet.gnu.one/name: ingress-external
+ project.heqet.gnu.one/name: ingress-external # Allow SSH for Gitea allow-ssh:
@@ -134,3 +134,22 @@ networkPolicy: - namespaceSelector: matchLabels: name: minio
+
+ allow-ingress-traffic:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - {}
+
+ allow-external-services:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ environment: external
+
+
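Review bot: `allow-ingress-traffic` uses `ingress: - {}`, which opens every port on every pod in the ingress-external namespace to any source, in-cluster pods included, rather than only the listener ports the controller serves; a `ports:` entry would keep any other ports the controller pods expose (metrics or an admission webhook, if present) out of the blanket allow. The ports below are a guess at the usual HTTP/HTTPS listeners and must be checked against the ingress-external chart's values before merging. The same applies to `allow-external-services`, whose `to:` entry selects every pod in any namespace carrying `environment: external` with no `podSelector` or `ports`, so that single label becomes the trust boundary and anyone able to label a namespace makes all of its pods reachable from the ingress controller; a `podSelector` or at least `ports` on that rule would narrow it. Finally, the hunk ends with two empty `+` lines, leaving a double blank line at EOF that yamllint will flag; one is enough.
```yaml
  allow-ingress-traffic:
    podSelector: {}
    policyTypes:
      - Ingress
    ingress:
      - ports:
          - port: 80
            protocol: TCP
          - port: 443
            protocol: TCP

  # … unchanged: allow-external-services …
```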