From a072918bb134400d083223b55ff0100e09346aa1 Mon Sep 17 00:00:00 2001
From: Charles-Antoine Dolbeau
Date: Thu, 18 Jun 2026 11:53:32 +0200
Subject: [PATCH] feat(networkpolicy): allow vtom-server egress to off-cluster agents (v0.2.6)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add serverExternalAgentEgress — a configurable list of ipBlock rules that let vtom-server reach on-premise or remote agents (ports 30014/30010) via VPN or VPC peering. Follows the same pattern as apiserverExternalEgress. The rule is only rendered when the list is non-empty, so existing deployments are unaffected.
---
 charts/visual-tom/Chart.yaml | 2 +-
 .../templates/common/networkpolicy.yaml | 27 +++++++++++++++++++
 charts/visual-tom/values-client-template.yaml | 10 +++++++
 charts/visual-tom/values.yaml | 10 +++++++
 4 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/charts/visual-tom/Chart.yaml b/charts/visual-tom/Chart.yaml
index 5012bb6..83ed9da 100644
--- a/charts/visual-tom/Chart.yaml
+++ b/charts/visual-tom/Chart.yaml
@@ -7,7 +7,7 @@ description: >
 type: application
 # Chart version (follows SemVer). Increment on every chart change.
-version: 0.2.5
+version: 0.2.6
 # Reference application version (VTOM). ITC, ITM and MFT versions are defined in values.yaml.
diff --git a/charts/visual-tom/templates/common/networkpolicy.yaml b/charts/visual-tom/templates/common/networkpolicy.yaml
index 1b7c0e6..0f1d99a 100644
--- a/charts/visual-tom/templates/common/networkpolicy.yaml
+++ b/charts/visual-tom/templates/common/networkpolicy.yaml
@@ -150,6 +150,33 @@ spec:
 - port: {{ .Values.vtom.ports.sbdaemon }}
 protocol: TCP
+{{- if .Values.vtom.serverExternalAgentEgress }}
+---
+# vtom-server outbound rules to off-cluster agents (on-premise agents via VPN/peering)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-egress-server-to-external-agents
+ namespace: {{ include "vtom.namespace" . }}
+ labels:
+ {{- include "vtom.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app: vtom-server
+ policyTypes:
+ - Egress
+ egress:
+ {{- range .Values.vtom.serverExternalAgentEgress }}
+ - to:
+ - ipBlock:
+ cidr: {{ .cidr | quote }}
+ ports:
+ - port: {{ .port }}
+ protocol: {{ .protocol | default "TCP" }}
+ {{- end }}
+{{- end }}
+
 ---
 # Cloud APIs and outbound HTTPS (Key Vault, Secrets Manager, etc.)
 apiVersion: networking.k8s.io/v1
diff --git a/charts/visual-tom/values-client-template.yaml b/charts/visual-tom/values-client-template.yaml
index 5655655..bdeb190 100644
--- a/charts/visual-tom/values-client-template.yaml
+++ b/charts/visual-tom/values-client-template.yaml
@@ -85,6 +85,16 @@ vtom:
 # - port: 30034 # TODO: port of the target service
 # protocol: TCP
 # cidr: "10.0.0.0/8"
+ # Outbound rules from vtom-server to off-cluster agents (on-premise agents reached via VPN/peering).
+ # Each entry creates one egress NetworkPolicy rule. Leave empty (default) to disable.
+ # TODO: restrict cidr to the agent subnet whenever possible (avoid 0.0.0.0/0 in production).
+ serverExternalAgentEgress: []
+ # - port: 30014 # sbdaemon — job submission
+ # protocol: TCP
+ # cidr: "10.0.0.0/8" # TODO: subnet of the external agents
+ # - port: 30010 # TODO: secondary agent port if applicable
+ # protocol: TCP
+ # cidr: "10.0.0.0/8"
 # -----------------------------------------------------------------------------
 # ITC (Visual TOM User Portal)
diff --git a/charts/visual-tom/values.yaml b/charts/visual-tom/values.yaml
index cc76d34..ec3b0b2 100644
--- a/charts/visual-tom/values.yaml
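Review bot: In the `range` body, `- port: {{ .port }}` renders an empty `port:` when an entry omits or misspells the key, and a NetworkPolicy port entry with no port matches every port of that protocol, so a typo in values silently widens egress to the whole CIDR instead of failing the render. Guard both mandatory fields with Helm's `required` so templating aborts with a clear message: `cidr: {{ required "vtom.serverExternalAgentEgress[].cidr is required" .cidr | quote }}` and `- port: {{ required "vtom.serverExternalAgentEgress[].port is required" .port }}`. The `app: vtom-server` podSelector is presumably the label the existing vtom-server policies already use, but the hunk does not show it; worth confirming against the Deployment labels so the policy actually attaches.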
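Review bot: The new comment block above `serverExternalAgentEgress: []` documents `cidr` and `port` by example only; it does not say that `port` and `cidr` are mandatory, nor that `protocol` is optional and defaults to TCP as the template does, and the values.yaml hunk further down has the same gap. Suggest one line in both files such as `# Fields: cidr (required), port (required), protocol (optional, default TCP).`. The example also hard-codes 30014 while the existing policy takes the sbdaemon port from `vtom.ports.sbdaemon`; a comment pointing at that key would keep the two values from drifting apart.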
+++ b/charts/visual-tom/values.yaml
@@ -162,6 +162,16 @@ vtom:
 # - port: 30034
 # protocol: TCP
 # cidr: "10.0.0.0/8" # restrict to the target CIDR whenever possible
+ # Outbound rules for vtom-server to off-cluster agents (e.g. on-premise agents reached via VPN/peering).
+ # Ports typically used: 30014 (sbdaemon) and 30010 (secondary agent port).
+ # Each entry creates one egress NetworkPolicy rule. Leave empty to disable.
+ serverExternalAgentEgress: []
+ # - port: 30014
+ # protocol: TCP
+ # cidr: "10.0.0.0/8" # restrict to the agent subnet whenever possible
+ # - port: 30010
+ # protocol: TCP
+ # cidr: "10.0.0.0/8"
 # -----------------------------------------------------------------------------
 # ITC (Visual TOM User Portal)