AbsyssLab · cadolbeau-absyss · Jun 18, 2026 · Jun 18, 2026
diff --git a/charts/visual-tom/Chart.yaml b/charts/visual-tom/Chart.yaml
@@ -7,7 +7,7 @@ description: >
 type: application
 
 # Chart version (follows SemVer). Increment on every chart change.
-version: 0.2.5
+version: 0.2.6
 
 
 # Reference application version (VTOM). ITC, ITM and MFT versions are defined in values.yaml.

diff --git a/charts/visual-tom/templates/common/networkpolicy.yaml b/charts/visual-tom/templates/common/networkpolicy.yaml
@@ -150,6 +150,33 @@ spec:
         - port: {{ .Values.vtom.ports.sbdaemon }}
           protocol: TCP
 
+{{- if .Values.vtom.serverExternalAgentEgress }}
+---
+# vtom-server outbound rules to off-cluster agents (on-premise agents via VPN/peering)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-server-to-external-agents
+  namespace: {{ include "vtom.namespace" . }}
+  labels:
+    {{- include "vtom.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: vtom-server
+  policyTypes:
+    - Egress
+  egress:
+    {{- range .Values.vtom.serverExternalAgentEgress }}
+    - to:
+        - ipBlock:
+            cidr: {{ .cidr | quote }}
+      ports:
+        - port: {{ .port }}
+          protocol: {{ .protocol | default "TCP" }}
+    {{- end }}
+{{- end }}
+
 ---
 # Cloud APIs and outbound HTTPS (Key Vault, Secrets Manager, etc.)
 apiVersion: networking.k8s.io/v1

diff --git a/charts/visual-tom/values-client-template.yaml b/charts/visual-tom/values-client-template.yaml
@@ -85,6 +85,16 @@ vtom:
   # - port: 30034       # TODO: port of the target service
   #   protocol: TCP
   #   cidr: "10.0.0.0/8"
+  # Outbound rules from vtom-server to off-cluster agents (on-premise agents reached via VPN/peering).
+  # Each entry creates one egress NetworkPolicy rule. Leave empty (default) to disable.
+  # TODO: restrict cidr to the agent subnet whenever possible (avoid 0.0.0.0/0 in production).
+  serverExternalAgentEgress: []
+  # - port: 30014       # sbdaemon — job submission
+  #   protocol: TCP
+  #   cidr: "10.0.0.0/8"   # TODO: subnet of the external agents
+  # - port: 30010       # TODO: secondary agent port if applicable
+  #   protocol: TCP
+  #   cidr: "10.0.0.0/8"
 
 # -----------------------------------------------------------------------------
 # ITC (Visual TOM User Portal)

diff --git a/charts/visual-tom/values.yaml b/charts/visual-tom/values.yaml
@@ -162,6 +162,16 @@ vtom:
   # - port: 30034
   #   protocol: TCP
   #   cidr: "10.0.0.0/8"   # restrict to the target CIDR whenever possible
+  # Outbound rules for vtom-server to off-cluster agents (e.g. on-premise agents reached via VPN/peering).
+  # Ports typically used: 30014 (sbdaemon) and 30010 (secondary agent port).
+  # Each entry creates one egress NetworkPolicy rule. Leave empty to disable.
+  serverExternalAgentEgress: []
+  # - port: 30014
+  #   protocol: TCP
+  #   cidr: "10.0.0.0/8"   # restrict to the agent subnet whenever possible
+  # - port: 30010
+  #   protocol: TCP
+  #   cidr: "10.0.0.0/8"
 
 # -----------------------------------------------------------------------------
 # ITC (Visual TOM User Portal)