From a4aeeca2d3a5a62bcda3ab19183c9132392b7336 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Tue, 19 Aug 2025 18:46:59 +0200
Subject: [PATCH] [virtual-machine] Use external IP for egress traffic for PortList method too
Signed-off-by: Andrei Kvapil
---
 packages/apps/tenant/Chart.yaml | 2 +-
 .../apps/tenant/templates/networkpolicy.yaml | 6 ++-
 packages/apps/versions_map | 46 ++-----------------
 packages/apps/virtual-machine/Chart.yaml | 4 +-
 .../virtual-machine/templates/service.yaml | 28 +++++++++--
 .../apps/virtual-machine/templates/vm.yaml | 1 +
 packages/apps/vm-instance/Chart.yaml | 4 +-
 .../apps/vm-instance/templates/service.yaml | 28 +++++++++--
 packages/apps/vm-instance/templates/vm.yaml | 1 +
 scripts/migrations/18 | 18 ++++++++
 10 files changed, 83 insertions(+), 55 deletions(-)
 create mode 100755 scripts/migrations/18
diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml
index 79702948..09dfac63 100644
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.12.0
+version: 1.13.0
diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml
index b66e85ff..84df6d11 100644
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -20,7 +20,11 @@ metadata:
 name: allow-external-communication
 namespace: {{ include "tenant.name" . }}
 spec:
- endpointSelector: {}
+ endpointSelector:
+ matchExpressions:
+ - key: policy.cozystack.io/allow-external-communication
+ operator: NotIn
+ values: ["false"]
 ingress:
 - fromEntities:
 - world
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index 61e95978..8d514dbd 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
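Review bot: The new `endpointSelector` on `allow-external-communication` is evaluated by Cilium against endpoint labels, yet the only place this commit sets `policy.cozystack.io/allow-external-communication: "false"` is under `annotations:` in the two vm.yaml templates, and Cilium derives endpoint labels from pod labels, not annotations. Unless something in cozystack not shown here promotes that annotation to a label, the `NotIn ["false"]` expression still matches every VM pod, and because Cilium allow rules are additive the tenant's all-ports world-ingress rule is unioned with the per-VM CiliumNetworkPolicy, so the PortList port restriction would not take effect. Either the VM templates should set the key under `labels:`, or a comment here should record which pod label the exclusion relies on, e.g. `# VM pods opt out of this policy via the policy.cozystack.io/allow-external-communication=false pod label`. The policy definition continues outside the hunk.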
@@ -164,55 +164,15 @@ tcp-balancer 0.4.2 4369b031
 tcp-balancer 0.5.0 08cb7c0f
 tcp-balancer 0.5.1 c02a3818
 tcp-balancer 0.6.0 HEAD
-tenant 1.10.0 4369b031
-tenant 1.11.0 08cb7c0f
-tenant 1.11.1 28c9fcd6
-tenant 1.11.2 c02a3818
-tenant 1.12.0 HEAD
-virtual-machine 0.1.4 f2015d65
-virtual-machine 0.1.5 263e47be
-virtual-machine 0.2.0 c0685f43
-virtual-machine 0.3.0 6c5cf5bf
-virtual-machine 0.4.0 b8e33d19
-virtual-machine 0.5.0 1ec10165
-virtual-machine 0.6.0 4e68e65c
-virtual-machine 0.7.0 e23286a3
-virtual-machine 0.7.1 0ab39f20
-virtual-machine 0.8.0 3fa4dd3a
-virtual-machine 0.8.1 93c46161
-virtual-machine 0.8.2 de19450f
-virtual-machine 0.9.0 721c12a7
-virtual-machine 0.9.1 93bdf411
-virtual-machine 0.10.0 6130f43d
-virtual-machine 0.10.2 632224a3
-virtual-machine 0.11.0 4369b031
-virtual-machine 0.12.0 acd4663a
-virtual-machine 0.12.1 909208ba
-virtual-machine 0.12.2 8ddbe32e
-virtual-machine 0.12.3 c02a3818
-virtual-machine 0.13.0 HEAD
+tenant 1.13.0 HEAD
+virtual-machine 0.14.0 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 6130f43d
 vm-disk 0.1.2 632224a3
 vm-disk 0.2.0 4369b031
 vm-disk 0.3.0 c02a3818
 vm-disk 0.4.0 HEAD
-vm-instance 0.1.0 1ec10165
-vm-instance 0.2.0 84f3ccc0
-vm-instance 0.3.0 4e68e65c
-vm-instance 0.4.0 e23286a3
-vm-instance 0.4.1 0ab39f20
-vm-instance 0.5.0 3fa4dd3a
-vm-instance 0.5.1 de19450f
-vm-instance 0.6.0 721c12a7
-vm-instance 0.7.0 6130f43d
-vm-instance 0.7.2 632224a3
-vm-instance 0.8.0 4369b031
-vm-instance 0.9.0 acd4663a
-vm-instance 0.10.0 909208ba
-vm-instance 0.10.1 8ddbe32e
-vm-instance 0.10.2 c02a3818
-vm-instance 0.11.0 HEAD
+vm-instance 0.12.0 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf
diff --git a/packages/apps/virtual-machine/Chart.yaml b/packages/apps/virtual-machine/Chart.yaml
index c0252b85..a282fdba 100644
--- a/packages/apps/virtual-machine/Chart.yaml
+++ b/packages/apps/virtual-machine/Chart.yaml
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.13.0
+version: 0.14.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.13.0
+appVersion: 0.14.0
diff --git a/packages/apps/virtual-machine/templates/service.yaml b/packages/apps/virtual-machine/templates/service.yaml
index e1e43912..77698a2d 100644
--- a/packages/apps/virtual-machine/templates/service.yaml
+++ b/packages/apps/virtual-machine/templates/service.yaml
@@ -6,14 +6,12 @@ metadata:
 name: {{ include "virtual-machine.fullname" . }}
 labels:
 {{- include "virtual-machine.labels" . | nindent 4 }}
- {{- if eq .Values.externalMethod "WholeIP" }}
 annotations:
 networking.cozystack.io/wholeIP: "true"
- {{- end }}
 spec:
 type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
 externalTrafficPolicy: Local
- {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
+ {{- if ((include "cozy-lib.network.disableLoadBalancerNodePorts" $) | fromYaml) }}
 allocateLoadBalancerNodePorts: false
 {{- end }}
 selector:
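Review bot: With the `{{- if eq .Values.externalMethod "WholeIP" }}` guard removed, `networking.cozystack.io/wholeIP: "true"` is now emitted for every method and also when `.Values.external` is false and the Service is rendered as a plain ClusterIP, which the hunk does not explain. If that annotation is what makes the load balancer forward every port, then in PortList mode the Service itself no longer limits inbound ports and the restriction rests entirely on the CiliumNetworkPolicy added later in this file; that should be stated next to the annotation, e.g. `# wholeIP is set for all methods so VM egress uses the external IP; in PortList mode inbound ports are limited by the CiliumNetworkPolicy below, not by this Service`. If the annotation has no meaning for a ClusterIP Service, wrapping it in `{{- if .Values.external }}` would avoid tagging VMs that are not exposed at all. The Service template continues outside the hunk.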
@@ -29,3 +27,27 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "virtual-machine.fullname" . }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+ ingress:
+ - fromEntities:
+ - cluster
+ - fromEntities:
+ - world
+ {{- if eq .Values.externalMethod "PortList" }}
+ toPorts:
+ - ports:
+ {{- range .Values.externalPorts }}
+ - port: {{ quote . }}
+ {{- end }}
+ {{- end }}
+ egress:
+ - toEntities:
+ - world
diff --git a/packages/apps/virtual-machine/templates/vm.yaml b/packages/apps/virtual-machine/templates/vm.yaml
index 744ec220..684e48c4 100644
--- a/packages/apps/virtual-machine/templates/vm.yaml
+++ b/packages/apps/virtual-machine/templates/vm.yaml
@@ -62,6 +62,7 @@ spec:
 template:
 metadata:
 annotations:
+ policy.cozystack.io/allow-external-communication: "false"
 kubevirt.io/allow-pod-bridge-network-live-migration: "true"
 labels:
 {{- include "virtual-machine.labels" . | nindent 8 }}
diff --git a/packages/apps/vm-instance/Chart.yaml b/packages/apps/vm-instance/Chart.yaml
index 729963cc..bf86d22d 100644
--- a/packages/apps/vm-instance/Chart.yaml
+++ b/packages/apps/vm-instance/Chart.yaml
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.12.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.11.0
+appVersion: 0.12.0
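Review bot: The first ingress rule of the new CiliumNetworkPolicy, `- fromEntities: - cluster`, admits traffic from every endpoint in the cluster on every port, including pods in other tenant namespaces; since Cilium allow rules are additive, if tenant isolation in cozystack is enforced by Cilium policy this per-VM policy opens the VM to cross-tenant reachability that the tenant policy alone did not grant. If the rule only needs to admit node-local and control-plane traffic (live migration, health checks, kube-apiserver), narrower entities such as `host`, `remote-node` and `kube-apiserver` would preserve the tenant boundary; otherwise a comment should record why whole-cluster ingress is intended. Separately, in PortList mode with an empty `externalPorts` the `{{- range }}` renders `- ports:` with no entries, i.e. `ports: null`, which Cilium may reject or interpret differently from omitting `toPorts`; guarding the block with `{{- if .Values.externalPorts }}` removes the ambiguity. The Service template this policy is appended to starts before the hunk.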
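Review bot: `policy.cozystack.io/allow-external-communication: "false"` is added under `annotations:`, but the tenant chart's CiliumNetworkPolicy in this same commit excludes endpoints carrying that key through `endpointSelector.matchExpressions`, which Cilium evaluates against pod labels rather than annotations. Unless cozystack promotes this annotation to a label somewhere not shown, the virt-launcher pod will still be selected by the tenant's `allow-external-communication` policy and its all-ports world-ingress allow will override the PortList restriction. The entry belongs under the `labels:` key two lines below: `labels:` / `policy.cozystack.io/allow-external-communication: "false"` / `{{- include "virtual-machine.labels" . | nindent 8 }}`. The VirtualMachine spec continues outside the hunk.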
diff --git a/packages/apps/vm-instance/templates/service.yaml b/packages/apps/vm-instance/templates/service.yaml
index e1e43912..009062fd 100644
--- a/packages/apps/vm-instance/templates/service.yaml
+++ b/packages/apps/vm-instance/templates/service.yaml
@@ -6,14 +6,12 @@ metadata:
 name: {{ include "virtual-machine.fullname" . }}
 labels:
 {{- include "virtual-machine.labels" . | nindent 4 }}
- {{- if eq .Values.externalMethod "WholeIP" }}
 annotations:
 networking.cozystack.io/wholeIP: "true"
- {{- end }}
 spec:
 type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
 externalTrafficPolicy: Local
- {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
+ {{- if ((include "cozy-lib.network.disableLoadBalancerNodePorts" $) | fromYaml) }}
 allocateLoadBalancerNodePorts: false
 {{- end }}
 selector:
@@ -29,3 +27,27 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "virtual-machine.fullname" . }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+ ingress:
+ - fromEntities:
+ - cluster
+ - fromEntities:
+ - world
+ {{- if eq .Values.externalMethod "PortList" }}
+ toPorts:
+ - ports:
+ {{- range .Values.externalPorts }}
+ - port: {{ quote . }}
+ {{- end }}
+ {{- end }}
+ egress:
+ - toEntities:
+ - world
diff --git a/packages/apps/vm-instance/templates/vm.yaml b/packages/apps/vm-instance/templates/vm.yaml
index 1674337f..c6082a93 100644
--- a/packages/apps/vm-instance/templates/vm.yaml
+++ b/packages/apps/vm-instance/templates/vm.yaml
@@ -26,6 +26,7 @@ spec:
 template:
 metadata:
 annotations:
+ policy.cozystack.io/allow-external-communication: "false"
 kubevirt.io/allow-pod-bridge-network-live-migration: "true"
 labels:
 {{- include "virtual-machine.labels" . | nindent 8 }}
diff --git a/scripts/migrations/18 b/scripts/migrations/18
new file mode 100755
index 00000000..6250b880
--- /dev/null
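Review bot: The vm-instance copy of the CiliumNetworkPolicy has the same `- fromEntities: - cluster` ingress rule, which admits every in-cluster endpoint on every port and, because Cilium allows are additive, can grant cross-tenant reachability to the VM if tenant isolation is enforced by Cilium policy; if only node-local and control-plane traffic is needed, `host`, `remote-node` and `kube-apiserver` are the narrower entities. The PortList branch also renders `ports: null` when `externalPorts` is empty, so the `toPorts` block should be wrapped in `{{- if .Values.externalPorts }}`. Since this template is byte-for-byte the virtual-machine one, the two copies will drift unless the policy is moved into a shared helper or the duplication is noted in a comment. The Service template starts before the hunk.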
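Review bot: As in the virtual-machine chart, `policy.cozystack.io/allow-external-communication: "false"` is placed under `annotations:` while the tenant CiliumNetworkPolicy's `endpointSelector` matches pod labels, so unless an unseen component copies the annotation into a label the opt-out does not take effect for vm-instance pods either. Move it under `labels:` two lines below: `labels:` / `policy.cozystack.io/allow-external-communication: "false"` / `{{- include "virtual-machine.labels" . | nindent 8 }}`. The VirtualMachine spec continues outside the hunk.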
+++ b/scripts/migrations/18
@@ -0,0 +1,18 @@
+#!/bin/sh
+# Migration 18 --> 19
+
+# Upgrade tenants.apps to new chart version
+kubectl get tenants.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+ kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}'
+done
+
+# Upgrade virtualmachines.apps to new chart version
+kubectl get virtualmachines.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+ kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.14.0"}'
+done
+kubectl get vminstances.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+ kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.12.0"}'
+done
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=19 --dry-run=client -o yaml | kubectl apply -f-
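Review bot: The appVersion values patched onto virtualmachines and vminstances do not match the chart versions this commit publishes: `versions_map` and the Chart.yaml bumps declare `virtual-machine 0.14.0` and `vm-instance 0.12.0`, while the script writes `"1.14.0"` and `"1.12.0"` (only the tenant's `1.13.0` agrees with its chart). Because the same commit drops every older entry from `versions_map`, a resource pointing at a version that does not exist has no chart to reconcile against; the two patches should read `-p '{"appVersion":"0.14.0"}'` and `-p '{"appVersion":"0.12.0"}'`. The script also runs without `set -eu`, so a failed `kubectl patch` inside a `while read` loop is silent and the version ConfigMap is still advanced to 19 at the end; adding `set -eu` after the shebang would stop a partial migration from being recorded as complete.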