[virtual-machine] Use external IP for egress traffic for PortList method too

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-27 10:18:39 +00:00 · 2025-08-19 18:46:59 +02:00
parent 08f1bda1aa
commit a4aeeca2d3
10 changed files with 83 additions and 55 deletions
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg

 type: application
-version: 1.12.0
+version: 1.13.0
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -20,7 +20,11 @@ metadata:
  name: allow-external-communication
  namespace: {{ include "tenant.name" . }}
 spec:
-  endpointSelector: {}
+  endpointSelector:
+    matchExpressions:
+    - key: policy.cozystack.io/allow-external-communication
+      operator: NotIn
+      values: ["false"]
  ingress:
  - fromEntities:
      - world
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -164,55 +164,15 @@ tcp-balancer 0.4.2 4369b031
 tcp-balancer 0.5.0 08cb7c0f
 tcp-balancer 0.5.1 c02a3818
 tcp-balancer 0.6.0 HEAD
-tenant 1.10.0 4369b031
-tenant 1.11.0 08cb7c0f
-tenant 1.11.1 28c9fcd6
-tenant 1.11.2 c02a3818
-tenant 1.12.0 HEAD
-virtual-machine 0.1.4 f2015d65
-virtual-machine 0.1.5 263e47be
-virtual-machine 0.2.0 c0685f43
-virtual-machine 0.3.0 6c5cf5bf
-virtual-machine 0.4.0 b8e33d19
-virtual-machine 0.5.0 1ec10165
-virtual-machine 0.6.0 4e68e65c
-virtual-machine 0.7.0 e23286a3
-virtual-machine 0.7.1 0ab39f20
-virtual-machine 0.8.0 3fa4dd3a
-virtual-machine 0.8.1 93c46161
-virtual-machine 0.8.2 de19450f
-virtual-machine 0.9.0 721c12a7
-virtual-machine 0.9.1 93bdf411
-virtual-machine 0.10.0 6130f43d
-virtual-machine 0.10.2 632224a3
-virtual-machine 0.11.0 4369b031
-virtual-machine 0.12.0 acd4663a
-virtual-machine 0.12.1 909208ba
-virtual-machine 0.12.2 8ddbe32e
-virtual-machine 0.12.3 c02a3818
-virtual-machine 0.13.0 HEAD
+tenant 1.13.0 HEAD
+virtual-machine 0.14.0 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 6130f43d
 vm-disk 0.1.2 632224a3
 vm-disk 0.2.0 4369b031
 vm-disk 0.3.0 c02a3818
 vm-disk 0.4.0 HEAD
-vm-instance 0.1.0 1ec10165
-vm-instance 0.2.0 84f3ccc0
-vm-instance 0.3.0 4e68e65c
-vm-instance 0.4.0 e23286a3
-vm-instance 0.4.1 0ab39f20
-vm-instance 0.5.0 3fa4dd3a
-vm-instance 0.5.1 de19450f
-vm-instance 0.6.0 721c12a7
-vm-instance 0.7.0 6130f43d
-vm-instance 0.7.2 632224a3
-vm-instance 0.8.0 4369b031
-vm-instance 0.9.0 acd4663a
-vm-instance 0.10.0 909208ba
-vm-instance 0.10.1 8ddbe32e
-vm-instance 0.10.2 c02a3818
-vm-instance 0.11.0 HEAD
+vm-instance 0.12.0 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf
--- a/packages/apps/virtual-machine/Chart.yaml
+++ b/packages/apps/virtual-machine/Chart.yaml
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.13.0
+version: 0.14.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.13.0
+appVersion: 0.14.0
--- a/packages/apps/virtual-machine/templates/service.yaml
+++ b/packages/apps/virtual-machine/templates/service.yaml
@@ -6,14 +6,12 @@ metadata:
  name: {{ include "virtual-machine.fullname" . }}
  labels:
    {{- include "virtual-machine.labels" . | nindent 4 }}
-  {{- if eq .Values.externalMethod "WholeIP" }}
  annotations:
    networking.cozystack.io/wholeIP: "true"
-  {{- end }}
 spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  externalTrafficPolicy: Local
-    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
+    {{- if ((include "cozy-lib.network.disableLoadBalancerNodePorts" $) | fromYaml) }}
  allocateLoadBalancerNodePorts: false
    {{- end }}
  selector:
@@ -29,3 +27,27 @@ spec:
    {{- end }}
    {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+      - cluster
+  - fromEntities:
+      - world
+    {{- if eq .Values.externalMethod "PortList" }}
+    toPorts:
+      - ports:
+          {{- range .Values.externalPorts }}
+          - port: {{ quote . }}
+          {{- end }}
+    {{- end }}
+  egress:
+  - toEntities:
+      - world
--- a/packages/apps/virtual-machine/templates/vm.yaml
+++ b/packages/apps/virtual-machine/templates/vm.yaml
@@ -62,6 +62,7 @@ spec:
  template:
    metadata:
      annotations:
+        policy.cozystack.io/allow-external-communication: "false"
        kubevirt.io/allow-pod-bridge-network-live-migration: "true"
      labels:
        {{- include "virtual-machine.labels" . | nindent 8 }}
--- a/packages/apps/vm-instance/Chart.yaml
+++ b/packages/apps/vm-instance/Chart.yaml
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.12.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.11.0
+appVersion: 0.12.0
--- a/packages/apps/vm-instance/templates/service.yaml
+++ b/packages/apps/vm-instance/templates/service.yaml
@@ -6,14 +6,12 @@ metadata:
  name: {{ include "virtual-machine.fullname" . }}
  labels:
    {{- include "virtual-machine.labels" . | nindent 4 }}
-  {{- if eq .Values.externalMethod "WholeIP" }}
  annotations:
    networking.cozystack.io/wholeIP: "true"
-  {{- end }}
 spec:
  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
  externalTrafficPolicy: Local
-    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
+    {{- if ((include "cozy-lib.network.disableLoadBalancerNodePorts" $) | fromYaml) }}
  allocateLoadBalancerNodePorts: false
    {{- end }}
  selector:
@@ -29,3 +27,27 @@ spec:
    {{- end }}
    {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+      - cluster
+  - fromEntities:
+      - world
+    {{- if eq .Values.externalMethod "PortList" }}
+    toPorts:
+      - ports:
+        {{- range .Values.externalPorts }}
+        - port: {{ quote . }}
+        {{- end }}
+    {{- end }}
+  egress:
+  - toEntities:
+      - world
--- a/packages/apps/vm-instance/templates/vm.yaml
+++ b/packages/apps/vm-instance/templates/vm.yaml
@@ -26,6 +26,7 @@ spec:
  template:
    metadata:
      annotations:
+        policy.cozystack.io/allow-external-communication: "false"
        kubevirt.io/allow-pod-bridge-network-live-migration: "true"
      labels:
        {{- include "virtual-machine.labels" . | nindent 8 }}
--- a/scripts/migrations/18
+++ b/scripts/migrations/18
@@ -0,0 +1,18 @@
+#!/bin/sh
+# Migration 18 --> 19
+
+# Upgrade tenants.apps to new chart version
+kubectl get tenants.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+  kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}'
+done
+
+# Upgrade virtualmachines.apps to new chart version
+kubectl get virtualmachines.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+  kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.14.0"}'
+done
+kubectl get vminstances.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+  kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.12.0"}'
+done
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=19 --dry-run=client -o yaml | kubectl apply -f-