From eea685065a2261caa93f87075cfa5fd5b86e6152 Mon Sep 17 00:00:00 2001
From: IvanHunters
Date: Tue, 4 Nov 2025 01:59:16 +0300
Subject: [PATCH 1/4] [flux] Close Flux Operator ports to external access
This patch updates the Flux Operator Deployment to remove hostPort and hostNetwork, ensuring that ports 8080 and 8081 are only accessible within the cluster. This prevents external exposure and improves security.
```release-note
[flux] Close Flux Operator ports (8080/8081) to external access for improved security.
```
Signed-off-by: IvanHunters
---
 packages/system/fluxcd-operator/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/system/fluxcd-operator/values.yaml b/packages/system/fluxcd-operator/values.yaml
index 9053689a..250c19c4 100644
--- a/packages/system/fluxcd-operator/values.yaml
+++ b/packages/system/fluxcd-operator/values.yaml
@@ -4,7 +4,7 @@ flux-operator:
 - key: node.kubernetes.io/not-ready
 operator: Exists
 effect: NoSchedule
- hostNetwork: true
+ hostNetwork: false
 resources:
 limits:
 cpu: 100m
From 52a23eacfc32430d8b008b765c64a81526521bae Mon Sep 17 00:00:00 2001
From: IvanHunters
Date: Tue, 4 Nov 2025 12:00:30 +0300
Subject: [PATCH 2/4] close metrics port for external
Signed-off-by: IvanHunters
---
 .../templates/network-policy.yaml | 18 ++++++++++++++++++
 packages/system/fluxcd-operator/values.yaml | 2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
new file mode 100644
index 00000000..fc7fa004
--- /dev/null
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
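Review bot: The commit message and release note say hostPort and hostNetwork are removed, but the only change here is `hostNetwork: true` → `hostNetwork: false`, and PATCH 2/4 flips it straight back, so the series as a whole ends with `hostNetwork: true` in values.yaml. No hostPort is touched anywhere in the series. Either drop this commit together with its revert, or reword the message and the `release-note` block to say the operator keeps host networking and ports 8080/8081 are instead restricted by the Cilium policy added in PATCH 2/4.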
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: {{ include "flux-operator.fullname" . }}-restrict
+spec:
+ nodeSelector: {}
+ ingressDeny:
+ - fromEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+ - port: "8081"
+ protocol: TCP
+ ingress:
+ - fromEntities:
+ - cluster
diff --git a/packages/system/fluxcd-operator/values.yaml b/packages/system/fluxcd-operator/values.yaml
index 250c19c4..9053689a 100644
--- a/packages/system/fluxcd-operator/values.yaml
+++ b/packages/system/fluxcd-operator/values.yaml
@@ -4,7 +4,7 @@ flux-operator:
 - key: node.kubernetes.io/not-ready
 operator: Exists
 effect: NoSchedule
- hostNetwork: false
+ hostNetwork: true
 resources:
 limits:
 cpu: 100m
From f60e2555c990a2cb2766802e512a15d890bb15fa Mon Sep 17 00:00:00 2001
From: IvanHunters
Date: Tue, 4 Nov 2025 12:14:43 +0300
Subject: [PATCH 3/4] add patch
Signed-off-by: IvanHunters
---
 packages/system/fluxcd-operator/Makefile | 1 +
 .../patches/networkPolicy.diff | 23 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 packages/system/fluxcd-operator/patches/networkPolicy.diff
diff --git a/packages/system/fluxcd-operator/Makefile b/packages/system/fluxcd-operator/Makefile
index f41360ee..84ffc6fe 100644
--- a/packages/system/fluxcd-operator/Makefile
+++ b/packages/system/fluxcd-operator/Makefile
@@ -10,3 +10,4 @@ update:
 rm -rf charts
 helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts
 patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff
+ patch --no-backup-if-mismatch -p1 < patches/networkPolicy.diff
diff --git a/packages/system/fluxcd-operator/patches/networkPolicy.diff b/packages/system/fluxcd-operator/patches/networkPolicy.diff
new file mode 100644
index 00000000..d2adc974
--- /dev/null
+++ b/packages/system/fluxcd-operator/patches/networkPolicy.diff
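Review bot: The trailing allow rule `ingress: - fromEntities: - cluster` has no `toPorts`, and because the policy uses `nodeSelector: {}` it is a host policy that selects every node rather than the operator pod (which, with `hostNetwork: true` kept in the next hunk, is not a Cilium endpoint of its own). Cilium enforces host policies only when the host firewall is enabled, so on clusters without it the `ingressDeny` for 8080/8081 is silently not applied; where it is enabled, an allow rule that selects the host endpoint puts the node into default-deny for ingress, and a port-less cluster-only allow could then drop every other non-cluster ingress to the node (SSH, NodePorts, API server) — confirm this against the Cilium version in use and roll the policy out in policy audit mode first. The deny rule is what the commit needs; if an allow section is kept at all, scope it to the same two ports as shown below rather than to all host traffic. patches/networkPolicy.diff in PATCH 3/4 carries the same manifest and needs the same change.
```yaml
# … unchanged: metadata, nodeSelector, ingressDeny …
  ingress:
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
            - port: "8081"
              protocol: TCP
```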
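Review bot: The new `patch --no-backup-if-mismatch -p1 < patches/networkPolicy.diff` line runs from the package directory, judging by `rm -rf charts` and `--untardir charts` in the same recipe, but the patch file it applies (PATCH 3/4, next hunk) names its file `b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml`, so stripping one component leaves a repo-root-relative path that does not resolve under the package directory. On the next `make update` this would presumably either fail or create the file under a nested `packages/system/fluxcd-operator/charts/...` tree instead of `charts/flux-operator/templates/`. Regenerate `networkPolicy.diff` with paths relative to the package (e.g. `git diff --relative` from that directory, matching what `patches/kubernetesEnvs.diff` presumably already uses) or strip four components with `-p4` on this line. The `(revision …)` suffixes on the `---`/`+++` lines of that patch also look IDE-generated rather than produced by git; regenerating it would remove them.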
@@ -0,0 +1,23 @@
+diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
+new file mode 100644
+--- /dev/null (revision 52a23eacfc32430d8b008b765c64a81526521bae)
++++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml (revision 52a23eacfc32430d8b008b765c64a81526521bae)
+@@ -0,0 +1,18 @@
++apiVersion: cilium.io/v2
++kind: CiliumClusterwideNetworkPolicy
++metadata:
++ name: {{ include "flux-operator.fullname" . }}-restrict
++spec:
++ nodeSelector: {}
++ ingressDeny:
++ - fromEntities:
++ - world
++ toPorts:
++ - ports:
++ - port: "8080"
++ protocol: TCP
++ - port: "8081"
++ protocol: TCP
++ ingress:
++ - fromEntities:
++ - cluster
From 48c6e23ca017393c3725775be04dee4f9ca1e926 Mon Sep 17 00:00:00 2001
From: IvanHunters
Date: Tue, 4 Nov 2025 17:56:49 +0300
Subject: [PATCH 4/4] add rule for success installing
Signed-off-by: IvanHunters
---
 .../charts/flux-operator/templates/network-policy.yaml | 3 +++
 packages/system/fluxcd-operator/patches/networkPolicy.diff | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
index fc7fa004..0a9db1cc 100644
--- a/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml
@@ -1,3 +1,5 @@
+{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
+---
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
@@ -16,3 +18,4 @@ spec:
 ingress:
 - fromEntities:
 - cluster
+{{- end }}
diff --git a/packages/system/fluxcd-operator/patches/networkPolicy.diff b/packages/system/fluxcd-operator/patches/networkPolicy.diff
index d2adc974..a7bf3207 100644
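Review bot: The `{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}` guard lets the chart install without Cilium, but it also turns the restriction into a silent no-op: whenever the CRD is not visible at render time (no Cilium, or an offline `helm template`/CI render without `--api-versions`) the policy is dropped and ports 8080/8081 stay reachable with nothing logged. An explicit switch such as `{{- if .Values.networkPolicy.enabled }}` (name is a suggestion) would make the choice visible in values and let an install fail loudly when the CRD is missing, instead of guessing from capabilities. At minimum, add a comment above the guard, e.g. `# Only rendered when the Cilium CCNP CRD is present; without it the 8080/8081 restriction is NOT applied.`, so the next reader knows the policy can vanish. The `{{- end }}` in the second hunk closes this block; the file between the two hunks is unchanged.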
--- a/packages/system/fluxcd-operator/patches/networkPolicy.diff
+++ b/packages/system/fluxcd-operator/patches/networkPolicy.diff
@@ -3,6 +3,7 @@ new file mode 100644
 --- /dev/null (revision 52a23eacfc32430d8b008b765c64a81526521bae)
 +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/network-policy.yaml (revision 52a23eacfc32430d8b008b765c64a81526521bae)
 @@ -0,0 +1,18 @@
++{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumClusterwideNetworkPolicy" }}
 +apiVersion: cilium.io/v2
 +kind: CiliumClusterwideNetworkPolicy
 +metadata:
@@ -21,3 +22,4 @@ new file mode 100644
 + ingress:
 + - fromEntities:
 + - cluster
++{{- end }}
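Review bot: The inner hunk header `@@ -0,0 +1,18 @@` is kept as context while this change grows the inner hunk to 20 added lines (`++{{- if … }}` here and `++{{- end }}` in the second hunk), so the stored patch's line count no longer matches its body; depending on the GNU patch version this is either rejected as malformed or applied for the first 18 lines with the trailing `{{- end }}` ignored, which would leave the regenerated template with an unclosed `if` after the next `make update`. The inner header should become `@@ -0,0 +1,20 @@`. The chart template changed in this same commit also gains a `+---` line after the `if` that is not mirrored here, so the checked-in chart and the one regenerated from the patch will differ; either add `++---` after the `++{{- if … }}` line (making the count 21) or drop the `---` from the template. A `make update` followed by `git status` on the package would catch both.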