From cd7698a6e9cb862e346e0ec9a61cc90231ea5cec Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Sun, 28 May 2023 12:02:33 +0800
Subject: [PATCH] fix(headscale): allow cloudflared ingress
---
 kube/3-deploy/2-apps/headscale/app/netpol.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/kube/3-deploy/2-apps/headscale/app/netpol.yaml b/kube/3-deploy/2-apps/headscale/app/netpol.yaml
index 4d2e06cc..f3ea9af7 100644
--- a/kube/3-deploy/2-apps/headscale/app/netpol.yaml
+++ b/kube/3-deploy/2-apps/headscale/app/netpol.yaml
@@ -27,6 +27,22 @@ spec:
 protocol: TCP
 - port: "9090"
 protocol: UDP
+ # Cloudflare tunnel
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: cloudflare
+ app.kubernetes.io/instance: cloudflared
+ app.kubernetes.io/name: cloudflared
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+ - port: "8080"
+ protocol: UDP
+ - port: "9090"
+ protocol: TCP
+ - port: "9090"
+ protocol: UDP
 # allow ingress
 - fromEntities:
 - world
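Review bot: The new cloudflared rule opens more than the tunnel is likely to need: its `toPorts` list allows 8080 and 9090 on both TCP and UDP, which looks copied from the rule just above it. For an HTTP origin cloudflared connects over TCP, and 9090 is headscale's default metrics port, so if that is what listens there the metrics endpoint becomes reachable from the tunnel pods (TODO confirm against the headscale config). Unless the tunnel really routes to 9090, I would narrow the list to `- port: "8080"` / `protocol: TCP` and extend the `# Cloudflare tunnel` comment to name the hostname that maps to it. The enclosing ingress list starts above the hunk and the `fromEntities: world` rule continues below it, so the ports that rule opens cannot be checked from here.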