diff --git a/deploy/helm/pieced-threema-gateway/Chart.yaml b/deploy/helm/pieced-threema-gateway/Chart.yaml
index 694602b..281ad0b 100644
--- a/deploy/helm/pieced-threema-gateway/Chart.yaml
+++ b/deploy/helm/pieced-threema-gateway/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: pieced-threema-gateway
 description: PieCed IT central Threema Gateway relay
 type: application
-version: 0.1.3
-appVersion: "0.1.3"
+version: 0.1.4
+appVersion: "0.1.4"
diff --git a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
index 8c2cc1c..37442d1 100644
--- a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
+++ b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
@@ -68,10 +68,17 @@ spec:
 - ports:
 - port: "443"
 protocol: TCP
- # Postgres (same namespace)
+ # Postgres (same namespace).
+ #
+ # We match on the namespace label rather than `cnpg.io/cluster`
+ # because that CNPG label is not in Cilium's default identity-relevant
+ # label set in most installations — pods labelled that way still get a
+ # generic Cilium identity, so a matchLabels on it won't match anything.
+ # Restricting to port 5432 + same namespace is safe: the only thing
+ # listening on 5432 in this namespace is CNPG.
 - toEndpoints:
 - matchLabels:
- "cnpg.io/cluster": "pieced-threema-gateway-db"
+ "k8s:io.kubernetes.pod.namespace": {{ .Values.namespace | quote }}
 toPorts:
 - ports:
 - port: "5432"
diff --git a/deploy/helm/pieced-threema-gateway/values.yaml b/deploy/helm/pieced-threema-gateway/values.yaml
index 86f7e89..c84857b 100644
--- a/deploy/helm/pieced-threema-gateway/values.yaml
+++ b/deploy/helm/pieced-threema-gateway/values.yaml
@@ -6,7 +6,7 @@ namespace: threema-gateway
 image:
 repository: registry.c5ai.ch/pieced/pieced-threema-gateway
- tag: "0.1.3"
+ tag: "0.1.4"
 pullPolicy: IfNotPresent
 # Pull from registry.c5ai.ch — matches operator + portal pattern.
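Review bot: The Postgres egress rule's new `toEndpoints` selector in networkpolicy.yaml matches every pod in the namespace, so the gateway pod may now open TCP 5432 to any workload there, and the only thing keeping that equivalent to "CNPG only" is the invariant stated in the comment. Nothing visible enforces that invariant, so I would mark it as an assumption to re-check, e.g. `# ASSUMPTION: no other pod in this namespace listens on 5432; re-check when adding workloads.`, and narrow the selector again once the database pods carry a label that Cilium treats as identity-relevant in this installation. The selector also takes its namespace from `.Values.namespace`; if the policy's own `metadata.namespace` (outside this hunk) is derived differently, for instance from `.Release.Namespace`, the rule would point at another namespace, so both should come from the same value. The egress list begins above the hunk and the rule's `toPorts` entry may continue below it.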