Sync chart from pieced-threema-gateway 0.1.6

2026-05-17 08:35:58 +00:00
parent b5abc5958f
commit 819e90c16c
3 changed files with 17 additions and 4 deletions
--- a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
+++ b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
@@ -51,7 +51,17 @@ spec:
            - port: "8080"
              protocol: TCP
  egress:
-    # DNS
+    # DNS — with the proxy interceptor on so toFQDNs rules below
+    # actually work.
+    #
+    # Cilium `toFQDNs` matches against a per-pod identity that is
+    # populated only when the Cilium DNS proxy observes a resolution
+    # for that name. The proxy is enabled per-policy by a `rules.dns`
+    # clause on the DNS egress: without it, DNS resolution still
+    # succeeds (we allow port 53 to kube-system) but Cilium never
+    # learns the resolved IP, so the subsequent TCP connect to
+    # msgapi.threema.ch is denied at egress and the relay logs
+    # "fetch failed" with no further detail.
    - toEndpoints:
        - matchLabels:
            "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "kube-system"
@@ -61,6 +71,9 @@ spec:
              protocol: UDP
            - port: "53"
              protocol: TCP
+          rules:
+            dns:
+              - matchPattern: "*"
    # Threema Gateway public API
    - toFQDNs:
        - matchName: "msgapi.threema.ch"