From 2c12f35f75f6dba63d32f91cf1359f48af1d7815 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Sun, 14 Jun 2026 16:25:25 -0500
Subject: [PATCH] agent-zero: fix fc_dms netpol egress port (8080 = pod targetPort, not svc 80)

NetworkPolicy matches the destination POD port. dms-web svc:80 -> containerPort 8080, so the egress must allow 8080 (the fc-chat rule already allows 80+8080, which is why chat worked and dms timed out). Add 8080 to the fc-dms egress.
---
 apps/agent-zero/agent-zero.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/apps/agent-zero/agent-zero.yaml b/apps/agent-zero/agent-zero.yaml
index 2ae50cb..56f9c9d 100644
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -666,8 +666,9 @@ spec:
 - port: 5300
 protocol: TCP
 # FlowerCore DMS Manager MCP (product-manager fan-out) — in-cluster
- # dms-web on port 80. Every in-cluster MCP target needs an explicit
- # egress allow (the policy denies private ranges by default).
+ # dms-web. NetworkPolicy matches the destination POD port: dms-web svc:80
+ # targets containerPort 8080, so the egress MUST allow 8080 (not the svc
+ # port 80) — same as the fc-chat rule. Allow both for parity.
 - to:
 - namespaceSelector:
 matchLabels:
@@ -675,6 +676,8 @@ spec:
 ports:
 - port: 80
 protocol: TCP
+ - port: 8080
+ protocol: TCP
 # Allow internet (for kubectl image pull, etc)
 - to:
 - ipBlock:
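Review bot: The fc-dms egress rule in the second hunk keeps `- port: 80` next to the new `- port: 8080`, although the rewritten comment in the first hunk says the policy is matched against the pod port and dms-web listens on 8080. If that holds, port 80 no longer serves dms-web and only leaves egress open to anything else in that namespace that listens on 80; unless something there needs it, drop the `- port: 80` / `protocol: TCP` pair and replace `Allow both for parity.` with a sentence saying why 8080 is the only port. As far as the two hunks show, the peer is a `namespaceSelector` alone, so the allow covers every pod in the namespace; a `podSelector` with the dms-web pod label (`matchLabels: {<dms-web pod label>}`) in the same `to` entry would limit it to the intended target. The egress list starts and continues outside both hunks, so the fc-chat rule it is compared with is not visible here.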