From 3c5c1a07bd3098539515ee6a584e17c70f185c6d Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Fri, 24 Apr 2026 00:47:50 -0500
Subject: [PATCH] fix(monitoring): netpol egress allows for fc-desktop + Traefik hairpin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds two egress allows to monitoring-netpol so Prometheus can scrape FlowerCore.RemoteDesktop:

1. fc-desktop namespace on port 8080 — direct ClusterIP service target (remotedesktop-web.fc-desktop:8080).

2. traefik-system namespace pods on ports 8080 + 8443 — covers the Traefik VIP hairpin path for the `https://desktop.iamworkin.lan` scrape target (CoreDNS wildcard resolves iamworkin.lan hostnames to the LB VIP; after kube-proxy DNAT, egress needs the backend pod port allowed per feedback_netpol_dnat_backend_port).

Without these, the fc-remotedesktop scrape times out with "context deadline exceeded" even though the monitoring-netpol already allows the 10.0.56.0/24 CIDR — post-DNAT the destination is a 10.42.x.x pod IP, not the VIP.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/monitoring/noc-monitoring.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/apps/monitoring/noc-monitoring.yaml b/apps/monitoring/noc-monitoring.yaml
index 972d2cf..0d578d4 100644
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -3833,6 +3833,33 @@ spec:
 ports:
 - port: 80
 protocol: TCP
+ # FlowerCore.RemoteDesktop /metrics scrape via the fc-desktop
+ # ClusterIP Service (remotedesktop-web:8080). Also covers the
+ # Traefik VIP hairpin path since after kube-proxy DNAT, the egress
+ # destination is the backend pod IP on the service port (see
+ # feedback_netpol_dnat_backend_port).
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-desktop
+ ports:
+ - port: 8080
+ protocol: TCP
+ # Traefik backend ports — needed for in-cluster egress to public
+ # iamworkin.lan hostnames that CoreDNS wildcard resolves to the
+ # LoadBalancer VIP. Post-DNAT destination is a Traefik pod on 8080/8443.
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ ports:
+ - port: 8080
+ protocol: TCP
+ - port: 8443
+ protocol: TCP
 # IRC (irc-notify → UnrealIRCd in irc namespace via K8s DNS)
 - to:
 - namespaceSelector:
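Review bot: The first added `- to:` rule (fc-desktop) allows egress to every pod in that namespace on 8080, whereas the second rule is pinned to `app.kubernetes.io/name: traefik`; if the only intended target is remotedesktop-web, scope it the same way by adding `podSelector:` / `  matchLabels:` / `    <remotedesktop-web pod label>: <value>` under the namespaceSelector (label and value are a placeholder here and should be taken from the fc-desktop workload). The comment on that first rule also states it "covers the Traefik VIP hairpin path", but by the second comment's own reasoning the post-DNAT destination on that path is a Traefik pod, which only the traefik-system rule permits, so I would drop that sentence from the first comment to keep the two rationales from contradicting each other. Both allows apply to whatever pods monitoring-netpol's podSelector matches, which sits outside this hunk, so it is worth confirming that selector covers only the scraping workloads rather than the whole namespace.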