From 6cbb5d8792576402bdb2f59888859385bd3a2e9e Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Thu, 23 Apr 2026 09:59:17 -0500
Subject: [PATCH] fix(agent-zero): NetworkPolicy egress rule for fc-llm-bridge (ADR-088)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The chat_model flip (62db15c) pointed Agent Zero at fc-llm-bridge.fc-llm-bridge.svc.cluster.local:8080 but the existing agent-zero-netpol only allowed egress to specific node IPs (10.0.56.20:11434, 10.0.57.17:11434, 10.0.57.16:5200, 10.0.56.11:6443) plus public-internet (with RFC1918 exclusion). ClusterIP traffic to 10.43.0.0/16 was implicitly denied, so pod-exec curl to the bridge timed out after 134s.

Adds an egress rule allowing TCP 8080 to the fc-llm-bridge namespace (matched by kubernetes.io/metadata.name which K8s 1.22+ sets automatically). No ingress changes needed — fc-llm-bridge has no NetworkPolicy, so the ingress side is already open.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/agent-zero/agent-zero.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/apps/agent-zero/agent-zero.yaml b/apps/agent-zero/agent-zero.yaml
index 02c22f0..567e262 100644
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -531,6 +531,15 @@ spec:
 cidr: 10.0.56.11/32
 ports:
 - port: 6443
+ # FlowerCore LLM Bridge (ADR-088 chat_model routing) — ClusterIP service
+ # in the fc-llm-bridge namespace on port 8080.
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-llm-bridge
+ ports:
+ - port: 8080
+ protocol: TCP
 # Allow internet (for kubectl image pull, etc)
 - to:
 - ipBlock:
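Review bot: The new `to` entry selects every pod in the fc-llm-bridge namespace rather than the bridge itself, so any workload that later lands in that namespace and listens on 8080 becomes reachable from Agent Zero; add a `podSelector` in the same list item as the `namespaceSelector` (e.g. `podSelector: {matchLabels: {app: fc-llm-bridge}}`, with the label key/value copied from the bridge Deployment, which is not visible here) so the two are ANDed and the grant is scoped to the bridge pods. Because the target is a ClusterIP, the selector has to match the backing pods' labels, not the Service; this works where the CNI enforces egress on the post-DNAT pod IP, which is worth confirming on this cluster given the commit message's note that 10.43.0.0/16 was otherwise denied. Resolving fc-llm-bridge.fc-llm-bridge.svc.cluster.local also needs DNS egress to kube-system (UDP/TCP 53); if this policy does not already carry that rule outside the hunk, the curl would fail at lookup rather than at connect. The commit message's observation that fc-llm-bridge has no NetworkPolicy means the bridge currently accepts connections from any pod cluster-wide, so a default-deny plus an ingress allow from the agent-zero namespace would be the matching half of this change, though it lives outside this file. The enclosing `egress` list starts before the hunk and continues after it.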