Fix network policy and request forwarding (#31)

XenitAB · Jun 6, 2021 · 13e1002 · 13e1002
1 parent 6e26131
commit 13e1002
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/charts/azdo-proxy/templates/networkpolicy.yaml b/charts/azdo-proxy/templates/networkpolicy.yaml
@@ -2,17 +2,43 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: {{ include "azdo-proxy.fullname" . }}-deny-ingress
+ name: {{ include "azdo-proxy.fullname" . }}
  labels:
  {{- include "azdo-proxy.labels" . | nindent 4 }}
 spec:
+ podSelector:
+ matchLabels:
+ {{- include "azdo-proxy.labels" . | nindent 6 }}
  policyTypes:
  - Ingress
  - Egress
  ingress:
- - from:
- - podSelector: {}
+ - from:
+ - podSelector:
+ matchLabels:
+ app: source-controller
+ ports:
+ - port: 8080
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: prometheus
+ ports:
+ - port: 9090
  egress:
- - {}
- podSelector: {}
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
 {{- end }}
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -92,6 +92,7 @@ func proxyHandler(logger logr.Logger, proxies map[string]*httputil.ReverseProxy,
 
  // Overwrite the authorization header with the PAT token
  logger.Info("Authenticated request", "path", r.URL.Path)
+ r.Host = target.Host
  r.Header.Del("Authorization")
  patB64 := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("pat:%s", pat)))
  r.Header.Add("Authorization", "Basic "+patB64)