Fix network policy and request forwarding (#31)

phillebaba · web-flow · commit 13e100216972 · 2021-06-06T20:58:20.000+02:00
diff --git a/charts/azdo-proxy/templates/networkpolicy.yaml b/charts/azdo-proxy/templates/networkpolicy.yaml
@@ -2,17 +2,43 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ include "azdo-proxy.fullname" . }}-deny-ingress
+  name: {{ include "azdo-proxy.fullname" . }}
   labels:
     {{- include "azdo-proxy.labels" . | nindent 4 }}
 spec:
+  podSelector:
+    matchLabels:
+      {{- include "azdo-proxy.labels" . | nindent 6 }}
   policyTypes:
     - Ingress
     - Egress
   ingress:
-  - from:
-    - podSelector: {}
+    - from:
+        - podSelector:
+            matchLabels:
+              app: source-controller
+      ports:
+        - port: 8080
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: prometheus
+      ports:
+        - port: 9090
   egress:
-    - {}
-  podSelector: {}
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
 {{- end }}
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -92,6 +92,7 @@ func proxyHandler(logger logr.Logger, proxies map[string]*httputil.ReverseProxy,
 
 		// Overwrite the authorization header with the PAT token
 		logger.Info("Authenticated request", "path", r.URL.Path)
+		r.Host = target.Host
 		r.Header.Del("Authorization")
 		patB64 := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("pat:%s", pat)))
 		r.Header.Add("Authorization", "Basic "+patB64)
