@lexfrei (Contributor) commented Dec 26, 2025

What this PR does

Fixes egress policy for nested Kubernetes clusters using exposeMethod: Proxied.

The clusterwide egress policy blocks traffic from tenant pods to ingress pods in parent namespaces. This breaks:

  • cert-manager HTTP-01 self-check
  • Any scenario where pods need to access services exposed through parent ingress

Adds egress rule allowing traffic to ingress pods (cozystack.io/service: ingress) in parent namespaces, following the same pattern as existing vminsert and etcd rules.

Release note

[tenant] Fixed tenant egress policy to allow traffic to parent ingress pods, enabling cert-manager HTTP-01 challenges and external domain access for nested clusters with exposeMethod: Proxied

Summary by CodeRabbit

  • New Features
    • Enhanced network policies for multi-tenant environments with improved traffic routing based on namespace hierarchies, enabling more granular egress control.


Nested Kubernetes clusters with exposeMethod: Proxied cannot reach their
own external domains because the clusterwide egress policy blocks traffic
to ingress pods in parent namespaces.

This breaks cert-manager HTTP-01 self-check and any scenario where pods
need to access services exposed through parent ingress.

Add egress rule allowing traffic to ingress pods (cozystack.io/service:
ingress) in parent namespaces, following the same pattern as existing
vminsert and etcd rules.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@coderabbitai (Contributor) coderabbitai bot commented Dec 26, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

A conditional egress rule is added to the network policy template that, when the tenant is not "tenant-root" and the Release.Namespace follows the "tenant-*" pattern, inserts additional matchLabels entries targeting ingress services with progressively extended namespace labels derived from namespace segments.

Changes

Cohort: Network Policy Egress Rules
File(s): packages/apps/tenant/templates/networkpolicy.yaml
Summary: Added a conditional block to augment the egress policy with namespace-based ingress service endpoints; iterates namespace segments to build progressive namespace paths with cozystack.io/service: ingress labels when the tenant pattern matches.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Through namespace segments, the rabbit hops,
Building egress rules that never stop,
With tenant patterns and labels aligned,
A network policy, thoughtfully designed!
Huzzah for ingress, now firmly in place, 🎉

Pre-merge checks

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped, CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The pull request title '[tenant] Allow egress to parent ingress pods' accurately summarizes the main change: adding an egress rule to allow traffic from tenant pods to parent ingress pods in the networkpolicy.yaml file.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@gemini-code-assist (Contributor) commented
Summary of Changes

Hello @lexfrei, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a crucial network policy adjustment for nested Kubernetes environments utilizing exposeMethod: Proxied. It specifically modifies the tenant egress policy to permit communication with ingress pods residing in parent namespaces, thereby unblocking essential functionalities such as cert-manager HTTP-01 challenges and general access to services exposed through the parent ingress.

Highlights

  • Egress Policy Fix: Addresses a critical egress policy issue that blocked traffic from tenant pods to ingress pods in parent namespaces within nested Kubernetes clusters using exposeMethod: Proxied.
  • Enables Core Functionality: Resolves failures in cert-manager HTTP-01 self-check and other scenarios where tenant pods needed to access services exposed through parent ingress.
  • New Egress Rule: Introduces a specific egress rule within the CiliumClusterwideNetworkPolicy to allow traffic from non-root tenant pods to ingress pods (identified by cozystack.io/service: ingress) located in parent namespaces.
  • Pattern Consistency: The newly added egress rule follows the established pattern of existing vminsert and etcd rules for network policy configuration.


@gemini-code-assist (Contributor) gemini-code-assist bot left a comment

Code Review

This pull request correctly adds an egress policy to allow traffic from tenant pods to ingress pods in parent namespaces, which is a necessary fix for features like cert-manager's HTTP-01 self-check in nested clusters. The logic for identifying parent namespaces is sound. However, the implementation introduces significant code duplication, as it mimics two existing blocks. My review includes a suggestion to make the new rule more precise by avoiding a redundant case, and I also strongly recommend a refactoring to address the code duplication for better long-term maintainability.

@lexfrei lexfrei marked this pull request as ready for review December 26, 2025 15:16
@dosubot dosubot bot added the labels size:S (This PR changes 10-29 lines, ignoring generated files) and bug (Something isn't working) Dec 26, 2025
@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/apps/tenant/templates/networkpolicy.yaml (1)

70-82: Implementation correctly enables egress to parent ingress pods.

The new egress rule successfully allows traffic to ingress pods in parent namespaces, which resolves the cert-manager HTTP-01 challenge issue and aligns with the PR objectives. The logic correctly follows the established pattern used for vminsert and etcd.

However, as noted in the previous review, this block duplicates the same pattern three times in this file and includes a redundant rule for the tenant's own namespace (the last loop iteration generates a rule for the current namespace, which is already covered by the allow-to-ingress policy at lines 212-223).

While these concerns don't affect correctness, consider the suggestions from the previous review to improve maintainability when time permits.

Based on past review comments, the following improvements could be made in a follow-up:

  • Extract the repeated pattern into a named template in _helpers.tpl
  • Exclude the redundant last iteration by adding (lt (add $i 1) (len $parts)) to the conditional on line 75
📥 Commits

Reviewing files that changed from the base of the PR and between d7931fd and 4dfdbfe.

📒 Files selected for processing (1)
  • packages/apps/tenant/templates/networkpolicy.yaml
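The namespace derivation the Walkthrough describes, together with the redundant last iteration flagged in the nitpick above, modelled in Python as an added example (not the chart's template and not the project's code). The split-on-`-` segment handling and the `k8s:io.kubernetes.pod.namespace` label key are assumptions; only the `cozystack.io/service: ingress` label and the tenant-root / tenant-* conditions come from the PR.

```python
"""Model of the parent-ingress egress rule described in the review.

Added example, not the chart's own template. It mirrors what the Walkthrough
describes: split Release.Namespace into segments and emit one matchLabels
entry per progressively longer tenant-* path, so that the redundant last
iteration (the tenant's own namespace) and its exclusion can be checked.
"""
from __future__ import annotations

# From the PR: ingress pods are selected by this label.
INGRESS_LABEL = {"cozystack.io/service": "ingress"}
# Assumption: the label key Cilium uses for a pod's namespace in endpoint selectors.
NS_LABEL_KEY = "k8s:io.kubernetes.pod.namespace"


def parent_namespaces(release_ns: str, *, include_self: bool) -> list[str]:
    """Return the progressive tenant-* paths for release_ns.

    Mirrors the template's guard: nothing for tenant-root or for a namespace
    that does not match tenant-*. With include_self=True the final path is
    release_ns itself, which is the redundancy the review points out.
    """
    if release_ns == "tenant-root" or not release_ns.startswith("tenant-"):
        return []
    parts = release_ns.split("-")  # assumption: segments are '-' separated
    # i=1 -> "tenant-a", i=2 -> "tenant-a-b", ... up to release_ns itself.
    paths = ["-".join(parts[: i + 1]) for i in range(1, len(parts))]
    # The suggested fix: keep iteration i only while (i + 1) < len(parts).
    return paths if include_self else paths[:-1]


def egress_to_parent_ingress(release_ns: str, *, include_self: bool = False) -> list[dict]:
    """Build the toEndpoints list for the egress rule to parent ingress pods."""
    return [
        {"matchLabels": {**INGRESS_LABEL, NS_LABEL_KEY: ns}}
        for ns in parent_namespaces(release_ns, include_self=include_self)
    ]


def redundant_last_rule(release_ns: str) -> bool:
    """True when the unfixed loop emits a rule for the tenant's own namespace."""
    paths = parent_namespaces(release_ns, include_self=True)
    return bool(paths) and paths[-1] == release_ns


if __name__ == "__main__":
    for ns in ("tenant-a-b-c", "tenant-a", "tenant-root", "kube-system"):
        targets = [e["matchLabels"][NS_LABEL_KEY] for e in egress_to_parent_ingress(ns)]
        print(ns, "->", targets, "| self rule without fix:", redundant_last_rule(ns))
```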

@lexfrei lexfrei self-assigned this Dec 29, 2025
@kvaps kvaps added the backport (Should change be backported on previous release) label Dec 30, 2025
@dosubot dosubot bot added the lgtm (This PR has been approved by a maintainer) label Dec 30, 2025
@kvaps kvaps merged commit f3722d0 into cozystack:main Dec 30, 2025
71 of 85 checks passed
@github-actions commented

Successfully created backport PR for release-0.39:

kvaps added a commit that referenced this pull request Dec 30, 2025
kvaps added a commit that referenced this pull request Jan 8, 2026
## What this PR does

Fixes egress policy for nested Kubernetes clusters using `exposeMethod:
Proxied`.

The clusterwide egress policy blocks traffic from tenant pods to ingress
pods in parent namespaces. This breaks:
- cert-manager HTTP-01 self-check
- Any scenario where pods need to access services exposed through parent
ingress

Adds egress rule allowing traffic to ingress pods
(`cozystack.io/service: ingress`) in parent namespaces, following the
same pattern as existing vminsert and etcd rules.

### Release note

```release-note
[tenant] Fixed tenant egress policy to allow traffic to parent ingress pods, enabling cert-manager HTTP-01 challenges and external domain access for nested clusters with exposeMethod: Proxied
```

## Summary by CodeRabbit

* **New Features**
  * Enhanced network policies for multi-tenant environments with improved traffic routing based on namespace hierarchies, enabling more granular egress control.
kvaps added a commit that referenced this pull request Jan 8, 2026
kvaps added a commit that referenced this pull request Jan 9, 2026