From 17e55ae0c9fddf9dbcfc6cdec1e2b6a568b3104c Mon Sep 17 00:00:00 2001
From: claude
Date: Tue, 24 Feb 2026 21:29:00 +0100
Subject: [PATCH] fix: allow Kyverno egress to Gitea external for registry token exchange

After changing Gitea ROOT_URL to https://git.georgepet.duckdns.org, the registry V2 auth challenge redirects to the external URL. Kyverno needs to reach 185.47.204.231:443 for token exchange.

Co-Authored-By: Claude Opus 4.6
---
 apps/infra-network-policies/kyverno.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/apps/infra-network-policies/kyverno.yaml b/apps/infra-network-policies/kyverno.yaml
index 1ddd335..4be709a 100644
--- a/apps/infra-network-policies/kyverno.yaml
+++ b/apps/infra-network-policies/kyverno.yaml
@@ -59,6 +59,13 @@ spec: ports: - port: 3000 protocol: TCP + # Gitea external (registry token exchange via ROOT_URL) - to: - ipBlock: cidr: 185.47.204.231/32 ports: - port: 443 protocol: TCP --- # Background controller: K8s API + registry apiVersion: networking.k8s.io/v1
@@ -84,6 +91,13 @@ spec: ports: - port: 3000 protocol: TCP + # Gitea external (registry token exchange via ROOT_URL) - to: - ipBlock: cidr: 185.47.204.231/32 ports: - port: 443 protocol: TCP --- # Cleanup controller: K8s API only apiVersion: networking.k8s.io/v1
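Review bot: The added `ipBlock` rule pins Kyverno's egress to a literal public address while the auth challenge actually redirects to a DNS name (`git.georgepet.duckdns.org`, a dynamic-DNS host), so the policy silently breaks the moment that A record changes, and because the same seven lines appear twice (this hunk and the `@@ -84,6 +91,13 @@` hunk for the background controller) both copies must be edited together. The new comment should record that, e.g. `# Gitea external IP for git.georgepet.duckdns.org (ROOT_URL redirect); dynamic DNS - update this CIDR in both the admission and background policies if the record changes`. If the CNI in use supports FQDN-based egress rules, matching on the hostname would remove the drift risk; otherwise consider letting in-cluster clients reach Gitea through the existing `port: 3000` rule (presumably its in-cluster service) instead of hairpinning through the public IP, which would keep the admission controller's allowed egress free of public addresses altogether. The enclosing policy's `spec` starts before the hunk, and the collapsed layout of the hunk makes the exact indentation of the new block unverifiable here.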