From be08d985f698d98df765d4d1bc320dfd40afeb1c Mon Sep 17 00:00:00 2001
From: ian-flores
Date: Tue, 3 Feb 2026 17:59:15 -0800
Subject: [PATCH] Add NetworkPolicy for flightdeck component

Add flightdeck to the list of components that get NetworkPolicies created by the site controller. This ensures flightdeck has consistent network isolation like other components (connect, workbench, home, etc).

The policy allows:
- Ingress from traefik namespace on port 8080 (web traffic)
- Ingress from alloy namespace on port 8080 (metrics)
- Egress to all destinations (same as other components)
---
 .../core/site_controller_networkpolicies.go | 60 +++++++++++++++++++
 internal/tcpport.go | 1 +
 2 files changed, 61 insertions(+)

diff --git a/internal/controller/core/site_controller_networkpolicies.go b/internal/controller/core/site_controller_networkpolicies.go
index edb49d84..455bd3f5 100644
--- a/internal/controller/core/site_controller_networkpolicies.go
+++ b/internal/controller/core/site_controller_networkpolicies.go
@@ -78,6 +78,11 @@ func (r *SiteReconciler) reconcileNetworkPolicies(ctx context.Context, req ctrl.
 return err
 }

+ if err := r.reconcileFlightdeckNetworkPolicy(ctx, req.Namespace, l, site); err != nil {
+ l.Error(err, "error ensuring flightdeck network policy")
+ return err
+ }
+
 return nil
 }

@@ -90,6 +95,7 @@ func (r *SiteReconciler) cleanupNetworkPolicies(ctx context.Context, req ctrl.Re
 "chronicle",
 "connect",
 "connect-session",
+ "flightdeck",
 "home",
 "keycloak",
 "packagemanager",
@@ -723,3 +729,57 @@ func (r *SiteReconciler) reconcileWorkbenchSessionNetworkPolicy(ctx context.Cont
 })
 return err
 }
+
+func (r *SiteReconciler) reconcileFlightdeckNetworkPolicy(ctx context.Context, namespace string, l logr.Logger, site *v1beta1.Site) error {
+ policyName := site.Name + "-flightdeck"
+
+ policy := &networkingv1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: policyName,
+ Namespace: namespace,
+ },
+ }
+ _, err := internal.CreateOrUpdateResource(ctx, r.Client, r.Scheme, l, policy, site, func() error {
+ policy.Labels = site.KubernetesLabels()
+ policy.Spec = networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ v1beta1.SiteLabelKey: site.Name,
+ v1beta1.KubernetesInstanceLabelKey: policyName,
+ },
+ },
+ PolicyTypes: []networkingv1.PolicyType{
+ networkingv1.PolicyTypeEgress,
+ networkingv1.PolicyTypeIngress,
+ },
+ Egress: []networkingv1.NetworkPolicyEgressRule{
+ {},
+ },
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ {
+ From: []networkingv1.NetworkPolicyPeer{
+ {
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ v1beta1.KubernetesMetadataNameKey: "traefik",
+ },
+ },
+ },
+ {
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ v1beta1.KubernetesMetadataNameKey: grafanaAlloyNamespace,
+ },
+ },
+ },
+ },
+ Ports: []networkingv1.NetworkPolicyPort{
+ internal.DefaultPortFlightdeckHTTP.NetworkPolicyPort(),
+ },
+ },
+ },
+ }
+ return nil
+ })
+ return err
+}
diff --git a/internal/tcpport.go b/internal/tcpport.go
index ccf60ff4..454ce145 100644
--- a/internal/tcpport.go
+++ b/internal/tcpport.go
@@ -14,6 +14,7 @@ const (
 DefaultPortChronicleHTTP TCPPort = 5252
 DefaultPortChronicleMetrics TCPPort = 3030
 DefaultPortConnectHTTP TCPPort = 3939
+ DefaultPortFlightdeckHTTP TCPPort = 8080
 DefaultPortConnectMetrics TCPPort = 3232
 DefaultPortConnectSession TCPPort = 50734
 DefaultPortHomeHTTP TCPPort = 8080
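Review bot: The pod selector at `v1beta1.KubernetesInstanceLabelKey: policyName` only isolates flightdeck if its pods actually carry the instance label `<site>-flightdeck`; a NetworkPolicy whose selector matches no pods is silently a no-op, so that label value should be cross-checked against the flightdeck workload (not visible in this patch) and ideally pinned by a test. The new function also has no doc comment; I would add `// reconcileFlightdeckNetworkPolicy ensures the NetworkPolicy for flightdeck: ingress on the flightdeck HTTP port only from the traefik and alloy namespaces, egress unrestricted, matching the other component policies.` above it. The empty rule at `{},` under `Egress` allows all egress by design per the commit message; a one-line comment there such as `// allow all egress, consistent with the other component policies` would keep the next reader from treating it as an oversight.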
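Review bot: `DefaultPortFlightdeckHTTP` is inserted between `DefaultPortConnectHTTP` and `DefaultPortConnectMetrics`, which splits the Connect group of constants that the surrounding lines otherwise keep together in component order. Move the line after `DefaultPortConnectSession` and directly above `DefaultPortHomeHTTP TCPPort = 8080` so the block stays grouped by component and the two 8080 defaults sit next to each other. The enclosing `const (` block starts before and ends after this hunk.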