From 1ff000e564a1cc58a2bf9636e9c8b5d85d1f8bcc Mon Sep 17 00:00:00 2001
From: Timtor Chen
Date: Tue, 9 Apr 2024 23:14:43 +0800
Subject: [PATCH] fix: networkpolicy allow immich to jumpcloud
---
 .../mydata/immich/app/networkpolicy.yaml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/kubernetes/mydata/immich/app/networkpolicy.yaml b/kubernetes/mydata/immich/app/networkpolicy.yaml
index 0751beaf..d47bb4e0 100644
--- a/kubernetes/mydata/immich/app/networkpolicy.yaml
+++ b/kubernetes/mydata/immich/app/networkpolicy.yaml
@@ -76,6 +76,28 @@ specs:
 port: "5432"
 - protocol: TCP
 port: "6379"
+ # allow immich-server to jumpcloud endpoint
+ - endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: immich
+ app.kubernetes.io/component: server
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - protocol: ANY
+ port: "53"
+ rules:
+ dns: &sso
+ - matchPattern: "oauth.id.jumpcloud.com"
+ - toFQDNs: *sso
+ toPorts:
+ - ports:
+ - protocol: TCP
+ port: "443"
 # allow machine-learning download model from huggingface.co
 - endpointSelector:
 matchLabels:
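Review bot: The `dns: &sso` list in the new immich-server rule is aliased into `toFQDNs: *sso`, so any later edit to the DNS allow-list silently changes the TCP/443 egress allow-list as well; a comment on the anchor such as `# aliased by toFQDNs below: entries here also open TCP/443 egress` would make that coupling visible to the next editor. Because the entry is an exact hostname, `- matchName: "oauth.id.jumpcloud.com"` states the intent more strictly than `matchPattern` and makes a future wildcard stand out in review. Keep in mind that `toFQDNs` permits the IP addresses learned from DNS answers rather than the hostname itself, so if this name resolves to shared front-end addresses the rule may be wider than it reads; that is worth confirming. The `specs:` list starts and continues outside this hunk, so other rules selecting the same pod are not visible here.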