From 4d08d945a4ea022ee161dd15172f2e045140f209 Mon Sep 17 00:00:00 2001
From: Davide Piu
Date: Thu, 19 Feb 2026 21:47:16 +0000
Subject: [PATCH] Add NetworkPolicy to allow Traefik ingress into flux-system namespace

Without this policy, Flux default NetworkPolicies block traffic from kube-system (where Traefik runs) to flux-system, causing 502 errors for both the weave-gitops dashboard and cert-manager ACME HTTP-01 solver pods.
---
 clusters/lab/infrastructure/weave-gitops.yaml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/clusters/lab/infrastructure/weave-gitops.yaml b/clusters/lab/infrastructure/weave-gitops.yaml
index 8404246..2f68c2a 100644
--- a/clusters/lab/infrastructure/weave-gitops.yaml
+++ b/clusters/lab/infrastructure/weave-gitops.yaml
@@ -38,6 +38,26 @@ spec:
 memory: 128Mi
 ---
 apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-from-traefik
+ namespace: flux-system
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - port: 9001
+ protocol: TCP
+ - port: 8089
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: weave-gitops
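Review bot: `podSelector: {}` in the new `allow-ingress-from-traefik` policy selects every pod in flux-system, so ports 9001 and 8089 are opened on all Flux controllers rather than only on the weave-gitops dashboard and the ACME solver pods the commit message names; NetworkPolicies are additive, so this widens the default isolation the message refers to. The `from` element also matches on namespace alone, which admits any pod in kube-system, not just Traefik. Consider one policy per target with a label-based `podSelector`, plus a `podSelector` for Traefik inside the same `from` element as the `namespaceSelector`. The weave-gitops and Traefik label values below are assumptions, since the pod templates are outside this hunk, and need confirming against the running pods.

```yaml
# policy for the dashboard; a second policy of the same shape covers the solver
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: weave-gitops  # assumed label; confirm on the pod
  # … unchanged: policyTypes …
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik  # assumed label; confirm on the pod
      ports:
        - port: 9001
          protocol: TCP
# second policy: podSelector on the solver label
# (cert-manager sets acme.cert-manager.io/http01-solver: "true"), port 8089 only
```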