{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}}
{{- $mutating_webhook_port := default 8080 .Values.injectKanisterSidecar.webhookServer.port -}}
{{- if .Values.networkPolicy.create }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-k10-services
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      release: {{ .Release.Name }}
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access-k10-services: allowed
      ports:
        - protocol: TCP
          port: {{ .Values.service.externalPort }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: cross-services-allow
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      release: {{ .Release.Name }}
  ingress:
    - from:
      - podSelector:
          matchLabels:
            release: {{ .Release.Name }}
      ports:
        - protocol: TCP
          port: {{ .Values.service.externalPort }}
{{- if (include "k10.isMulticlusterPrimary" .) }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-gateway-to-mc-external
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      component: mccontrollermanager
      release: {{ .Release.Name }}
  ingress:
    - from:
      - podSelector:
          matchLabels:
            service: gateway
            release: {{ .Release.Name }}
      ports:
        - protocol: TCP
          port: {{ include "k10.mcExternalPort" nil }}
{{- end }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: logging-allow-internal
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      release: {{ .Release.Name }}
      run: logging-svc
  ingress:
    - from:
      - podSelector:
          matchLabels:
            release: {{ .Release.Name }}
      ports:
        # Logging input port
        - protocol: TCP
          port: 24224
        - protocol: TCP
          port: 24225
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-external
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      service: gateway
      release: {{ .Release.Name }}
  ingress:
  - from: []
    ports:
    - protocol: TCP
      port: 8000
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-all-api
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      run: aggregatedapis-svc
      release: {{ .Release.Name }}
  ingress:
  - from:
    ports:
    - protocol: TCP
      port: {{ .Values.service.aggregatedApiPort }}
{{- if .Values.gateway.exposeAdminPort }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-gateway-admin
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      release: {{ .Release.Name }}
      service: gateway
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: prometheus
          component: server
          release: {{ .Release.Name }}
    ports:
    - protocol: TCP
      port: {{ $admin_port }}
{{- end -}}
{{- if .Values.injectKanisterSidecar.enabled }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-mutating-webhook
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      release: {{ .Release.Name }}
      run: controllermanager-svc
  ingress:
  - from:
    ports:
    - protocol: TCP
      port: {{ $mutating_webhook_port }}
{{- end -}}
{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true") }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: gateway-dex-allow
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "helm.labels" . | indent 4 }}
spec:
  podSelector:
    matchLabels:
      release: {{ .Release.Name }}
      run: auth-svc
  ingress:
  - from:
    - podSelector:
        matchLabels:
          service: gateway
          release: {{ .Release.Name }}
    ports:
    - protocol: TCP
      port: 8080
{{- end -}}
{{- $mainCtx := . }}
{{- $colocatedList := include "get.enabledColocatedSvcList" . | fromYaml }}
{{- range $primary, $secondaryList := $colocatedList }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: {{ $primary }}-svc-allow-secondary-services
  namespace: {{ $mainCtx.Release.Namespace }}
  labels:
{{ include "helm.labels" $mainCtx | indent 4 }}
spec:
  podSelector:
    matchLabels:
      release: {{ $mainCtx.Release.Name }}
      run: {{ $primary }}-svc
  ingress:
  - from:
    - podSelector:
        matchLabels:
          release: {{ $mainCtx.Release.Name }}
    ports:
  {{- range $skip, $secondary := $secondaryList }}
  {{- $colocConfig := index (include "k10.colocatedServices" . | fromYaml) $secondary }}
    - protocol: TCP
      port: {{ $colocConfig.port }}
  {{- end -}}
{{- end -}}
{{- end -}}