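{{- /*
NetworkPolicy for the nappl component.

Rendered only when security.cni.createNetworkPolicy is set. Ingress is limited
to the chart ingress (when enabled), the other components of the same instance
(matched on nplus/group), the configured PAM instance and the admin/monitoring
sources provided by the shared helpers. Egress is limited to the instance's
database, core, storage-layer and rendition-server pods plus the optional
out-of-cluster SAP (SNC) and database IP ranges.

All templated label/name values are passed through `quote` so that
numeric-looking values (e.g. a group "01") stay strings in the manifest.
*/ -}}
{{- include "nplus.init" $ -}}
{{- /* An explicit .Values.snc.sapIpRange wins over the security.cni default. */ -}}
{{- $sapIpRange := ( (.Values.snc).sapIpRange | default ((.this.security).cni).sapIpRange ) }}
{{- if ((.this.security).cni).createNetworkPolicy }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: {{ .component.fullName | quote }}
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace | quote }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
  annotations:
    {{- include "nplus.argoWave" . | nindent 4 }}
    {{- include "nplus.annotations" . | nindent 4 }}
    {{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "nplus.selectorLabels" . | nindent 6 }}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  {{- if ( include "nplus.ingressEnabled" . ) }}
  {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
  {{- end }}
  - from:
    # access from nappl core in the same instance to setup a cluster
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: core
    ports:
    {{- include "nplus.napplClusterPolicyPorts" . | nindent 4 }}
  # For the instance-internal peers below the port list is only emitted when
  # security.cni.excludeUnusedPorts is set; without it every port of this pod
  # is reachable from the selected peer pods.
  - from:
    # access from application-layer-setup container in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: application
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  - from:
    # access from application-layer-web in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: web
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  - from:
    # access from pipeliner in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          # Allow both Core Mode and AC Mode; the Core Mode cluster peer is
          # handled by the nplus/type=core rule above.
          nplus/component: pipeliner
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  - from:
    # access from cmis-connector in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: cmis
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  - from:
    # access from ilm-connector in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: ilm
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  - from:
    # access from webdav-connector in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: webdav
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  # - from:
  #   # access from xta-connector in the same instance
  #   - podSelector:
  #       matchLabels:
  #         app: xta-connector
  #   ports:
  #   - protocol: TCP
  #     port: {{ (.this.meta).ports.http }}
  # - from:
  #   # access from process-automation-modeler in the same namespace
  #   - podSelector:
  #       matchLabels:
  #         app: process-automation-modeler
  #   ports:
  #   - protocol: TCP
  #     port: {{ (.this.meta).ports.http }}
  - from:
    # PAM access: only the pods of the configured PAM instance inside the
    # configured PAM namespace. namespaceSelector and podSelector must live in
    # ONE peer entry; as two separate entries Kubernetes OR-s them, which would
    # admit every pod of the PAM namespace (and the podSelector would then only
    # ever match pods in this policy's own namespace).
    - namespaceSelector:
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values:
          - {{ .this.security.cni.pamNamespace | quote }}
      podSelector:
        matchLabels:
          nplus/instance: {{ .this.security.cni.pamInstance | quote }}
          nplus/component: pam
    {{- if ((.this.security).cni).excludeUnusedPorts }}
    ports:
    {{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
    {{- end }}
  {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }}
  {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }}
  egress:
  # NOTE(review): no egress rule for cluster DNS (kube-dns, port 53) is defined
  # in this template; presumably another policy of the chart grants it — confirm,
  # otherwise name resolution from these pods is blocked once Egress is enforced.
  {{- if and (.Values.snc).enabled $sapIpRange }}
  #
  # Allow access to out-of-cluster SAP Systems for SNC
  #
  - to:
    - ipBlock:
        cidr: {{ $sapIpRange | quote }}
  {{- end }}
  {{- with ((.this.security).cni).dbIpRange }}
  #
  # Allow access to out-of-cluster DB Systems
  #
  - to:
    - ipBlock:
        cidr: {{ . | quote }}
  {{- end }}
  #
  # allow database access in the same instance
  #
  - to:
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: database
  #
  # allow access to other cluster pods
  #
  - to:
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: core
  #
  # access to storage-layer in the same instance
  #
  - to:
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: nstl
  #
  # access to rendition server in the same instance
  #
  - to:
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: rs
  {{- /* (semver "9.1.1200").Compare(v) is 1 when 9.1.1200 > v, i.e. the component is older than 9.1.1200. */ -}}
  {{- if eq ((semver .component.version) | (semver "9.1.1200").Compare) 1 }}
  #
  # access to Kubernetes API for KubePing in older versions of nappl
  #
  # {{ .component.version }} is less than 9.1.1200 ({{ semver .component.version | (semver "9.1.1200").Compare }})
  # so we add the old kubePing mechanics.
  #
  # NOTE(review): a rule with `ports` but no `to` matches EVERY destination on
  # these ports, not only the API server. Restricting it needs the API server
  # endpoint, which this chart does not know; confirm the broad allow is intended.
  - ports:
    - protocol: TCP
      port: 16443
    - protocol: TCP
      port: 443
  {{- end }}
{{- end }}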