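{{- /*
NetworkPolicy for the pods selected by "nplus.selectorLabels".

Rendered only when .this.security.cni.createNetworkPolicy is truthy.
policyTypes lists both Ingress and Egress, so any traffic not matched by a
rule below (or by another policy selecting the same pods) is denied.

Every peer below uses a podSelector without a namespaceSelector, so it only
matches pods in the namespace this policy is created in.

Templated scalars are piped through `quote` so that numeric- or
boolean-looking names and label values are still parsed as strings.

NOTE(review): no egress rule here allows DNS. If these pods resolve names
through cluster DNS, confirm that another policy selecting them permits it.
*/ -}}
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: {{ .component.fullName | quote }}
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace | quote }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
  annotations:
    {{- include "nplus.argoWave" . | nindent 4 }}
    {{- include "nplus.annotations" . | nindent 4 }}
    {{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
  podSelector:
    matchLabels:
      {{- include "nplus.selectorLabels" . | nindent 6 }}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # This is for the WebDAV Service
  {{- if ( include "nplus.ingressEnabled" . ) }}
  {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
  {{- end }}
  - from:
    # access from nappl core in the same instance to set up a cluster
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: core
    # NOTE(review): if the helper below renders nothing, `ports` is null and
    # this rule admits every port from the core pods; confirm it always emits
    # at least one port.
    ports:
    {{- include "nplus.napplClusterPolicyPorts" . | nindent 4 }}
  # Rules for admin and monitoring access come from helpers defined elsewhere.
  {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }}
  {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }}
  egress:
  # None of the egress rules lists `ports`, so every port on the selected
  # pods is reachable.
  - to:
    # access to the database pods in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: database
  - to:
    # access to application-layer in the same instance to set up a cluster
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: core
  - to:
    # access to storage-layer in the same instance
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: nstl
  - to:
    # access to rendition-server in the same namespace
    - podSelector:
        matchLabels:
          nplus/group: {{ .instance.group | quote }}
          nplus/type: rs
{{- end }}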