wip: more or less working argo and cilium helmfile setup

apps/charts/sys-cilium-policies/templates/cilium-spire/CiliumNetworkPolicy-allow-api-server.yaml

@@ -1,15 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-api-server
-  namespace: cilium-spire
-spec:
-  egress:
-    - toEntities:
-        - kube-apiserver
-      toPorts:
-        - ports:
-            - port: "6443"
-              protocol: TCP
-  endpointSelector:
-    matchLabels: {}

apps/charts/sys-cilium-policies/templates/cilium-spire/CiliumNetworkPolicy-allow-remote-node-to-server.yaml

@@ -1,15 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-remote-node-to-server
-  namespace: cilium-spire
-spec:
-  endpointSelector:
-    matchLabels: {}
-  ingress:
-    - fromEntities:
-        - remote-node
-      toPorts:
-        - ports:
-            - port: "8081"
-              protocol: TCP

apps/charts/sys-cilium-policies/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml

@@ -1,22 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-api-server
-  namespace: cilium-test
-spec:
-  egress:
-    - toEndpoints:
-        - {}
-    - toEntities:
-        - cluster
-    - toEntities:
-        - remote-node
-    - toEntities:
-        - world
-  endpointSelector:
-    matchLabels: {}
-  ingress:
-    - fromEntities:
-        - cluster
-    - fromEntities:
-        - world

apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml

@@ -1,13 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: allow-acme-solvers
-spec:
-  description: Policy for ingress for Acme Solvers.
-  endpointSelector:
-    matchLabels:
-      acme.cert-manager.io/http01-solver: "true"
-  ingress:
-    - fromEndpoints:
-        - matchLabels:
-            io.kubernetes.pod.namespace: ingress-nginx

apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml

@@ -1,24 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: allow-dns
-spec:
-  description: 'description: Allow only dns traffic by default. Also acts as a deny-all policy'
-  egress:
-    - toEndpoints:
-        - matchLabels:
-            io.kubernetes.pod.namespace: kube-system
-            k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-        - rules:
-            dns:
-              - matchPattern: '*'
-  endpointSelector:
-    matchExpressions:
-      - key: io.kubernetes.pod.namespace
-        operator: NotIn
-        values:
-          - kube-system

apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml

@@ -1,18 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: allow-mariadb-operator
-spec:
-  description: allow mariadb instances to be reached by operator
-  endpointSelector:
-    matchLabels:
-      app.kubernetes.io/name: mariadb
-  ingress:
-    - fromEndpoints:
-        - matchLabels:
-            app.kubernetes.io/name: mariadb-operator
-            io.kubernetes.pod.namespace: mariadb-operator
-      toPorts:
-        - ports:
-            - port: "3306"
-              protocol: TCP

apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml

@@ -1,20 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: allow-s3-traffic
-spec:
-  description: Policy for egress for CNPG Backups.
-  egress:
-    - toFQDNs:
-      {{- range .Values.s3.hosts }}
-        - matchName: {{ . | quote }}
-      {{- end }}
-      {{- range .Values.s3.patterns }}
-        - matchPattern: {{ . | quote }}
-      {{- end }}
-    - toCIDR:
-      {{- range .Values.s3.cidr }}
-        - {{ . | quote }}
-      {{- end }}
-  endpointSelector:
-    matchLabels: {}

apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml

@@ -1,15 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: cilium-health-checks
-spec:
-  description: Health checks
-  egress:
-    - toEntities:
-        - remote-node
-  endpointSelector:
-    matchLabels:
-      reserved:health: ""
-  ingress:
-    - fromEntities:
-        - remote-node

apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml

@@ -1,9 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: deny-all
-spec:
-  description: Deny all
-  egress: []
-  endpointSelector: {}
-  ingress: []