refactor: move resorces and policies to system

values/system/oceanbox/network/idp/allow-api-server.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels: {}
+  egress:
+  - toEntities:
+    - kube-apiserver
+    toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP

values/system/oceanbox/network/idp/allow-gitlab.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-oidc-login
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: cerbos
+  egress:
+  - toFQDNs:
+    - matchName: gitlab.com
+    - matchPattern: '*.gitlab.com'

values/system/oceanbox/network/idp/allow-idp-external-access.yaml

@@ -0,0 +1,13 @@
+piVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-external-idp
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: login.microsoftonline.com
+    - matchName: graph.microsoft.com
+    - matchName: s3.k1.itpartner.no
+    - matchName: telemetry.cerbos.dev
+  endpointSelector: {}
+

values/system/oceanbox/network/idp/allow-itp-smtpgw.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-itp-smtp
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: keycloak
+  egress:
+  - toFQDNs:
+    - matchName: smtpgw.itpartner.no

values/system/oceanbox/network/idp/allow-keycloak.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-keycloak
+  namespace: idp
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: dex
+  egress:
+  - toFQDNs:
+    - matchName: auth.srv.oceanbox.io