fix(atlantis): Use prod-openfga, prod-rabbitmq, staging-sorcerer and staging-plume

.envrc

@@ -1,16 +1,12 @@
 #!/usr/bin/env bash
 # the shebang is ignored, but nice for editors
-watch_file npins/sources.json
+watch_file nix/sources.json
 
 # Load .env file if it exists
 dotenv_if_exists
 
+# Set npins dir
+export NPINS_DIRECTORY="nix"
+
 # Activate development shell
-if type lorri &>/dev/null; then
+use nix
-    echo "direnv: using lorri from PATH ($(type -p lorri))"
-    eval "$(lorri direnv)"
-else
-    # fall back to using direnv's builtin nix support
-    # to prevent bootstrapping problems.
-    use nix
-fi

.gitignore

@@ -1,7 +1,6 @@
 *.tgz
 _*/
 .direnv/
-.env
 .pre-commit-config.yaml
 _*.yaml
 backup/

.gitlab-ci.yml

@@ -0,0 +1,46 @@
+image:
+  name: alpine/helm:latest
+  entrypoint: [ "/bin/bash", "-c" ]
+
+stages:
+  - release
+
+release:
+  stage: release
+  rules:
+  - if: '$CI_COMMIT_BRANCH =~ /^main/'
+    when: always
+  - when: never
+  script:
+    - |
+      cd $CI_PROJECT_DIR
+      for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
+        if [ ! -z $pack ]; then
+          chart=$(basename $pack)
+          curl --request POST \
+               --user gitlab-ci-token:$CI_JOB_TOKEN \
+               --form "chart=@${chart}" \
+               "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
+        fi
+      done
+
+rebuild:
+  stage: release
+  rules:
+    - when: manual
+      allow_failure: true
+  script:
+    - |
+      cd $CI_PROJECT_DIR
+      for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
+        if [ ! -z $pack ]; then
+          chart=$(basename $pack)
+          curl --request POST \
+               --user gitlab-ci-token:$CI_JOB_TOKEN \
+               --form "chart=@${chart}" \
+               "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
+        fi
+      done
+

attic/.helmignore

@@ -14,13 +14,13 @@
 *.swp
 *.bak
 *.tmp
+*.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
-base/
+*.nix
-prod/
+old/
-staging/
+nix/
-review/

attic/Chart.yaml

@@ -1,6 +1,7 @@
 apiVersion: v2
-name: docs
+name: sys
-description: Oceanbox Documentation
+description: A Helm chart for Kubernetes
+
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
@@ -10,9 +11,17 @@ description: Oceanbox Documentation
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
+
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v0.1.0
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
 # This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
+# incremented each time you make changes to the application. Versions are not expected to
-appVersion: v0.1.0
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+dependencies: # A list of the chart requirements (optional)
+  - name: sys-cilium-policies
+    condition: cilium.enabled

attic/charts/cilium/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-name: diagrid-dashboard
+name: cilium
 description: A Helm chart for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-applicationset-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-applicationset-ingress
+  namespace: argocd
+spec:
+  description: Allow access from the ingress controller
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: applicationset-controller
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-notifications.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-notifications
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD Notifications
+  egress:
+    - toFQDNs:
+        - matchName: slack.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: notifications-controller

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-repo-access-applicationset
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD repo Applicationset
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: applicationset-controller

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-argo-repo-access.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-repo-access
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD repo server
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: repo-server

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-chartmuseum-ingress
+  namespace: argocd
+spec:
+  description: Allow access to the chartmuseum ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: chartmuseum
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-image-updater-repo-access
+  namespace: argocd
+spec:
+  description: Allow argoCD image updater to access github container registry
+  egress:
+    - toFQDNs:
+        - matchName: ghcr.io
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-image-updater

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: argocd
+spec:
+  description: Allow access from the ingress controller
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: server
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-kube-api.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: argocd
+spec:
+  description: Allow access to the Kube API server
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-microsoft-sso.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-microsoft-sso
+  namespace: argocd
+spec:
+  description: Allow argoCD dex server to authenticate to microsoft online azure oatuh
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: github.com
+        - matchName: api.github.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics-rollout
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argo-rollouts
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8090"
+              protocol: TCP

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics-workflows
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argo-workflows
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "9090"
+              protocol: TCP

attic/charts/cilium/templates/argocd/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,30 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8082"
+              protocol: TCP
+            - port: "8080"
+              protocol: TCP
+            - port: "9001"
+              protocol: TCP
+            - port: "9121"
+              protocol: TCP
+            - port: "8084"
+              protocol: TCP
+            - port: "8083"
+              protocol: TCP
+            - port: "5558"
+              protocol: TCP

attic/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server-to-cert-manager.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server-to-cert-manager
+  namespace: cert-manager
+spec:
+  description: Allow the API server to communicate with the cert-manager pods
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cert-manager
+spec:
+  description: Allow the Kube API server to communicate with cert-manager
+  egress:
+    - toEntities:
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -1,19 +1,18 @@
-{{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   name: allow-prometheus-metrics
-  namespace: ingress-haproxy
+  namespace: cert-manager
 spec:
+  description: Allow Prometheus metrics
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/instance: ingress-haproxy
+      app.kubernetes.io/instance: cert-manager
   ingress:
     - fromEndpoints:
         - matchLabels:
             io.kubernetes.pod.namespace: prometheus
     - toPorts:
         - ports:
-            - port: "1024"
+            - port: "9402"
               protocol: TCP
-{{- end }}

attic/charts/cilium/templates/cert-manager/CiliumNetworkPolicy-allow-world-traffic.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-traffic
+  namespace: cert-manager
+spec:
+  description: Allow the world to communicate with cert-manager
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cilium-spire
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/cilium-spire/CiliumNetworkPolicy-allow-remote-node-to-server.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-server
+  namespace: cilium-spire
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "8081"
+              protocol: TCP

attic/charts/cilium/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cilium-test
+spec:
+  egress:
+    - toEndpoints:
+        - {}
+    - toEntities:
+        - cluster
+    - toEntities:
+        - remote-node
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - cluster
+    - fromEntities:
+        - world

attic/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-acme-solvers
+spec:
+  description: Policy for ingress for Acme Solvers.
+  endpointSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml

@@ -0,0 +1,24 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-dns
+spec:
+  description: 'description: Allow only dns traffic by default. Also acts as a deny-all policy'
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+        - rules:
+            dns:
+              - matchPattern: '*'
+  endpointSelector:
+    matchExpressions:
+      - key: io.kubernetes.pod.namespace
+        operator: NotIn
+        values:
+          - kube-system

attic/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-mariadb-operator
+spec:
+  description: allow mariadb instances to be reached by operator
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: mariadb
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: mariadb-operator
+            io.kubernetes.pod.namespace: mariadb-operator
+      toPorts:
+        - ports:
+            - port: "3306"
+              protocol: TCP

attic/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml

@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+spec:
+  description: Policy for egress for CNPG Backups.
+  egress:
+    - toFQDNs:
+      {{- range .Values.s3.hosts }}
+        - matchName: {{ . | quote }}
+      {{- end }}
+      {{- range .Values.s3.patterns }}
+        - matchPattern: {{ . | quote }}
+      {{- end }}
+    - toCIDR:
+      {{- range .Values.s3.cidr }}
+        - {{ . | quote }}
+      {{- end }}
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: cilium-health-checks
+spec:
+  description: Health checks
+  egress:
+    - toEntities:
+        - remote-node
+  endpointSelector:
+    matchLabels:
+      reserved:health: ""
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml

@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: deny-all
+spec:
+  description: Deny all
+  egress: []
+  endpointSelector: {}
+  ingress: []

attic/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cnpg
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgres-operator

attic/charts/cilium/templates/cnpg/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: cnpg
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "9443"
+              protocol: TCP

attic/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: kube-downscaler
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      application: downscaler-py-kube-downscaler

attic/charts/cilium/templates/downscaler/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: kube-downscaler
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "9443"
+              protocol: TCP

attic/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-host-traffic.yaml

@@ -1,9 +1,8 @@
-{{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   name: allow-host-traffic
-  namespace: ingress-haproxy
+  namespace: ingress-nginx
 spec:
   egress:
     - toEntities:
@@ -11,6 +10,5 @@ spec:
         - host
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/component: controller
-      app.kubernetes.io/instance: ingress-haproxy
+      app.kubernetes.io/instance: ingress-nginx
-{{- end }}

attic/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-hubble-traffic.yaml

@@ -1,9 +1,8 @@
-{{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   name: allow-hubble-traffic
-  namespace: ingress-haproxy
+  namespace: ingress-nginx
 spec:
   egress:
     - toFQDNs:
@@ -11,6 +10,5 @@ spec:
         - matchPattern: hubble.*.*.*.*
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/component: controller
-      app.kubernetes.io/instance: ingress-haproxy
+      app.kubernetes.io/instance: ingress-nginx
-{{- end }}

attic/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: ingress-nginx
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: ingress-nginx
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "9913"
+              protocol: TCP

attic/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-s3-traffic.yaml

@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+  namespace: ingress-nginx
+spec:
+  egress:
+    - toCIDR:
+        - 10.139.2.10/32
+    - toCIDR:
+        - 10.139.2.11/32
+    - toCIDR:
+        - 10.139.2.20/32
+    - toCIDR:
+        - 10.139.2.21/32
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx

attic/charts/cilium/templates/ingress-nginx/CiliumNetworkPolicy-allow-world-to-ingress-nginx.yaml

@@ -1,14 +1,13 @@
-{{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-world-to-ingress-haproxy
+  name: allow-world-to-ingress-nginx
-  namespace: ingress-haproxy
+  namespace: ingress-nginx
 spec:
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/component: controller
-      app.kubernetes.io/instance: ingress-haproxy
+      app.kubernetes.io/instance: ingress-nginx
   ingress:
     - fromEntities:
         - world
@@ -18,4 +17,3 @@ spec:
               protocol: TCP
             - port: "443"
               protocol: TCP
-{{- end }}

attic/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-kube-api.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: jaeger
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/jaeger/CiliumNetworkPolicy-allow-remote-node-to-jaeger.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-jaeger
+  namespace: jaeger
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: jaeger-operator
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: kafka
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: kafka-operator

attic/charts/cilium/templates/kafka/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: kafka
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "9443"
+              protocol: TCP

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-controller-metrics.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-controller-metrics
+  namespace: kube-system
+spec:
+  description: Allow Controller Metrics
+  endpointSelector:
+    matchLabels:
+      k8s-app: kube-controller-manager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "10257"
+              protocol: TCP

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-csi-webhook.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-csi-webhook
+  namespace: kube-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app: csi-snapshot-webhook
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-metrics.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns-metrics
+  namespace: kube-system
+spec:
+  description: Allow DNS metrics
+  endpointSelector:
+    matchLabels:
+      k8s-app: kube-dns
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "9153"
+              protocol: TCP

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns-world.yaml

@@ -0,0 +1,31 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns-world
+  namespace: kube-system
+spec:
+  description: Allow DNS World
+  egress:
+    - toCIDR:
+        - 8.8.8.8/32
+        - 172.31.254.11/32
+        - 1.1.1.1/32
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchPattern: '*'
+    - toEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchPattern: '*'
+  endpointSelector:
+    matchLabels:
+      k8s-app: kube-dns

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-dns.yaml

@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns
+  namespace: kube-system
+spec:
+  description: Allow DNS
+  endpointSelector:
+    matchLabels:
+      k8s-app: kube-dns
+  ingress:
+    - fromEndpoints:
+        - matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-host-traffic.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: kube-system
+spec:
+  description: Allow Host Traffic
+  egress:
+    - toEntities:
+        - remote-node
+        - host
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-hubble-ingress
+  namespace: kube-system
+spec:
+  description: Allow Hubble ingress
+  endpointSelector:
+    matchLabels:
+      k8s-app: hubble-ui
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-oauth2-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-hubble-oauth2-ingress
+  namespace: kube-system
+spec:
+  description: Allow Hubble OAuth2 ingress
+  endpointSelector:
+    matchLabels:
+      k8s-app: oauth2-proxy
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-hubble-relay-metrics.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-hubble-relay-metrics
+  namespace: kube-system
+spec:
+  description: Allow Hubble Relay Metrics
+  endpointSelector:
+    matchLabels:
+      k8s-app: hubble-relay
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "9966"
+              protocol: TCP

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-microsoft-sso.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-microsoft-sso
+  namespace: kube-system
+spec:
+  description: Allow Microsoft SSO
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: graph.microsoft.com
+  endpointSelector:
+    matchLabels:
+      k8s-app: oauth2-proxy

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-namespace-traffic.yaml

@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-namespace-traffic
+  namespace: kube-system
+spec:
+  description: Allow Namespace Traffic
+  egress:
+    - toEndpoints:
+        - {}
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchPattern: '*'
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEndpoints:
+        - {}

attic/charts/cilium/templates/kube-system/CiliumNetworkPolicy-allow-proxy-metrics.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-proxy-metrics
+  namespace: kube-system
+spec:
+  description: Allow Proxy metrics
+  endpointSelector:
+    matchLabels:
+      k8s-app: kube-proxy
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "10249"
+              protocol: TCP

attic/charts/cilium/templates/kubelet-serving/CiliumNetworkPolicy-allow-kube-api.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: kubelet-serving-cert-approver
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: kyverno
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: kyverno
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: kyverno
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "8000"
+              protocol: TCP

attic/charts/cilium/templates/kyverno/CiliumNetworkPolicy-allow-remote-node-to-kyverno.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-kyverno
+  namespace: kyverno
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: kyverno
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-loki-backend-to-api-server.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-loki-backend-to-api-server
+  namespace: loki
+spec:
+  description: Promtail needs to reach kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: backend
+      app.kubernetes.io/instance: loki

attic/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: loki
+spec:
+  description: Allow Prometheus read and write
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "3100"
+              protocol: TCP
+            - port: "3500"
+              protocol: TCP

attic/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-promtail-to-api-server.yaml

@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-promtail-to-api-server
+  namespace: loki
+spec:
+  description: Promtail needs to reach kube-apiserver
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: promtail

attic/charts/cilium/templates/loki/CiliumNetworkPolicy-allow-stats-grafana.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-stats-grafana
+  namespace: loki
+spec:
+  description: Allow stats
+  egress:
+    - toFQDNs:
+        - matchName: stats.grafana.org
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: loki

attic/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: mariadb-operator
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: mariadb-operator

attic/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-host-to-mariadb.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-to-mariadb
+  namespace: mariadb-operator
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: mariadb-operator
+  ingress:
+    - fromEntities:
+        - host

attic/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: mariadb-operator
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: mariadb-operator
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP

attic/charts/cilium/templates/mariadb-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: mariadb-operator
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+            - port: "9443"
+              protocol: TCP

attic/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-host-traffic.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: mayastor
+spec:
+  description: Allow Host Traffic
+  egress:
+    - toEntities:
+        - remote-node
+        - host
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-agent-core.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-agent-core
+  namespace: mayastor
+spec:
+  description: Allow Remote to Agent Core
+  endpointSelector:
+    matchLabels:
+      app: agent-core
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-etcd.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-etcd
+  namespace: mayastor
+spec:
+  description: Allow Remote to Etcd
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: etcd
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/mayastor/CiliumNetworkPolicy-allow-remote-node-to-maya.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-maya
+  namespace: mayastor
+spec:
+  description: Allow Remote to Mayastor
+  endpointSelector:
+    matchLabels:
+      app: api-rest
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-kube-api.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-kube-api
+spec:
+  description: Allow access to the Kube API server
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app: minio

attic/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-minio-operator.yaml

@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-minio-operator
+spec:
+  description: Allow access to the Kube API server
+  endpointSelector:
+    matchLabels:
+      app: minio
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: minio-operator
+      toPorts:
+        - ports:
+            - port: "9000"
+              protocol: TCP

attic/charts/cilium/templates/minio-operator/CiliumClusterwideNetworkPolicy-allow-nodeport-ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-nodeport-ingress
+spec:
+  description: Allow access to the Kube API server
+  endpointSelector:
+    matchLabels:
+      app: minio
+  ingress:
+    - fromEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "9000"
+              protocol: TCP

attic/charts/cilium/templates/minio-operator/CiliumNetworkPolicy-allow-kube-api.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: minio-operator
+spec:
+  description: Allow access to the Kube API server
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-kube-api.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: odigos-system
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/odigos-system/CiliumNetworkPolicy-allow-port-4317.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-port-4317
+  namespace: odigos-system
+spec:
+  egress:
+    - toPorts:
+        - ports:
+            - port: "4317"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: one-password
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: one-password-operator

attic/charts/cilium/templates/one-password-operator/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: one-password
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "9443"
+              protocol: TCP

attic/charts/cilium/templates/opencost/CiliumNetworkPolicy-allow-kube-api.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: opencost
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: opencost

attic/charts/cilium/templates/otel/CiliumNetworkPolicy-allow-otel-collector-loadbalancer-ingress.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-otel-collector-loadbalancer-ingress
+  namespace: otel
+spec:
+  description: Allow ingress from world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: opentelemetry-collector
+  ingress:
+    - fromEntities:
+        - world

attic/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-egress.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-mail-egress
+  namespace: postfix
+spec:
+  description: Allow mailserver to send mails to world
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app: smtp-relay

attic/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-mail-ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-mail-ingress
+  namespace: postfix
+spec:
+  description: Allow all services in cluster to send mail
+  endpointSelector:
+    matchLabels:
+      app: smtp-relay
+  ingress:
+    - fromEndpoints:
+        - matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+      toPorts:
+        - ports:
+            - port: "25"
+              protocol: TCP
+            - port: "587"
+              protocol: TCP

attic/charts/cilium/templates/postfix/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: postfix
+spec:
+  description: 'Allow prometheus metrics '
+  endpointSelector:
+    matchLabels:
+      app: smtp-relay
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "9154"
+              protocol: TCP

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alerting.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alerting
+  namespace: prometheus
+spec:
+  description: Allow alerting
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: prom-alertmanager

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-alertmanager-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alertmanager-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-dns-metrics.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns-metrics
+  namespace: prometheus
+spec:
+  description: Allow DNS metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "9153"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-etcd-metrics.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-etcd-metrics
+  namespace: prometheus
+spec:
+  description: Allow ETCD metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "2379"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-ingress
+  namespace: prometheus
+spec:
+  description: Allow Grafana ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-oidc-login.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-oidc-login
+  namespace: prometheus
+spec:
+  description: Allow Grafana OIDC login
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: api.github.com
+        - matchName: github.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-plugins.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-plugins
+  namespace: prometheus
+spec:
+  description: Allow Grafana Plugins
+  egress:
+    - toFQDNs:
+        - matchName: grafana.com
+        - matchName: storage.googleapis.com
+        - matchName: raw.githubusercontent.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-grafana-secure-gravatar.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-secure-gravatar
+  namespace: prometheus
+spec:
+  description: Allow Grafana Secure Gravatar
+  egress:
+    - toFQDNs:
+        - matchName: secure.grafana.com
+        - matchName: secure.gravatar.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-host-traffic.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: prometheus
+spec:
+  description: Allow Host Traffic
+  egress:
+    - toEntities:
+        - remote-node
+        - host
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-nginx-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-nginx-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-opencost-scrape.yaml

@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-opencost-scrape
+  namespace: prometheus
+spec:
+  description: Allow OpenCost scrape
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: opencost
+            io.kubernetes.pod.namespace: opencost
+    - toPorts:
+        - ports:
+            - port: "9090"
+              protocol: TCP

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-metrics-server.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-metrics-server
+  namespace: prometheus
+spec:
+  description: Allow Remote Metrics Server
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: metrics-server
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-remote-node-to-webhook.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-webhook
+  namespace: prometheus
+spec:
+  description: Allow Remote Web Hook
+  endpointSelector:
+    matchLabels:
+      app: kube-prometheus-stack-operator
+  ingress:
+    - fromEntities:
+        - remote-node

attic/charts/cilium/templates/prometheus/CiliumNetworkPolicy-allow-robusta-ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-robusta-ingress
+  namespace: prometheus
+spec:
+  description: Allow Robusta ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prom-prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: robusta