{{- if .Values.clusterConfig.cilium.enabled }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-egress
  namespace: niks3
spec:
  description: niks3 egress to Ceph RGW (S3), in-namespace PostgreSQL, and kube-dns
  # ekman carries no cluster-wide allow-namespace-traffic baseline (hel1/oceanbox do),
  # so as soon as an egress rule selects niks3 every unlisted egress destination is
  # denied. The three destinations niks3 needs are therefore all spelled out below:
  # RGW (S3), the in-namespace PostgreSQL cluster, and kube-dns.
  endpointSelector:
    matchLabels:
      app: niks3
  egress:
    # Ceph RadosGW (S3 object storage backend): three fixed hosts on a NodePort.
    - toCIDR:
        - 10.255.241.30/32
        - 10.255.241.31/32
        - 10.255.241.32/32
      toPorts:
        - ports:
            - port: '30080'
              protocol: TCP
    # PostgreSQL (CNPG niks3-db cluster, same namespace).
    # NOTE(review): this selector admits every pod in namespace niks3 on 5432, not
    # only the CNPG instances; adding the CNPG pod label (cnpg.io/cluster: niks3-db)
    # would narrow it to the database pods -- verify the label on the running pods
    # before tightening, since a miss here silently blackholes DB traffic.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: niks3
      toPorts:
        - ports:
            - port: '5432'
              protocol: TCP
    # DNS resolution via kube-system/kube-dns on UDP and TCP 53. The dns rule with
    # matchPattern '*' places no restriction on which names may be resolved.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: '53'
              protocol: UDP
            - port: '53'
              protocol: TCP
          rules:
            dns:
              - matchPattern: '*'
{{- end }}