# oauth2-proxy must be configured with --upstream=http://hubble-ui:80
# so that it proxies authenticated requests to hubble-ui.
#
# Exposes the Hubble UI hostname through the shared gateway. Every path on the
# hostname is routed to the oauth2-proxy Service, not to hubble-ui itself, so
# the login check happens in oauth2-proxy before a request is forwarded.
# NOTE(review): nothing in this view selects the hubble-ui pods. If no other
# policy restricts them, in-cluster clients can call hubble-ui:80 directly and
# skip oauth2-proxy. Confirm a policy exists that admits only oauth2-proxy.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: hubble-ui
  namespace: kube-system
spec:
  parentRefs:
    # Attaches to one named listener of the gateway only.
    - name: shared-gateway
      namespace: kube-system
      sectionName: https-hel1
  hostnames:
    - hubble.hel1.oceanbox.io
  rules:
    - matches:
        # The "/" prefix matches every request path, so no path bypasses the proxy.
        - path:
            type: PathPrefix
            value: "/"
      backendRefs:
        # Service port of oauth2-proxy; the container port behind it is not shown.
        - name: oauth2-proxy
          port: 80
---
# Ingress allow-list for the oauth2-proxy pods.
# The name mentions hubble-ui, but the selector below matches pods labelled
# app.kubernetes.io/name: oauth2-proxy; hubble-ui pods are not selected here.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-gateway-to-hubble-ui
  namespace: kube-system
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: oauth2-proxy
  # Neither rule below has a toPorts section, so each one admits its sources on
  # every port of the selected pods. Adding toPorts for the proxy's listening
  # port would narrow this (the pod port, which may differ from Service port 80).
  ingress:
    # Rule 1: the three RFC 1918 private ranges plus 100.64.0.0/12.
    # NOTE(review): per Cilium's documented semantics, CIDR rules do not match
    # traffic from Cilium-managed pods or cluster nodes. If shared-gateway is
    # Cilium's own Gateway API implementation, its traffic would be matched by
    # fromEntities (ingress) rather than by these CIDRs; confirm which rule
    # actually admits the gateway.
    - fromCIDRSet:
        - cidr: 10.0.0.0/8
        - cidr: 172.16.0.0/12
        - cidr: 192.168.0.0/16
        # NOTE(review): /12 spans 100.64.0.0-100.79.255.255, only part of the
        # RFC 6598 shared range 100.64.0.0/10. Confirm the prefix is intended.
        - cidr: 100.64.0.0/12
    # Rule 2: any pod in the kube-system namespace, whatever its other labels.
    # NOTE(review): broader than "the gateway"; a selector on the gateway pods'
    # own labels would be tighter if those labels are known.
    - fromEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system