# NetworkPolicies for the shared apps-pg cnpg cluster (RAILIANCE-WP-0003).
# The databases namespace has a default-deny-all policy; each cluster
# needs explicit egress-to-kube-api, ingress-from-cnpg-operator, and
# ingress-from-app-namespace policies.
#
# Unlike gitea-db (which hard-codes `default` as the consumer ns), this
# triplet uses a label-based opt-in: any namespace carrying the label
# `railiance.io/postgres-client=apps-pg` may connect on TCP/5432. The
# shared cluster cannot know its consumer namespaces in advance, so it
# expects each consumer to add this label as part of its onboarding.
#
# NOTE(review): none of the three policies below allows traffic between
# the apps-pg instances themselves, nor egress to DNS. If the cluster runs
# more than one instance (streaming replication over 5432), confirm that
# the namespace's default-deny policy is not what breaks replication; the
# Cluster spec is not part of this file.
---
# Egress: allows the cnpg instance pods to reach the Kubernetes API
# server on TCP/6443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-kube-api-apps-pg
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes:
    - Egress
  egress:
    # NOTE(review): this rule carries no `to:` peer, so it permits TCP/6443
    # to *any* destination, not only the API server. If the API endpoint
    # has a stable address, scope the rule with an `ipBlock` (that address
    # is not recorded here).
    - ports:
        - port: 6443
          protocol: TCP
---
# Ingress: operator namespace -> instance pods. 5432 is Postgres; 8000 and
# 9187 are presumably the instance-manager status and metrics ports —
# confirm against the cnpg version in use.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-cnpg-operator-apps-pg
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Only pods living in the operator's namespace, matched by the
        # immutable kubernetes.io/metadata.name label.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      ports:
        - port: 5432
          protocol: TCP
        - port: 8000
          protocol: TCP
        - port: 9187
          protocol: TCP
---
# Ingress: consumer namespaces -> instance pods on Postgres only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-app-namespaces-apps-pg
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: apps-pg
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in the same `from` element are
        # ANDed; `podSelector: {}` selects every pod in a matching namespace,
        # so this is equivalent to the namespaceSelector alone.
        # NOTE(review): access is granted by whoever can set the label on a
        # Namespace object, so RBAC over namespace labels is the effective
        # gate for this policy — worth checking alongside onboarding.
        - namespaceSelector:
            matchLabels:
              railiance.io/postgres-client: apps-pg
          podSelector: {}
      ports:
        - port: 5432
          protocol: TCP