railiance-platform/helm/gitea-db-networkpolicies.yaml

# NetworkPolicies for gitea-db cnpg cluster
# The databases namespace has a default-deny-all policy; each cluster needs
# explicit egress-to-kube-api, ingress-from-cnpg-operator, and
# ingress-from-app-namespace policies.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-kube-api-gitea-db
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: gitea-db
  policyTypes:
    - Egress
  egress:
    - ports:
        - port: 6443
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-cnpg-operator-gitea-db
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: gitea-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cnpg-system
      ports:
        - port: 5432
          protocol: TCP
        - port: 8000
          protocol: TCP
        - port: 9187
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-default-gitea-db
  namespace: databases
spec:
  podSelector:
    matchLabels:
      cnpg.io/cluster: gitea-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
      ports:
        - port: 5432
          protocol: TCP