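---
# Celery Monitoring Network Policies
# Port-forward and health check access to Flower with proper DNS/Redis connectivity
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: celery-flower-ingress
  namespace: celery-monitoring
spec:
  description: "Allow ingress to Flower from kubectl port-forward and health checks"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: celery-flower
      app.kubernetes.io/component: monitoring
  ingress:
    # kubectl port-forward and kubelet liveness/readiness probes both reach the
    # pod from the node's host network namespace, which Cilium classifies as
    # the `host` entity. `cluster` was removed from this rule: it is a superset
    # of `host` that also admits every pod in the cluster, which is wider than
    # the description above states. If Flower is later scraped by an in-cluster
    # pod, add an explicit fromEndpoints rule for that pod rather than
    # re-widening to `cluster`.
    - fromEntities:
        - host
      toPorts:
        - ports:
            - port: "5555"
              protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: celery-flower-egress
  namespace: celery-monitoring
spec:
  description: "Allow Flower to connect to Redis, DNS, and monitoring services"
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: celery-flower
      app.kubernetes.io/component: monitoring
  egress:
    # Allow all cluster-internal communication (like PieFed approach)
    # This is more permissive but still secure within the cluster
    # NOTE(review): this rule admits every in-cluster destination on every
    # port, not only the Redis, DNS and monitoring services named in the
    # description; `host` is already contained in `cluster`, so listing it
    # changes nothing. Scoping it properly needs the Redis/monitoring pod
    # selectors, which this file does not carry, so the rule is left as-is
    # and flagged for follow-up.
    - toEntities:
        - cluster
        - host

# Service access policy removed - using kubectl port-forward for local access
# Port-forward provides secure access without exposing the service externally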