# Harbor Registry Firewall Rules for Direct Access
#
# Two Cilium policies:
#   1. a cluster-wide policy that restricts inbound traffic to the NGINX
#      Ingress Controller endpoints to ports 80/443 (plus the metrics port
#      from inside the cluster);
#   2. a namespaced policy in "harbor-registry" that restricts inbound
#      traffic to Harbor pods to the ingress controller and other Harbor pods.
#
# Both policies are allow-lists: an endpoint that a policy selects with an
# `ingress` section becomes default-deny for ingress, and only the listed
# sources/ports get through. Endpoints that are NOT selected by either policy
# are unaffected.
---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "harbor-registry-host-firewall"
spec:
  # The description says "only for NGINX Ingress", but a selector-based
  # policy cannot restrict traffic to endpoints it does not select; other
  # workloads keep their own (default-allow) posture unless covered elsewhere.
  description: "Allow external access to ports 80/443 only for NGINX Ingress serving Harbor"
  # Target NGINX Ingress Controller pods specifically (they use hostNetwork)
  #
  # NOTE(review): endpointSelector selects *pod* endpoints by label. If the
  # controller really runs with hostNetwork (as stated above), its traffic
  # belongs to the node's host endpoint, and a pod-label selector is not
  # expected to match it; host-firewall rules are normally written with
  # `nodeSelector` and require Cilium's host firewall to be enabled. Confirm
  # which mode the controller runs in (the metadata.name says "host-firewall",
  # the selector says pod) and that `cilium policy get` / Hubble actually shows
  # this policy being enforced on the intended endpoints.
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: "ingress-nginx"
      app.kubernetes.io/component: "controller"
  # Once an endpoint is selected here, any inbound port not listed below is
  # dropped. Verify the controller serves nothing else inbound (e.g. an
  # admission-webhook or health port) — if it does, that port must be added
  # or the deployment breaks silently.
  ingress:
    # Allow external traffic to NGINX Ingress on HTTP/HTTPS ports
    # "world" = any source outside the cluster. Port 80 is plaintext; keep it
    # only if it is used purely for redirect/ACME challenges — TODO confirm.
    - fromEntities:
        - world
        - cluster
      toPorts:
        - ports:
            - port: "80"
              protocol: "TCP"
            - port: "443"
              protocol: "TCP"
    # Allow cluster-internal traffic to NGINX Ingress
    # "cluster" is already granted 80/443 by the rule above, so the only net
    # effect of this rule is exposing the metrics port to every cluster
    # endpoint (pods, host, remote-node). Consider narrowing 10254 to the
    # monitoring namespace / scraper identity instead of the whole cluster.
    - fromEntities:
        - cluster
      toPorts:
        - ports:
            - port: "80"
              protocol: "TCP"
            - port: "443"
              protocol: "TCP"
            - port: "10254"  # NGINX metrics port
              protocol: "TCP"
---
# Allow NGINX Ingress to reach Harbor services
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "harbor-services-access"
  namespace: "harbor-registry"
spec:
  description: "Allow NGINX Ingress Controller to reach Harbor services"
  # Selects every pod in harbor-registry carrying app=harbor; each of them
  # becomes ingress default-deny and only the two rules below apply.
  endpointSelector:
    matchLabels:
      app: "harbor"
  ingress:
    # Allow traffic from NGINX Ingress Controller
    #
    # NOTE(review): in a namespaced CiliumNetworkPolicy, `fromEndpoints`
    # without a namespace label only matches pods in *this* namespace
    # (harbor-registry). If ingress-nginx is deployed in another namespace,
    # this rule matches nothing and ingress traffic to Harbor is dropped; the
    # selector would also need `k8s:io.kubernetes.pod.namespace: <ns>`.
    # If the controller uses hostNetwork (per the first policy's comment),
    # its traffic carries the host/remote-node identity, not pod labels, and
    # a `fromEntities` rule would be needed instead — confirm the deployment.
    #
    # No `toPorts` here: the controller may reach every port on every Harbor
    # pod, not just the one(s) it proxies to. Restrict to the backend port(s)
    # actually configured in the Ingress resource.
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: "ingress-nginx"
            app.kubernetes.io/component: "controller"
    # Allow traffic between Harbor components
    # Also unrestricted by port: any app=harbor pod may reach any port on any
    # other app=harbor pod (including datastores, if they carry the same
    # label). Per-component rules with toPorts would give least privilege.
    - fromEndpoints:
        - matchLabels:
            app: "harbor"