---
# CloudNativePG (CNPG) network policies for a single-operator deployment.
# Document 1: what may reach the postgres-shared cluster pods.
# Document 2: what may reach the Helm-deployed operator, and where it may go.
# Both CiliumNetworkPolicy objects are namespaced, so the selectors below
# only match pods in postgresql-system.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnpg-comprehensive-access
  namespace: postgresql-system
spec:
  description: "Allow CloudNativePG operator and cluster communication"
  # Policy subject: every pod carrying the cluster label.
  endpointSelector:
    matchLabels:
      cnpg.io/cluster: postgres-shared
  ingress:
    # Rule 1: the operator (same namespace) manages the instances.
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: cloudnative-pg
      toPorts:
        - ports:
            # PostgreSQL
            - port: "5432"
              protocol: TCP
            # CNPG instance status / health endpoint
            - port: "8000"
              protocol: TCP
            # PostgreSQL exporter metrics
            - port: "9187"
              protocol: TCP
    # Rule 2: applications and monitoring anywhere in the cluster.
    # NOTE(review): the `cluster` entity covers every endpoint in the local
    # cluster across all namespaces, so at L3/L4 any pod can open a
    # connection to port 5432; authentication (pg_hba, TLS, passwords) is the
    # only remaining control. Consider narrowing to namespace/label selectors
    # if the consumer set is known.
    - fromEntities:
        - cluster
        - host
        - remote-node
        # Listed explicitly for API-server-originated traffic (port-forward).
        # NOTE(review): port-forward is relayed by the kubelet on the node,
        # so this traffic may instead carry the host/remote-node identity;
        # confirm on the target cluster before relying on this entry.
        - kube-apiserver
      toPorts:
        - ports:
            # PostgreSQL
            - port: "5432"
              protocol: TCP
            # Metrics scraping
            - port: "9187"
              protocol: TCP
    # Rule 3: instance-to-instance traffic inside the same CNPG cluster
    # (streaming replication and mutual health checks).
    - fromEndpoints:
        - matchLabels:
            cnpg.io/cluster: postgres-shared
      toPorts:
        - ports:
            # Replication
            - port: "5432"
              protocol: TCP
            # Health checks between instances
            - port: "8000"
              protocol: TCP
---
# The operator serves CNPG admission webhooks; the API server must be able
# to reach them, and the operator must be able to reach its instances.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnpg-operator-webhook-access
  namespace: postgresql-system
spec:
  description: "Allow CloudNativePG operator webhook communication"
  # Policy subject: the Helm-deployed operator pod(s).
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: cloudnative-pg
  ingress:
    # Webhook calls from the Kubernetes API server.
    # NOTE(review): with an in-cluster control plane these arrive as
    # host/remote-node; if the control plane is external (managed
    # Kubernetes) they may carry the kube-apiserver identity, which is not
    # covered by host/cluster — verify for the target environment.
    - fromEntities:
        - host
        - cluster
      toPorts:
        - ports:
            # CNPG webhook listener
            - port: "9443"
              protocol: TCP
  # Declaring egress rules puts the operator in egress default-deny for
  # anything not listed below.
  egress:
    # Operator -> PostgreSQL instances (management and status).
    - toEndpoints:
        - matchLabels:
            cnpg.io/cluster: postgres-shared
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
            - port: "8000"
              protocol: TCP
    # Operator -> Kubernetes API (and any other in-cluster endpoint, since
    # `cluster` is broad; it also covers in-cluster DNS).
    - toEntities:
        - cluster
        - host
        - remote-node