{{- if .Values.envoy.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: {{ template "envoy.appName" . }}
  namespace: {{ .Release.Namespace }}
spec:
  order: 10
  selector: dplane == 'envoy'
  types:
    - Ingress
    - Egress
  ingress:
    ### traffic from the load balancer ###
    - action: Allow
      protocol: TCP
      source: {{ toYaml .Values.envoy.calicoNetpol.subnetEntityRule | nindent 8 }}
      destination:
        ports:
          {{- range .Values.envoy.service.ports }}
          - {{ .targetPort }}
          {{end }}
  egress:
    # allow to communicate to DNS pods
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    ### all egress traffic to the inbound-worker,orchestrator ###
    - action: Allow
      protocol: TCP
      destination:
        selector: dplane == 'inbound-worker' || dplane == 'orchestrator' || dplane == 'pep-server'
        namespaceSelector: projectcalico.org/name == '{{ .Release.Namespace }}'
    ### Traffic to the internet ###
    - action: Allow
      protocol: TCP
      destination: {{ toYaml .Values.envoy.calicoNetpol.outboundRule | nindent 8 }}
{{- end}}