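{{- /*
Calico NetworkPolicy for the pods labelled dplane == 'crd-job'.
Rendered only when the fusion operator is enabled, the data plane mode
resolves to "shared", and fusionOperator.calicoNetpol.enabled is set.
*/ -}}
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" .) "shared") }}
{{- if .Values.fusionOperator.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: crd-netpol
  # Quoted so a namespace name that looks like a number or a boolean is
  # still rendered as a string.
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # Helm hook resource: created in the pre-install, pre-upgrade and
    # pre-delete phases at weight -5, replaced if a previous copy exists,
    # and deleted again once the hooks have succeeded.
    # NOTE(review): presumably the crd-job hook runs at a higher weight so
    # that this policy is in place first - confirm against that job.
    "helm.sh/hook": pre-install,pre-upgrade,pre-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  # Calico applies policies with a lower order value first.
  order: 10
  selector: dplane == 'crd-job'
  # Both directions are listed but there are no ingress rules, so this
  # policy allows no inbound traffic to the selected pods.
  types:
    - Ingress
    - Egress
  egress:
    # DNS lookups: UDP and TCP port 53 to endpoints in kube-system.
    # NOTE(review): the namespaceSelector alone matches every endpoint in
    # kube-system on port 53, not only the DNS pods; a destination
    # selector on the cluster's DNS pod label would narrow this.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports:
          - 53
    # Kubernetes API server, matched through the default/kubernetes
    # Service. With a services match the destination ports come from the
    # Service itself, which is why no ports are listed here.
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default
      protocol: TCP
{{- end }}
{{- end }}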