{{- if .Values.crds.install }}
{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumNetworkPolicy" }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: {{ include "crdInstall" . }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # create hook dependencies in the right order
    "helm.sh/hook-weight": "-7"
    {{- include "crdInstallAnnotations" . | nindent 4 }}
  labels:
    app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
    {{- include "labels.selector" . | nindent 4 }}
    role: {{ include "crdInstallSelector" . | quote }}
spec:
  egress:
    - toEntities:
        - kube-apiserver
  endpointSelector: {}
{{- else }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: {{ include "crdInstall" . }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # create hook dependencies in the right order
    "helm.sh/hook-weight": "-7"
    {{- include "crdInstallAnnotations" . | nindent 4 }}
  labels:
    app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
    {{- include "labels.selector" . | nindent 4 }}
    role: {{ include "crdInstallSelector" . | quote }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
      {{- include "labels.selector" . | nindent 6 }}
  # allow egress traffic to the Kubernetes API
  egress:
    - ports:
        - port: 443
          protocol: TCP
        # legacy port kept for compatibility
        - port: 6443
          protocol: TCP
      to:
    {{- range tuple "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" }}
        - ipBlock:
            cidr: {{ . }}
    {{- end }}
  # deny ingress traffic
  ingress: []
  policyTypes:
    - Egress
    - Ingress
{{- end }}
{{- end }}