{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "grafana.fullname" . }}
  namespace: {{ include "grafana.namespace" . }}
  labels:
    {{- include "grafana.labels" . | nindent 4 }}
    {{- with .Values.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  policyTypes:
    {{- if .Values.networkPolicy.ingress }}
    - Ingress
    {{- end }}
    {{- if .Values.networkPolicy.egress.enabled }}
    - Egress
    {{- end }}
  podSelector:
    matchLabels:
      {{- include "grafana.selectorLabels" . | nindent 6 }}

  {{- if .Values.networkPolicy.egress.enabled }}
  egress:
    {{- if not .Values.networkPolicy.egress.blockDNSResolution }}
    - ports:
        - port: 53
          protocol: UDP
    {{- end }}
    - ports:
        {{ .Values.networkPolicy.egress.ports | toJson }}
      {{- with .Values.networkPolicy.egress.to }}
      to:
        {{- toYaml . | nindent 12 }}
      {{- end }}
  {{- end }}
  {{- if .Values.networkPolicy.ingress }}
  ingress:
    - ports:
      - port: {{ .Values.service.targetPort }}
      {{- if not .Values.networkPolicy.allowExternal }}
      from:
        - podSelector:
            matchLabels:
              {{ include "grafana.fullname" . }}-client: "true"
        {{- with .Values.networkPolicy.explicitNamespacesSelector }}
        - namespaceSelector:
            {{- toYaml . | nindent 12 }}
        {{- end }}
        - podSelector:
            matchLabels:
              {{- include "grafana.labels" . | nindent 14 }}
              role: read
      {{- end }}
  {{- end }}
{{- end }}