{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "loki.name" . }}-namespace-only
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
spec:
  policyTypes:
    - Ingress
    - Egress
  podSelector: {}
  egress:
    - to:
        - podSelector: {}
  ingress:
    - from:
        - podSelector: {}

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "loki.name" . }}-egress-dns
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      {{- include "loki.selectorLabels" . | nindent 6 }}
  egress:
    - ports:
        - port: dns
          protocol: UDP
      to:
        - namespaceSelector: {}

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "loki.name" . }}-ingress
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchExpressions:
      - key: app.kubernetes.io/component
        operator: In
        values:
        {{- if .Values.gateway.enabled }}
          - gateway
        {{- else }}
          - read
          - write
        {{- end }}
    matchLabels:
      {{- include "loki.selectorLabels" . | nindent 6 }}
  ingress:
    - ports:
        - port: http-metrics
          protocol: TCP
  {{- if .Values.networkPolicy.ingress.namespaceSelector }}
      from:
        - namespaceSelector:
          {{- toYaml .Values.networkPolicy.ingress.namespaceSelector | nindent 12 }}
          {{- if .Values.networkPolicy.ingress.podSelector }}
          podSelector:
          {{- toYaml .Values.networkPolicy.ingress.podSelector | nindent 12 }}
          {{- end }}
  {{- end }}

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "loki.name" . }}-ingress-metrics
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      {{- include "loki.selectorLabels" . | nindent 6 }}
  ingress:
    - ports:
        - port: http-metrics
          protocol: TCP
    {{- if .Values.networkPolicy.metrics.cidrs }}
      from:
      {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
        - ipBlock:
            cidr: {{ $cidr }}
      {{- end }}
      {{- if .Values.networkPolicy.metrics.namespaceSelector }}
        - namespaceSelector:
          {{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 12 }}
          {{- if .Values.networkPolicy.metrics.podSelector }}
          podSelector:
          {{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 12 }}
          {{- end }}
      {{- end }}
    {{- end }}

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "loki.name" . }}-egress-alertmanager
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      {{- include "loki.backendSelectorLabels" . | nindent 6 }}
  egress:
    - ports:
        - port: {{ .Values.networkPolicy.alertmanager.port }}
          protocol: TCP
  {{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
      to:
        - namespaceSelector:
          {{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector | nindent 12 }}
          {{- if .Values.networkPolicy.alertmanager.podSelector }}
          podSelector:
          {{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 12 }}
          {{- end }}
  {{- end }}

{{- if .Values.networkPolicy.externalStorage.ports }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "loki.name" . }}-egress-external-storage
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      {{- include "loki.selectorLabels" . | nindent 6 }}
  egress:
    - ports:
      {{- range $port := .Values.networkPolicy.externalStorage.ports }}
        - port: {{ $port }}
          protocol: TCP
      {{- end }}
  {{- if .Values.networkPolicy.externalStorage.cidrs }}
      to:
      {{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
        - ipBlock:
            cidr: {{ $cidr }}
      {{- end }}
  {{- end }}
{{- end }}

{{- end }}

{{- if and .Values.networkPolicy.discovery.port (eq .Values.networkPolicy.flavor "kubernetes") }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "loki.name" . }}-egress-discovery
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "loki.labels" . | nindent 4 }}
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      {{- include "loki.selectorLabels" . | nindent 6 }}
  egress:
    - ports:
        - port: {{ .Values.networkPolicy.discovery.port }}
          protocol: TCP
  {{- if .Values.networkPolicy.discovery.namespaceSelector }}
      to:
        - namespaceSelector:
          {{- toYaml .Values.networkPolicy.discovery.namespaceSelector | nindent 12 }}
          {{- if .Values.networkPolicy.discovery.podSelector }}
          podSelector:
          {{- toYaml .Values.networkPolicy.discovery.podSelector | nindent 12 }}
          {{- end }}
  {{- end }}
{{- end }}