{{- if .Values.networkPolicy.enabled }}
# CiliumNetworkPolicy scoping the operator's own traffic.
#
# Because both an `ingress` and an `egress` section are present, Cilium puts the
# selected pods into default-deny in both directions: anything not listed below
# is dropped. Egress is limited to DNS, the Kubernetes API server, OpenBao and
# LiteLLM; the only accepted ingress is the metrics port, and only from the
# monitoring namespace.
#
# NOTE(review): every toEndpoints/fromEndpoints selector below matches on the
# peer's namespace only, so any pod in kube-system / openbao / inference /
# monitoring can be reached (or can reach us) on the listed ports. Adding the
# workload's own labels to each matchLabels would narrow this — verify the real
# labels of those deployments before tightening.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: pieced-operator-egress
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: pieced-operator
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: pieced-operator
  egress:
    # Name resolution: UDP and TCP 53 towards pods in kube-system. No L7 DNS
    # rule is attached, so any name may be resolved; the destinations the
    # operator can actually connect to are still limited by the rules below.
    - toEndpoints:
        - matchLabels:
            k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: kube-system
      toPorts:
        - ports:
            - protocol: UDP
              port: "53"
            - protocol: TCP
              port: "53"
    # controller-runtime watch/update traffic to the API server, identified via
    # Cilium's kube-apiserver entity.
    # NOTE(review): 6443 is the typical kube-apiserver listening port; on some
    # managed distributions the backend port differs — confirm for the target
    # cluster, otherwise the operator loses its API connection when the policy
    # is enabled.
    - toEntities:
        - kube-apiserver
      toPorts:
        - ports:
            - protocol: TCP
              port: "6443"
    # OpenBao: policy/role management plus secret reads and writes.
    - toEndpoints:
        - matchLabels:
            k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: openbao
      toPorts:
        - ports:
            - protocol: TCP
              port: "8200"
    # LiteLLM: team and API-key provisioning.
    - toEndpoints:
        - matchLabels:
            k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: inference
      toPorts:
        - ports:
            - protocol: TCP
              port: "4000"
  ingress:
    # Metrics scraping (optional): TCP 8080 from the monitoring namespace only.
    # Listing this section is what makes all other ingress default-deny.
    - fromEndpoints:
        - matchLabels:
            k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: monitoring
      toPorts:
        - ports:
            - protocol: TCP
              port: "8080"
{{- end }}