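# NetworkPolicy: tenant namespace isolation.
# - default-deny-ingress: baseline for every pod in the namespace. Any pod that is not
#   covered by an explicit allow policy below (jobs, sidecars, future workloads) receives
#   no inbound traffic at all. NetworkPolicies are additive, so the allow rules below
#   still apply on top of this baseline.
# - mongodb-tenant: ingress only from the tenant-api pods and from the other replica-set members.
# - tenant-api: ingress only from the ingress controller pods (namespace 'ingress-nginx').
# - tenant-admin: ingress only from the ingress controller pods.
# Egress: unrestricted (DNS, registry, SMTP, LOGINMASTER_API_URL must stay reachable).
#   NOTE(review): mongodb-tenant itself only needs DNS and its replica-set peers; an egress
#   policy for it would be a cheap extra hardening step. Not applied here — confirm
#   backup/monitoring flows first.
#
# Note: the namespace label 'kubernetes.io/metadata.name' is set automatically from K8s 1.22+.
# If the ingress controller is installed in a different namespace, change the namespaceSelector.
#
# Selectors inside ONE 'from' entry are AND-ed: namespaceSelector + podSelector together
# restrict the peer to the controller pods, not to any pod that happens to run in the
# 'ingress-nginx' namespace (a namespaceSelector alone would admit every pod there).
# The pod label used ('app.kubernetes.io/name: ingress-nginx') is the one applied by the
# official ingress-nginx manifests/Helm chart. Verify it matches your installation
# (kubectl get pods -n ingress-nginx --show-labels) BEFORE applying: if it does not match,
# tenant-api and tenant-admin will be unreachable from the controller.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ${NAMESPACE}
spec:
  # Empty podSelector matches every pod in the namespace; with policyTypes=Ingress and no
  # 'ingress' rules, all inbound traffic is denied unless another policy allows it.
  podSelector: {}
  policyTypes:
    - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mongodb-tenant
  namespace: ${NAMESPACE}
spec:
  podSelector:
    matchLabels:
      app: mongodb-tenant
  policyTypes:
    - Ingress
  ingress:
    # Two separate list items = OR: either replica-set peers or the API pods may connect.
    - from:
        - podSelector:
            matchLabels:
              app: mongodb-tenant
        - podSelector:
            matchLabels:
              app: tenant-api
      ports:
        - protocol: TCP
          port: 27017
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-api
  namespace: ${NAMESPACE}
spec:
  podSelector:
    matchLabels:
      app: tenant-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Single list item with both selectors = AND: only controller pods in ingress-nginx.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 3000
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-admin
  namespace: ${NAMESPACE}
spec:
  podSelector:
    matchLabels:
      app: tenant-admin
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Single list item with both selectors = AND: only controller pods in ingress-nginx.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 80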