apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace-ingress
spec:
  endpointSelector: {}   # All pods in this namespace
  ingress:
    - fromEndpoints:
        - matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com

    
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-traefik-ingress
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: gitea

  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (in kube-system) to reach Gitea on port 3000 and 2222
    # -------------------------------------------------------------
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - traefik
                - traefik-public
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
        - ports:
            - port: "2222"
              protocol: TCP