# Two CiliumNetworkPolicy documents controlling ingress to the Gitea workload.
# Neither document sets metadata.namespace, so both apply to whichever
# namespace is selected at apply time.
# NOTE(review): the first rule hard-codes "git-limbosolutions-com"; confirm the
# policies are always deployed into that namespace. Applied elsewhere, the rule
# would admit that namespace's pods instead of the local ones.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-same-namespace-ingress
spec:
  # An empty selector matches all pods in this namespace. Under Cilium's
  # default enforcement mode, selecting an endpoint with an ingress rule means
  # ingress not explicitly allowed by some policy is dropped for that endpoint.
  endpointSelector: {}
  ingress:
    # Peers are matched on the namespace label only. There is no toPorts
    # section, so the allowance is not restricted to specific ports.
    - fromEndpoints:
        - matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - git-limbosolutions-com
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-gitea-ingress
spec:
  # Applies only to pods labelled as Gitea.
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: gitea
  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (in kube-system) to reach Gitea on port 3000
    # -------------------------------------------------------------
    # matchLabels and matchExpressions sit in the same selector, so a peer must
    # carry the traefik name label AND be in kube-system.
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - kube-system
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
    # -------------------------------------------------------------
    # Allow SSH (2222)
    # -------------------------------------------------------------
    # 0.0.0.0/0 admits every IPv4 source; there is no IPv6 (::/0) entry.
    # With no network-level source restriction, authentication and rate
    # limiting on the SSH endpoint are the remaining controls for this port.
    # NOTE(review): Cilium CIDR rules do not match peers that are Cilium-managed
    # endpoints or cluster nodes. If SSH arrives through a Service path that
    # SNATs to a node IP, this rule may not match; verify with a flow trace.
    - fromCIDRSet:
        - cidr: 0.0.0.0/0
      toPorts:
        - ports:
            - port: "2222"
              protocol: TCP