# This NetworkPolicy allows ingress traffic to your webhook server, which runs
# as part of the controller-manager, from specific namespaces and pods. CRs that use webhooks
# will only work when applied in namespaces labeled with 'webhook: enabled'.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/name: supabase-operator
    app.kubernetes.io/managed-by: kustomize
  name: allow-webhook-traffic
  namespace: supabase-system
spec:
  # Pods this policy applies to: every pod in supabase-system that carries the
  # control-plane label below. No other label is matched.
  podSelector:
    matchLabels:
      control-plane: controller-manager
  # Declaring Ingress isolates the selected pods for inbound traffic: anything not
  # allowed by the rule below, or by another NetworkPolicy selecting the same pods,
  # is dropped. Egress is not restricted by this policy.
  # NOTE(review): if these pods also expose a metrics endpoint, confirm a separate
  # policy admits that traffic; this one only opens the port listed below.
  policyTypes:
    - Ingress
  ingress:
    # This allows ingress traffic from any namespace with the label webhook: enabled.
    # There is no podSelector next to the namespaceSelector, so every pod in a
    # matching namespace is admitted.
    # NOTE(review): admission webhook requests are sent by the kube-apiserver, not by
    # workloads in the namespace where the CR is applied. Whether a namespaceSelector
    # matches API-server traffic depends on the cluster and CNI; verify that webhook
    # calls still succeed with this policy enforced.
    - from:
        - namespaceSelector:
            matchLabels:
              # This label is the only trust boundary for the rule. Any principal
              # allowed to label namespaces can opt a namespace in, so restrict that
              # RBAC permission, or pin trusted namespaces by the API-server-managed
              # kubernetes.io/metadata.name label instead.
              webhook: enabled # Only from namespaces with this label
      ports:
        # NOTE(review): NetworkPolicy ports are matched against the destination pod's
        # port, not the Service port. Confirm the webhook container really listens on
        # 443; if a Service maps 443 to a different targetPort, that targetPort is the
        # value needed here.
        - port: 443
          protocol: TCP