From 5b9e6fb5e0952ec3de9eb1318a19767c083e6a94 Mon Sep 17 00:00:00 2001
From: Quentin Bisson
Date: Wed, 14 Feb 2024 14:02:12 +0100
Subject: [PATCH] Add CNP for PMO (#1528)

---
 CHANGELOG.md | 4 +++
 .../templates/cilium-network-policy.yaml | 36 +++++++++++++++++++
 .../prometheus-cilium-network-policy.yaml | 34 ------------------
 3 files changed, 40 insertions(+), 34 deletions(-)
 create mode 100644 helm/prometheus-meta-operator/templates/cilium-network-policy.yaml
 delete mode 100644 helm/prometheus-meta-operator/templates/prometheus/prometheus-cilium-network-policy.yaml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 758a6832f..426b362ff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Added
+
+- Add CNP for prometheus-meta-operator to be able to talk to the api-server in locked-down clusters.
+
 ## [4.67.3] - 2024-02-13
 ### Added
diff --git a/helm/prometheus-meta-operator/templates/cilium-network-policy.yaml b/helm/prometheus-meta-operator/templates/cilium-network-policy.yaml
new file mode 100644
index 000000000..660803df5
--- /dev/null
+++ b/helm/prometheus-meta-operator/templates/cilium-network-policy.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.ciliumNetworkPolicy.enabled -}}
+{{- if .Capabilities.APIVersions.Has "cilium.io/v2" -}}
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "resource.default.name" . }}
+ namespace: {{ include "resource.default.namespace" . }}
+ labels:
+ {{- include "labels.common" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "labels.selector" . | nindent 6 }}
+ egress:
+ - toEntities:
+ ## Needed to create anything in the MCs.
+ - kube-apiserver
+ ## Needed to set remote write informations.
+ - cluster
+ ## Needed to access opsgenie and create heartbeats.
+ - world
+ ingress:
+ - fromEntities:
+ - cluster
+ toPorts:
+ - ports:
+ - port: "8000"
+ protocol: "TCP"
+ rules:
+ http:
+ - method: "GET"
+ path: "/metrics"
+ - method: "GET"
+ path: "/healthz"
+{{ end }}
+{{ end }}
diff --git a/helm/prometheus-meta-operator/templates/prometheus/prometheus-cilium-network-policy.yaml b/helm/prometheus-meta-operator/templates/prometheus/prometheus-cilium-network-policy.yaml
deleted file mode 100644
index 540bdef0e..000000000
--- a/helm/prometheus-meta-operator/templates/prometheus/prometheus-cilium-network-policy.yaml
+++ /dev/null
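Review bot: The `- world` entry under `egress` carries no `toPorts`, so the operator pod is allowed to reach any port on any external address, whereas the prometheus policy this commit deletes limited its world egress to ports 443 and 6443. The comment says world is only needed for the Opsgenie heartbeat API, so the egress rule can be split and the world entity pinned to 443/TCP as below; a `toFQDNs` match on the Opsgenie hostname would be tighter still, but that depends on Cilium's DNS proxy being enabled, which the chart alone does not show. Two smaller points: the new comments use `##` while the deleted template used a single `#`, and `informations` on the cluster entry should read `information`.
```yaml
  egress:
  - toEntities:
    # Needed to create anything in the MCs.
    - kube-apiserver
    # Needed to set remote write information.
    - cluster
  - toEntities:
    # Needed to access opsgenie and create heartbeats; HTTPS only.
    - world
    toPorts:
    - ports:
      - port: "443"
        protocol: "TCP"
  # … unchanged: ingress …
```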
@@ -1,34 +0,0 @@
-{{ if .Values.ciliumNetworkPolicy.enabled }}
-{{- if .Capabilities.APIVersions.Has "cilium.io/v2" -}}
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
- namespace: {{ .Release.Namespace }}
- name: prometheus
- labels:
- {{- include "labels.common" . | nindent 4 }}
-spec:
- endpointSelector:
- matchLabels:
- app.kubernetes.io/name: prometheus
- egress:
- - toEntities:
- - kube-apiserver
- - cluster
- # the below allows access to the kubernetes API server via the external
- # loadbalancer - prometheus appears to talk to the apiserver directly on
- # the master nodes and also via the loadbalancer.
- - toEntities:
- - world
- toPorts:
- - ports:
- - port: "443"
- - port: "6443"
- ingress:
- - fromEntities:
- - cluster
- toPorts:
- - ports:
- - port: "9090"
-{{ end }}
-{{ end }}