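# Selenium Grid NetworkPolicy.
#
# Captured into bluejay-infra 2026-05-07 during the regroup audit. This
# NetworkPolicy was previously applied via `kubectl apply` directly to
# the cluster with no source-of-truth anywhere — a fresh cluster rebuild
# would have lost all of it (including the Selenium Grid → Traefik VIP
# allow rule for AAT runs against `*.iamworkin.lan` services).
#
# The Selenium Grid Deployment + Services themselves are still managed
# outside ArgoCD (deployed via raw kubectl from the original Selenium
# Grid bring-up). Migrating those into bluejay-infra is a separate lane —
# this commit only restores GitOps repeatability for the NetworkPolicy.
#
# Rules captured from the live cluster's `kubectl get netpol -n selenium
# selenium-netpol -o yaml` on 2026-05-07. Originally applied 2026-03-15
# (from `metadata.creationTimestamp` before the field was stripped).
#
# NetworkPolicy rules are additive (a connection is allowed if ANY rule
# matches), so the order below is documentary only. `podSelector: {}`
# selects every pod in the `selenium` namespace and `policyTypes` lists
# both directions, so any traffic not matched by a rule below is denied.
#
# Allows:
# - Egress: CoreDNS (any pod in kube-system on 53/UDP+TCP), intra-namespace
#   pod-to-pod (4442/4443/4444/5555), Traefik VIP (10.0.56.200, 80/443) for
#   `*.iamworkin.lan` AAT runs, every namespace in the cluster
#   (`namespaceSelector: {}` — not only FC namespaces) on 80/443 plus the
#   standard FC service ports (5100/5200/5300/5400/8080), pod CIDR
#   (10.42.0.0/16) + service CIDR (10.43.0.0/16) for the same ports plus
#   8443, LAN gateway range (10.0.56.0/24) for 80/443/8443, edge2 CUPS
#   print (10.0.57.16:5200), public internet 80/443 (excluding all three
#   RFC1918 ranges), and fc-signage:5190 for the signage AAT lane.
# - Ingress: Traefik (4444 + 8089 ACME-solver-style), intra-pod,
#   telephony / gitea / fc-system / fc-signage / github-runner namespaces
#   on 4444.
#
# 2026-05-25: added github-runner ingress on 4444 so CI jobs running in
# self-hosted runner pods (e.g. FlowerCore.Print.Web `help-screenshots`)
# can reach the grid. Without this allow, the session POST to
# `selenium-hub.selenium.svc.cluster.local:4444` was DNAT'd to the hub
# pod IP and then dropped at the Calico ingress hook — Selenium UI showed
# 0/4 sessions while the .NET HTTP client timed out at 60s. Same family
# as `feedback_netpol_dnat_backend_port`, wrong-source-namespace flavor.
#
# Review note: the live policy's internet catch-all (`cidr: 0.0.0.0/0`)
# excluded only 172.16.0.0/12 and 192.168.0.0/16, so it silently granted
# 80/443 egress to all of 10.0.0.0/8 (LAN, pod and service ranges) despite
# the "excluding RFC1918" intent above. 10.0.0.0/8 is now in `except`;
# every 10.x destination this policy means to reach (Traefik VIP, LAN
# gateway range, edge2 CUPS, pod/service CIDRs) has its own rule, so
# those paths are unchanged.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: selenium-netpol
  namespace: selenium
  labels:
    app.kubernetes.io/part-of: selenium
    app.kubernetes.io/component: isolation
spec:
  # Applies to every pod in the namespace (hub + nodes alike).
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

  egress:
    # DNS. Scoped to the kube-system namespace only — no podSelector on
    # CoreDNS, so any kube-system pod is reachable on 53.
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system

    # Intra-namespace grid traffic: hub event bus (4442/4443), hub API
    # (4444), node (5555).
    - ports:
        - port: 4442
          protocol: TCP
        - port: 4443
          protocol: TCP
        - port: 4444
          protocol: TCP
        - port: 5555
          protocol: TCP
      to:
        - podSelector: {}

    # Traefik VIP — AAT runs against `*.iamworkin.lan` services.
    - ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.0.56.200/32

    # Every namespace in the cluster on 80/443 and the FC service ports.
    # `namespaceSelector: {}` is cluster-wide (kube-system included), not
    # limited to FC namespaces; tightening it to labelled namespaces is a
    # separate change.
    - ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
        - port: 5200
          protocol: TCP
        - port: 5300
          protocol: TCP
        - port: 5400
          protocol: TCP
        - port: 5100
          protocol: TCP
        - port: 8080
          protocol: TCP
      to:
        - namespaceSelector: {}

    # Service CIDR. Needed alongside the namespace rule because ClusterIP
    # traffic is evaluated against the service VIP on egress.
    - ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
        - port: 8443
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 5200
          protocol: TCP
        - port: 5300
          protocol: TCP
        - port: 5400
          protocol: TCP
        - port: 5100
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.43.0.0/16

    # Pod CIDR — same port set as the service CIDR rule.
    - ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
        - port: 8443
          protocol: TCP
        - port: 8080
          protocol: TCP
        - port: 5200
          protocol: TCP
        - port: 5300
          protocol: TCP
        - port: 5400
          protocol: TCP
        - port: 5100
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.42.0.0/16

    # LAN gateway range.
    - ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
        - port: 8443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.0.56.0/24

    # edge2 CUPS print.
    - ports:
        - port: 5200
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.0.57.16/32

    # Public internet on 80/443. All three RFC1918 ranges are excluded so
    # this catch-all cannot widen LAN/cluster reach beyond the explicit
    # rules above (10.0.0.0/8 was previously missing from `except`).
    - ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16

    # Signage AAT lane.
    - ports:
        - port: 5190
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-signage

  ingress:
    # Traefik: grid UI/API on 4444 plus 8089 (ACME-solver-style).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
      ports:
        - port: 4444
          protocol: TCP
        - port: 8089
          protocol: TCP

    # Intra-namespace grid traffic (mirror of the egress rule).
    - from:
        - podSelector: {}
      ports:
        - port: 4442
          protocol: TCP
        - port: 4443
          protocol: TCP
        - port: 4444
          protocol: TCP
        - port: 5555
          protocol: TCP

    # Session creation on the hub API from the namespaces that run AATs.
    # One rule per namespace keeps each allow greppable and independently
    # removable.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: telephony
      ports:
        - port: 4444
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gitea
      ports:
        - port: 4444
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-system
      ports:
        - port: 4444
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-signage
      ports:
        - port: 4444
          protocol: TCP
    # Self-hosted CI runners (see 2026-05-25 note in the header).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: github-runner
      ports:
        - port: 4444
          protocol: TCP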