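{{- /*
NetworkPolicy for one application.

Context expected from the caller (not validated here):
  .app      - Name, Namespace.Name, Namespace.Open, MatchLabels
  .labels   - label map rendered on the policy object
  .ingress  - Applications and Networks allowed to reach the application
  .egress   - Applications and Networks the application may reach

Nothing is rendered for a namespace marked Open.

Rule layout: "ingress:" and "egress:" are lists of rules (the API type is a
list, not a mapping), and every peer gets its own "- from:" / "- to:" rule
so that its Ports land on the rule, which is where networking.k8s.io/v1
defines them; NetworkPolicyPeer has no "ports" field, and a "ports" key
placed on a peer is rejected or pruned depending on server-side field
validation, pruning leaving the peer allowed on all ports. A peer without
Ports yields a rule that allows all ports for that peer.

The partials below are named networkpolicy.* and emit text at a fixed
indentation matching their single call site (a rule item under
"ingress:"/"egress:" at column 4); callers of the former "ports", "peers"
and "networks" partials must switch to these.
*/ -}}

{{- /* One NetworkPolicyPeer selecting an application's pods in its namespace. */ -}}
{{- define "networkpolicy.appPeer" }}
        - podSelector:
            matchLabels:
              {{- .MatchLabels | toYaml | nindent 14 }}
          namespaceSelector:
            matchLabels:
              {{- /* Immutable label set by the API server; quoted so an all-digit namespace name stays a string. */}}
              kubernetes.io/metadata.name: "{{ .Namespace.Name }}"
{{- end }}

{{- /* One NetworkPolicyPeer for a CIDR block with optional exclusions; "except:" is omitted when empty. */ -}}
{{- define "networkpolicy.cidrPeer" }}
        - ipBlock:
            cidr: "{{ .CIDR }}"
            {{- if .Except }}
            except:
              {{- range .Except }}
              - "{{ . }}"
              {{- end }}
            {{- end }}
{{- end }}

{{- /* Rule-level "ports:" list; emits nothing when the list is empty, which allows all ports. */ -}}
{{- define "networkpolicy.rulePorts" }}
{{- if . }}
      ports:
        {{- range . }}
        {{- /* Port stays unquoted: a numeric port must render as an int (IntOrString); a named port renders as a string. */}}
        - port: {{ .Port }}
          {{- if .Protocol }}
          protocol: {{ .Protocol }}
          {{- end }}
        {{- end }}
{{- end }}
{{- end }}

{{- if not .app.Namespace.Open }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: "{{ .app.Name }}"
  namespace: "{{ .app.Namespace.Name }}"
  labels:
    {{- .labels | toYaml | nindent 4 }}
spec:
  {{- /* NOTE(review): .app.MatchLabels is assumed to be a label map like the peers' .MatchLabels, so it is nested under matchLabels; a bare map under podSelector would be pruned to an empty selector (all pods in the namespace). Confirm against the caller. */}}
  podSelector:
    matchLabels:
      {{- .app.MatchLabels | toYaml | nindent 6 }}
  {{- /* With neither direction present this renders "policyTypes:" as null and no rules, i.e. deny all ingress (the Kubernetes default for a policy without policyTypes). */}}
  policyTypes:
    {{- if or .ingress.Applications .ingress.Networks }}
    - Ingress
    {{- end }}
    {{- if or .egress.Applications .egress.Networks }}
    - Egress
    {{- end }}
  {{- if or .ingress.Applications .ingress.Networks }}
  ingress:
    {{- range .ingress.Applications }}
    - from:
        {{- template "networkpolicy.appPeer" . }}
      {{- template "networkpolicy.rulePorts" .Ports }}
    {{- end }}
    {{- range .ingress.Networks }}
    - from:
        {{- template "networkpolicy.cidrPeer" . }}
      {{- template "networkpolicy.rulePorts" .Ports }}
    {{- end }}
  {{- end }}
  {{- if or .egress.Applications .egress.Networks }}
  egress:
    {{- range .egress.Applications }}
    - to:
        {{- template "networkpolicy.appPeer" . }}
      {{- template "networkpolicy.rulePorts" .Ports }}
    {{- end }}
    {{- range .egress.Networks }}
    - to:
        {{- template "networkpolicy.cidrPeer" . }}
      {{- template "networkpolicy.rulePorts" .Ports }}
    {{- end }}
  {{- end }}
{{- end }}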