homelab: add cilium policies to argocd

Signed-off-by: aserowy <serowy@hotmail.com>

cluster/homelab/argocd.nix

@@ -21,6 +21,73 @@
         };
         global.networkPolicy.create = true;
       };
+    };
+
+        resources = {
+    ciliumNetworkPolicies = {
+      allow-world-egress.spec = {
+        endpointSelector.matchLabels."app.kubernetes.io/name" = "argocd-repo-server";
+        egress = [
+          {
+            toEndpoints = [
+              {
+                matchLabels = {
+                  "k8s:io.kubernetes.pod.namespace" = "kube-system";
+                  "k8s:k8s-app" = "kube-dns";
+                };
+              }
+            ];
+            toPorts = [
+              {
+                ports = [
+                  {
+                    port = "53";
+                    protocol = "ANY";
+                  }
+                ];
+                rules.dns = [
+                  { matchPattern = "*"; }
+                ];
+              }
+            ];
+          }
+          {
+            toFQDNs = [
+              { matchName = "github.com"; }
+            ];
+            toPorts = [
+              {
+                ports = [
+                  {
+                    port = "443";
+                    protocol = "TCP";
+                  }
+                ];
+              }
+            ];
+          }
+        ];
+      };
+
+      allow-kube-apiserver-egress.spec = {
+        endpointSelector.matchLabels."app.kubernetes.io/part-of" = "argocd";
+        egress = [
+          {
+            toEntities = [ "kube-apiserver" ];
+            toPorts = [
+              {
+                ports = [
+                  {
+                    port = "6443";
+                    protocol = "TCP";
+                  }
+                ];
+              }
+            ];
+          }
+        ];
+      };
+    };
     };
   };
 }