polish(helm): configurable NetworkPolicy ingress peers + clearer API_ENCRYPTION_KEY comment

- networkPolicy.ingressFrom lets operators scope the ingress-controller
  rule to a specific namespace/podSelector. Defaults to a single empty
  peer (`- {}`), which is the explicit form of "any source" — same
  effective behavior as the old `from: []` but unambiguous across CNIs.
  To restrict, override with e.g.:
    networkPolicy:
      ingressFrom:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx

- API_ENCRYPTION_KEY comment: drop the "must be exactly 64 hex
  characters" phrasing that sat awkwardly next to `openssl rand -hex 32`.
  The generation command already produces the required length.

Author: waleedlatif1

helm/sim/templates/networkpolicy.yaml

@@ -26,9 +26,10 @@ spec:
     - protocol: TCP
       port: {{ .Values.app.service.targetPort }}
   {{- end }}
-  # Allow ingress from ingress controller
+  # Allow ingress from ingress controller (configurable peers; defaults to any)
   {{- if .Values.ingress.enabled }}
-  - from: []
+  - from:
+      {{- toYaml (default (list (dict)) .Values.networkPolicy.ingressFrom) | nindent 6 }}
     ports:
     - protocol: TCP
       port: {{ .Values.app.service.targetPort }}
@@ -131,9 +132,10 @@ spec:
     ports:
     - protocol: TCP
       port: {{ .Values.realtime.service.targetPort }}
-  # Allow ingress from ingress controller
+  # Allow ingress from ingress controller (configurable peers; defaults to any)
   {{- if .Values.ingress.enabled }}
-  - from: []
+  - from:
+      {{- toYaml (default (list (dict)) .Values.networkPolicy.ingressFrom) | nindent 6 }}
     ports:
     - protocol: TCP
       port: {{ .Values.realtime.service.targetPort }}

helm/sim/values.yaml

@@ -101,8 +101,8 @@ app:
     CRON_SECRET: ""         # OPTIONAL - required only if cronjobs.enabled=true, authenticates scheduled job requests
 
     # Optional: API Key Encryption (RECOMMENDED for production)
-    # Generate 64-character hex string using: openssl rand -hex 32 (outputs 64 hex chars = 32 bytes)
-    API_ENCRYPTION_KEY: ""  # OPTIONAL - encrypts API keys at rest, must be exactly 64 hex characters, if not set keys stored in plain text
+    # Generate with: openssl rand -hex 32 (produces the required 64-hex-char / 32-byte value).
+    API_ENCRYPTION_KEY: ""  # OPTIONAL - encrypts API keys at rest; if unset, keys are stored in plain text
     REDIS_URL: ""           # OPTIONAL - Redis connection string for caching/sessions; can also come from app secret or External Secrets
 
     # Email & Communication
@@ -951,7 +951,18 @@ monitoring:
 networkPolicy:
   enabled: false
 
-  # Custom ingress rules
+  # NetworkPolicyPeers allowed to reach the app/realtime pods on the
+  # ingress-controller path. Defaults to `- {}` (any source), which matches the
+  # common case where the ingress controller is the only thing routing to these
+  # ports. To restrict ingress to a specific controller namespace, replace with:
+  #   ingressFrom:
+  #     - namespaceSelector:
+  #         matchLabels:
+  #           kubernetes.io/metadata.name: ingress-nginx
+  ingressFrom:
+    - {}
+
+  # Custom ingress rules appended to the policy
   ingress: []
 
   # Egress configuration