From ec560b07adc55c0dc86a53dc18d1e05d90779458 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Mon, 19 Aug 2024 16:32:58 +0200
Subject: [PATCH] =?UTF-8?q?fix(base-cluster/cert-manager):=20ciliumNetwork?= =?UTF-8?q?Policy=20for=20cert-manager=20otherwise=20it=20can't=20correctl?= =?UTF-8?q?y=20talk=20to=20letsencrypt,=20...=20=F0=9F=A4=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../templates/cert-manager/cert-manager.yaml | 8 ++++----
 .../templates/cert-manager/ciliumNetworkPolicy.yaml | 12 +++++++++---
 .../global/ciliumClusterwideNetworkPolicy.yaml | 11 +++-------
 3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/charts/base-cluster/templates/cert-manager/cert-manager.yaml b/charts/base-cluster/templates/cert-manager/cert-manager.yaml
index 0809b2315..21119f9ab 100644
--- a/charts/base-cluster/templates/cert-manager/cert-manager.yaml
+++ b/charts/base-cluster/templates/cert-manager/cert-manager.yaml
@@ -33,10 +33,10 @@ spec: defaultIssuerKind: ClusterIssuer {{- end }} {{ if .Values.certManager.dnsChallengeNameservers }} - {{- $nameservers := list -}} - {{- range $ip, $port := .Values.certManager.dnsChallengeNameservers }} - {{- $nameservers = append $nameservers (printf "%s:%v" $ip $port) -}} - {{- end -}} + {{- $nameservers := list -}} + {{- range $ip, $port := .Values.certManager.dnsChallengeNameservers -}} + {{- $nameservers = append $nameservers (printf "%s:%v" $ip $port) -}} + {{- end -}} extraArgs: - --dns01-recursive-nameservers={{- $nameservers | sortAlpha | join "," }} {{- end }}
diff --git a/charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml b/charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml
index 56bf28ab2..6880fc623 100644
--- a/charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml
+++ b/charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml
@@ -19,9 +19,15 @@ spec: - port: "9402" protocol: TCP egress: + - toEntities: + - world # allow access to letsencrypt and the DNS apis + toPorts: + - ports: + - port: "443" + protocol: TCP - toEntities: - kube-apiserver - - toPorts: + - toPorts: # needs to talk to all possible DNS servers - ports: - port: "53" protocol: UDP
@@ -50,7 +56,7 @@ spec: - port: "10250" protocol: TCP - fromEntities: - - host + - health toPorts: - ports: - port: "6080"
@@ -72,7 +78,7 @@ spec: app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager ingress: - - { } + - {} egress: - toEntities: - kube-apiserver
diff --git a/charts/base-cluster/templates/global/ciliumClusterwideNetworkPolicy.yaml b/charts/base-cluster/templates/global/ciliumClusterwideNetworkPolicy.yaml
index a81c1d90e..6e8822b40 100644
--- a/charts/base-cluster/templates/global/ciliumClusterwideNetworkPolicy.yaml
+++ b/charts/base-cluster/templates/global/ciliumClusterwideNetworkPolicy.yaml
@@ -6,11 +6,10 @@ metadata: labels: {{- include "common.labels.standard" $ | nindent 4 }} spec: endpointSelector: - matchLabels: { } + matchLabels: {} egress: - toEntities: - cluster - - host - toEntities: - world toPorts:
@@ -38,13 +37,9 @@ spec: matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.global.networkPolicy.dnsLabels "context" $) | nindent 6 }} egress: - toEntities: - - kube-apiserver - toPorts: - - ports: - - port: "6443" - protocol: TCP + - kube-apiserver - toEntities: - - all + - all toPorts: - ports: - port: "53"
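Review bot: The new egress rule opens TCP/443 to the whole `world` entity, i.e. every address outside the cluster, while the comment on `- world` narrows the intent to Let's Encrypt and the DNS-provider APIs. Cilium can express that intent with `toFQDNs` (for example `matchName: acme-v02.api.letsencrypt.org` plus the provider's API host) in place of `toEntities: [world]`; this requires the port-53 rule in this hunk to carry `rules: dns: - matchPattern: "*"` so the DNS proxy learns the resolved addresses, and is worth a follow-up if the provider hosts are stable for this chart. The DNS rule that receives the new comment permits UDP only; DNS clients generally retry over TCP when a UDP answer is truncated, so a sibling `- port: "53"` with `protocol: TCP` would avoid sporadic DNS01 self-check failures. The wording `# needs to talk to all possible DNS servers` reads as if the rule has no L3 selector, which would match any destination on port 53; if that is intended, state it explicitly, e.g. `# no L3 selector on purpose: recursive nameservers may be anywhere`.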
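Review bot: Replacing `host` with `health` in the `fromEntities` of the port-6080 ingress rule changes the permitted source rather than just its name: in Cilium `health` denotes the cilium-agent's own health endpoints, whereas kubelet probes arrive from the `host` (or `remote-node`) entity. If 6080 is the webhook's healthz port, as the neighbouring 10250 rule suggests, kubelet probes may now pass only because Cilium's default handling of local-host traffic bypasses policy, which would leave this rule ineffective rather than correct. Either keep `- host` alongside `- health`, or record which traffic `health` is expected to cover here, e.g. `- health  # cilium-agent health checks; kubelet probes come from the host entity`. The enclosing policy continues outside the hunk.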
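Review bot: The kube-apiserver egress for the DNS pods loses its `toPorts` restriction to TCP/6443 and now allows any port toward that entity; the commit message gives no reason for dropping the L4 constraint. If the motivation is that the API server is reached on 443 in some environments, listing both ports preserves the restriction, e.g. `- port: "6443"` and `- port: "443"` each with `protocol: TCP` under the existing `ports:` list. If removing the L4 filter is deliberate, a comment next to `- kube-apiserver` recording that choice would keep the next reader from re-adding it. The `- all` rule that follows keeps its port-53 scope and is unaffected.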