config: Open cert-manager netpols by default

And add config for cert-manager HTTP-01 egress.
elastisys · Sep 6, 2024 · 3fe16df · 3fe16df
1 parent 5e1ce52
commit 3fe16df
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 3 deletions.
diff --git a/config/common-config.yaml b/config/common-config.yaml
@@ -1048,6 +1048,9 @@ networkPolicies:
     letsencrypt:
       ips:
         - set-me-if-(.networkPolicies.certManager.enabled)
+    # Configure this if HTTP-01 challenges need to be enabled in cert-manager for other endpoints than the ingress-controller
+    http01:
+      ips: []
     # Configure this if DNS-01 challenges are enabled in cert-manager
     dns01:
       ips: []

diff --git a/config/flavors/dev/common-config.yaml b/config/flavors/dev/common-config.yaml
@@ -9,3 +9,16 @@ prometheus:
 
 velero:
   enabled: false
+
+networkPolicies:
+  # ADR: https://elastisys.io/compliantkubernetes/adr/0051-open-cert-manager-netpols/
+  certManager:
+    letsencrypt:
+      ips:
+        - 0.0.0.0/0
+    http01:
+      ips:
+        - 0.0.0.0/0
+    dns01:
+      ips:
+        - 0.0.0.0/0
diff --git a/config/flavors/prod/common-config.yaml b/config/flavors/prod/common-config.yaml
@@ -6,3 +6,16 @@ prometheus:
     size: 15Gi
   retention:
     size: 12GiB
+
+networkPolicies:
+  # ADR: https://elastisys.io/compliantkubernetes/adr/0051-open-cert-manager-netpols/
+  certManager:
+    letsencrypt:
+      ips:
+        - 0.0.0.0/0
+    http01:
+      ips:
+        - 0.0.0.0/0
+    dns01:
+      ips:
+        - 0.0.0.0/0
diff --git a/config/schemas/config.yaml b/config/schemas/config.yaml
@@ -6225,6 +6225,14 @@ properties:
             additionalProperties: false
             properties:
               ips: true
+          http01:
+            title: Network Policies cert-manager HTTP-01
+            description: Configure network policy rule to allow cert-manager perform HTTP-01 challenges on other endpoints than the ingress-controller.
+            type: object
+            additionalProperties: false
+            properties:
+              ips:
+                $ref: '#/$defs/iplist'
           dns01:
             title: Network Policies cert-manager DNS-01
             description: Configure network policy rule to allow cert-manager perform DNS-01 challenges.

diff --git a/helmfile.d/values/networkpolicies/common/cert-manager.yaml.gotmpl b/helmfile.d/values/networkpolicies/common/cert-manager.yaml.gotmpl
@@ -31,6 +31,16 @@ policies:
           ports:
             - tcp: 443
         {{- end }}
+        {{- with .Values | get "networkPolicies.certManager.http01.ips" list }}
+        - name: egress-rule-http01
+          peers:
+            {{- range . }}
+            - cidr: {{ . }}
+            {{- end }}
+          ports:
+            - tcp: 443
+            - tcp: 80
+        {{- end }}
         {{- with .Values | get "networkPolicies.certManager.dns01.ips" list }}
         - name: egress-rule-dns01
           peers:

diff --git a/migration/v0.41/README.md b/migration/v0.41/README.md
@@ -82,6 +82,24 @@ As with all scripts in this repository `CK8S_CONFIG_PATH` is expected to be set.
     ./bin/ck8s upgrade wc v0.41 apply
     ```
 
+1. For `dev` and `prod` flavours: The default network policies for cert-manager has changed, and now it is allowed egress to:
+
+    - `0.0.0.0/0:53/udp`
+    - `0.0.0.0/0:53/tcp`
+    - `0.0.0.0/0:80/tcp`
+    - `0.0.0.0/0:443/tcp`
+
+    To allow it to perform any DNS-01 or HTTP-01 challenge by default.
+    If you have previously overridden it you can remove the overrides to opt into the new defaults, and if you want to restrict it you need to configure the network policies manually.
+
+    To remove previous overrides:
+
+    ```bash
+    yq4 -i 'del(.networkPolicies.certManager)' "${CK8S_CONFIG_PATH}/common-config.yaml"
+    yq4 -i 'del(.networkPolicies.certManager)' "${CK8S_CONFIG_PATH}/sc-config.yaml"
+    yq4 -i 'del(.networkPolicies.certManager)' "${CK8S_CONFIG_PATH}/wc-config.yaml"
+    ```
+
 1. If Tekton is enabled, ensure to add appropriate network policies for the pipeline.
 
   To check if the tekton is enabled, run the following command

diff --git a/tests/unit/general/bin-conditional-set-me.bats b/tests/unit/general/bin-conditional-set-me.bats
@@ -11,7 +11,7 @@ setup_file() {
   gpg.setup
   env.setup
 
-  env.init baremetal kubespray dev --skip-issuers --skip-network-policies
+  env.init baremetal kubespray air-gapped --skip-issuers --skip-network-policies
 }
 
 teardown_file() {
@@ -101,11 +101,11 @@ _refute_condition_and_warn() {
 # bats test_tags=conditional_set_me_slack_alerts
 @test "conditional-set-me - singular conditions: slack alerts" {
 
-  yq.set common .alerts.alertTo \"slack\"
+  yq.set sc .alerts.alertTo \"slack\"
   run _apply_normalise_sc
   _assert_condition_and_warn .\"alerts\".\"slack\".\"channel\"
 
-  yq.set common .alerts.alertTo \"\"
+  yq.set sc .alerts.alertTo \"\"
   run _apply_normalise_sc
   _refute_condition_and_warn .\"alerts\".\"slack\".\"channel\"
 }