First policy draft

Author: YuryHrytsuk

charts/cert-manager/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cert-manager/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: cert-manager
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.15.3
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.15.3"
+
+dependencies:
+  - name: cert-manager
+    version: 1.15.3
+    repository: "https://charts.jetstack.io"

charts/cert-manager/README.md

@@ -0,0 +1 @@
+## Network policy

charts/cert-manager/templates/NOTES.txt

@@ -0,0 +1 @@
+This is a wrap around the cert-manager Helm chart.

charts/cert-manager/templates/networkpolicy.yaml

@@ -0,0 +1,43 @@
+# https://cert-manager.io/docs/installation/best-practice/#network-requirements
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: cert-manager-network-policy
+spec:
+  ingress:
+    # 2. TCP: Kubernetes (API server) -> cert-manager (webhook)
+    - action: Allow
+      protocol: TCP
+      source:
+        selector: 'component == "kube-apiserver"'
+      destination:
+        selector: 'app.kubernetes.io/component == "webhook"'
+        ports:
+          - {{ .Values.cert-manager.webhook.securePort }}
+  egress:
+    # 3. TCP: cert-manager (webhook, controller, cainjector, startupapicheck) -> Kubernetes API server
+    - action: Allow
+      protocol: TCP
+      destination:
+        nets:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+        ports:
+          - 6443
+    # 6. TCP: cert-manager (controller) -> DNS API endpoints (for ACME DNS01)
+    - action: Allow
+      protocol: TCP
+      source:
+        selector: 'app.kubernetes.io/component == "controller"'
+      destination:
+        ports:
+          - 443
+    # 7. UDP / TCP: cert-manager (controller) -> External DNS
+    - action: Allow
+      protocol: UDP
+      source:
+        selector: 'app.kubernetes.io/component == "controller"'
+      destination:
+        ports:
+          - 53

charts/cert-manager/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "cert-manager.fullname" . }}-test-connection"
+  labels:
+    {{- include "cert-manager.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "cert-manager.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

charts/cert-manager/values.common.yaml.gotmpl

@@ -1,6 +1,10 @@
-crds:
-  enabled: true
-  keep: true
+cert-manager:
+  crds:
+    enabled: true
+    keep: true
 
-nodeSelector:
-  ops: "true"
+  nodeSelector:
+    ops: "true"
+
+  webhook:
+    securePort: 10250

charts/cert-manager/values.rfc2136.yaml.gotmpl

@@ -1,35 +1,36 @@
-extraObjects:
-- |
-  apiVersion: v1
-  kind: Secret
-  metadata:
-    name: rfc2136-credentials
-    namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
-  type: Opaque
-  data:
-    tsig-secret-key: {{ requiredEnv "RFC2136_TSIG_SECRET" | b64enc }}  # Base64 encoded Secret Access Key
-- |
-  apiVersion: cert-manager.io/v1
-  kind: ClusterIssuer
-  metadata:
-    name: cert-issuer
-    namespace: {{ .Release.Namespace }}
-    annotations:
-      # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
-      "helm.sh/hook": post-install,post-upgrade
-      "helm.sh/hook-weight": "1"
-  spec:
-    acme:
-      email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
-      server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
-      privateKeySecretRef:
-        name: cert-manager-acme-private-key
-      solvers:
-        - dns01:
-            rfc2136:
-                nameserver:  {{ requiredEnv "RFC2136_NAMESERVER" }}
-                tsigKeyName: {{ requiredEnv "RFC2136_TSIG_KEY" }}
-                tsigAlgorithm: {{ requiredEnv "RFC2136_TSIG_ALGORITHM_CERT_MANAGER" }}
-                tsigSecretSecretRef:
-                    name: rfc2136-credentials
-                    key: tsig-secret-key
+cert-manager:
+  extraObjects:
+  - |
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: rfc2136-credentials
+      namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
+    type: Opaque
+    data:
+      tsig-secret-key: {{ requiredEnv "RFC2136_TSIG_SECRET" | b64enc }}  # Base64 encoded Secret Access Key
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: cert-issuer
+      namespace: {{ .Release.Namespace }}
+      annotations:
+        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+    spec:
+      acme:
+        email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
+        server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
+        privateKeySecretRef:
+          name: cert-manager-acme-private-key
+        solvers:
+          - dns01:
+              rfc2136:
+                  nameserver:  {{ requiredEnv "RFC2136_NAMESERVER" }}
+                  tsigKeyName: {{ requiredEnv "RFC2136_TSIG_KEY" }}
+                  tsigAlgorithm: {{ requiredEnv "RFC2136_TSIG_ALGORITHM_CERT_MANAGER" }}
+                  tsigSecretSecretRef:
+                      name: rfc2136-credentials
+                      key: tsig-secret-key

charts/cert-manager/values.route53.yaml.gotmpl

@@ -1,37 +1,38 @@
-extraObjects:
-- |
-  apiVersion: v1
-  kind: Secret
-  metadata:
-    name: route53-credentials
-    namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
-  type: Opaque
-  data:
-    access-key-id: {{ requiredEnv "DNS_CHALLENGE_AWS_ACCESS_KEY_ID" | b64enc }}
-    secret-access-key: {{ requiredEnv "DNS_CHALLENGE_AWS_SECRET_ACCESS_KEY" | b64enc }}
-- |
-  apiVersion: cert-manager.io/v1
-  kind: ClusterIssuer
-  metadata:
-    name: cert-issuer
-    namespace: {{ .Release.Namespace }}
-    annotations:
-      # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
-      "helm.sh/hook": post-install,post-upgrade
-      "helm.sh/hook-weight": "1"
-  spec:
-    acme:
-      email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
-      server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
-      privateKeySecretRef:
-        name: cert-manager-acme-private-key
-      solvers:
-        - dns01:
-            route53:
-              region: {{ requiredEnv "DNS_CHALLENGE_AWS_REGION" }}
-              accessKeyIDSecretRef:
-                name: route53-credentials
-                key: access-key-id
-              secretAccessKeySecretRef:
-                name: route53-credentials
-                key: secret-access-key
+cert-manager:
+  extraObjects:
+  - |
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: route53-credentials
+      namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
+    type: Opaque
+    data:
+      access-key-id: {{ requiredEnv "DNS_CHALLENGE_AWS_ACCESS_KEY_ID" | b64enc }}
+      secret-access-key: {{ requiredEnv "DNS_CHALLENGE_AWS_SECRET_ACCESS_KEY" | b64enc }}
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: cert-issuer
+      namespace: {{ .Release.Namespace }}
+      annotations:
+        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+    spec:
+      acme:
+        email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
+        server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
+        privateKeySecretRef:
+          name: cert-manager-acme-private-key
+        solvers:
+          - dns01:
+              route53:
+                region: {{ requiredEnv "DNS_CHALLENGE_AWS_REGION" }}
+                accessKeyIDSecretRef:
+                  name: route53-credentials
+                  key: access-key-id
+                secretAccessKeySecretRef:
+                  name: route53-credentials
+                  key: secret-access-key

charts/cert-manager/values.selfsigned.yaml.gotmpl

@@ -1,56 +1,57 @@
-extraObjects:
-- |
-  apiVersion: cert-manager.io/v1
-  kind: ClusterIssuer
-  metadata:
-    name: selfsigned-issuer
-    namespace: {{ .Release.Namespace }}
-    annotations:
-      # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-      "helm.sh/hook": post-install,post-upgrade
-      "helm.sh/hook-weight": "1"
-  spec:
-    selfSigned: {}
-- |
-  apiVersion: cert-manager.io/v1
-  kind: Certificate
-  metadata:
-    name: local-ca
-    namespace: {{ .Release.Namespace }}
-    annotations:
-      # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-      "helm.sh/hook": post-install,post-upgrade
-      "helm.sh/hook-weight": "1"
-  spec:
-    secretTemplate:
-      annotations:
-        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""  # Control destination namespaces: emptystring means all
-        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
-        reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" # Control auto-reflection namespaces
-    isCA: true
-    commonName: local-ca
-    subject:
-      organizations:
-        - Z43
-    secretName: local-ca-secret
-    privateKey:
-      algorithm: ECDSA
-      size: 256
-    issuerRef:
+cert-manager:
+  extraObjects:
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
       name: selfsigned-issuer
-      kind: ClusterIssuer
-      group: cert-manager.io
-- |
-  apiVersion: cert-manager.io/v1
-  kind: ClusterIssuer
-  metadata:
-    name: cert-issuer
-    namespace: {{ .Release.Namespace }}
-    annotations:
-      # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-      "helm.sh/hook": post-install,post-upgrade
-      "helm.sh/hook-weight": "1"
-  spec:
-    ca:
+      namespace: {{ .Release.Namespace }}
+      annotations:
+        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+    spec:
+      selfSigned: {}
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: local-ca
+      namespace: {{ .Release.Namespace }}
+      annotations:
+        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+    spec:
+      secretTemplate:
+        annotations:
+          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""  # Control destination namespaces: emptystring means all
+          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
+          reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" # Control auto-reflection namespaces
+      isCA: true
+      commonName: local-ca
+      subject:
+        organizations:
+          - Z43
       secretName: local-ca-secret
+      privateKey:
+        algorithm: ECDSA
+        size: 256
+      issuerRef:
+        name: selfsigned-issuer
+        kind: ClusterIssuer
+        group: cert-manager.io
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: cert-issuer
+      namespace: {{ .Release.Namespace }}
+      annotations:
+        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+    spec:
+      ca:
+        secretName: local-ca-secret