Kubernetes: add cert-manager network policy

charts/calico-configuration/templates/globalpolicy.yaml

@@ -8,7 +8,7 @@ spec:
   # "calico-system", "calico-apiserver", "tigera-operator" -- calico namespaces (when installed via scripts [local deployment])
   # TODO: other namespaces are to be removed from this list (once appropriate network policies are created)
   namespaceSelector:
-    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "cert-manager", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn"}
+    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn"}
   types:
     - Ingress
     - Egress

charts/cert-manager/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cert-manager/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.15.3
+digest: sha256:47142c9b5a4892f942219774d3a7c45368941163d17e56c577fb981da2abad0a
+generated: "2025-08-11T14:55:17.254100391+02:00"

charts/cert-manager/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: cert-manager
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.15.3
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.15.3"
+
+dependencies:
+  - name: cert-manager
+    version: 1.15.3
+    repository: "https://charts.jetstack.io"

charts/cert-manager/README.md

@@ -0,0 +1,5 @@
+## Network policy
+
+Read more https://cert-manager.io/docs/installation/best-practice/#network-requirements
+
+Be aware that this might have an affect on cert manager webhook application that is called during installation of the cert manager helm chart. If network policy is misconfigured, this will affect installation (e.g. `certissuers` might be missing as they are installed via helm hooks that apparently require cert manager webhook to be reachable)

charts/cert-manager/templates/NOTES.txt

@@ -0,0 +1,3 @@
+This is a wrap around the cert-manager Helm chart.
+
+NOTE: on network policy change, manual restart of the cert-manager pods might be necessary to apply new rules.

charts/cert-manager/templates/networkpolicy.yaml

@@ -0,0 +1,50 @@
+# https://cert-manager.io/docs/installation/best-practice/#network-requirements
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: cert-manager-network-policy
+spec:
+  ingress:
+    # 2. TCP: Kubernetes (API server) -> cert-manager (webhook)
+    - action: Allow
+      protocol: TCP
+      source:
+        # both selectors below did not work
+        # selector: 'component == "kube-apiserver"'
+        # namespaceSelector: kubernetes.io/metadata.name == "kube-system"
+        nets:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+      destination:
+        selector: 'app.kubernetes.io/component == "webhook"'
+        ports:
+          # https://stackoverflow.com/a/63863410/12124525
+          - {{ index .Values "cert-manager" "webhook" "securePort" }}
+  egress:
+    # 3. TCP: cert-manager (webhook, controller, cainjector, startupapicheck) -> Kubernetes API server
+    - action: Allow
+      protocol: TCP
+      destination:
+        nets:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+        ports:
+          - 6443
+    # 6. TCP: cert-manager (controller) -> DNS API endpoints (for ACME DNS01)
+    - action: Allow
+      protocol: TCP
+      source:
+        selector: 'app.kubernetes.io/component == "controller"'
+      destination:
+        ports:
+          - 443
+    # 7. UDP / TCP: cert-manager (controller) -> External DNS
+    - action: Allow
+      protocol: UDP
+      source:
+        selector: 'app.kubernetes.io/component == "controller"'
+      destination:
+        ports:
+          - 53

charts/cert-manager/values.common.yaml.gotmpl

@@ -1,6 +1,10 @@
-crds:
-  enabled: true
-  keep: true
+cert-manager:
+  crds:
+    enabled: true
+    keep: true
 
-nodeSelector:
-  ops: "true"
+  nodeSelector:
+    ops: "true"
+
+  webhook:
+    securePort: 10250

charts/cert-manager/values.rfc2136.yaml.gotmpl

@@ -1,35 +1,36 @@
-extraObjects:
-- |
-  apiVersion: v1
-  kind: Secret
-  metadata:
-    name: rfc2136-credentials
-    namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
-  type: Opaque
-  data:
-    tsig-secret-key: {{ requiredEnv "RFC2136_TSIG_SECRET" | b64enc }}  # Base64 encoded Secret Access Key
-- |
-  apiVersion: cert-manager.io/v1
-  kind: ClusterIssuer
-  metadata:
-    name: cert-issuer
-    namespace: {{ .Release.Namespace }}
-    annotations:
-      # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
-      "helm.sh/hook": post-install,post-upgrade
-      "helm.sh/hook-weight": "1"
-  spec:
-    acme:
-      email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
-      server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
-      privateKeySecretRef:
-        name: cert-manager-acme-private-key
-      solvers:
-        - dns01:
-            rfc2136:
-                nameserver:  {{ requiredEnv "RFC2136_NAMESERVER" }}
-                tsigKeyName: {{ requiredEnv "RFC2136_TSIG_KEY" }}
-                tsigAlgorithm: {{ requiredEnv "RFC2136_TSIG_ALGORITHM_CERT_MANAGER" }}
-                tsigSecretSecretRef:
-                    name: rfc2136-credentials
-                    key: tsig-secret-key
+cert-manager:
+  extraObjects:
+  - |
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: rfc2136-credentials
+      namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
+    type: Opaque
+    data:
+      tsig-secret-key: {{ requiredEnv "RFC2136_TSIG_SECRET" | b64enc }}  # Base64 encoded Secret Access Key
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: cert-issuer
+      namespace: {{ .Release.Namespace }}
+      annotations:
+        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+    spec:
+      acme:
+        email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
+        server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
+        privateKeySecretRef:
+          name: cert-manager-acme-private-key
+        solvers:
+          - dns01:
+              rfc2136:
+                  nameserver:  {{ requiredEnv "RFC2136_NAMESERVER" }}
+                  tsigKeyName: {{ requiredEnv "RFC2136_TSIG_KEY" }}
+                  tsigAlgorithm: {{ requiredEnv "RFC2136_TSIG_ALGORITHM_CERT_MANAGER" }}
+                  tsigSecretSecretRef:
+                      name: rfc2136-credentials
+                      key: tsig-secret-key

charts/cert-manager/values.route53.yaml.gotmpl

@@ -1,37 +1,38 @@
-extraObjects:
-- |
-  apiVersion: v1
-  kind: Secret
-  metadata:
-    name: route53-credentials
-    namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
-  type: Opaque
-  data:
-    access-key-id: {{ requiredEnv "DNS_CHALLENGE_AWS_ACCESS_KEY_ID" | b64enc }}
-    secret-access-key: {{ requiredEnv "DNS_CHALLENGE_AWS_SECRET_ACCESS_KEY" | b64enc }}
-- |
-  apiVersion: cert-manager.io/v1
-  kind: ClusterIssuer
-  metadata:
-    name: cert-issuer
-    namespace: {{ .Release.Namespace }}
-    annotations:
-      # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
-      "helm.sh/hook": post-install,post-upgrade
-      "helm.sh/hook-weight": "1"
-  spec:
-    acme:
-      email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
-      server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
-      privateKeySecretRef:
-        name: cert-manager-acme-private-key
-      solvers:
-        - dns01:
-            route53:
-              region: {{ requiredEnv "DNS_CHALLENGE_AWS_REGION" }}
-              accessKeyIDSecretRef:
-                name: route53-credentials
-                key: access-key-id
-              secretAccessKeySecretRef:
-                name: route53-credentials
-                key: secret-access-key
+cert-manager:
+  extraObjects:
+  - |
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: route53-credentials
+      namespace: {{ .Release.Namespace }}  # secret must be in same namespace as Cert Manager deployment
+    type: Opaque
+    data:
+      access-key-id: {{ requiredEnv "DNS_CHALLENGE_AWS_ACCESS_KEY_ID" | b64enc }}
+      secret-access-key: {{ requiredEnv "DNS_CHALLENGE_AWS_SECRET_ACCESS_KEY" | b64enc }}
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: cert-issuer
+      namespace: {{ .Release.Namespace }}
+      annotations:
+        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+    spec:
+      acme:
+        email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
+        server: {{ requiredEnv "DNS_CHALLENGE_ACME_SERVER" }}
+        privateKeySecretRef:
+          name: cert-manager-acme-private-key
+        solvers:
+          - dns01:
+              route53:
+                region: {{ requiredEnv "DNS_CHALLENGE_AWS_REGION" }}
+                accessKeyIDSecretRef:
+                  name: route53-credentials
+                  key: access-key-id
+                secretAccessKeySecretRef:
+                  name: route53-credentials
+                  key: secret-access-key