From e435f0f6c2c09e37cbb300c081a5af618c7e3c90 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Tue, 21 Feb 2023 03:03:01 +0100
Subject: [PATCH] fix(uptime-kuma): Add network policy for HTTP challenge

---
 apps/base/uptime-kuma/kustomization.yaml      |  2 ++
 .../allow-from-http-challenge.yaml            | 14 +++++++++++
 .../allow-to-public-web-http-challenge.yaml   | 24 +++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 shared/networkpolicies/allow-from-http-challenge.yaml
 create mode 100644 shared/networkpolicies/allow-to-public-web-http-challenge.yaml

diff --git a/apps/base/uptime-kuma/kustomization.yaml b/apps/base/uptime-kuma/kustomization.yaml
index 849d7d55c..ef00bae08 100644
--- a/apps/base/uptime-kuma/kustomization.yaml
+++ b/apps/base/uptime-kuma/kustomization.yaml
@@ -7,7 +7,9 @@ resources:
   - release.yaml
   - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
   - ../../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../../shared/networkpolicies/allow-from-http-challenge.yaml
   - ../../../shared/networkpolicies/allow-to-kubedns.yaml
   - ../../../shared/networkpolicies/allow-to-public-web.yaml
+  - ../../../shared/networkpolicies/allow-to-public-web-http-challenge.yaml
 patchesStrategicMerge:
   - networkpolicy.yaml
diff --git a/shared/networkpolicies/allow-from-http-challenge.yaml b/shared/networkpolicies/allow-from-http-challenge.yaml
new file mode 100644
index 000000000..ab9b1a37a
--- /dev/null
+++ b/shared/networkpolicies/allow-from-http-challenge.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          ingress.shivering-isles.com/network-access-required: "true"
+  podSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
\ No newline at end of file
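Review bot: The `metadata.name: allow-from-ingress` in this new file looks copy-pasted and, if allow-from-ingress.yaml in the same kustomization declares the same name (its filename suggests it does), kustomize will refuse the build with a duplicate resource id, or a plain apply would have one policy silently replace the other; renaming it to match the filename, `name: allow-from-http-challenge`, avoids both. The ingress rule also carries no `ports`, so every pod in a namespace labelled `ingress.shivering-isles.com/network-access-required: "true"` can reach any port on the solver pod, while the solver only needs its challenge listener (8089 by default for cert-manager's acmesolver, please verify against the deployed version). Adding an explicit `policyTypes: [Ingress]` would also keep this file consistent with the sibling egress policy, which spells its type out rather than relying on inference.
```yaml
metadata:
  name: allow-from-http-challenge
spec:
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              ingress.shivering-isles.com/network-access-required: "true"
      ports:
        - protocol: TCP
          port: 8089  # acmesolver listen port, confirm against the solver pod spec
  # … unchanged: podSelector on acme.cert-manager.io/http01-solver …
```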
diff --git a/shared/networkpolicies/allow-to-public-web-http-challenge.yaml b/shared/networkpolicies/allow-to-public-web-http-challenge.yaml
new file mode 100644
index 000000000..12eef6c6f
--- /dev/null
+++ b/shared/networkpolicies/allow-to-public-web-http-challenge.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  egress:
+  - to:
+    - ipBlock:
+        except:
+          - "192.168.0.0/16"
+          - "172.16.0.0/12"
+          - "10.0.0.0/8"
+          - "169.254.0.0/16"
+          - "100.64.0.0/10"
+        cidr: 0.0.0.0/0
+    ports:
+      - protocol: TCP
+        port: 80
+  policyTypes:
+  - Egress
+  podSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
\ No newline at end of file
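Review bot: This policy is named `allow-to-public-web`, the same name the existing allow-to-public-web.yaml presumably uses, and both are listed in the same kustomization, so the build will likely fail on a duplicate resource id or one policy will overwrite the other; `name: allow-to-public-web-http-challenge` matches the filename and resolves that. It is also not obvious from the patch why the http01 solver pod needs outbound TCP/80 to the whole internet, since its role is to answer inbound challenge requests; if the egress is only there for a hairpin self-check through the public ingress IP, a comment such as `# solver needs outbound :80 only for the ACME self-check via the public ingress address` would record that, and if nothing on the pod makes outbound calls the policy can be dropped entirely. Note the `except` list covers RFC1918, link-local and CGNAT ranges, but not a pod or service CIDR that lives outside those blocks, so confirm the cluster's CIDRs fall inside them. Both new files also lack a trailing newline.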
-- 
GitLab