From a1b637e3808cef2d0f1231903177138fb03a70aa Mon Sep 17 00:00:00 2001
From: Steve Shipway
Date: Thu, 18 Jan 2024 15:15:41 +1300
Subject: [PATCH 1/2] Add optional network policy object for deploy of step-certificates
---
step-certificates/README.md | 3 ++
step-certificates/templates/policy.yaml | 39 +++++++++++++++++++++++++
step-certificates/values.yaml | 12 +++++++-
3 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 step-certificates/templates/policy.yaml
diff --git a/step-certificates/README.md b/step-certificates/README.md
index 63ba7fc..d91a16b 100644
--- a/step-certificates/README.md
+++ b/step-certificates/README.md
@@ -302,6 +302,9 @@ chart and their default values.
 | `existingSecrets.certsAsSecret` | When `true`use existing secret for certs instead of ConfigMap | `false` |
 | `existingSecrets.configAsSecret` | When `true`use existing secret for configuration instead of ConfigMap | `false` |
 | `podSecurityContext` | Set SecurityContext on POD level for STEP CA and STEP CA bootstrap job | See [values.yaml](./values.yaml) |
+| `networkpolicy.enabled` | When `true` create the NetworkPolicy definition | `false` |
+| `networkpolicy.annotations` | Additional annotations to add to the NetworkPolicy definition | `{}` |
+| `networkpolicy.allow` | If defined, restrict policy allow rule to only these CIDR subnets | `[]` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/step-certificates/templates/policy.yaml b/step-certificates/templates/policy.yaml
new file mode 100644
index 0000000..56aaee6
--- /dev/null
+++ b/step-certificates/templates/policy.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.networkpolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "step-certificates.fullname" . }}-policy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "step-certificates.labels" . | nindent 4 }}
+ {{- with .Values.networkpolicy.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "step-certificates.name" . }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ .Values.service.targetPort }}
+ - protocol: TCP
+ port: {{ .Values.service.port }}
+ {{- if .Values.networkpolicy.allow }}
+ from:
+ {{- range .Values.networkpolicy.allow }}
+ - ipBlock:
+ cidr: {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ egress:
+ - ports:
+ - protocol: TCP
+ port: 443
+ - protocol: TCP
+ port: 80
+{{- end }}
diff --git a/step-certificates/values.yaml b/step-certificates/values.yaml
index 1a7cda7..4dc2a22 100644
--- a/step-certificates/values.yaml
+++ b/step-certificates/values.yaml
@@ -1,3 +1,4 @@
+---
 # Default values for step-certificates.
 # kind is the type of object to use when deploying the CA.
@@ -278,7 +279,7 @@ ca:
 # existingClaim: ""
 # accessModes defines the Persistent Volume Access Mode.
 accessModes:
- - ReadWriteOnce
+ - ReadWriteOnce
 # size is the Persistent Volume size.
 size: 10Gi
 # Whether to enable ssh support for step-ca
@@ -387,3 +388,12 @@ podSecurityContext:
 fsGroup: 1000
 # seccompProfile:
 # type: RuntimeDefault
+
+# Set up a network policy to allow incoming connections to the service
+# This is useful if your cluster has a default:deny policy set
+networkpolicy:
+ enabled: false
+ annotations: {}
+# Subnets to allow incoming access in CIDR format (eg: "10.0.0.0/8")
+# If not defined, allow all
+# allow: []
From 10f44064898e924c50ae95c6fb8cd37f98753f2d Mon Sep 17 00:00:00 2001
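Review bot: The egress section at the end of the new template permits only TCP 443 and TCP 80, so with `Egress` listed in `policyTypes` the CA pod has no rule allowing port 53; where this policy is the only one selecting the pod, name resolution from the CA is blocked and the 443/80 rule is usable only with literal IPs. A second egress rule for DNS on UDP and TCP 53 keeps the intent of the patch while letting the CA resolve its peers; the same gap remains in the `@@ -36,4 +36,11 @@` hunk of PATCH 2/2, which only adds a `to:` selector to the existing rule. Separately, `podSelector` matches on `app.kubernetes.io/name` alone; if the chart's pods carry the standard `app.kubernetes.io/instance` label, adding `app.kubernetes.io/instance: {{ .Release.Name }}` to `matchLabels` keeps two releases of the chart in one namespace from selecting each other's pods.
```yaml
  egress:
    # … unchanged: TCP 443/80 rule …
    # Cluster DNS; without this the rule above is reachable only by literal IP.
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```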
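Review bot: The three commented lines documenting `allow` in the `@@ -387,3 +388,12 @@` hunk sit at column 0 (their `+` is followed directly by `#`, unlike `+  enabled:`), so a user who uncomments `# allow: []` as written creates a top-level `allow` key while the template reads `.Values.networkpolicy.allow`, and the policy silently stays in allow-all mode. Indent the block under `networkpolicy:` and make the key real, `  allow: []`; the template's `{{- if .Values.networkpolicy.allow }}` still treats that as unset because an empty list is false in Go templates. That also matches the README row, which already states the default as `[]`.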
From: Steve Shipway
Date: Tue, 30 Jan 2024 21:16:29 +1300
Subject: [PATCH 2/2] Update to further restrict egress rule
---
step-certificates/templates/policy.yaml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/step-certificates/templates/policy.yaml b/step-certificates/templates/policy.yaml
index 56aaee6..e2c41e2 100644
--- a/step-certificates/templates/policy.yaml
+++ b/step-certificates/templates/policy.yaml
@@ -11,7 +11,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
- podSelector:
+ podSelector:
 matchLabels:
 app.kubernetes.io/name: {{ include "step-certificates.name" . }}
 policyTypes:
@@ -36,4 +36,11 @@ spec:
 port: 443
 - protocol: TCP
 port: 80
+ {{- if .Values.networkpolicy.allow }}
+ to:
+ {{- range .Values.networkpolicy.allow }}
+ - ipBlock:
+ cidr: {{ . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
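Review bot: The new `to:` block applies `.Values.networkpolicy.allow` to egress as well, but PATCH 1/2 introduces that list in values.yaml as "Subnets to allow incoming access" and the README row describes it as restricting the allow rule; neither is touched here, so an operator who sets `allow` for inbound clients also confines the CA's outbound 443/80 traffic to those subnets without being told. Either update both comments to describe the dual use, e.g. `# Subnets (CIDR) that may reach the CA and that the CA may reach on TCP 443/80`, or give egress its own list under `networkpolicy` so the two directions can differ. The `egress:` rule this `to:` attaches to begins above the hunk.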