fix(netpols): ingress-nginx to flux webhook

Signed-off-by: JJGadgets <git@jjgadgets.tech>

kube/1-clusters/Biohazard/2-config/3-secrets.yaml

@@ -22,8 +22,8 @@ sops:
             UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
             k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-27T04:10:33Z"
-    mac: ENC[AES256_GCM,data:1tEtJGkrq20VI61pU9AlpsLEHD38oxXkNrwJpNJNQNCGfVFU/QDhNFbzX3SNIpYNd6QJx8QtReXo4832QSCMTQQsujAJ2O1sOpR3hLKmwy2Wk4WBlokfgZuWoonm/cAHR5qHS4J7fefbtDrVz4Pln6c2jaqgtpbYm4tgEN64HJs=,iv:vvCC6o1RyAap2qViyxVcSi8KkFNZm9mubv+NcPrGPRs=,tag:EFguQC77p9hMkr8Y3KmxLQ==,type:str]
+    lastmodified: "2023-05-27T04:21:43Z"
+    mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str]
     pgp:
         - created_at: "2023-02-26T18:12:43Z"
           enc: |
@@ -61,8 +61,8 @@ sops:
             UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
             k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-27T04:10:33Z"
-    mac: ENC[AES256_GCM,data:1tEtJGkrq20VI61pU9AlpsLEHD38oxXkNrwJpNJNQNCGfVFU/QDhNFbzX3SNIpYNd6QJx8QtReXo4832QSCMTQQsujAJ2O1sOpR3hLKmwy2Wk4WBlokfgZuWoonm/cAHR5qHS4J7fefbtDrVz4Pln6c2jaqgtpbYm4tgEN64HJs=,iv:vvCC6o1RyAap2qViyxVcSi8KkFNZm9mubv+NcPrGPRs=,tag:EFguQC77p9hMkr8Y3KmxLQ==,type:str]
+    lastmodified: "2023-05-27T04:21:43Z"
+    mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str]
     pgp:
         - created_at: "2023-02-26T18:12:43Z"
           enc: |
@@ -128,6 +128,9 @@ stringData:
     SECRET_GTS_PG_PASS: ENC[AES256_GCM,data:4CLtnpcvhljJe1l+OKI3Q++PN7C++9ZavFArGsuxkIW5hoE6FFsAgGngFqw2ck1LAVqdwalQedQdj0LvQmzRpGybGxFGB6/4KHuQVMIkX+HyDReItP0vEXHEaq7HitxlpI+CLmlFK4lCOUdGY5/JvhZPLo+PV5STHsNvmrVaQhTvih3p1G11coCTbo4A/VHHWUGCyQDUoHxs2Bo/iYH2kFKlw/RYGFODmk1ffVUHHRsUHREpb9f5YcRwblWFOpQvwEYINKzlwoM=,iv:3/htXyuzpDJrTFGM7Yy5wcEejXN3/Jl4oyJ1tzPih5Y=,tag:Aie4reRcph39N8mRih9lLw==,type:str]
     SECRET_HEADSCALE_PRIVKEY: ENC[AES256_GCM,data:5cwm3FpMYlCxF6g+D0S0+Ti/UVSzJop5lu0Q53oT2+Gt5UVk0yhttjqrNZs5w3dnFJ0De+EGrXhaA5vsuUU1EgRq2t93NC/M,iv:Ny9T6kobbbEn94OLF6gAymCt5h9LlY7QL2GL36yuFAw=,tag:IsdV9wXyd8yTx5urHVef4Q==,type:str]
     SECRET_HEADSCALE_NOISEKEY: ENC[AES256_GCM,data:w0LQ6auq0XPgXC6KIOuSBZ66avDH/1oM4yK1ruYK21m15A5Mw28yQc93Pp67XbT1P54JgsdUYIJMoz43+wF2Hw3w8VFK4QS0,iv:bMfM4S1UyQjhdX/0Mu2xpa/PkbuOe0eL4G8AviTb3iQ=,tag:4Rej1+iOtMd5abXFkuBiFg==,type:str]
+    SECRET_HEADSCALE_PG_DBNAME: ENC[AES256_GCM,data:Iyj7YpnEOjnuZ8W1iCYIuyxoNP0ATH6M0B/njRF8TDnjty//bHsx8Q==,iv:MfexUGI5k8BJNugTN9HkAwVbIaqTOeTCPgvsvRDgvAw=,tag:pVcBD4v7zCliXo44KG97Aw==,type:str]
+    SECRET_HEADSCALE_PG_USER: ENC[AES256_GCM,data:mu5YQK7hwKmdATLv4AsC71lo0n0JemZMPnxdJPV7HaOlMcNCsTq7AbEGrsQm9fQ9yYiJg/ZdoXMAGihCs3sLEw==,iv:ZC9is+M6KkCUkqEfxblxg4eHZn3Kgoruk0K6G/dV5N8=,tag:PdVAAZuL164zcsRHIQGwVA==,type:str]
+    SECRET_HEADSCALE_PG_PASS: ENC[AES256_GCM,data:IPXHgbtdhFhcRWyQ1u0710/8QVEG2uoPdetIRbRrPIRRhv3TpR04d6ypWos8WunqS5JJaNjm5RTr2O6+DP7ITizMIyUJaLL8jKs5u5nvr7tIB3GsrtU/qBQvZuT+yGjouuf/ezo4euno2L2VD5aKoQN6mdUfFt9K8beb3s7aSBWbMHdvB5KTwssbaMG9alir9/pZEVacsft4zNn1KpTBFQ==,iv:wKDHzaGH5azCBL8zWSt6JbSKeuZNODG5VfOWmwH1GU8=,tag:NShyDOIzSSv74WV5kvlXbw==,type:str]
     SECRET_HEADSCALE_OIDC_URL: ENC[AES256_GCM,data:+Jy+NuSGcYXi+p7uOX6lyz3OacT9WaRvY4Ywyuz7dIP/larM6iKUJPSbpql7ZQUNIT6/Lq1998HF,iv:L7MpcUPSjeMcayj1z0J4tccXXdXou+O7IHpVBWtzeqk=,tag:+4f/U3sMpE4WE4mMwTlPLQ==,type:str]
     SECRET_HEADSCALE_OIDC_ID: ENC[AES256_GCM,data:oDoZQFp5EEAqa39tMx/Kse427QmYyxUXXPU8dGlCNGtupVvAs+7rzA==,iv:1gVegFflZRsRoo93MNsNwVQT8YRWcNh06MOy5cMsb3M=,tag:1KEb+pRqd154BQdR4NhFhA==,type:str]
     SECRET_HEADSCALE_OIDC_SECRET: ENC[AES256_GCM,data:4wwV9m+XmSIGXCzojw0Va8gH1L/E1VugXQc1N3adC6JitqOB7bvdqBxE0natU1mhrCUPdUViojV/IZJ/7qdluNNTakDiWWnL6rVI4xd1giywBc5taEWlQb7081zEExWm09wuRcjYVpfLakJFbM8fJJqTHZvyP5ED9VpNglBk6XU=,iv:RzgyFgOt9TwhRCysdf+gX7jhBQgA0Oo9b7xDCaDEBG4=,tag:AyDu6lImdsJpqEIDRPZ+hQ==,type:str]
@@ -158,8 +161,8 @@ sops:
             UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
             k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-27T04:10:33Z"
-    mac: ENC[AES256_GCM,data:1tEtJGkrq20VI61pU9AlpsLEHD38oxXkNrwJpNJNQNCGfVFU/QDhNFbzX3SNIpYNd6QJx8QtReXo4832QSCMTQQsujAJ2O1sOpR3hLKmwy2Wk4WBlokfgZuWoonm/cAHR5qHS4J7fefbtDrVz4Pln6c2jaqgtpbYm4tgEN64HJs=,iv:vvCC6o1RyAap2qViyxVcSi8KkFNZm9mubv+NcPrGPRs=,tag:EFguQC77p9hMkr8Y3KmxLQ==,type:str]
+    lastmodified: "2023-05-27T04:21:43Z"
+    mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str]
     pgp:
         - created_at: "2023-02-26T18:12:43Z"
           enc: |

kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml

@@ -10,6 +10,17 @@ spec:
       app.kubernetes.io/instance: ingress-nginx
       app.kubernetes.io/name: ingress-nginx
   ingress:
+    # allow kube-apiserver for webhooks
+    - fromEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "443"
+              protocol: TCP
+            - port: "8443"
+              protocol: TCP
     # all ingress-nginx traffic
     - fromEndpoints:
         - matchLabels: