From f7f992bb2d22bebac7d4602be70110ce667b6ce2 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Tue, 3 Sep 2024 04:19:29 +0800
Subject: [PATCH] fix(ingress-nginx): allow Let's Encrypt egress traffic
---
 kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
index ea931ecf..4ffd3208 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
@@ -104,6 +104,10 @@ spec:
 - toFQDNs:
 - matchPattern: "*.${DNS_MAIN}"
 - matchPattern: "*.${DNS_SHORT}"
+ # allow Let's Encrypt traffic for e.g. OCSP or CRLs
+ - toFQDNs:
+ - matchPattern: "*.lencr.org"
+ - matchPattern: "*.*.lencr.org"
 # DNS proxy to kube-dns, DNS L7 visibility
 - toEndpoints:
 - matchLabels:
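Review bot: The added `toFQDNs` rule for `*.lencr.org` and `*.*.lencr.org` has no `toPorts`, so as far as this hunk shows it allows egress to those names on every port and protocol rather than only what OCSP and CRL fetches need. Those fetches are plain HTTP, so the rule could be narrowed with `toPorts: [{ports: [{port: "80", protocol: TCP}]}]`, adding 443 only if something in the controller actually requires it. The limit matters because an FQDN rule ends up allowing the resolved IPs, and if these hosts are CDN-fronted (likely, but not visible here) those IPs may also serve unrelated sites. Indentation is lost in this view and the egress list starts and continues outside the hunk, so confirm the new item sits at the same level as the preceding `toFQDNs` rule.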