docs(best-practice): fix HTTP01 NetworkPolicy examples - correct port, traffic flow, and selectors

[lohitkolluri]

Fixes cert-manager#2334

Addresses all review comments from PR #2151 (karthikk022's original PR). Instead of amending that branch, this PR provides corrected examples based on review feedback and the prior art in closed PR #2110.

Root Cause of Incorrect Examples in #2151

The original NetworkPolicy examples had several errors:

1. Wrong port (8080 → 8089): cert-manager's acmesolver listens on port 8089 (acmeSolverListenPort = 8089 in pkg/issuer/acme/http/http.go:49), not 8080.
2. Incorrect traffic flow: The controller does NOT connect directly to solver pods. The self-check (testReachability) goes through port 80 via the ingress/load balancer, following the same path the ACME server uses.
3. Missing namespaceSelector: A podSelector-only rule won't match solver pods because they run in the Challenge namespace, not the cert-manager namespace.
4. Wrong ingress source: Ingress should come from the ingress controller's namespace (e.g. ingress-nginx), not the cert-manager namespace.
5. Incorrect egress rule in values.yaml: The added HTTP01 egress rule used the wrong port (8080), wrong selector (podSelector-only, won't match solver pods in other namespaces), and wrong flow (controller doesn't connect directly to solver pods). The existing port-80 egress rule already covers the controller's self-check.

What Changed

content/docs/installation/best-practice.md

• New ### NetworkPolicy Examples for HTTP01 Challenges section with:
  • Correct port (8089) for the acmesolver
  • Accurate description of the traffic flow: ACME server → ingress → ingress controller → solver pod (port 8089)
  • Clarification that the controller's self-check uses port 80 via the ingress (same path as ACME server)
  • A correct NetworkPolicy ingress example that allows the ingress controller (via namespaceSelector) to reach solver pods on port 8089
  • No egress-from-controller-to-solver-pods example (it is incorrect)

public/docs/installation/best-practice/values.best-practice.yaml

• Updated the comment on the port-80 egress rule to accurately describe what it does: allow the controller to reach the challenge URL via the ingress, not "access to the HTTP01 solver pod"

What Was NOT Added (vs. Original #2151)

• The incorrect egress rule from controller to solver pods (wrong port, wrong selector, wrong flow)
• The redundant API server port section (already documented in the Network Requirements list and covered by default egress rules)

Testing

• Only documentation and YAML comments were changed
• No functional code changes

Signed-off-by: Lohit Kolluri lohitkolluri@gmail.com

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign erikgb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for cert-manager ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	8c0fc2c
🔍 Latest deploy log	https://app.netlify.com/projects/cert-manager/deploys/6a3189e0fec6b20008b67841
😎 Deploy Preview	https://deploy-preview-2158--cert-manager.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.