add pac

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-06-28 17:56:19 -04:00
parent ef827b2c69
commit e507515766
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
43 changed files with 895 additions and 128 deletions


@ -41,7 +41,7 @@ spec:
- name: FORGEJO__ssh__START_SSH_SERVER
value: "false"
- name: FORGEJO__webhook__ALLOWED_HOST_LIST
value: "ci.gwg313.xyz"
value: "ci.gwg313.xyz,pipelines-as-code-controller.pipelines-as-code.svc.cluster.local"
- name: FORGEJO__migrations__ALLOWED_DOMAINS
value: "github.com,*.github.com"
volumeMounts:
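Review bot: The new `FORGEJO__webhook__ALLOWED_HOST_LIST` entry for the PAC controller service is, as far as I know, a host-only control — Forgejo checks the webhook target's hostname against this list, not its port — so the restriction to tcp/8082 rests entirely on the `allow-pac-egress` CiliumNetworkPolicy added elsewhere in this commit. A comment above the env entry would keep the two in step when either is edited: `# PAC controller webhook target; egress to it is pinned to tcp/8082 by allow-pac-egress`. The enclosing container env list starts outside the hunk.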


@ -18,6 +18,21 @@ spec:
- ports:
- port: "3000"
protocol: TCP
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: pipelines-as-code
app: pipelines-as-code-controller
toPorts:
- ports:
- port: "3000"
protocol: TCP
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: cicd
toPorts:
- ports:
- port: "3000"
protocol: TCP
# ---
# # ----------------------------------------------------
# # CI runner access (in-cluster service)
@ -43,6 +58,29 @@ spec:
# - port: "443"
# protocol: TCP
#
---
# ----------------------------------------------------
# PAC controller webhook delivery (in-cluster)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-pac-egress
namespace: forgejo
spec:
endpointSelector:
matchLabels:
app: forgejo
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: pipelines-as-code
app: pipelines-as-code-controller
toPorts:
- ports:
- port: "8082"
protocol: TCP
---
# ----------------------------------------------------
# External git providers (FQDN restricted)
@ -72,22 +110,22 @@ spec:
# OPTIONAL: unrestricted egress (disabled by default)
# Enable ONLY when required for troubleshooting or apps
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-all-egress
namespace: forgejo
spec:
endpointSelector:
matchLabels:
app: forgejo
egress:
- toEntities:
- world
toPorts:
- ports:
- port: "443"
protocol: TCP
- port: "80"
protocol: TCP
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
# name: allow-all-egress
# namespace: forgejo
# spec:
# endpointSelector:
# matchLabels:
# app: forgejo
#
# egress:
# - toEntities:
# - world
# toPorts:
# - ports:
# - port: "443"
# protocol: TCP
# - port: "80"
# protocol: TCP
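Review bot: In the first hunk, the new `cicd` ingress rule (the `fromEndpoints` block with only `io.kubernetes.pod.namespace: cicd`) admits every pod in that namespace to Forgejo on tcp/3000, whereas the PAC controller rule directly above it also pins `app: pipelines-as-code-controller`. If the breadth is deliberate — pipeline pods usually carry per-run labels, leaving the namespace as the only stable selector — say so in a comment above the block, e.g. `# cicd pipeline pods have per-run labels; the namespace is the trust boundary here`; otherwise add a stable pod label next to the namespace key. The enclosing ingress list starts outside the hunk.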