Add tag:ci-gateway for Forgejo runner Tailscale sidecar

- Add ci-gateway tag owner (admin and blumeops can assign) - Grant ci-gateway access to forge:443 for git operations - Grant ci-gateway access to registry:443 for container push/pull - Add ACL test for ci-gateway access Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 11:03:02 -08:00 · 2026-01-24 11:03:02 -08:00 · 018b44186f
commit 018b44186f
parent 476b80e985
1 changed files with 20 additions and 0 deletions
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@ -74,6 +74,20 @@
 			"dst": ["tag:homelab"],
 			"ip":  ["tcp:3001", "tcp:2200"],
 		},
+
+		// --- CI Gateway (Tailscale sidecar for Forgejo runner jobs) ---
+		// Can reach Forge for git clone operations
+		{
+			"src": ["tag:ci-gateway"],
+			"dst": ["tag:forge"],
+			"ip":  ["tcp:443"],
+		},
+		// Can reach registry to push/pull container images
+		{
+			"src": ["tag:ci-gateway"],
+			"dst": ["tag:registry"],
+			"ip":  ["tcp:443"],
+		},
 		// Homelab can reach k8s services: PostgreSQL, CNPG metrics, Prometheus/Loki
 		{
 			"src": ["tag:homelab"],
@ -126,6 +140,7 @@
 		"tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
 		"tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
 		"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
+		"tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
 	},

 	// ============== ACL Tests ==============
@ -151,5 +166,10 @@
 			"src":    "tag:k8s",
 			"accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
 		},
+		// CI gateway can reach forge and registry
+		{
+			"src":    "tag:ci-gateway",
+			"accept": ["tag:forge:443", "tag:registry:443"],
+		},
 	],
 }