Add tag:ci-gateway to Tailscale ACL for CI builds
- Add tag:ci-gateway to tagOwners - Grant ci-gateway access to registry on port 443 - Add test for ci-gateway -> registry access Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
9f98b3007e
commit
b4b8abb2d9
1 changed files with 14 additions and 0 deletions
|
|
@ -60,6 +60,14 @@
|
|||
"ip": ["*"],
|
||||
},
|
||||
|
||||
// --- CI Gateway ---
|
||||
// Ephemeral CI containers can push images to registry
|
||||
{
|
||||
"src": ["tag:ci-gateway"],
|
||||
"dst": ["tag:registry"],
|
||||
"ip": ["tcp:443"],
|
||||
},
|
||||
|
||||
// --- Kubernetes workloads ---
|
||||
// k8s workloads (e.g., Woodpecker CI) can push/pull from registry
|
||||
{
|
||||
|
|
@ -127,6 +135,7 @@
|
|||
"tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
|
||||
"tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
|
||||
"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
|
||||
"tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
|
||||
},
|
||||
|
||||
// ============== ACL Tests ==============
|
||||
|
|
@ -152,5 +161,10 @@
|
|||
"src": "tag:k8s",
|
||||
"accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
|
||||
},
|
||||
// CI gateway can push to registry
|
||||
{
|
||||
"src": "tag:ci-gateway",
|
||||
"accept": ["tag:registry:443"],
|
||||
},
|
||||
],
|
||||
}
|
||||
|
|
|
|||
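Review bot: The new test in the third hunk only asserts the positive path (`"accept": ["tag:registry:443"]`), so it would still pass if the ci-gateway grant in the first hunk were later widened; a `deny` assertion pins the intended least-privilege scope, e.g. `"deny": ["tag:homelab:3001", "tag:homelab:2200"],` after the accept line, using the destinations the adjacent tag:k8s test accepts as the negative control. In the first hunk the comment says ephemeral containers "can push images", but a tcp:443 grant also permits pulls and any other HTTPS traffic to tag:registry; rewording it to `// Ephemeral CI containers can reach the registry over HTTPS (push/pull)` keeps the comment honest about what the ACL actually enforces. The tagOwners entry in the second hunk lets any node already carrying tag:blumeops apply tag:ci-gateway, which mirrors the existing k8s entries but is worth a note given these nodes are described as short-lived CI containers. The enclosing acls, tagOwners and tests arrays all begin outside the hunks.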