Add tag:ci-gateway to Tailscale ACL for CI builds

- Add tag:ci-gateway to tagOwners
- Grant ci-gateway access to registry on port 443
- Add test for ci-gateway -> registry access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-01-24 19:38:02 -08:00
commit b4b8abb2d9


@ -60,6 +60,14 @@
"ip": ["*"], "ip": ["*"],
}, },
// --- CI Gateway ---
// Ephemeral CI containers can push images to registry
{
"src": ["tag:ci-gateway"],
"dst": ["tag:registry"],
"ip": ["tcp:443"],
},
// --- Kubernetes workloads --- // --- Kubernetes workloads ---
// k8s workloads (e.g., Woodpecker CI) can push/pull from registry // k8s workloads (e.g., Woodpecker CI) can push/pull from registry
{ {
@ -127,6 +135,7 @@
"tag:k8s-api": ["autogroup:admin", "tag:blumeops"], "tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
"tag:k8s-operator": ["autogroup:admin", "tag:blumeops"], "tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"], "tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
"tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
}, },
// ============== ACL Tests ============== // ============== ACL Tests ==============
@ -152,5 +161,10 @@
"src": "tag:k8s", "src": "tag:k8s",
"accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"], "accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
}, },
// CI gateway can push to registry
{
"src": "tag:ci-gateway",
"accept": ["tag:registry:443"],
},
], ],
} }
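Review bot: The new ACL test in the last hunk only asserts the positive grant, so it would not catch a later rule that widens `tag:ci-gateway` beyond the registry; Tailscale ACL tests also take a `deny` list, and the adjacent `tag:k8s` test already names the other services the gateway should not reach. Adding `"deny": ["tag:homelab:3001", "tag:homelab:2200"],` next to the `"accept"` line pins that boundary and makes the least-privilege intent of the first hunk's rule checkable. Separately, the comment `// Ephemeral CI containers can push images to registry` in the first hunk overstates what the rule enforces: it only opens `tcp:443` from `tag:ci-gateway` to `tag:registry`, and push versus pull is decided by the registry's own authentication, so wording such as `// Ephemeral CI containers can reach the registry on tcp/443; push authorization is enforced by the registry` would be more accurate. The enclosing `acls` and `tests` arrays begin outside these hunks.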