1931 gitlab runner not passing control plane cidr

bc9952e3 · Matt Vasquez · 71228c9e · bc9952e3 · bc9952e3 · bc9952e3
Commit bc9952e3 authored 10 months ago by Matt Vasquez
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.63.0-bb.7] - 2024-05-08
+### Changed
+- Fixed bug with Control Plane CIDR for Network Policies. Refacrtored egress network policies for Gitlab Runner.
+
 ## [0.63.0-bb.6] - 2024-05-01
 ### Added
 - Added Istio Authorization Policies Support

--- a/README.md
+++ b/README.md
 # gitlab-runner

-![Version: 0.63.0-bb.6](https://img.shields.io/badge/Version-0.63.0--bb.6-informational?style=flat-square) ![AppVersion: v16.10.0](https://img.shields.io/badge/AppVersion-v16.10.0-informational?style=flat-square)
+![Version: 0.63.0-bb.7](https://img.shields.io/badge/Version-0.63.0--bb.7-informational?style=flat-square) ![AppVersion: v16.10.0](https://img.shields.io/badge/AppVersion-v16.10.0-informational?style=flat-square)

 GitLab Runner


--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: gitlab-runner
-version: 0.63.0-bb.6
+version: 0.63.0-bb.7
 appVersion: v16.10.0
 kubeVersion: ">=1.29.0-0"
 description: GitLab Runner

--- a/chart/templates/bigbang/networkpolicies/egress-runner.yaml
+++ b/chart/templates/bigbang/networkpolicies/egress-runner.yaml
@@ -2,24 +2,20 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: egress-runner-{{ .Release.Name }}
+  name: egress-runner-to-gitlab-{{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
 spec:
-  podSelector: 
+  podSelector:
    matchLabels:
-      app: gitlab-runner   # runner needs to access kube-api to start jobs
+      app: gitlab-runner
  policyTypes:
-  - Egress
+    - Egress
  egress:
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          app.kubernetes.io/name: gitlab
-    - ipBlock:
-        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
-        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
-        except:
-        # Block requests to AWS cloud metadata IP
-        - 169.254.169.254/32
-        {{- end }}
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              app.kubernetes.io/name: gitlab
+          podSelector:
+            matchLabels:
+              app: webservice
 {{- end }}
--- a/chart/templates/bigbang/networkpolicies/egress-runner-to-kube-api.yaml
+++ b/chart/templates/bigbang/networkpolicies/egress-runner-to-kube-api.yaml
+{{- if and .Values.networkPolicies.enabled (ne .Release.Namespace "gitlab") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-runner-to-kube-api-{{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: gitlab-runner
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: {{ default "0.0.0.0/0" .Values.networkPolicies.controlPlaneCidr }}
+            {{- if eq (default "0.0.0.0/0" .Values.networkPolicies.controlPlaneCidr) "0.0.0.0/0" }}
+            except:
+              - 169.254.169.254/32
+            {{- end }}
+    - ports:
+      {{- if .Values.networkPolicies.kubeapiPort }}
+        - protocol: TCP
+          port: {{ .Values.networkPolicies.kubeapiPort }}
+      {{- else }}
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 6443
+      {{- end }}
+{{- end }}
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -7,16 +7,8 @@ runners:

 networkPolicies:
  enabled: true
-  additionalPolicies:
-  - name: egress-runner-jobs
-    spec:
-      podSelector: {}
-      policyTypes:
-      - Egress
-      egress:
-      - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
+  controlPlaneCidr: 172.20.0.0/29
+  kubeapiPort: 6443

 # Cypress testing values
 bbtests: