Merge branch '1931-gitlab-runner-not-passing-control-plane-cidr' into 'main'

1931 gitlab runner not passing control plane cidr

See merge request !156

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.63.0-bb.7] - 2024-05-08
+### Changed
+- Fixed bug with Control Plane CIDR for Network Policies. Refacrtored egress network policies for Gitlab Runner.
+
 ## [0.63.0-bb.6] - 2024-05-01
 ### Added
 - Added Istio Authorization Policies Support

README.md

 # gitlab-runner
 
-![Version: 0.63.0-bb.6](https://img.shields.io/badge/Version-0.63.0--bb.6-informational?style=flat-square) ![AppVersion: v16.10.0](https://img.shields.io/badge/AppVersion-v16.10.0-informational?style=flat-square)
+![Version: 0.63.0-bb.7](https://img.shields.io/badge/Version-0.63.0--bb.7-informational?style=flat-square) ![AppVersion: v16.10.0](https://img.shields.io/badge/AppVersion-v16.10.0-informational?style=flat-square)
 
 GitLab Runner
 

chart/Chart.yaml

 apiVersion: v2
 name: gitlab-runner
-version: 0.63.0-bb.6
+version: 0.63.0-bb.7
 appVersion: v16.10.0
 kubeVersion: ">=1.29.0-0"
 description: GitLab Runner

chart/templates/bigbang/networkpolicies/egress-runner.yaml → chart/templates/bigbang/networkpolicies/egress-runner-to-gitlab.yaml

@@ -2,24 +2,20 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: egress-runner-{{ .Release.Name }}
+  name: egress-runner-to-gitlab-{{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
 spec:
-  podSelector: 
+  podSelector:
     matchLabels:
-      app: gitlab-runner   # runner needs to access kube-api to start jobs
+      app: gitlab-runner
   policyTypes:
-  - Egress
+    - Egress
   egress:
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          app.kubernetes.io/name: gitlab
-    - ipBlock:
-        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
-        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
-        except:
-        # Block requests to AWS cloud metadata IP
-        - 169.254.169.254/32
-        {{- end }}
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              app.kubernetes.io/name: gitlab
+          podSelector:
+            matchLabels:
+              app: webservice
 {{- end }}

chart/templates/bigbang/networkpolicies/egress-runner-to-kube-api.yaml

+{{- if and .Values.networkPolicies.enabled (ne .Release.Namespace "gitlab") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-runner-to-kube-api-{{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: gitlab-runner
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: {{ default "0.0.0.0/0" .Values.networkPolicies.controlPlaneCidr }}
+            {{- if eq (default "0.0.0.0/0" .Values.networkPolicies.controlPlaneCidr) "0.0.0.0/0" }}
+            except:
+              - 169.254.169.254/32
+            {{- end }}
+    - ports:
+      {{- if .Values.networkPolicies.kubeapiPort }}
+        - protocol: TCP
+          port: {{ .Values.networkPolicies.kubeapiPort }}
+      {{- else }}
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 6443
+      {{- end }}
+{{- end }}

tests/test-values.yml

@@ -7,16 +7,8 @@ runners:
 
 networkPolicies:
   enabled: true
-  additionalPolicies:
-  - name: egress-runner-jobs
-    spec:
-      podSelector: {}
-      policyTypes:
-      - Egress
-      egress:
-      - to:
-        - ipBlock:
-            cidr: 0.0.0.0/0
+  controlPlaneCidr: 172.20.0.0/29
+  kubeapiPort: 6443
 
 # Cypress testing values
 bbtests: