Create AuthorizationPolicy to allow API access for gitlab-ci-pipelines-exporter

Bug

Description

When testing the latest renovate for gitlab-ci-pipelines-exporter, I noticed that many of the required metrics were not flowing into Prometheus. This resulted in Grafana dashboards not reporting any GitLab pipeline stats, and a number of gitlab_ci_pipeline_* metrics missing in Prometheus.

When attempting to perform an API call from gitlab-ci-pipelines-exporter to the gitlab-webservice-default pod, I faced a 403 error provided by the Istio proxy (Envoy):

[2025-05-30T14:06:54.911Z] "GET /api/v4/projects/test%2Ftest1/repository/branches?page=1&per_page=100 HTTP/1.1" 403 - via_upstream - "-" 0 19 1 0 "-" "gitlab-ci-pipelines-exporter-0.5.10" "078d0439-9bc7-95cf-8bee-c01856c11a61" "gitlab-webservice-default.gitlab.svc.cluster.local:8181" "10.42.2.33:8181" outbound|8181||gitlab-webservice-default.gitlab.svc.cluster.local; 10.42.2.36:37000 10.43.103.125:8181 10.42.2.36:37274 - default traceID=d80b4cdac91ba86739217303df236e72

BigBang Version

2.53.1

Proposed Resolution

An AuthorizationPolicy must be added to allow gitlab-ci-pipelines-exporter to access the gitlab namespace and allow API calls through.

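apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "allow-gitlab-ci-pipelines-exporter-namespace"
  # The policy lives in the destination namespace (gitlab).
  namespace: gitlab
spec:
  # No selector is set, so this applies to every workload in the gitlab namespace.
  action: ALLOW
  rules:
  - from:
    - source:
        # Source namespace is taken from the caller's mTLS identity.
        namespaces:
        - gitlab-ci-pipelines-exporter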
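
A narrower variant of the policy above, added here as an example and not part of the original issue or the Big Bang chart: it applies only to the webservice pods and permits only GET requests to the API path and port seen in the 403 log line. The policy name and the `app: webservice` selector label are assumptions; confirm the label with `kubectl get pods -n gitlab --show-labels` before applying.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Hypothetical name, chosen for this example.
  name: "allow-gitlab-ci-pipelines-exporter-api"
  namespace: gitlab
spec:
  # Assumed label on the gitlab-webservice-default pods; verify it in your cluster.
  # With a selector, the rule no longer opens every workload in the namespace.
  selector:
    matchLabels:
      app: webservice
  action: ALLOW
  rules:
  - from:
    - source:
        # Same source restriction as the policy in the issue.
        namespaces:
        - gitlab-ci-pipelines-exporter
    to:
    - operation:
        # Method, path prefix and port are taken from the denied request in the
        # access log. Assumes the exporter only issues read-only API calls.
        methods: ["GET"]
        paths: ["/api/v4/*"]
        ports: ["8181"]
```

If exporter requests still return 403 with this policy in place, compare the method, path and port in the Envoy access log against the `to.operation` block before widening the rule.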