Gitaly Network Policies Block Repo Mirroring
The current network policy set does not allow Gitaly egress to external resources. This prohibits the use of the repository mirroring feature within GitLab: mirroring fails with an SSL connect error.
Deeper digging revealed that the TCP handshake was failing as it tried to reach out to the external repo.
Recommend adding the following policy to the templates:
```yaml
spec:
  podSelector:
    matchLabels:
      app: gitaly
  policyTypes:
  - Egress
  egress:
  # A single rule: "ports" and "to" are AND-ed, so Gitaly may only reach
  # TCP/443 on external addresses. Keep them in one list item; splitting
  # them into two items would create a second rule that allows every port.
  - ports:
    - port: 443
      protocol: TCP
    to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32   # cloud instance metadata endpoint stays blocked
```
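Because each item in `egress` is an independent rule (its `to` and `ports` are AND-ed, the rules themselves are OR-ed), the indentation of the policy above decides what Gitaly can reach. The following evaluator is an added example, not part of the issue or of GitLab; it models only `ipBlock` peers, and the addresses and specs are constructed for illustration.

```python
"""Evaluate what a Kubernetes NetworkPolicy egress spec allows (ipBlock peers only)."""
import ipaddress


def _ip_block_matches(block, ip):
    """True if ip is inside block["cidr"] and not inside any "except" CIDR."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))


def _rule_allows(rule, ip, port, protocol):
    """A rule matches when both its 'to' and 'ports' match; empty/missing means any."""
    to = rule.get("to")
    if to and not any("ipBlock" in p and _ip_block_matches(p["ipBlock"], ip) for p in to):
        return False
    ports = rule.get("ports")
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                         for p in ports):
        return False
    return True


def egress_allowed(spec, ip, port, protocol="TCP"):
    """Egress is permitted if any rule matches; without 'Egress' in policyTypes nothing is restricted."""
    if "Egress" not in spec.get("policyTypes", []):
        return True
    return any(_rule_allows(r, ip, port, protocol) for r in spec.get("egress", []))


# Constructed spec: the recommended policy with 'ports' and 'to' in ONE rule.
MERGED = {"policyTypes": ["Egress"], "egress": [
    {"ports": [{"port": 443, "protocol": "TCP"}],
     "to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}]}]}

# Constructed spec: the same keys mis-indented into TWO rules. Rule 1 now allows
# TCP/443 to any destination (metadata included) and rule 2 allows every port.
SPLIT = {"policyTypes": ["Egress"], "egress": [
    {"ports": [{"port": 443, "protocol": "TCP"}]},
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}]}]}

if __name__ == "__main__":
    # 203.0.113.10 is a constructed TEST-NET-3 address standing in for a remote Git host.
    for name, spec in (("merged", MERGED), ("split", SPLIT)):
        print(name, "443 ->", egress_allowed(spec, "203.0.113.10", 443),
              "| 22 ->", egress_allowed(spec, "203.0.113.10", 22),
              "| metadata:443 ->", egress_allowed(spec, "169.254.169.254", 443))
```

Run it against your rendered template (for example the output of `kubectl get networkpolicy -o json`) to confirm the mirroring port is open and nothing else is.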
Edited by Michael Szewil