ci: sync esnixi changes - CA download, dockerhub auth, local-path storage, proxy exclusions, pod annotations

pipelines/woodpecker/kyverno-proxy-ca.yaml

@@ -16,6 +16,16 @@ spec:
                 - Pod
               namespaces:
                 - woodpecker
+      exclude:
+        any:
+          - resources:
+              selector:
+                matchLabels:
+                  app.kubernetes.io/name: server
+          - resources:
+              selector:
+                matchLabels:
+                  app.kubernetes.io/name: agent
       mutate:
         patchStrategicMerge:
           spec:

pipelines/woodpecker/values.yaml

@@ -48,7 +48,10 @@ agent:
   enabled: true
   replicaCount: 2
 
-  # CA injection handled by woodpecker-proxy-ca Kyverno policy (matches all pods in namespace)
+  # Agents must NOT have proxy/CA injection — they communicate with server via gRPC
+  # and the proxy blocks port 9000. Builder pods get injection via Kyverno policy
+  # matching WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS.
+  podAnnotations: {}
 
   env:
     WOODPECKER_SERVER: "woodpecker-server:9000"
@@ -56,4 +59,6 @@ agent:
     WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
     WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 5Gi
     WOODPECKER_BACKEND_K8S_STORAGE_RWX: "false"
+    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: local-path
+    WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: "celestium.life/inject-ca:true"
     WOODPECKER_MAX_WORKFLOWS: "16"