From 9e39d59aface1ab3ade9463af09d305d3e5340a1 Mon Sep 17 00:00:00 2001
From: Celes Renata
Date: Sun, 19 Apr 2026 03:00:06 +0000
Subject: [PATCH] ci: add woodpecker Kyverno proxy CA policy with NO_PROXY for gRPC

---
 pipelines/runmefirst.sh | 5 ++-
 pipelines/woodpecker/kyverno-proxy-ca.yaml | 43 ++++++++++++++++++++++
 pipelines/woodpecker/values.yaml | 3 +-
 3 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 pipelines/woodpecker/kyverno-proxy-ca.yaml

diff --git a/pipelines/runmefirst.sh b/pipelines/runmefirst.sh
index 137f309..4950f0b 100755
--- a/pipelines/runmefirst.sh
+++ b/pipelines/runmefirst.sh
@@ -115,9 +115,10 @@
 echo ""
 # -------------------------------------------------------
 # 5. Apply Woodpecker agent RBAC
 # -------------------------------------------------------
-echo "--- Step 5: Applying Woodpecker agent RBAC ---"
+echo "--- Step 5: Applying Woodpecker agent RBAC and Kyverno policy ---"
 kubectl apply -f woodpecker/agent-rbac.yaml
-echo " ✓ Agent RBAC applied"
+kubectl apply -f woodpecker/kyverno-proxy-ca.yaml
+echo " ✓ Agent RBAC and Kyverno proxy CA policy applied"
 echo ""
 # -------------------------------------------------------
diff --git a/pipelines/woodpecker/kyverno-proxy-ca.yaml b/pipelines/woodpecker/kyverno-proxy-ca.yaml
new file mode 100644
index 0000000..caff10d
--- /dev/null
+++ b/pipelines/woodpecker/kyverno-proxy-ca.yaml
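Review bot: The new `kubectl apply -f woodpecker/kyverno-proxy-ca.yaml` has two prerequisites this step does not check: the Kyverno CRDs must already be installed (otherwise the apply fails with "no matches for kind ClusterPolicy"), and the `proxy-ca-cert` ConfigMap the policy mounts must exist in the woodpecker namespace, or every mutated pod will sit in ContainerCreating. Whether a failed apply aborts the script depends on a `set -e` that is outside this hunk, so the failure may currently be silent. A guard such as `kubectl get crd clusterpolicies.kyverno.io >/dev/null` and `kubectl -n woodpecker get configmap proxy-ca-cert >/dev/null` before the apply would make the ordering explicit. Kyverno mutation also happens at admission time, so any agent pods already running when this step executes keep their un-mutated spec until restarted; either add a rollout restart of the agent workload after the apply or a comment saying one is required.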
@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: woodpecker-proxy-ca
+ annotations:
+ policies.kyverno.io/title: "Woodpecker Proxy CA Injection"
+ policies.kyverno.io/category: "Networking"
+ policies.kyverno.io/subject: "Pod"
+spec:
+ rules:
+ - name: inject-ca-cert
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - woodpecker
+ mutate:
+ patchStrategicMerge:
+ spec:
+ containers:
+ - (name): "*"
+ env:
+ - name: HTTP_PROXY
+ value: "http://192.168.42.1:3128"
+ - name: HTTPS_PROXY
+ value: "http://192.168.42.1:3128"
+ - name: NO_PROXY
+ value: "10.0.0.0/8,192.168.0.0/16,127.0.0.1,localhost,.svc,.cluster.local,woodpecker-server"
+ - name: no_proxy
+ value: "10.0.0.0/8,192.168.0.0/16,127.0.0.1,localhost,.svc,.cluster.local,woodpecker-server"
+ - name: SSL_CERT_FILE
+ value: "/etc/ssl/certs/proxy-ca.crt"
+ volumeMounts:
+ - name: proxy-ca
+ mountPath: /etc/ssl/certs/proxy-ca.crt
+ subPath: ca.crt
+ readOnly: true
+ volumes:
+ - name: proxy-ca
+ configMap:
+ name: proxy-ca-cert
diff --git a/pipelines/woodpecker/values.yaml b/pipelines/woodpecker/values.yaml
index 90eb52d..46edda4 100644
--- a/pipelines/woodpecker/values.yaml
+++ b/pipelines/woodpecker/values.yaml
@@ -48,8 +48,7 @@ agent:
 enabled: true
 replicaCount: 2
- # No proxy CA injection for agents — they only talk to the server internally
- # Pipeline step pods spawned by the agent inherit the node's proxy config
+ # CA injection handled by woodpecker-proxy-ca Kyverno policy (matches all pods in namespace)
 env:
 WOODPECKER_SERVER: "woodpecker-server:9000"
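Review bot: Setting `SSL_CERT_FILE` to `/etc/ssl/certs/proxy-ca.crt` makes that single file the entire trust store for OpenSSL-based clients in every container of the namespace, so HTTPS to any destination that bypasses the proxy through NO_PROXY (in-cluster `.svc` services, anything in 10.0.0.0/8) will fail verification unless `ca.crt` in the `proxy-ca-cert` ConfigMap is a full CA bundle rather than only the proxy's CA; the ConfigMap is not visible here, so confirm which it is and either ship a bundle or record the assumption next to the env entry, e.g. `# ca.crt must be a full CA bundle: SSL_CERT_FILE replaces the default trust store`. Only the lowercase `no_proxy` is mirrored, yet curl reads only the lowercase `http_proxy`, so plain-HTTP fetches from curl-based steps would skip the proxy while their HTTPS fetches go through it; I would add lowercase `http_proxy`/`https_proxy` as well (below). Because the CA is mounted via `subPath`, ConfigMap updates are not propagated into running pods, so rotating the proxy CA requires a rollout — worth a comment on the volumeMounts entry. As far as I know CIDR entries in NO_PROXY are honored by Go's proxy logic and recent curl but not by every client (Python's urllib matches by host suffix only), so non-Go steps may still send 10.0.0.0/8 traffic to the proxy. Finally, this policy makes `proxy-ca-cert` and whoever controls 192.168.42.1:3128 a trust anchor for all CI traffic in the namespace, dependency downloads included, so write access to that ConfigMap should be restricted accordingly.
```yaml
env:
  - name: HTTP_PROXY
    value: "http://192.168.42.1:3128"
  - name: http_proxy
    value: "http://192.168.42.1:3128"
  - name: HTTPS_PROXY
    value: "http://192.168.42.1:3128"
  - name: https_proxy
    value: "http://192.168.42.1:3128"
  # … unchanged: NO_PROXY, no_proxy, SSL_CERT_FILE …
```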