ci: add woodpecker Kyverno proxy CA policy with NO_PROXY for gRPC

pipelines/woodpecker/kyverno-proxy-ca.yaml

@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: woodpecker-proxy-ca
+  annotations:
+    policies.kyverno.io/title: "Woodpecker Proxy CA Injection"
+    policies.kyverno.io/category: "Networking"
+    policies.kyverno.io/subject: "Pod"
+spec:
+  rules:
+    - name: inject-ca-cert
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+              namespaces:
+                - woodpecker
+      mutate:
+        patchStrategicMerge:
+          spec:
+            containers:
+              - (name): "*"
+                env:
+                  - name: HTTP_PROXY
+                    value: "http://192.168.42.1:3128"
+                  - name: HTTPS_PROXY
+                    value: "http://192.168.42.1:3128"
+                  - name: NO_PROXY
+                    value: "10.0.0.0/8,192.168.0.0/16,127.0.0.1,localhost,.svc,.cluster.local,woodpecker-server"
+                  - name: no_proxy
+                    value: "10.0.0.0/8,192.168.0.0/16,127.0.0.1,localhost,.svc,.cluster.local,woodpecker-server"
+                  - name: SSL_CERT_FILE
+                    value: "/etc/ssl/certs/proxy-ca.crt"
+                volumeMounts:
+                  - name: proxy-ca
+                    mountPath: /etc/ssl/certs/proxy-ca.crt
+                    subPath: ca.crt
+                    readOnly: true
+            volumes:
+              - name: proxy-ca
+                configMap:
+                  name: proxy-ca-cert

pipelines/woodpecker/values.yaml

@@ -48,8 +48,7 @@ agent:
   enabled: true
   replicaCount: 2
 
-  # No proxy CA injection for agents — they only talk to the server internally
-  # Pipeline step pods spawned by the agent inherit the node's proxy config
+  # CA injection handled by woodpecker-proxy-ca Kyverno policy (matches all pods in namespace)
 
   env:
     WOODPECKER_SERVER: "woodpecker-server:9000"