feat: allow basketball-api → keycloak ingress in NetworkPolicy #119

Closed
opened 2026-03-19 01:26:14 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

plan-wkq → Phase 2 (NetworkPolicy — Allow basketball-api → Keycloak)

Repo

forgejo_admin/pal-e-platform

User Story

As basketball-api
I want to reach Keycloak via internal cluster URL
So that auto-account creation works without routing through the external Tailscale funnel

Context

basketball-api needs to call Keycloak's admin API to auto-create accounts on paid registration. The default-deny-ingress NetworkPolicy in the keycloak namespace currently only allows ingress from the tailscale namespace. basketball-api pods in the basketball-api namespace are blocked. The external Tailscale funnel URL (keycloak.tail5b443a.ts.net) TLS-EOFs when accessed from inside the cluster — a known pattern already fixed for Woodpecker→Forgejo.

File Targets

Files to modify:

  • terraform/network-policies.tf — add basketball-api to keycloak ingress allowlist (line ~131)

Files NOT to touch:

  • Any other NetworkPolicy resources — scoped to keycloak only

Acceptance Criteria

  • tofu plan shows keycloak NetworkPolicy updated with basketball-api ingress rule
  • tofu apply succeeds
  • kubectl exec -n basketball-api deploy/basketball-api -- python3 -c "import httpx; print(httpx.get('http://keycloak.keycloak.svc.cluster.local/', timeout=5).status_code)" returns 200 or 303

Test Expectations

  • tofu fmt passes
  • tofu validate passes
  • tofu plan -lock=false shows expected change
  • Run command: cd terraform && tofu fmt -check && tofu validate

Constraints

  • Follow existing pattern: each namespace gets its own from entry (not combined selectors)
  • Must run tofu plan -lock=false to avoid blocking CI

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • westside-basketball — project
  • Phase 3 (plan-wkq) depends on this — internal Keycloak URL won't work until this NetworkPolicy is applied
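The shape of the change the issue asks for, written out as an added example in the kubernetes provider's HCL. This is not the contents of terraform/network-policies.tf (the issue does not reproduce that file) and it is not the project's own code. Assumed, and not confirmed by the issue: the resource type kubernetes_network_policy_v1 and the resource name, that source namespaces are matched on the kubernetes.io/metadata.name label (set automatically on every namespace since Kubernetes 1.21), and the app=basketball-api pod label on the basketball-api deployment.

```hcl
# Added example, not the contents of terraform/network-policies.tf.
# Assumptions: resource type/name, the kubernetes.io/metadata.name namespace
# label, and the app=basketball-api pod label are all illustrative.
resource "kubernetes_network_policy_v1" "keycloak_default_deny_ingress" {
  metadata {
    name      = "default-deny-ingress"
    namespace = "keycloak"
  }

  spec {
    # Empty pod_selector selects every pod in the keycloak namespace, so any
    # pod not matched by a from{} entry below is denied ingress. That is what
    # makes this a default-deny policy rather than an allow list on top of open.
    pod_selector {}
    policy_types = ["Ingress"]

    ingress {
      # Existing entry: ingress from the tailscale namespace (the funnel).
      from {
        namespace_selector {
          match_labels = {
            "kubernetes.io/metadata.name" = "tailscale"
          }
        }
      }

      # New entry: a separate from{} block for basketball-api, following the
      # one-namespace-per-entry pattern. Separate from{} blocks are OR'd:
      # traffic matching either block is allowed.
      #
      # Inside one from{} block, namespace_selector and pod_selector are AND'd:
      # the source pod must be in the namespace AND carry the label. Adding the
      # pod_selector here narrows the grant from "any pod in basketball-api" to
      # the API pods only. The label value is an assumption; check the deployment.
      from {
        namespace_selector {
          match_labels = {
            "kubernetes.io/metadata.name" = "basketball-api"
          }
        }
        pod_selector {
          match_labels = {
            "app" = "basketball-api"
          }
        }
      }
    }
  }
}
```

Two checks worth doing before `tofu apply`: first, if a `ports {}` block is ever added to this `ingress` rule, it must name Keycloak's container port (commonly 8080), not the Service port 80 that the acceptance-criteria URL hits, because NetworkPolicy ports are matched against the pod, not the Service. Second, this policy only opens the keycloak side; if the basketball-api namespace carries its own default-deny egress policy, that side needs a matching egress rule too, which is outside this issue's "keycloak only" scope and would need its own ticket.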
Reference

forgejo_admin/pal-e-platform#119