Add pal-e-mail namespace to MinIO network policy ingress #144

Closed
opened 2026-03-22 17:48:56 +00:00 by forgejo_admin · 1 comment

Type

Feature

Lineage

plan-pal-e-mail → Phase 2 → discovered scope (infrastructure prerequisite)

Repo

forgejo_admin/pal-e-platform

User Story

As pal-e-mail service
I want to reach MinIO's internal service endpoint from inside the cluster
So that template fetching via http://minio.minio.svc.cluster.local:9000 works without hitting the DERP hairpin issue on the external Tailscale URL

Context

pal-e-mail Phase 2 (PR #4, forgejo_admin/pal-e-mail) added POST /send with CDN template fetching. Templates are stored on MinIO at assets/email-templates/{project}/. The service uses httpx.get() to fetch templates at send time. Without a network policy allowing ingress from pal-e-mail namespace to minio namespace, this request is blocked by the default-deny-ingress policy in terraform/network-policies.tf. This is a production blocker for template mode sends.

The config setting PAL_E_MAIL_MINIO_CDN_BASE_URL in the deployment-patch should also be overridden from the external Tailscale URL to the internal MinIO service URL to avoid the DERP hairpin issue (same class of bug as ArgoCD #143).

File Targets

Files to modify:

  • terraform/network-policies.tf — add pal-e-mail namespace to netpol_minio ingress list

Files NOT to touch:

  • Any other network policies — only MinIO needs the new ingress rule

Acceptance Criteria

  • pal-e-mail namespace can reach minio.minio.svc.cluster.local:9000 from inside the cluster
  • tofu plan shows only the MinIO network policy change
  • tofu validate passes

Test Expectations

  • tofu plan -lock=false shows expected diff (one new ingress rule on netpol_minio)
  • tofu validate clean
  • tofu fmt -check clean
  • Run command: cd ~/pal-e-platform/terraform && tofu plan -lock=false

Constraints

  • Follow existing network policy pattern (namespace selector with kubernetes.io/metadata.name label)
  • Must include -lock=false in any tofu plan commands to avoid blocking CI
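As an added example (not the project's own terraform/network-policies.tf), this shows the pattern the Context and Constraints describe: a default-deny ingress policy on the minio namespace plus a netpol_minio allow rule whose ingress list selects source namespaces by the kubernetes.io/metadata.name label. The locals list, the policy names, and the resource name of the default-deny policy are assumptions; only netpol_minio, the namespaces and port 9000 come from the issue.

```hcl
locals {
  # Namespaces allowed to open connections to MinIO. Assumed to be a list
  # like this in the real file; existing entries elided, "pal-e-mail" added.
  minio_ingress_namespaces = ["pal-e-mail"]
}

# Default deny: the empty pod_selector matches every pod in the namespace,
# and an Ingress policy with no ingress rules admits no traffic at all.
resource "kubernetes_network_policy" "default_deny_ingress_minio" {
  metadata {
    name      = "default-deny-ingress"
    namespace = "minio"
  }
  spec {
    pod_selector {}
    policy_types = ["Ingress"]
  }
}

# Allow rule: NetworkPolicies are additive, so this opens TCP/9000 from the
# listed namespaces while the default deny keeps every other source closed.
resource "kubernetes_network_policy" "netpol_minio" {
  metadata {
    name      = "allow-minio-ingress"
    namespace = "minio"
  }
  spec {
    pod_selector {}
    policy_types = ["Ingress"]
    ingress {
      dynamic "from" {
        for_each = local.minio_ingress_namespaces
        content {
          # Select the whole source namespace by its immutable name label
          namespace_selector {
            match_labels = {
              "kubernetes.io/metadata.name" = from.value
            }
          }
        }
      }
      ports {
        port     = "9000"
        protocol = "TCP"
      }
    }
  }
}
```

The acceptance check can be made from a throwaway pod in the pal-e-mail namespace against MinIO's liveness endpoint, /minio/health/live on port 9000; the same request from a namespace not in the list should still time out, which confirms the default deny is intact.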

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform — this repo
  • plan-pal-e-mail — Phase 2 dependency
  • forgejo_admin/pal-e-mail#3 — Phase 2 Core Send API issue
  • pal-e-platform#143 — ArgoCD DERP hairpin (same class of issue)

Scope Review: READY

Review note: review-284-2026-03-22
Scope is solid — single file target verified, pattern matches existing netpol convention, all acceptance criteria are machine-verifiable. CDN URL override mentioned in Context is correctly excluded from File Targets (belongs in pal-e-deployments, not this repo).

forgejo_admin 2026-03-22 18:22:23 +00:00
Reference
forgejo_admin/pal-e-platform#144