feat: allow pal-e-mail namespace ingress to MinIO #145

Merged
forgejo_admin merged 1 commit from 144-add-pal-e-mail-namespace-to-minio-networ into main 2026-03-22 18:39:40 +00:00

Summary

  • Adds pal-e-mail namespace to MinIO's default-deny-ingress network policy allow list
  • Unblocks pal-e-mail Phase 2 template mode: fetch_template() calls httpx.get() to minio.minio.svc.cluster.local:9000 for CDN-hosted email templates

Changes

One line in terraform/network-policies.tf: new namespaceSelector entry in netpol_minio ingress rules.

+ { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "pal-e-mail" } } }] },
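Review bot: The `from` entry carries a namespaceSelector alone, with no podSelector and, on this line, no ports restriction, so every pod that ever runs in the pal-e-mail namespace gets ingress to the MinIO pods on whatever ports the enclosing rule permits, not only the template-fetching service the Summary describes. Since the Summary and Test Plan name port 9000 as the only endpoint used, consider tightening the same rule to the workload and port that need it, e.g. `{ from = [{ namespaceSelector = { ... "pal-e-mail" }, podSelector = { matchLabels = { ... } } }], ports = [{ protocol = "TCP", port = 9000 }] }`, and state in the PR body which ports the rule allows if that is already handled elsewhere in the file.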

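For contrast with the one-line grant above, here is the same allow entry written in its narrow form as a complete `kubernetes_manifest` resource. This is an added example, not the project's `network-policies.tf` (which is not shown on this page); the resource name, the `default-deny-ingress` policy name, the `app.kubernetes.io/name` pod label and the MinIO label value are assumptions, while the namespace names and port 9000 come from the PR.

```hcl
# Added example, not the project's own resource. Assumed: resource name,
# policy name, and the app.kubernetes.io/name labels on both sides.
resource "kubernetes_manifest" "netpol_minio_example" {
  manifest = {
    apiVersion = "networking.k8s.io/v1"
    kind       = "NetworkPolicy"
    metadata = {
      name      = "default-deny-ingress" # assumed name
      namespace = "minio"
    }
    spec = {
      # Empty podSelector: the policy applies to every pod in the minio
      # namespace; with policyTypes = ["Ingress"] and no matching rule,
      # all ingress is denied (the default-deny posture the PR describes).
      podSelector = {}
      policyTypes = ["Ingress"]

      ingress = [
        # The PR's one-liner is equivalent to:
        #   { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "pal-e-mail" } } }] }
        # i.e. any pod in pal-e-mail, any port the MinIO pods listen on.
        #
        # Narrower form: namespaceSelector and podSelector inside ONE
        # `from` element are ANDed, so only pal-e-mail pods carrying the
        # assumed label are admitted, and only to the S3 API port 9000
        # that fetch_template() actually uses.
        {
          from = [{
            namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "pal-e-mail" } }
            podSelector       = { matchLabels = { "app.kubernetes.io/name" = "pal-e-mail" } } # assumed label
          }]
          ports = [{ protocol = "TCP", port = 9000 }]
        },
      ]
    }
  }
}
```

Two details matter when reading a rule like this: putting `podSelector` in the same `from` element as `namespaceSelector` is what makes them a conjunction (as two separate `from` elements they would be a union, admitting the whole namespace again), and a rule without a `ports` list allows every port, so an explicit `ports` entry is what keeps other listeners on the MinIO pods out of scope.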
Test Plan

  • [x] tofu validate passes
  • [x] tofu fmt -check clean
  • [ ] tofu plan -lock=false shows only MinIO network policy change
  • [ ] After apply: kubectl exec -n pal-e-mail <pod> -- wget -qO- http://minio.minio.svc.cluster.local:9000/minio/health/live returns 200

Review Checklist

  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit message is descriptive
  • [x] Single-purpose change (1 namespace added to 1 network policy)

Related

  • Closes #144
  • plan-pal-e-mail — Phase 2 discovered scope
  • forgejo_admin/pal-e-mail#3 — Phase 2 Core Send API (merged)
feat: allow pal-e-mail namespace ingress to MinIO
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
a76628abe4
pal-e-mail Phase 2 fetches email templates from MinIO CDN via
httpx.get(). Without this network policy rule, the default-deny-ingress
on the minio namespace blocks the request from pal-e-mail pods.

Closes #144

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

PR #145 Review

DOMAIN REVIEW

Tech stack: Terraform (OpenTofu) / Kubernetes NetworkPolicy

The change adds a single namespaceSelector entry to netpol_minio's ingress allow list, permitting pods in the pal-e-mail namespace to reach MinIO. Review of /home/ldraney/pal-e-platform/terraform/network-policies.tf:

  • Pattern consistency: The new line at line 113 uses the identical { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "pal-e-mail" } } }] } structure as all other entries in this file (lines 23-24, 43-45, 63-67, 86-89, 108-112, 132-134, 153-155, 173, 193-194). No deviation.
  • Label correctness: kubernetes.io/metadata.name is the auto-applied immutable namespace label in k8s 1.21+. Correct selector for namespace-level ingress rules.
  • Scope: Only network-policies.tf modified. 1 addition, 0 deletions. No changes to any other policy or resource.
  • Least privilege: Only MinIO ingress is opened to pal-e-mail. No blanket allows. The justification (template fetching via httpx.get() to MinIO S3 endpoint) is sound -- email templates stored as MinIO objects need HTTP GET access.
  • No tofu fmt issues: The indentation and trailing comma are consistent with the existing entries.

BLOCKERS

None.

This is a 1-line declarative addition to a namespace allow-list. No application code, no user input handling, no auth logic, no secrets. The "new functionality must have tests" blocker does not apply to declarative network policy changes -- the Test Plan's kubectl exec validation and tofu plan output are the appropriate verification methods.

NITS

None. Clean single-purpose change.

SOP COMPLIANCE

  • [x] Branch named after issue (144-add-pal-e-mail-namespace-to-minio-networ references #144)
  • [x] PR body follows template (Summary, Changes, Test Plan, Review Checklist, Related)
  • [x] Related references plan slug (plan-pal-e-mail)
  • [x] Related references cross-repo issue (forgejo_admin/pal-e-mail#3)
  • [x] No secrets committed
  • [x] No unnecessary file changes (1 file, 1 line)
  • [x] Commit message is descriptive

PROCESS OBSERVATIONS

  • Change failure risk: Minimal. Additive network policy change. If the namespace label is wrong, the only consequence is that pal-e-mail pods cannot reach MinIO -- no impact on existing traffic.
  • Deployment frequency: Unblocks pal-e-mail Phase 2 template mode. Good example of discovered scope tracked properly (issue #144 from plan phase work).
  • Rollback: Trivial -- revert the single line to restore previous deny posture.

VERDICT: APPROVED

forgejo_admin deleted branch 144-add-pal-e-mail-namespace-to-minio-networ 2026-03-22 18:39:40 +00:00