Allow westside-contracts namespace ingress to MinIO #149

Closed
opened 2026-03-24 08:57:23 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

plan-pal-e-platform → discovered scope from westside-contracts deploy

Repo

forgejo_admin/pal-e-platform

User Story

As the westside-contracts service
I want to upload signature images to MinIO
So that signed contracts have their drawn signatures stored as assets

Context

westside-contracts (namespace: westside-contracts) uploads drawn signature PNGs to MinIO during contract signing. The MinIO NetworkPolicy (default-deny-ingress in namespace minio) blocks ingress from westside-contracts — connection refused on port 9000.

Current allow list: tailscale, postgres, woodpecker, monitoring, tofu-state, pal-e-mail. Same pattern as pal-e-mail PR #132 which added pal-e-mail to this list.

File Targets

  • terraform/network-policies.tf — add westside-contracts to MinIO ingress allow list

Files NOT to touch:

  • Everything else

Acceptance Criteria

  • westside-contracts can reach minio.minio.svc.cluster.local:9000
  • tofu plan -lock=false shows only the NetworkPolicy change
  • Existing MinIO access from other namespaces unaffected

Test Expectations

  • kubectl exec -n westside-contracts deploy/westside-contracts -- wget -q -O /dev/null http://minio.minio.svc.cluster.local:9000/minio/health/live returns 0
  • Run command: tofu plan -lock=false

Constraints

  • Follow existing pattern in network-policies.tf
  • Single namespace addition, no other changes

Checklist

  • PR opened
  • tofu plan clean
  • No unrelated changes

Related

  • project-pal-e-platform
  • westside-app #72 — blocked by this for signature upload
  • pal-e-platform PR #132 — precedent (pal-e-mail MinIO access)
forgejo_admin 2026-03-24 09:02:40 +00:00
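One way to check the acceptance criteria "tofu plan shows only the NetworkPolicy change" and "Existing MinIO access from other namespaces unaffected" mechanically, as an added example that is not part of the original issue or the pal-e-platform repo. It assumes the policy selects namespaces by the `kubernetes.io/metadata.name` label and is managed as a `kubernetes_network_policy_v1` resource; the resource address and the sample plan are constructed.

```python
import json
import sys

# Assumption: the policy selects namespaces by this well-known label.
NS_LABEL = "kubernetes.io/metadata.name"
CURRENT = ["tailscale", "postgres", "woodpecker", "monitoring", "tofu-state", "pal-e-mail"]

def allowed_namespaces(node):
    """Recursively collect every namespace name selected via NS_LABEL."""
    if isinstance(node, dict):
        hits = {v for k, v in node.items() if k == NS_LABEL and isinstance(v, str)}
        return hits.union(*(allowed_namespaces(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(allowed_namespaces(v) for v in node))
    return set()

def review_plan(plan, expected_new="westside-contracts"):
    """Return findings; an empty list means the plan stays within the issue's scope."""
    findings = []
    changed = [rc for rc in plan.get("resource_changes", [])
               if rc["change"]["actions"] != ["no-op"]]
    if len(changed) != 1:
        findings.append(f"expected 1 changed resource, got {len(changed)}")
    for rc in changed:
        addr, change = rc["address"], rc["change"]
        if not rc["type"].startswith("kubernetes_network_policy"):
            findings.append(f"{addr}: not a NetworkPolicy")
            continue
        if change["actions"] != ["update"]:
            findings.append(f"{addr}: {change['actions']} is not an in-place update")
        before = allowed_namespaces(change["before"])
        after = allowed_namespaces(change["after"])
        if after - before != {expected_new}:
            findings.append(f"{addr}: added {sorted(after - before)}, expected only {expected_new}")
        if before - after:
            findings.append(f"{addr}: removed {sorted(before - after)}")
    return findings

def sample_plan(after_names):
    """Constructed plan; the resource address and spec layout are hypothetical."""
    def policy(names):
        peers = [{"namespace_selector": [{"match_labels": {NS_LABEL: n}}]} for n in names]
        return {"spec": [{"policy_types": ["Ingress"], "ingress": [{"from": peers}]}]}
    return {"resource_changes": [{
        "address": "kubernetes_network_policy_v1.minio_ingress",
        "type": "kubernetes_network_policy_v1",
        "change": {"actions": ["update"], "before": policy(CURRENT), "after": policy(after_names)},
    }]}

if __name__ == "__main__":
    # Real use: tofu plan -lock=false -out=plan.out && tofu show -json plan.out > plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_plan(CURRENT + ["westside-contracts"])
    print(review_plan(plan) or "plan stays within scope")
```

The check fails a plan that widens the allow list beyond the one requested namespace or silently drops an existing peer, which a quick read of the plan diff can miss.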