Bug: NetworkPolicy field manager conflicts block tofu apply #152

Closed
opened 2026-03-24 20:05:35 +00:00 by forgejo_admin · 0 comments

Type

Bug

Lineage

standalone — discovered during pipeline failure investigation (session 2026-03-24)

Repo

forgejo_admin/pal-e-platform

What Broke

All 9 kubernetes_manifest resources in network-policies.tf lack a field_manager block. When anyone runs kubectl patch on a NetworkPolicy during an incident (which is normal incident response), field ownership transfers from Terraform to kubectl-patch. Subsequent tofu apply fails with:

Error: field manager conflict for "forgejo/default-deny-ingress"
conflict with "kubectl-patch" using networking.k8s.io/v1: .spec.ingress

This blocks ALL merges to main until the conflict is manually resolved.

Repro Steps

  1. Manually patch any NetworkPolicy: kubectl patch netpol default-deny-ingress -n forgejo ...
  2. Merge a PR that touches any terraform resource
  3. Observe: apply fails with field manager conflict on the patched netpol

Expected Behavior

Terraform should reclaim field ownership on apply, overwriting manual patches. Manual patches during incidents are expected — they should be temporary and reconciled by the next apply, not permanent blockers.
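The fix the acceptance criteria ask for, shown as an added example rather than code taken from the pal-e-platform repository: one of the nine kubernetes_manifest resources with a field_manager block that forces server-side-apply conflicts in Terraform's favour. The policy name and namespace come from the issue; the resource label and the policy body (an assumed default-deny ingress policy) are illustrative.

```hcl
# Added example (not from the pal-e-platform repository): a NetworkPolicy
# resource as it would look with the field_manager block the acceptance
# criteria require. Resource label and manifest body are assumptions; the
# policy name and namespace are the ones named in the issue.
resource "kubernetes_manifest" "netpol_forgejo_default_deny_ingress" {
  manifest = {
    apiVersion = "networking.k8s.io/v1"
    kind       = "NetworkPolicy"
    metadata = {
      name      = "default-deny-ingress"
      namespace = "forgejo"
    }
    spec = {
      podSelector = {}          # empty selector: every pod in the namespace
      policyTypes = ["Ingress"] # no ingress rules listed, so all ingress is denied
    }
  }

  # Server-side apply field-manager settings for this resource.
  # Without force_conflicts, a field last written by another manager
  # (for example "kubectl-patch" after an incident patch) makes
  # `tofu apply` fail with the conflict error quoted in this issue.
  # With it, apply reclaims ownership of .spec and overwrites the patch,
  # which is the reconcile-on-next-apply behaviour described above.
  field_manager {
    name            = "Terraform" # provider default, written out for clarity
    force_conflicts = true
  }
}
```

To confirm which manager currently owns a field before and after the change, `kubectl get networkpolicy default-deny-ingress -n forgejo -o yaml --show-managed-fields` prints `metadata.managedFields`; an entry with manager `kubectl-patch` covering `f:spec` is the state that triggers the conflict, and after a forced apply the entry for `Terraform` should own `.spec` again.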

Environment

  • Cluster/namespace: all platform namespaces (monitoring, forgejo, woodpecker, harbor, minio, keycloak, postgres, ollama, cnpg-system)
  • Service version/commit: current main (HEAD)
  • Related alerts: Pipelines #235, #239 both fail on netpol_forgejo

Acceptance Criteria

  • All 9 kubernetes_manifest netpol resources have field_manager { force_conflicts = true }
  • tofu validate passes
  • Manual kubectl patch during incidents no longer permanently breaks CI

Related

  • project-pal-e-platform — platform infrastructure
  • forgejo_admin/pal-e-platform #109 — platform cleanup meta-issue
  • sop-network-security — NetworkPolicy management
Reference
forgejo_admin/pal-e-platform#152