Add argocd namespace to Forgejo network policy #200

Closed
opened 2026-03-27 06:03:45 +00:00 by forgejo_admin · 2 comments

Type

Bug

Lineage

Discovered during incident #184 investigation. #143 (pal-e-services, closed) already migrated ArgoCD apps to internal Forgejo URLs. This ticket completes the network policy gap left by that migration.

Repo

forgejo_admin/pal-e-platform

What Broke

ArgoCD pods in the argocd namespace cannot reach Forgejo's internal service (forgejo-http.forgejo.svc.cluster.local:80) because the Forgejo network policy (default-deny-ingress) does not include argocd in its ingress allow list.

Current allow list: tailscale, woodpecker, monitoring.
Missing: argocd.

This causes ArgoCD sync failures (EOF/connection refused) and image updater tag query failures across all 9 apps.

Already done (not in scope):

  • ArgoCD app repo_url already uses internal Forgejo URL (done in #143, pal-e-services)
  • Image updater api_url already uses internal Harbor URL (pal-e-services)
  • Harbor network policy already allows argocd namespace (line 102)

Repro Steps

  1. From an argocd namespace pod: curl http://forgejo-http.forgejo.svc.cluster.local/api/v1/version
  2. Without the netpol fix: connection refused
  3. With the netpol fix: returns {"version":"14.0.2+gitea-1.22.0"}

Expected Behavior

ArgoCD pods can reach Forgejo's internal service for git operations.

Environment

  • Forgejo network policy: terraform/network-policies.tf lines 34-56
  • ArgoCD namespace: argocd
  • Verified: adding argocd to the allow list fixes connectivity (tested via kubectl patch, now needs Terraform)

File Targets

Files to modify:

  • terraform/network-policies.tf — add argocd namespace to Forgejo ingress allow list (one rule, matching existing pattern)

Files NOT to touch:

  • terraform/main.tf — ArgoCD apps are NOT here (they're in pal-e-services)
  • pal-e-services/ — already correct

Acceptance Criteria

  • Forgejo network policy includes argocd namespace in ingress allow list (in Terraform, not kubectl patch)
  • tofu plan shows only the network policy change
  • After apply: ArgoCD syncs all apps without EOF errors
  • After apply: image updater successfully queries Harbor tags
  • kubectl band-aid patches superseded by Terraform-managed policy

Test Expectations

  • tofu validate passes
  • tofu plan -lock=false shows network policy update only
  • Post-deploy: kubectl get applications -n argocd -o custom-columns='NAME:.metadata.name,STATUS:.status.sync.status' shows Synced
  • Run command: tofu plan -lock=false in terraform/

Constraints

  • tofu plan must include -lock=false
  • Follow existing network policy pattern (same as tailscale, woodpecker, monitoring entries)
  • Blocked by #196 (tofu apply fails on MinIO refresh) unless #197 (state splitting) lands first

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • #143 (pal-e-services, closed) — ArgoCD internal URL migration (already done)
  • #184 — parent incident
  • #196 — tofu apply blocked by MinIO
  • #197 — Terraform state splitting (may affect file location)
  • project-pal-e-platform
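Added example, not the contents of the project's terraform/network-policies.tf (which the ticket does not show): a kubernetes_network_policy resource in the shape the ticket describes, default-deny ingress on the forgejo namespace with one allow rule per trusted namespace, and argocd added beside the three existing entries. The namespace label key, the resource name and the container port are assumptions; note that NetworkPolicy ports match the pod's container port, not the Service port 80 quoted in the ticket.

```hcl
# Added example of the Forgejo ingress policy with argocd in the allow list.
# Assumptions (not from the ticket): namespaces are selected by the
# kubernetes.io/metadata.name label that Kubernetes sets automatically, and
# the forgejo-http Service's port 80 fronts Forgejo's default container
# port 3000. Adjust the port to whatever the existing file uses.

locals {
  # Namespaces allowed to reach Forgejo. argcd is the new entry; the other
  # three are the existing allow list named in the ticket.
  forgejo_ingress_namespaces = ["tailscale", "woodpecker", "monitoring", "argocd"]

  # Container port behind the forgejo-http Service (assumed default).
  forgejo_http_container_port = "3000"
}

resource "kubernetes_network_policy" "forgejo_default_deny_ingress" {
  metadata {
    name      = "default-deny-ingress"
    namespace = "forgejo"
  }

  spec {
    # Empty pod_selector selects every pod in the forgejo namespace, and
    # policy_types = ["Ingress"] makes any pod not matched by a rule below
    # unreachable: this is what produced "connection refused" for argocd.
    pod_selector {}
    policy_types = ["Ingress"]

    # One ingress rule per allowed namespace, keeping the per-namespace
    # pattern instead of a single rule with several from blocks.
    dynamic "ingress" {
      for_each = toset(local.forgejo_ingress_namespaces)
      content {
        from {
          namespace_selector {
            match_labels = {
              "kubernetes.io/metadata.name" = ingress.value
            }
          }
        }
        ports {
          port     = local.forgejo_http_container_port
          protocol = "TCP"
        }
      }
    }
  }
}
```

After applying, the ticket's own check (curl from an argocd pod to /api/v1/version, and tofu plan -lock=false showing only this resource changed) confirms the Terraform-managed policy has replaced the kubectl patch.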
Comment by forgejo_admin (author, owner):

Scope Review: NEEDS_REFINEMENT

Review note: review-447-2026-03-26

Ticket scope is ~90% already completed or targets the wrong repo. ArgoCD app repo_url and image updater api_url are already using internal URLs (done in #143, pal-e-services). The only valid remaining work in pal-e-platform is adding argocd namespace to the Forgejo network policy in terraform/network-policies.tf.

  • File targets wrong: terraform/main.tf does not contain ArgoCD Application resources or image updater config — those are in pal-e-services
  • 5 of 8 acceptance criteria already met or reference wrong repo
  • #143 (closed) already completed the ArgoCD internal URL migration
  • Harbor netpol already allows argocd (line 102 of network-policies.tf)
  • Forgejo netpol missing argocd — this is the one valid change

Recommend: retitle, reduce scope to netpol fix, update file targets and acceptance criteria, reference #143 in lineage.

forgejo_admin changed title from Eliminate Tailscale hairpin — ArgoCD + image updater to internal service URLs to Add argocd namespace to Forgejo network policy 2026-03-27 06:11:52 +00:00
Comment by forgejo_admin (author, owner):

Scope Review: READY

Review note: review-447-2026-03-26

Re-review after issue rewrite. All 6 concerns from the initial NEEDS_REFINEMENT verdict have been addressed:

  1. Scope reduced -- single network policy change only, "Already done" section prevents duplicate work
  2. File targets corrected -- network-policies.tf only, explicit "Files NOT to touch" section
  3. Acceptance criteria actionable -- 8 reduced to 5, all verifiable by an agent
  4. #143 overlap acknowledged -- Lineage documents the completed URL migration
  5. Title matches scope -- "Add argocd namespace to Forgejo network policy"
  6. Band-aid revert criterion added -- kubectl patches superseded by Terraform

All file targets verified against codebase. Forgejo netpol lines 34-56 confirmed: current allow list is tailscale, woodpecker, monitoring. Harbor netpol line 102 confirmed: already has argocd. Dependencies (#196, #197, #184, #143) all documented.

VERDICT: READY for next_up.
