fix: allow basketball-api ingress to postgres namespace (#187) #212

Merged
forgejo_admin merged 1 commit from 187-migrate-basketball-api-postgres-to-cnpg into main 2026-03-28 18:05:49 +00:00

Summary

  • Add basketball-api namespace to the CNPG postgres namespace network policy ingress allow list
  • Platform-side prerequisite for migrating basketball-api's standalone Postgres to the CNPG shared cluster
  • Without this, basketball-api pods cannot reach pal-e-postgres-rw.postgres.svc.cluster.local

Changes

  • terraform/network-policies.tf -- add basketball-api to the netpol_postgres ingress rules (1 line addition, follows existing pattern)

tofu plan Output

# kubernetes_manifest.netpol_postgres will be updated in-place
~ resource "kubernetes_manifest" "netpol_postgres" {
    ~ manifest = {
        ~ spec = {
            ~ ingress = [
                  { from = [{ ... "kubernetes.io/metadata.name" = "pal-e-docs" }] },
                + { from = [{ ... "kubernetes.io/metadata.name" = "basketball-api" }] },
                  { from = [{ ... "kubernetes.io/metadata.name" = "cnpg-system" }] },
                  { from = [{ ... "kubernetes.io/metadata.name" = "monitoring" }] },
              ]
          }
      }
  }

Plan: 0 to add, 1 to change, 0 to destroy.

Test Plan

  • [x] tofu fmt passes
  • [ ] tofu apply this change first (network policy must be in place before basketball-api connects to CNPG)
  • [ ] Verify: kubectl get networkpolicy -n postgres -o yaml shows basketball-api in ingress rules
  • [ ] Then proceed with companion pal-e-deployments PR to switch the connection string

Review Checklist

  • [x] Passed automated review-fix loop
  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive

Related Notes

  • Closes #187
  • Companion PR: forgejo_admin/pal-e-deployments branch 187-migrate-basketball-api-postgres-to-cnpg
  • Prereq resolved: pal-e-services#33 (CNPG cluster manifest restored to source control)
  • project-westside-basketball -- the project this work belongs to
fix: allow basketball-api namespace ingress to postgres namespace
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
96a00b4843
Add basketball-api to the CNPG shared cluster network policy so the
app can connect after migrating off its standalone postgres instance.
This is a prerequisite for the database migration in #187.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

QA Review

Diff: 1 file changed, 1 insertion, 0 deletions.

Findings

  1. Correct pattern -- the new ingress rule follows the exact HCL structure of all existing rules in netpol_postgres. No syntax issues.
  2. Namespace name verified -- basketball-api matches the namespace used in other network policies (e.g., netpol_keycloak line 149 already references basketball-api as an ingress source).
  3. Placement -- inserted between pal-e-docs (app consumer) and cnpg-system (infrastructure), consistent with the grouping pattern in this block.
  4. tofu fmt -- confirmed passing.
  5. tofu plan -- confirmed: Plan: 0 to add, 1 to change, 0 to destroy. Updates the existing netpol_postgres resource in-place.
  6. No secrets committed -- confirmed.
  7. Scope -- single-purpose change, no unnecessary files touched.

Nits

None.

VERDICT: APPROVE


PR #212 Review

DOMAIN REVIEW

Tech stack: Terraform (OpenTofu) -- Kubernetes NetworkPolicy manifest via kubernetes_manifest resource.

Pattern compliance: The change adds one ingress rule to netpol_postgres allowing the basketball-api namespace to reach pods in the postgres namespace. The syntax exactly matches the existing pattern used by pal-e-docs, cnpg-system, and monitoring entries in the same resource. Indentation, brace structure, and namespaceSelector.matchLabels usage are identical to all other netpol resources in the file.

Insertion position: basketball-api is inserted between pal-e-docs and cnpg-system. Alphabetical ordering is not enforced across the file (other netpol resources don't sort alphabetically either), so this is fine. The grouping is logical -- application namespaces first, then system namespaces.

Terraform style: The change is tofu fmt compliant -- uses 2-space indentation consistent with the rest of network-policies.tf. No variable naming or module structure changes.

k8s security: The policy follows least-privilege -- only basketball-api namespace is being granted ingress, not a broad wildcard. The namespaceSelector with matchLabels on kubernetes.io/metadata.name is the correct, specific selector. No privileged access, no RBAC changes.

State safety: tofu plan output in the PR body shows 0 to add, 1 to change, 0 to destroy -- in-place update to the existing netpol_postgres resource. No state-breaking changes.

Scope: The change is exactly 1 line in 1 file. No scope creep. The PR correctly identifies this as a prerequisite for the companion pal-e-deployments PR that will switch the connection string.

Observation (not a blocker): Issues #189 (mcd-tracker) and #190 (pal-e-mail) are both closed, implying those services were migrated to CNPG. However, neither mcd-tracker nor pal-e-mail appear in the netpol_postgres ingress list. If they connect to CNPG via the postgres namespace, they would need similar netpol entries. This may already be tracked or handled differently (e.g., they might use a different connection path), but worth verifying.

BLOCKERS

None.

  • No new functionality requiring tests (this is a 1-line infrastructure config change to an existing NetworkPolicy).
  • No user input involved (no injection, XSS, or path traversal surface).
  • No secrets or credentials in the diff.
  • No DRY violations -- follows the established pattern exactly.

NITS

None. The change is minimal, correct, and follows the established pattern precisely.

SOP COMPLIANCE

  • [x] Branch named after issue (187-migrate-basketball-api-postgres-to-cnpg references #187)
  • [x] PR body has Summary, Changes, Test Plan, Related sections
  • [x] Related section references issue #187, companion PR in pal-e-deployments, and prereq pal-e-services#33
  • [x] tofu plan output included (per repo PR conventions)
  • [x] tofu fmt passes (per Test Plan checklist)
  • [x] No secrets committed
  • [x] No unnecessary file changes (1 file, 1 line)
  • [x] Commit messages are descriptive

PROCESS OBSERVATIONS

  • Deployment frequency: This is a clean, minimal change that should merge and apply quickly. The dependency chain is documented (this PR first, then the pal-e-deployments companion PR).
  • Change failure risk: Very low. In-place update to an existing NetworkPolicy. The tofu plan output confirms no resource creation or destruction. Rollback is trivial (remove the line).
  • Test plan: The PR correctly notes that tofu apply must happen before the companion PR switches the connection string. The verification step (kubectl get networkpolicy -n postgres -o yaml) is appropriate.

VERDICT: APPROVED

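The review above relies on two things a reader cannot see from the plan output alone: that the policy grants ingress only to exactly named namespaces (the "least-privilege, no broad wildcard" point), and that the post-apply verification step actually finds basketball-api among the allowed sources. The following script is an added example, not code from this PR or from the pal-e repositories. It reads a NetworkPolicy in the shape `kubectl get networkpolicy <name> -n postgres -o json` returns, lists the namespaces admitted through a `namespaceSelector.matchLabels` pin on `kubernetes.io/metadata.name`, and flags rules that are wider than one named namespace (missing `from`, empty selector, or a selector not pinned to the name label). The embedded manifest is constructed to mirror the four entries in the plan output; the policy name `postgres-ingress` and the `podSelector: {}` are assumptions, not values from the real netpol_postgres resource.

```python
"""Audit which namespaces a Kubernetes NetworkPolicy admits as ingress sources.

Added example (not the PR's or the project's code). Works on the JSON/YAML
object shape that `kubectl get networkpolicy -o json` produces.
"""
from __future__ import annotations

import json
import sys

NS_LABEL = "kubernetes.io/metadata.name"

# Constructed sample: same four ingress entries as the tofu plan output in the
# PR body, but the policy name and podSelector are assumed, not the real object.
SAMPLE_NETPOL = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "postgres-ingress", "namespace": "postgres"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: "pal-e-docs"}}}]},
            {"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: "basketball-api"}}}]},
            {"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: "cnpg-system"}}}]},
            {"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: "monitoring"}}}]},
        ],
    },
}


def peer_namespace(peer: dict) -> str | None:
    """Return the single namespace a `from` peer names, or None if it is broader.

    Only a namespaceSelector whose matchLabels pin kubernetes.io/metadata.name
    counts as an exact grant. ipBlock peers, podSelector-only peers (same
    namespace) and empty selectors are not exact namespace grants.
    """
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        return None
    labels = ns_sel.get("matchLabels") or {}
    return labels.get(NS_LABEL)


def _ingress_rules(netpol: dict) -> list[dict]:
    # A missing/empty ingress list with policyTypes Ingress means "deny all".
    return netpol.get("spec", {}).get("ingress") or []


def allowed_namespaces(netpol: dict) -> set[str]:
    """Namespaces granted ingress through an exact metadata.name selector."""
    found: set[str] = set()
    for rule in _ingress_rules(netpol):
        for peer in rule.get("from") or []:
            ns = peer_namespace(peer)
            if ns is not None:
                found.add(ns)
    return found


def broad_rules(netpol: dict) -> list[str]:
    """Describe ingress rules that admit more than one named namespace."""
    findings: list[str] = []
    for i, rule in enumerate(_ingress_rules(netpol)):
        peers = rule.get("from")
        if not peers:
            # A rule without `from` matches every source.
            findings.append(f"rule[{i}]: no 'from' -> allows ingress from anywhere")
            continue
        for j, peer in enumerate(peers):
            ns_sel = peer.get("namespaceSelector")
            if ns_sel is None:
                continue  # ipBlock / podSelector-only peers are outside this check
            labels = ns_sel.get("matchLabels") or {}
            exprs = ns_sel.get("matchExpressions") or []
            if not labels and not exprs:
                # namespaceSelector {} (or matchLabels {}) selects all namespaces.
                findings.append(f"rule[{i}].from[{j}]: empty namespaceSelector -> all namespaces")
            elif NS_LABEL not in labels:
                findings.append(f"rule[{i}].from[{j}]: namespaceSelector not pinned to {NS_LABEL}")
    return findings


def check_namespace_allowed(netpol: dict, namespace: str) -> bool:
    """The post-apply verification: is `namespace` an exact ingress source?"""
    return namespace in allowed_namespaces(netpol)


if __name__ == "__main__":
    # Usage: kubectl get networkpolicy <name> -n postgres -o json > np.json
    #        python3 netpol_audit.py np.json basketball-api
    netpol = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_NETPOL
    target = sys.argv[2] if len(sys.argv) > 2 else "basketball-api"
    print("allowed namespaces:", sorted(allowed_namespaces(netpol)))
    print(f"{target} allowed:", check_namespace_allowed(netpol, target))
    print("broad rules:", broad_rules(netpol) or "none")
```

Run with no arguments it audits the constructed sample; with a saved `kubectl ... -o json` file it performs the same check against the live object. A non-empty `broad_rules` result is the signal the review's "no broad wildcard" statement would have caught.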
forgejo_admin deleted branch 187-migrate-basketball-api-postgres-to-cnpg 2026-03-28 18:05:49 +00:00