feat: allow westside-ai-assistant ingress to Ollama #246

Merged

forgejo_admin merged 1 commit from 14-ollama-netpol into main

2026-03-29 03:26:05 +00:00

forgejo_admin commented

2026-03-29 03:18:29 +00:00

Owner

Summary

Add westside-ai-assistant namespace to the Ollama NetworkPolicy ingress allowlist so the AI assistant service can reach the Ollama LLM endpoint.

Changes

terraform/network-policies.tf -- added westside-ai-assistant namespace selector to netpol_ollama ingress rules, following the same pattern used for other namespace allowlist entries

tofu plan Output

# kubernetes_manifest.netpol_ollama will be updated in-place
~  manifest.spec.ingress = [
       { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "pal-e-docs" } } }] },
     + { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "westside-ai-assistant" } } }] },
   ]

Plan: 0 to add, 1 to change, 0 to destroy.

Test Plan

tofu validate passes
tofu plan -lock=false -target=kubernetes_manifest.netpol_ollama shows exactly 1 resource updated in-place
After apply, verify from a pod in westside-ai-assistant namespace that it can reach Ollama

Review Checklist

tofu fmt run
tofu validate passes
tofu plan -lock=false output reviewed
Single file changed (network-policies.tf)
Pattern matches existing allowlist entries (e.g., keycloak netpol)

None.

Closes forgejo_admin/westside-ai-assistant#14

## Summary Add `westside-ai-assistant` namespace to the Ollama NetworkPolicy ingress allowlist so the AI assistant service can reach the Ollama LLM endpoint. ## Changes - `terraform/network-policies.tf` -- added `westside-ai-assistant` namespace selector to `netpol_ollama` ingress rules, following the same pattern used for other namespace allowlist entries ## tofu plan Output ``` # kubernetes_manifest.netpol_ollama will be updated in-place ~ manifest.spec.ingress = [ { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "pal-e-docs" } } }] }, + { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "westside-ai-assistant" } } }] }, ] Plan: 0 to add, 1 to change, 0 to destroy. ``` ## Test Plan - `tofu validate` passes - `tofu plan -lock=false -target=kubernetes_manifest.netpol_ollama` shows exactly 1 resource updated in-place - After apply, verify from a pod in `westside-ai-assistant` namespace that it can reach Ollama ## Review Checklist - [x] `tofu fmt` run - [x] `tofu validate` passes - [x] `tofu plan -lock=false` output reviewed - [x] Single file changed (`network-policies.tf`) - [x] Pattern matches existing allowlist entries (e.g., keycloak netpol) ## Related Notes None. ## Related - Closes forgejo_admin/westside-ai-assistant#14

forgejo_admin added 1 commit

2026-03-29 03:18:29 +00:00

feat: allow westside-ai-assistant namespace ingress to Ollama

ci/woodpecker/push/woodpecker Pipeline was successful

Details

ci/woodpecker/pr/woodpecker Pipeline was successful

Details

ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful

Details

9914a90599

Add westside-ai-assistant to the Ollama NetworkPolicy allowlist so the
AI assistant service can reach the Ollama LLM endpoint.

Refs: forgejo_admin/westside-ai-assistant#14

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented

2026-03-29 03:18:59 +00:00

Author

Owner

QA Review -- PR #246

Scope

Single-line addition to terraform/network-policies.tf: adds westside-ai-assistant namespace to the Ollama NetworkPolicy ingress allowlist.

Findings

Diff correctness:

The new line follows the exact pattern of every other namespace allowlist entry in the file (namespaceSelector with kubernetes.io/metadata.name matchLabel).
Placement is correct -- appended after pal-e-docs within the netpol_ollama ingress block.
No trailing comma issues; HCL list syntax is consistent with the rest of the file.

Validation:

tofu fmt -- passed (no formatting diff)
tofu validate -- passed
tofu plan -lock=false -target=kubernetes_manifest.netpol_ollama -- 0 to add, 1 to change, 0 to destroy. Only the expected ingress rule addition.

PR hygiene:

Branch naming 14-ollama-netpol follows {issue-number}-{kebab-case} convention.
PR body includes tofu plan output, test plan, review checklist, and Closes reference.
Cross-repo reference Closes forgejo_admin/westside-ai-assistant#14 is correct.

No issues found. This is a clean, minimal infrastructure change.

VERDICT: APPROVED

## QA Review -- PR #246 ### Scope Single-line addition to `terraform/network-policies.tf`: adds `westside-ai-assistant` namespace to the Ollama NetworkPolicy ingress allowlist. ### Findings **Diff correctness:** - The new line follows the exact pattern of every other namespace allowlist entry in the file (namespaceSelector with `kubernetes.io/metadata.name` matchLabel). - Placement is correct -- appended after `pal-e-docs` within the `netpol_ollama` ingress block. - No trailing comma issues; HCL list syntax is consistent with the rest of the file. **Validation:** - `tofu fmt` -- passed (no formatting diff) - `tofu validate` -- passed - `tofu plan -lock=false -target=kubernetes_manifest.netpol_ollama` -- 0 to add, 1 to change, 0 to destroy. Only the expected ingress rule addition. **PR hygiene:** - Branch naming `14-ollama-netpol` follows `{issue-number}-{kebab-case}` convention. - PR body includes tofu plan output, test plan, review checklist, and `Closes` reference. - Cross-repo reference `Closes forgejo_admin/westside-ai-assistant#14` is correct. **No issues found.** This is a clean, minimal infrastructure change. --- **VERDICT: APPROVED**