ldraney/pal-e-platform
1
0
Fork 0
Code Issues 91 Pull requests 5 Projects Releases Packages Wiki Activity Actions

fix: add basketball-api network policy to terraform with self + westside-contracts ingress #270

New issue
Closed
opened 2026-04-05 21:58:15 +00:00 by forgejo_admin · 2 comments
forgejo_admin commented 2026-04-05 21:58:15 +00:00
Contributor
Copy link

Type

Bug

Lineage

Standalone — discovered during contract email send session (2026-04-05).

Repo

forgejo_admin/pal-e-platform

What Broke

tofu apply created a default-deny-ingress NetworkPolicy on the basketball-api namespace that only allowed ingress from tailscale and monitoring. This blocked:

  • basketball-api pod → postgres pod (same namespace, ECONNREFUSED 10.43.53.53:5432)
  • westside-contracts pod → postgres pod (cross-namespace, same error)

Result: basketball-api CrashLoopBackOff, westside-contracts contract pages returning 500.

Repro Steps

  1. Run tofu apply on pal-e-platform (applies network-policies.tf)
  2. Visit any contract page: https://westside-contracts.tail5b443a.ts.net/contract/{token}
  3. Observe: 500 error, logs show connect ECONNREFUSED to postgres

Expected Behavior

basketball-api app pod should reach postgres pod within the same namespace. westside-contracts should reach basketball-api postgres cross-namespace. Both should work after tofu apply.

Environment

  • Cluster/namespace: prod, basketball-api
  • NetworkPolicy created: 2026-04-05T20:07:59Z
  • Manually patched via kubectl to unblock — will be overwritten next tofu apply

Acceptance Criteria

  • terraform/network-policies.tf has a netpol_basketball_api resource
  • Policy allows: self-namespace (basketball-api), tailscale, monitoring, westside-contracts, westside-ai-assistant
  • tofu apply does not break basketball-api→postgres connectivity
  • westside-contracts can query basketball-api postgres after apply

Related

  • pal-e-platform — this repo
  • westside-basketball — affected project
  • sop-network-security — network policy SOP
### Type Bug ### Lineage Standalone — discovered during contract email send session (2026-04-05). ### Repo `forgejo_admin/pal-e-platform` ### What Broke `tofu apply` created a `default-deny-ingress` NetworkPolicy on the basketball-api namespace that only allowed ingress from `tailscale` and `monitoring`. This blocked: - basketball-api pod → postgres pod (same namespace, `ECONNREFUSED 10.43.53.53:5432`) - westside-contracts pod → postgres pod (cross-namespace, same error) Result: basketball-api CrashLoopBackOff, westside-contracts contract pages returning 500. ### Repro Steps 1. Run `tofu apply` on pal-e-platform (applies network-policies.tf) 2. Visit any contract page: `https://westside-contracts.tail5b443a.ts.net/contract/{token}` 3. Observe: 500 error, logs show `connect ECONNREFUSED` to postgres ### Expected Behavior basketball-api app pod should reach postgres pod within the same namespace. westside-contracts should reach basketball-api postgres cross-namespace. Both should work after `tofu apply`. ### Environment - Cluster/namespace: prod, basketball-api - NetworkPolicy created: 2026-04-05T20:07:59Z - Manually patched via kubectl to unblock — will be overwritten next `tofu apply` ### Acceptance Criteria - [ ] `terraform/network-policies.tf` has a `netpol_basketball_api` resource - [ ] Policy allows: self-namespace (basketball-api), tailscale, monitoring, westside-contracts, westside-ai-assistant - [ ] `tofu apply` does not break basketball-api→postgres connectivity - [ ] westside-contracts can query basketball-api postgres after apply ### Related - `pal-e-platform` — this repo - `westside-basketball` — affected project - `sop-network-security` — network policy SOP
forgejo_admin commented 2026-04-05 22:11:47 +00:00
Author
Contributor
Copy link

Scope Review: READY

Review note: review-843-2026-04-03
Ticket is fully scoped, file target verified, single-file fix following established patterns. Ready for agent dispatch.

  • [LABEL] story:PLAT-S1 is not a recognized story key on project-pal-e-platform. Consider changing to story:superuser-deploy.
## Scope Review: READY Review note: `review-843-2026-04-03` Ticket is fully scoped, file target verified, single-file fix following established patterns. Ready for agent dispatch. - **[LABEL]** `story:PLAT-S1` is not a recognized story key on `project-pal-e-platform`. Consider changing to `story:superuser-deploy`.
forgejo_admin commented 2026-04-05 22:12:33 +00:00
Author
Contributor
Copy link

Agent picked up this ticket.

Agent picked up this ticket.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
fix-gem-bin-path
netpol-westside-ror
fix-woodpecker-multi-pipeline
345-harbor-mobile-css
290-payment-pipeline-observability
spec-board-centric-renderer
284-fix-add-pal-e-docs-namespace-to-postgres
284-add-pal-e-docs-postgres-netpol
188-cross-repo-worktree-isolation-for-parall
111-fix-keycloak-probe
86-fix-rotate-woodpecker-api-token-in-salt
71-feat-deploy-pyrra-slo-manager-with-servi
64-hotfix-woodpecker-oauth-login-broken-for
18-fix-grafana-duplicate-default-datasource-v2
18-fix-grafana-duplicate-default-datasource
13-fix-cnpg-all-parameters
No results found.
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ldraney/pal-e-platform#270
No description provided.