feat: allow westside-contracts namespace ingress to MinIO #150

Merged
forgejo_admin merged 1 commit from 149-minio-westside-contracts-netpol into main 2026-03-24 09:03:15 +00:00

Summary

Add westside-contracts namespace to the MinIO NetworkPolicy ingress allow list so the contracts service can reach MinIO for document storage.

Changes

  • terraform/network-policies.tf -- added one ingress rule to netpol_minio allowing traffic from westside-contracts namespace

Test Plan

  • tofu fmt -- no formatting changes needed
  • tofu validate -- passed
  • tofu plan -lock=false -- cannot run from worktree (Kubernetes backend requires cluster access); will run on archbox after merge
  • Verify westside-contracts pods can reach MinIO S3 endpoint post-apply

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes -- single line addition
  • Commit messages are descriptive

Related

  • Closes #149
  • Pattern follows existing entries (tailscale, postgres, woodpecker, monitoring, tofu-state, pal-e-mail)
feat: allow westside-contracts namespace ingress to MinIO
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
d7bd999fef
Add westside-contracts to the MinIO NetworkPolicy ingress allow list
so the contracts service can access MinIO for document storage.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Review complete. No issues found.

  • 1 file changed, 1 line added, 0 deleted
  • Change is a single ingress rule addition to netpol_minio, following the exact pattern of the 6 existing entries
  • No secrets, no unrelated changes, no formatting drift
  • tofu fmt and tofu validate both passed
  • PR is mergeable

PR #150 Review

DOMAIN REVIEW

Tech stack: Terraform (OpenTofu) / Kubernetes NetworkPolicy

This is a single-line addition to terraform/network-policies.tf adding westside-contracts to the netpol_minio ingress allow list. The change follows the exact structural pattern used by all other entries in this resource (tailscale, postgres, woodpecker, monitoring, tofu-state, pal-e-mail).

Terraform/k8s checklist:

  • tofu fmt compliance: PR body confirms no formatting changes needed. The new line matches the indentation and structure of adjacent entries -- verified in the full file.
  • tofu validate: PR body confirms passed.
  • State safety: Additive change only (1 addition, 0 deletions). Appends a new ingress rule to an existing list. No state-breaking risk.
  • k8s security: The namespaceSelector uses kubernetes.io/metadata.name which is an immutable label auto-applied by Kubernetes. This is the correct and secure pattern -- it cannot be spoofed by workloads. Least-privilege principle is maintained: only the specific namespace is granted ingress, not a broad selector.
  • Secrets handling: No secrets involved. Clean.
  • Namespace existence: westside-contracts is not a namespace managed by this repo, which is consistent with the pattern -- basketball-api, pal-e-docs, and tofu-state are also referenced as external namespaces in other NetworkPolicies here. The selector will match once the namespace exists in the cluster.

No domain concerns.

BLOCKERS

None.

This is a one-line additive NetworkPolicy change. No new functionality requiring tests (infrastructure NetworkPolicy rules are validated by tofu validate + post-apply verification). No user input. No secrets. No auth logic.

NITS

  1. tofu plan output missing from PR body: PR conventions say "Include tofu plan output for any Terraform changes." The PR body explains this cannot be run from the worktree (requires cluster access), which is a known constraint. Acceptable given the circumstances, but worth noting the convention gap.

  2. Related section does not reference plan slug: The Related section references the parent issue (#149) and the pattern precedent, but does not include a reference to plan-pal-e-platform. For a standalone board-level ticket this is minor.

SOP COMPLIANCE

  • Branch named after issue: 149-minio-westside-contracts-netpol references issue #149
  • PR body has Summary, Changes, Test Plan, Related sections
  • Related references plan slug: Missing plan-pal-e-platform reference (minor -- standalone ticket)
  • No secrets committed
  • No unnecessary file changes: 1 file, 1 line added -- zero scope creep
  • Commit messages are descriptive

PROCESS OBSERVATIONS

  • Deployment frequency: This follows the established pattern from PR #145 (pal-e-mail) and PR #120 (basketball-api to keycloak). The NetworkPolicy ingress allow-list is becoming a recurring touchpoint as new services come online. No concern for now, but if the list grows significantly, consider whether a variable-driven approach (a list of allowed namespaces per policy) would reduce per-service PRs to config changes.
  • Change failure risk: Extremely low. Additive-only, follows proven pattern, no state migration required. The only failure mode is the westside-contracts namespace not existing yet at apply time, which would be a no-op (selector matches nothing) rather than an error.
  • Test plan: Post-apply verification (connectivity test from westside-contracts pods to MinIO) is the correct validation strategy for NetworkPolicy changes. Unit tests are not applicable here.

VERDICT: APPROVED
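The variable-driven allow list suggested under PROCESS OBSERVATIONS, built on the same kubernetes.io/metadata.name namespace selector the k8s security item describes, as an added example; this is not the repository's own terraform/network-policies.tf, whose contents are not shown on this page. The resource name, the minio namespace, the app=minio pod label, the variable name and TCP/9000 are assumptions.

```hcl
# Added example, not the repository's own netpol_minio. Assumptions: MinIO runs in
# namespace "minio" with pods labelled app=minio and serves S3 on TCP/9000.
variable "minio_allowed_namespaces" {
  description = "Namespaces granted ingress to MinIO (one entry per client service)."
  type        = set(string)
  default = [
    "tailscale",
    "postgres",
    "woodpecker",
    "monitoring",
    "tofu-state",
    "pal-e-mail",
    "westside-contracts", # PR #150: adding a client becomes a one-line config change
  ]
}

resource "kubernetes_network_policy_v1" "minio" {
  metadata {
    name      = "minio"
    namespace = "minio"
  }
  spec {
    # Only MinIO pods are targeted; other pods in the namespace keep their default policy.
    pod_selector {
      match_labels = { app = "minio" }
    }
    # One ingress rule: the "from" peers are OR-ed together and the ports clause is
    # AND-ed with them, so any listed namespace may reach TCP/9000 and nothing else.
    ingress {
      dynamic "from" {
        for_each = var.minio_allowed_namespaces
        content {
          namespace_selector {
            # kubernetes.io/metadata.name is set by the API server and cannot be changed
            # by workloads, so it is the safe key for a namespace allow list.
            match_labels = { "kubernetes.io/metadata.name" = from.value }
          }
        }
      }
      ports {
        port     = "9000"
        protocol = "TCP"
      }
    }
    # Ingress-only isolation; a namespace that does not exist yet matches nothing, as noted above.
    policy_types = ["Ingress"]
  }
}
```

With this shape, onboarding a new client service is a change to the variable's default (or a tfvars file) rather than a new ingress block, while the per-namespace least-privilege grant is unchanged.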

forgejo_admin deleted branch 149-minio-westside-contracts-netpol 2026-03-24 09:03:15 +00:00