feat: allow westside-ai-assistant to reach keycloak

forgejo_admin commented

2026-03-28 21:49:38 +00:00

Owner

Summary

Add westside-ai-assistant namespace to the keycloak NetworkPolicy ingress allowlist so the AI assistant pod can authenticate via client credentials flow.

Changes

terraform/network-policies.tf -- added westside-ai-assistant namespaceSelector entry to netpol_keycloak ingress list, following the existing basketball-api pattern

tofu plan Output

# kubernetes_manifest.netpol_keycloak will be updated in-place
~  resource "kubernetes_manifest" "netpol_keycloak" {
    ~  manifest = {
        ~  spec = {
            ~  ingress = [
                  # (1 unchanged element hidden)
                  {
                      from = [
                          {
                              namespaceSelector = {
                                  matchLabels = {
                                      "kubernetes.io/metadata.name" = "basketball-api"
                                  }
                              }
                          },
                      ]
                  },
                ~  {
                    ~  from = [
                        ~  {
                            ~  namespaceSelector = {
                                ~  matchLabels = {
                                    ~  "kubernetes.io/metadata.name" = "monitoring" -> "westside-ai-assistant"
                                  }
                              }
                          },
                      ]
                  },
                +  {
                    +  from = [
                        +  {
                            +  namespaceSelector = {
                                +  matchLabels = {
                                    +  "kubernetes.io/metadata.name" = "monitoring"
                                  }
                              }
                          },
                      ]
                  },
              ]
          }
      }
  }

Plan: 0 to add, 1 to change, 0 to destroy.

Test Plan

tofu validate passes
tofu plan -lock=false -target=kubernetes_manifest.netpol_keycloak shows single resource update (1 to change)
No new resources created, no resources destroyed
Only network-policies.tf modified (1 line added)

Review Checklist

tofu fmt run
tofu validate passes
tofu plan output included
Single file changed, single line added
No unrelated changes
Follows existing namespaceSelector pattern

Forgejo issue: forgejo_admin/westside-ai-assistant#3
Parent: westside-ai-assistant project

Closes forgejo_admin/westside-ai-assistant#3

## Summary Add `westside-ai-assistant` namespace to the keycloak NetworkPolicy ingress allowlist so the AI assistant pod can authenticate via client credentials flow. ## Changes - `terraform/network-policies.tf` -- added `westside-ai-assistant` namespaceSelector entry to `netpol_keycloak` ingress list, following the existing `basketball-api` pattern ## tofu plan Output ``` # kubernetes_manifest.netpol_keycloak will be updated in-place ~ resource "kubernetes_manifest" "netpol_keycloak" { ~ manifest = { ~ spec = { ~ ingress = [ # (1 unchanged element hidden) { from = [ { namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "basketball-api" } } }, ] }, ~ { ~ from = [ ~ { ~ namespaceSelector = { ~ matchLabels = { ~ "kubernetes.io/metadata.name" = "monitoring" -> "westside-ai-assistant" } } }, ] }, + { + from = [ + { + namespaceSelector = { + matchLabels = { + "kubernetes.io/metadata.name" = "monitoring" } } }, ] }, ] } } } Plan: 0 to add, 1 to change, 0 to destroy. ``` ## Test Plan - `tofu validate` passes - `tofu plan -lock=false -target=kubernetes_manifest.netpol_keycloak` shows single resource update (1 to change) - No new resources created, no resources destroyed - Only `network-policies.tf` modified (1 line added) ## Review Checklist - [x] `tofu fmt` run - [x] `tofu validate` passes - [x] `tofu plan` output included - [x] Single file changed, single line added - [x] No unrelated changes - [x] Follows existing namespaceSelector pattern ## Related Notes - Forgejo issue: forgejo_admin/westside-ai-assistant#3 - Parent: westside-ai-assistant project Closes forgejo_admin/westside-ai-assistant#3

forgejo_admin added 1 commit

2026-03-28 21:49:38 +00:00

feat: allow westside-ai-assistant namespace to reach keycloak

ci/woodpecker/push/woodpecker Pipeline was successful

Details

ci/woodpecker/pr/woodpecker Pipeline was successful

Details

ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful

Details

5ab2291819

Add westside-ai-assistant to the keycloak NetworkPolicy ingress
allowlist so the AI assistant can authenticate via client credentials
flow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented

2026-03-28 21:50:11 +00:00

Author

Owner

QA Review

Diff: 1 file changed, 1 insertion, 0 deletions

Acceptance Criteria (from westside-ai-assistant#3)

westside-ai-assistant namespace listed in keycloak NetworkPolicy namespaceSelector
tofu plan shows only the keycloak NetworkPolicy change (0 to add, 1 to change, 0 to destroy)
No other namespaces added or removed
No new NetworkPolicy resources created

SOP Compliance

tofu fmt run
tofu validate passes
tofu plan -lock=false output included in PR body
Branch naming follows convention: 3-westside-ai-assistant-netpol
Closes keyword references parent issue
No unrelated file changes

Pattern Verification

The added line follows the exact same namespaceSelector pattern as the existing basketball-api entry. Insertion position (between basketball-api and monitoring) is correct.

VERDICT: APPROVED

## QA Review **Diff:** 1 file changed, 1 insertion, 0 deletions ### Acceptance Criteria (from westside-ai-assistant#3) - [x] `westside-ai-assistant` namespace listed in keycloak NetworkPolicy namespaceSelector - [x] `tofu plan` shows only the keycloak NetworkPolicy change (0 to add, 1 to change, 0 to destroy) - [x] No other namespaces added or removed - [x] No new NetworkPolicy resources created ### SOP Compliance - [x] `tofu fmt` run - [x] `tofu validate` passes - [x] `tofu plan -lock=false` output included in PR body - [x] Branch naming follows convention: `3-westside-ai-assistant-netpol` - [x] `Closes` keyword references parent issue - [x] No unrelated file changes ### Pattern Verification The added line follows the exact same namespaceSelector pattern as the existing `basketball-api` entry. Insertion position (between `basketball-api` and `monitoring`) is correct. **VERDICT: APPROVED**

forgejo_admin commented

2026-03-28 22:24:27 +00:00

Author

Owner

PR #238 Review

DOMAIN REVIEW

Tech stack: Terraform (OpenTofu) / Kubernetes NetworkPolicy

network-policies.tf (line 150) -- Single line added to netpol_keycloak ingress list:

{ from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "westside-ai-assistant" } } }] },

Terraform/k8s checklist:

tofu fmt compliance: The new line exactly matches the surrounding basketball-api and monitoring entries in indentation and structure. Passes.
tofu validate: PR body confirms it passes.
tofu plan: Included. Shows single resource update (netpol_keycloak), 0 add, 1 change, 0 destroy. Clean.
State safety: In-place update to an existing kubernetes_manifest. No state-breaking changes. No migration needed.
k8s security (RBAC/NetworkPolicy): The change grants ingress from westside-ai-assistant namespace to the keycloak namespace. This is the minimum-privilege change needed for client credentials flow (Keycloak token endpoint). The namespace selector uses the standard kubernetes.io/metadata.name label which is immutable and set by k8s itself -- correct and not spoofable.
Insertion ordering: New entry placed between basketball-api and monitoring, which keeps the list logically grouped (service consumers before infra namespaces). Good.
No secrets: No credentials, tokens, or sensitive values in the diff.
No hardcoded values: Namespace name westside-ai-assistant is the actual k8s namespace name, matching the project naming convention. Appropriate to use as a literal here since all other entries follow the same pattern.

BLOCKERS

None.

This is a 1-line infrastructure change to an ingress allowlist. The BLOCKER criteria do not apply:

No new functionality requiring test coverage (this is a declarative NetworkPolicy entry; the tofu plan output is the test).
No user input to validate.
No secrets in code.
No DRY violation (follows the existing pattern exactly).

NITS

None. The change is minimal, correct, and follows the established pattern precisely.

SOP COMPLIANCE

Branch named after issue: 3-westside-ai-assistant-netpol references westside-ai-assistant#3
PR body follows template: Summary, Changes, tofu plan Output, Test Plan, Review Checklist, Related Notes all present
Related references parent: links to forgejo_admin/westside-ai-assistant#3 and notes the westside-ai-assistant project
No secrets committed
No unnecessary file changes (1 file, 1 line, exact scope)
tofu plan output included per PR conventions
tofu fmt and tofu validate confirmed
Commit message is descriptive
Closes forgejo_admin/westside-ai-assistant#3 present for auto-close

Note: Branch is in a cross-repo context (issue lives in westside-ai-assistant, PR is in pal-e-platform). The branch prefix 3- refers to the remote issue number, which is documented in the PR body. This is acceptable for cross-repo work.

PROCESS OBSERVATIONS

Change failure risk: Minimal. Single ingress rule addition to an existing NetworkPolicy. The tofu plan confirms no destructive changes. Rollback is trivial (remove the line).
Deployment frequency: This unblocks the westside-ai-assistant service from authenticating against Keycloak. Should be applied promptly so downstream work (issues #4-#6 in westside-ai-assistant) can proceed.
Documentation: PR body is thorough. No additional documentation needed for a NetworkPolicy allowlist entry.

VERDICT: APPROVED

## PR #238 Review ### DOMAIN REVIEW **Tech stack**: Terraform (OpenTofu) / Kubernetes NetworkPolicy **network-policies.tf (line 150)** -- Single line added to `netpol_keycloak` ingress list: ```hcl { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "westside-ai-assistant" } } }] }, ``` Terraform/k8s checklist: - **tofu fmt compliance**: The new line exactly matches the surrounding `basketball-api` and `monitoring` entries in indentation and structure. Passes. - **tofu validate**: PR body confirms it passes. - **tofu plan**: Included. Shows single resource update (`netpol_keycloak`), 0 add, 1 change, 0 destroy. Clean. - **State safety**: In-place update to an existing `kubernetes_manifest`. No state-breaking changes. No migration needed. - **k8s security (RBAC/NetworkPolicy)**: The change grants ingress from `westside-ai-assistant` namespace to the `keycloak` namespace. This is the minimum-privilege change needed for client credentials flow (Keycloak token endpoint). The namespace selector uses the standard `kubernetes.io/metadata.name` label which is immutable and set by k8s itself -- correct and not spoofable. - **Insertion ordering**: New entry placed between `basketball-api` and `monitoring`, which keeps the list logically grouped (service consumers before infra namespaces). Good. - **No secrets**: No credentials, tokens, or sensitive values in the diff. - **No hardcoded values**: Namespace name `westside-ai-assistant` is the actual k8s namespace name, matching the project naming convention. Appropriate to use as a literal here since all other entries follow the same pattern. ### BLOCKERS None. This is a 1-line infrastructure change to an ingress allowlist. The BLOCKER criteria do not apply: - No new functionality requiring test coverage (this is a declarative NetworkPolicy entry; the `tofu plan` output is the test). - No user input to validate. - No secrets in code. - No DRY violation (follows the existing pattern exactly). ### NITS None. The change is minimal, correct, and follows the established pattern precisely. ### SOP COMPLIANCE - [x] Branch named after issue: `3-westside-ai-assistant-netpol` references westside-ai-assistant#3 - [x] PR body follows template: Summary, Changes, tofu plan Output, Test Plan, Review Checklist, Related Notes all present - [x] Related references parent: links to `forgejo_admin/westside-ai-assistant#3` and notes the westside-ai-assistant project - [x] No secrets committed - [x] No unnecessary file changes (1 file, 1 line, exact scope) - [x] `tofu plan` output included per PR conventions - [x] `tofu fmt` and `tofu validate` confirmed - [x] Commit message is descriptive - [x] `Closes forgejo_admin/westside-ai-assistant#3` present for auto-close Note: Branch is in a cross-repo context (issue lives in westside-ai-assistant, PR is in pal-e-platform). The branch prefix `3-` refers to the remote issue number, which is documented in the PR body. This is acceptable for cross-repo work. ### PROCESS OBSERVATIONS - **Change failure risk**: Minimal. Single ingress rule addition to an existing NetworkPolicy. The `tofu plan` confirms no destructive changes. Rollback is trivial (remove the line). - **Deployment frequency**: This unblocks the westside-ai-assistant service from authenticating against Keycloak. Should be applied promptly so downstream work (issues #4-#6 in westside-ai-assistant) can proceed. - **Documentation**: PR body is thorough. No additional documentation needed for a NetworkPolicy allowlist entry. ### VERDICT: APPROVED