Infra: Postgres database + NetworkPolicy for interaction logging #21

Open
opened 2026-03-29 22:36:16 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Prerequisite for forgejo_admin/westside-ai-assistant#19 (interaction logging). Discovered during review-684-2026-03-28-v2.

Repo

forgejo_admin/pal-e-platform + cluster ops

User Story

As Lucas (platform operator)
I want a Postgres database provisioned for Nemo's interaction logs
So that the AI assistant can persist conversation data for analysis and improvement

Context

The westside-ai-assistant needs a database in the existing CNPG cluster (pal-e-postgres) for interaction logging. Three things are needed: (1) create a database and user in the CNPG Postgres cluster, (2) add westside-ai-assistant to the postgres NetworkPolicy allowlist in pal-e-platform, (3) create a k8s secret with the database URL in the westside-ai-assistant namespace.

File Targets

Files the agent should modify:

  • terraform/network-policies.tf — add westside-ai-assistant to postgres namespace NetworkPolicy allowlist (same pattern as basketball-api)
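An added illustration of what the allowlist change in step (2) looks like; this is not the actual contents of terraform/network-policies.tf or the basketball-api rule, and it assumes the hashicorp/kubernetes provider, a namespace-label allowlist, and that the CNPG instance pods carry the label cnpg.io/cluster=pal-e-postgres.

```hcl
# Added example, not the platform's existing policy. Assumes the
# hashicorp/kubernetes provider and the CloudNativePG pod label
# cnpg.io/cluster=<cluster name>. The namespace label
# kubernetes.io/metadata.name is set by Kubernetes itself, so client
# namespaces need no extra labelling.
locals {
  # Namespaces allowed to reach Postgres. Appending westside-ai-assistant
  # here should be the only diff `tofu plan -lock=false` reports.
  postgres_client_namespaces = [
    "basketball-api",
    "westside-ai-assistant",
  ]
}

resource "kubernetes_network_policy_v1" "postgres_ingress" {
  metadata {
    name      = "postgres-allow-clients"
    namespace = "postgres"
  }

  spec {
    # Only the CNPG instance pods are governed by this policy.
    pod_selector {
      match_labels = {
        "cnpg.io/cluster" = "pal-e-postgres"
      }
    }
    policy_types = ["Ingress"]

    ingress {
      # One `from` entry per allowlisted namespace; entries are OR-ed.
      dynamic "from" {
        for_each = toset(local.postgres_client_namespaces)
        content {
          namespace_selector {
            match_labels = {
              "kubernetes.io/metadata.name" = from.value
            }
          }
        }
      }
      # Limit the allowlist to the Postgres port so a client namespace
      # cannot reach anything else the instance pods expose.
      ports {
        port     = "5432"
        protocol = "TCP"
      }
    }
  }
}
```

If this policy is the only ingress policy selecting the instance pods, it must also keep whatever the CloudNativePG operator and streaming replicas require (not shown here), so extend the existing rule rather than replacing it with this block.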

Files the agent should NOT touch:

  • Any application code

Acceptance Criteria

  • Database nemo created in pal-e-postgres CNPG cluster: kubectl exec -n postgres pal-e-postgres-1 -- psql -U postgres -c "CREATE DATABASE nemo;"
  • Database user nemo created with password: kubectl exec -n postgres pal-e-postgres-1 -- psql -U postgres -c "CREATE USER nemo WITH PASSWORD '...'; GRANT ALL ON DATABASE nemo TO nemo;"
  • NetworkPolicy updated: westside-ai-assistant in postgres allowlist
  • k8s secret created: kubectl create secret generic nemo-db-secrets -n westside-ai-assistant --from-literal=database-url="postgresql://nemo:PASSWORD@pal-e-postgres-rw.postgres.svc.cluster.local:5432/nemo"
  • tofu plan -lock=false shows only NetworkPolicy change

Test Expectations

  • tofu validate passes
  • tofu plan -lock=false output in PR
  • From westside-ai-assistant pod: psql $DATABASE_URL -c "SELECT 1" connects successfully
  • Run command: cd terraform && tofu validate && tofu plan -lock=false

Constraints

  • Only terraform change is network-policies.tf (postgres allowlist)
  • Database and user created via kubectl exec (not terraform — follows existing pattern)
  • Password stored in ~/secrets/westside-ai-assistant/ for reference
  • PR goes to pal-e-platform repo

Checklist

  • PR opened on pal-e-platform
  • Database created
  • Secret created
  • NetworkPolicy applied
  • No unrelated changes

Related

  • project-westside-ai-assistant — parent project
  • forgejo_admin/westside-ai-assistant#19 — blocked by this ticket

Reference
forgejo_admin/westside-ai-assistant#21