NetworkPolicy update in pal-e-platform #3

Closed
opened 2026-03-28 19:14:40 +00:00 by forgejo_admin · 3 comments

Type

Feature

Lineage

Standalone — scoped from westside-ai-assistant design spec (2026-03-28).

Repo

forgejo_admin/pal-e-platform

User Story

As Marcus (admin)
I want the AI assistant to reach Keycloak inside the cluster
So that it can authenticate via client credentials flow

Context

NetworkPolicies in pal-e-platform restrict cross-namespace traffic to platform services. The westside-ai-assistant pod needs to reach keycloak for client credentials token exchange. basketball-api does NOT have a NetworkPolicy (traffic to it is already unrestricted from all namespaces — confirmed by westside-app reaching it without any allowlist entry). Only the keycloak NetworkPolicy needs modification. The pattern is already established: basketball-api is already in the keycloak allowlist (see netpol_keycloak resource in network-policies.tf, approx line 133-154).

File Targets

Files the agent should modify:

  • terraform/network-policies.tf — add westside-ai-assistant namespace to the keycloak ingress NetworkPolicy (kubernetes_manifest.netpol_keycloak) namespaceSelector list

Files the agent should NOT touch:

  • Any other terraform file
  • Any other NetworkPolicy (basketball-api has no NetworkPolicy — do not create one)

Acceptance Criteria

  • westside-ai-assistant namespace listed in keycloak NetworkPolicy namespaceSelector (same pattern as basketball-api entry)
  • tofu plan -lock=false shows only the keycloak NetworkPolicy change
  • No other namespaces added or removed
  • No new NetworkPolicy resources created

Test Expectations

  • tofu validate passes
  • tofu plan -lock=false output in PR showing single resource change
  • Run command: cd terraform && tofu validate && tofu plan -lock=false

Constraints

  • Only modify the keycloak NetworkPolicy in network-policies.tf
  • Follow existing namespaceSelector pattern (see how basketball-api is listed)
  • Do NOT create a basketball-api NetworkPolicy (that's separate discovered scope)
  • Do NOT run tofu apply
  • PR goes to pal-e-platform repo, not westside-ai-assistant

Checklist

  • PR opened on pal-e-platform
  • tofu plan output in PR
  • No unrelated changes

Related

  • project-westside-ai-assistant — parent project
  • service-onboarding-sop — step 4: NetworkPolicy
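A check a reviewer can run over `tofu show -json tfplan` output to confirm the acceptance criteria mechanically: exactly one in-place update, to netpol_keycloak only, adding westside-ai-assistant and removing nothing. This is an added example, not code from the pal-e-platform repo; it assumes the allowlist is expressed as ingress `from` entries with a `namespaceSelector` on the `kubernetes.io/metadata.name` label, and SAMPLE_PLAN is a constructed plan, not real project output.

```python
EXPECTED_ADDRESS = "kubernetes_manifest.netpol_keycloak"
EXPECTED_ADDED = {"westside-ai-assistant"}
NS_LABEL = "kubernetes.io/metadata.name"  # assumed selector key in the manifest

def allowed_namespaces(manifest):
    """Namespaces named by ingress[].from[].namespaceSelector.matchLabels."""
    names = set()
    for rule in (manifest or {}).get("spec", {}).get("ingress", []):
        for peer in rule.get("from", []):
            labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
            if NS_LABEL in labels:
                names.add(labels[NS_LABEL])
    return names

def check_plan(plan):
    """Return a list of problems; an empty list means the plan matches the AC."""
    problems = []
    changes = [rc for rc in plan.get("resource_changes", [])
               if rc["change"]["actions"] not in (["no-op"], ["read"])]
    for rc in changes:  # AC: no resource other than the keycloak policy may change
        if rc["address"] != EXPECTED_ADDRESS:
            problems.append(f"unexpected change: {rc['address']} {rc['change']['actions']}")
    target = [rc for rc in changes if rc["address"] == EXPECTED_ADDRESS]
    if len(target) != 1:
        return problems + [f"expected exactly one change to {EXPECTED_ADDRESS}"]
    change = target[0]["change"]
    if change["actions"] != ["update"]:  # a replace would briefly drop the policy
        problems.append(f"expected in-place update, got {change['actions']}")
    before = allowed_namespaces((change.get("before") or {}).get("manifest"))
    after = allowed_namespaces((change.get("after") or {}).get("manifest"))
    if before - after:  # AC: no namespace removed from the allowlist
        problems.append(f"namespaces removed: {sorted(before - after)}")
    if after - before != EXPECTED_ADDED:  # AC: only the new namespace added
        problems.append(f"unexpected namespaces added: {sorted(after - before)}")
    return problems

def _netpol(namespaces):
    """Minimal NetworkPolicy manifest in the assumed allowlist shape."""
    return {"kind": "NetworkPolicy", "spec": {"ingress": [{"from": [
        {"namespaceSelector": {"matchLabels": {NS_LABEL: ns}}} for ns in namespaces]}]}}

# Constructed sample plan (not real project output): one update plus one no-op.
SAMPLE_PLAN = {"resource_changes": [
    {"address": EXPECTED_ADDRESS, "change": {"actions": ["update"],
     "before": {"manifest": _netpol(["basketball-api"])},
     "after": {"manifest": _netpol(["basketball-api", "westside-ai-assistant"])}}},
    {"address": "kubernetes_manifest.netpol_other", "change": {"actions": ["no-op"],
     "before": {}, "after": {}}},
]}
```

Feed it a real plan with `json.load()` on the output of `tofu show -json tfplan`; any non-empty result is a reason to hold the PR.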

Scope Review: NEEDS_REFINEMENT

Review note: review-595-2026-03-28

basketball-api has no NetworkPolicy in pal-e-platform. The file contains 9 policies for platform namespaces; basketball-api is an application namespace with no default-deny. Only the keycloak policy needs modification.

  • [BODY] Remove "basketball-api ingress policy" from File Targets — it does not exist. Only keycloak policy (netpol_keycloak, line ~148) needs the westside-ai-assistant entry.
  • [BODY] Remove AC1 ("namespace listed in basketball-api NetworkPolicy allowlist") — untestable, policy doesn't exist. Replace with note that basketball-api is already reachable.
  • [BODY] Update Context to clarify only keycloak needs modification.
  • [SCOPE] Decision needed: should a default-deny NetworkPolicy be created for basketball-api? Currently accepts traffic from all namespaces. If yes, separate ticket.

Scope refinement (review-595-2026-03-28):

  1. Removed basketball-api NetworkPolicy references — basketball-api has NO NetworkPolicy (traffic already unrestricted)
  2. Scoped to keycloak NetworkPolicy modification only
  3. basketball-api default-deny NetworkPolicy tracked as discovered scope in #9

Scope Review: READY

Review note: review-595-2026-03-28-r2

Re-review after refinement. All 4 recommendations from review-595-2026-03-28 have been addressed:

  • File Targets scoped to keycloak NetworkPolicy only (basketball-api references removed)
  • All 4 AC are testable and keycloak-scoped
  • Context clearly explains basketball-api has no NetworkPolicy
  • Discovered scope (basketball-api default-deny) tracked as #9

File targets verified against codebase: netpol_keycloak at lines 133-154, basketball-api pattern at line 149 confirmed as the template to follow. Single-line addition, ~2 min agent work. Ready for dispatch.
