fix: add pal-e-docs namespace to postgres NetworkPolicy #284

Open
opened 2026-04-12 17:56:31 +00:00 by forgejo_admin · 0 comments

Type

Bug

Lineage

Discovered during CORS fix deployment. pal-e-docs API pods cannot connect to postgres after restart.

Repo

forgejo_admin/pal-e-platform

What Broke

The postgres default-deny-ingress NetworkPolicy in terraform/network-policies.tf allows ingress from pal-e-production, basketball-api, cnpg-system, and monitoring — but NOT from pal-e-docs. The pal-e-docs API pod was surviving on a 14-day-old persistent TCP connection. When the pod restarted with the CORS fix, new connections were refused. Patched manually with kubectl patch.

Repro Steps

  1. Restart pal-e-docs pod (any reason — deploy, crash, ArgoCD sync)
  2. Pod runs alembic upgrade head at startup, tries to connect to postgres
  3. Connection refused — NetworkPolicy blocks ingress from pal-e-docs namespace
  4. Pod enters CrashLoopBackOff

Expected Behavior

pal-e-docs pods can connect to postgres after restart.

Environment

  • Cluster/namespace: prod / postgres
  • File: terraform/network-policies.tf line 172
  • Manual fix applied: kubectl patch networkpolicy — will be reverted by next tofu apply

Acceptance Criteria

  • pal-e-docs namespace added to postgres NetworkPolicy ingress rules in network-policies.tf
  • tofu plan -lock=false shows the expected change
  • After tofu apply, pal-e-docs pods can connect to postgres

Related

  • project-pal-e-platform — platform project
  • forgejo_admin/pal-e-api #258 — CORS fix that triggered the pod restart
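The shape of the fix the acceptance criteria ask for, written here as an added example rather than the contents of the repo's terraform/network-policies.tf: a kubernetes_network_policy resource for the postgres namespace whose single ingress rule admits source namespaces by their kubernetes.io/metadata.name label, with pal-e-docs added to the four namespaces the issue lists. The resource name, the locals list, the use of the metadata.name label, the empty pod_selector and the TCP/5432 port rule are all assumptions; the real file may select sources differently.

```hcl
# Added example, not the project's network-policies.tf. Resource name,
# label key, port and selector shape are assumptions.

locals {
  # One list for every namespace that opens connections to postgres.
  # Keeping it in one place is the point: a client namespace that is not
  # here keeps working on its existing connections and only fails once it
  # opens a new one, e.g. after a pod restart.
  postgres_client_namespaces = [
    "pal-e-production",
    "basketball-api",
    "cnpg-system",
    "monitoring",
    "pal-e-docs", # added by this issue
  ]
}

resource "kubernetes_network_policy" "postgres_default_deny_ingress" {
  metadata {
    name      = "default-deny-ingress"
    namespace = "postgres"
  }

  spec {
    # Empty pod_selector: the policy applies to every pod in postgres.
    pod_selector {}

    # Listing Ingress with only the rule below means all other ingress to
    # these pods is dropped, which is the default-deny behaviour.
    policy_types = ["Ingress"]

    ingress {
      from {
        # Namespace-only selector: any pod in a listed namespace may connect.
        # Add a pod_selector in this same from block to narrow it further.
        namespace_selector {
          match_expressions {
            key      = "kubernetes.io/metadata.name"
            operator = "In"
            values   = local.postgres_client_namespaces
          }
        }
      }

      ports {
        port     = "5432"
        protocol = "TCP"
      }
    }
  }
}
```

With this layout the `tofu plan -lock=false` diff for the fix is a single element appended to the values list, which is easy to review. The kubernetes.io/metadata.name label is set on every namespace by the API server on current Kubernetes releases; on an older cluster the selector would need a label the namespaces actually carry. Because the manual `kubectl patch` is overwritten on apply, the plan output, not the live object, is the thing to check before applying, and a throwaway pod in pal-e-docs opening a TCP connection to the postgres service after apply confirms the path end to end.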
Reference
ldraney/pal-e-platform#284