Add westside-admin to basketball-api network policy (declarative) #354

Open
opened 2026-05-06 04:10:35 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Bug

Lineage

  • Story: admin-row-crud
  • Discovered in: validation of westside-admin#4 (PR #36 merge, 2026-05-05)
  • SOP: sop-network-security

Repo

ldraney/pal-e-platform

What Broke

westside-admin pod could not connect to Postgres at postgres.basketball-api.svc.cluster.local:5432. The basketball-api namespace NetworkPolicy allows ingress from tailscale, basketball-api, westside-contracts, westside-ai-assistant, and monitoring — but not westside-admin.

Quick-fixed manually: kubectl apply to add westside-admin namespace to the allow list. This is ephemeral — next tofu apply will revert it.

Repro Steps

  1. Deploy westside-admin with DATABASE_URL pointing to basketball-api Postgres
  2. App loads /players route
  3. Drizzle query fails with ECONNREFUSED on port 5432

Expected Behavior

westside-admin namespace is in the basketball-api NetworkPolicy ingress allow list, managed declaratively via Terraform.

Acceptance Criteria

  • terraform/network-policies.tf includes westside-admin in the basketball-api namespace allow list
  • tofu plan shows the policy change
  • tofu apply succeeds
  • westside-admin pod can query basketball-api Postgres after apply
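An added example, not the project's own `terraform/network-policies.tf`, of how the allow list can be held declaratively with the hashicorp/kubernetes provider so that `tofu apply` enforces it instead of reverting it; the resource name, the policy name and the Postgres pod label `app = "postgres"` are assumptions.

```hcl
# Added example (not the project's code): the ingress allow list as a variable,
# so adding a client namespace is a one-line declarative change reviewed in tofu plan.
variable "basketball_api_postgres_clients" {
  description = "Namespaces allowed to reach Postgres in basketball-api on 5432/TCP"
  type        = list(string)
  default = [
    "tailscale",
    "basketball-api",
    "westside-contracts",
    "westside-ai-assistant",
    "monitoring",
    "westside-admin", # the namespace this issue adds
  ]
}

resource "kubernetes_network_policy" "basketball_api_postgres_ingress" {
  metadata {
    name      = "allow-postgres-clients" # assumed name
    namespace = "basketball-api"
  }

  spec {
    # Assumed pod label: scope the exception to the Postgres pods only, so the
    # namespace-wide default-deny-ingress still covers everything else.
    pod_selector {
      match_labels = { app = "postgres" }
    }

    policy_types = ["Ingress"]

    ingress {
      # One `from` peer per client namespace; peers within a rule are OR'd.
      dynamic "from" {
        for_each = toset(var.basketball_api_postgres_clients)
        content {
          namespace_selector {
            # kubernetes.io/metadata.name is set automatically on every namespace (k8s >= 1.21)
            match_labels = { "kubernetes.io/metadata.name" = from.value }
          }
        }
      }
      # The port list applies to all peers above: only 5432/TCP, nothing else.
      ports {
        port     = "5432"
        protocol = "TCP"
      }
    }
  }
}
```

Because NetworkPolicies are additive, this resource only opens 5432/TCP from the listed namespaces on top of `default-deny-ingress`; a manual `kubectl apply` that widens the list will show up as drift in the next `tofu plan`.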

Environment

k3s cluster, basketball-api namespace, NetworkPolicy default-deny-ingress

Related

  • westside-admin#4 (parent validation failure)
  • sop-network-security (governing SOP)
  • Quick-fix applied 2026-05-05: manual kubectl apply