Add pal-enterprises to NetworkPolicy allowlist #357

Closed
opened 2026-05-09 18:02:20 +00:00 by forgejo_admin · 1 comment
Contributor

Type

Feature

Lineage

Standalone — service onboarding step 4 for pal-enterprises.

Repo

ldraney/pal-e-platform

User Story

As the platform owner
I want pal-enterprises added to the NetworkPolicy allowlist
So that the Rails app can connect to Postgres and Keycloak in production

Context

pal-enterprises needs access to Postgres (pal-e-postgres-rw.postgres.svc.cluster.local) for its database and Keycloak for OIDC auth. Without NetworkPolicy entries, the pod gets connection refused at runtime. Must be merged before first production deploy.

File Targets

Files to modify:

  • terraform/network-policies.tf — add pal-enterprises namespace to Postgres and Keycloak allowlists

Files NOT to touch:

  • Any other network policy rules

Acceptance Criteria

  • pal-enterprises namespace in Postgres NetworkPolicy allowlist
  • pal-enterprises namespace in Keycloak NetworkPolicy allowlist
  • tofu plan -lock=false shows clean diff (only new namespace entries)

Test Expectations

  • tofu plan -lock=false shows expected diff
  • Run command: tofu plan -lock=false

Constraints

  • Must be merged before first prod deploy of pal-enterprises
  • Follow existing pattern for other services in network-policies.tf
  • Requires Lucas approval before tofu apply

Checklist

  • PR opened
  • tofu plan reviewed
  • No unrelated changes

Related

  • project-pal-enterprises
  • service-onboarding-sop step 4
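The allowlist pattern this ticket extends, as an added illustration written in Terraform for the hashicorp/kubernetes provider; it is not the project's own network-policies.tf. The resource name, the local namespace list, the cnpg.io/cluster pod label on the Postgres pods, and the port are assumptions; only the service name, namespaces and the onboarding step come from the ticket.

```hcl
# Assumed: client namespaces that may reach Postgres. Onboarding a service
# (step 4 of the SOP) means adding its namespace here, nothing else.
locals {
  postgres_client_namespaces = [
    "keycloak",         # assumed existing entry
    "pal-enterprises",  # added by this ticket
  ]
}

# Ingress allowlist for the CloudNativePG primary behind
# pal-e-postgres-rw.postgres.svc.cluster.local. Pods are selected by label,
# so the rule stays tied to the database rather than the whole namespace.
resource "kubernetes_network_policy" "postgres_allow_clients" {
  metadata {
    name      = "postgres-allow-clients"   # assumed name
    namespace = "postgres"
  }

  spec {
    pod_selector {
      match_labels = {
        "cnpg.io/cluster" = "pal-e-postgres"   # assumed pod label
      }
    }

    # One 'from' peer per allowed namespace; the namespace is matched on the
    # label Kubernetes sets automatically, so no manual labelling is needed.
    ingress {
      dynamic "from" {
        for_each = toset(local.postgres_client_namespaces)
        content {
          namespace_selector {
            match_labels = {
              "kubernetes.io/metadata.name" = from.value
            }
          }
        }
      }

      ports {
        port     = "5432"   # assumed: Postgres only, not every port
        protocol = "TCP"
      }
    }

    policy_types = ["Ingress"]
  }
}
```

With this shape, `tofu plan -lock=false` for the ticket shows only the new `from` peer for pal-enterprises, which is the clean diff the acceptance criteria ask for.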
Author
Contributor

Scope Review: NEEDS_REFINEMENT

Review note: review-1183-2026-05-09
Template complete, file targets verified, scope is solid -- single blocker is a missing backing note.

  • [SCOPE] Architecture note arch-rails-app does not exist in pal-e-docs. Referenced by arch:rails-app label on this and 8 other board items. Create it, or consider whether arch:platform-infra is more accurate for this Terraform-only ticket.