Add paldocs to Postgres NetworkPolicy allowlist #397

Closed
opened 2026-06-03 03:40:35 +00:00 by ldraney · 0 comments
Owner

Type

Bug

Lineage

Discovered during paldocs deployment investigation. paldocs was onboarded via pal-e-services Terraform but the NetworkPolicy update in pal-e-platform was missed.

Repo

ldraney/pal-e-platform

What Broke

paldocs pod crashes with PG::ConnectionBad: connection refused when trying to reach Postgres. The paldocs namespace is not in the default-deny-ingress NetworkPolicy allowlist for the postgres namespace in terraform/network-policies.tf.

Repro Steps

  1. Deploy paldocs pod in the paldocs namespace
  2. Pod runs Rails server boot connecting to pal-e-postgres-rw.postgres.svc.cluster.local:5432
  3. Connection refused — NetworkPolicy blocks ingress from paldocs namespace

Expected Behavior

paldocs namespace should be in the Postgres NetworkPolicy allowlist, same as other services that connect to the shared paledocs database (pal-e-docs, pal-e-ror, palinks, etc.).

Environment

  • Cluster: archbox k3s
  • NetworkPolicy: default-deny-ingress in postgres namespace
  • Terraform resource: kubernetes_manifest.netpol_postgres in network-policies.tf

Acceptance Criteria

  • paldocs added to netpol_postgres ingress rules in network-policies.tf
  • tofu plan shows only the expected netpol diff

Related

  • service-onboarding-sop step 4: "Update NetworkPolicy for dependent services"
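The failure mode in this issue (a namespace missing from a default-deny allowlist) is easy to catch before `tofu apply` by evaluating the policy against the list of namespaces that are supposed to reach Postgres. The following is an added example, not code from pal-e-platform: the policy dict is a constructed stand-in for `netpol_postgres` (the real shape in `network-policies.tf` may differ), peers are assumed to use `namespaceSelector` on the well-known `kubernetes.io/metadata.name` label, and only a single policy is evaluated (Kubernetes ORs all policies selecting a pod, so a second policy in the `postgres` namespace could still admit traffic).

```python
"""Added example (not from the pal-e-platform repo): check whether a Kubernetes
NetworkPolicy admits ingress from a given namespace on a given port, and show
the fix the issue asks for (appending the missing namespace to the allowlist).
The policy below is constructed to mirror the shape described in the issue."""

from copy import deepcopy

# Immutable namespace label set by the API server (Kubernetes >= 1.21).
NS_LABEL = "kubernetes.io/metadata.name"

# Constructed sample: ingress allowlist for the shared Postgres service.
# `paldocs` is deliberately absent, reproducing the bug in the issue.
NETPOL_POSTGRES = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "postgres"},
    "spec": {
        "podSelector": {},          # applies to every pod in the namespace
        "policyTypes": ["Ingress"],
        "ingress": [
            {
                "from": [
                    {"namespaceSelector": {"matchLabels": {NS_LABEL: ns}}}
                    for ns in ("pal-e-docs", "pal-e-ror", "palinks")
                ],
                "ports": [{"protocol": "TCP", "port": 5432}],
            }
        ],
    },
}


def _peer_matches_namespace(peer: dict, namespace: str) -> bool:
    """True if a `from` peer selects pods in `namespace`.

    Only namespaceSelector with matchLabels on the metadata.name label is
    modelled; an empty namespaceSelector ({}) selects every namespace.
    """
    sel = peer.get("namespaceSelector")
    if sel is None:
        return False               # podSelector-only peers are same-namespace
    labels = sel.get("matchLabels", {})
    if not labels and not sel.get("matchExpressions"):
        return True                # {} matches all namespaces
    return labels.get(NS_LABEL) == namespace


def _rule_allows_port(rule: dict, port: int, protocol: str = "TCP") -> bool:
    ports = rule.get("ports")
    if not ports:
        return True                # no ports listed => all ports allowed
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def ingress_allowed(policy: dict, src_namespace: str, port: int) -> bool:
    """Does `policy` allow TCP ingress from `src_namespace` on `port`?

    A rule admits traffic when any of its `from` peers matches AND the port
    matches; rules are OR-ed. A rule with no `from` admits every source.
    """
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True                # policy does not restrict ingress at all
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        source_ok = not peers or any(
            _peer_matches_namespace(p, src_namespace) for p in peers
        )
        if source_ok and _rule_allows_port(rule, port):
            return True
    return False


def with_namespace_allowed(policy: dict, namespace: str) -> dict:
    """Copy of `policy` with `namespace` appended to the first ingress rule."""
    fixed = deepcopy(policy)
    fixed["spec"]["ingress"][0].setdefault("from", []).append(
        {"namespaceSelector": {"matchLabels": {NS_LABEL: namespace}}}
    )
    return fixed


def missing_namespaces(policy: dict, expected: list, port: int) -> list:
    """Namespaces in `expected` that `policy` does not admit on `port`."""
    return [ns for ns in expected if not ingress_allowed(policy, ns, port)]


if __name__ == "__main__":
    expected = ["pal-e-docs", "pal-e-ror", "palinks", "paldocs"]
    print("missing before fix:", missing_namespaces(NETPOL_POSTGRES, expected, 5432))
    fixed = with_namespace_allowed(NETPOL_POSTGRES, "paldocs")
    print("missing after fix:", missing_namespaces(fixed, expected, 5432))
```

Running `missing_namespaces` over the rendered manifest (for example the JSON from `tofu show -json`, fed in as the policy dict) against the list of services that are meant to reach the shared database turns the onboarding-SOP step into a check that fails the plan review instead of surfacing as `PG::ConnectionBad` after deployment.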
ldraney 2026-06-05 03:55:46 +00:00