fix: add self + westside-contracts ingress to basketball-api network policy (#270) #271

Merged
forgejo_admin merged 1 commit from 270-fix-basketball-api-netpol into main 2026-04-06 04:27:20 +00:00

Summary

The netpol_basketball_api NetworkPolicy only allowed ingress from tailscale and monitoring. This blocked legitimate traffic from westside-contracts (contract signing callbacks), westside-ai-assistant (AI features), and basketball-api itself (intra-namespace pod communication).

Changes

  • terraform/network-policies.tf -- Added three ingress rules to netpol_basketball_api:
    • basketball-api (self-namespace)
    • westside-contracts
    • westside-ai-assistant

tofu plan Output

tofu validate requires tofu init, which needs cluster credentials not available in this agent environment. tofu fmt passed cleanly (no formatting changes). The HCL follows the exact pattern of other netpol resources in the file (e.g. netpol_keycloak with 4 ingress rules).

Expected plan diff: kubernetes_manifest.netpol_basketball_api will show an in-place update adding 3 ingress rules to the existing NetworkPolicy.

Test Plan

  • [ ] tofu plan -lock=false on archbox confirms only netpol_basketball_api changes
  • [ ] tofu apply deploys updated NetworkPolicy
  • [ ] kubectl get networkpolicy -n basketball-api -o yaml shows all 5 ingress rules
  • [ ] westside-contracts can reach basketball-api endpoints
  • [ ] westside-ai-assistant can reach basketball-api endpoints

Review Checklist

  • [x] tofu fmt passes
  • [x] HCL follows existing netpol pattern in the file
  • [x] Ingress rules match namespace names used elsewhere in the codebase
  • [ ] tofu plan -lock=false shows expected diff (requires cluster access)

Related

Closes #270

Related Notes

None.

fix: add self + westside-contracts + westside-ai-assistant ingress to basketball-api netpol
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
f2ac4d0a3c
The basketball-api NetworkPolicy only allowed ingress from tailscale and
monitoring namespaces. This blocked legitimate traffic from
westside-contracts (contract signing), westside-ai-assistant (AI
features), and basketball-api itself (intra-namespace communication).

Adds three ingress rules matching the pattern used by other netpol
resources in this file (e.g. netpol_keycloak).

Closes #270

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

QA Review

Scope: 1 file changed, 3 lines added, 0 deleted.

Diff Analysis

The change adds three namespace ingress rules to netpol_basketball_api in terraform/network-policies.tf:

  • basketball-api (self-namespace intra-pod communication)
  • westside-contracts (contract signing service)
  • westside-ai-assistant (AI assistant service)

Checks

  • Pattern compliance: All three rules follow the exact { from = [{ namespaceSelector = { matchLabels = { "kubernetes.io/metadata.name" = "..." } } }] } pattern used by every other netpol resource in the file. Matches netpol_keycloak which also allows basketball-api and westside-ai-assistant.
  • Namespace names verified: basketball-api appears in netpol_postgres (line 173) and netpol_keycloak (line 149). westside-contracts appears in netpol_minio (line 127). westside-ai-assistant appears in netpol_keycloak (line 150) and netpol_ollama (line 197). All namespace names are consistent with existing usage.
  • Ordering: New rules inserted between tailscale and monitoring, keeping monitoring last. Consistent with the convention in other netpol blocks.
  • tofu fmt: Passed cleanly per PR body.
  • Branch naming: 270-fix-basketball-api-netpol follows {issue}-{kebab-slug} convention.
  • PR body: Has all required sections including Closes #270.

Nits

None.

VERDICT: APPROVED
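Added example (not part of this PR or the project's Terraform): a check behind the test-plan item "kubectl get networkpolicy -n basketball-api -o yaml shows all 5 ingress rules" and the QA review's pattern-compliance point. It assumes the policy is the JSON `kubectl get networkpolicy <name> -n basketball-api -o json` emits, takes the five expected namespaces from the PR body, and treats any peer not pinned to a single `kubernetes.io/metadata.name` as a finding, since a `from` that is absent or a `namespaceSelector` that is `{}` silently admits far more than one namespace.

```python
import json
import sys

NS_LABEL = "kubernetes.io/metadata.name"  # pins a peer to exactly one namespace
# The five namespaces the PR says netpol_basketball_api admits after the change.
EXPECTED_NAMESPACES = {"tailscale", "basketball-api", "westside-contracts",
                       "westside-ai-assistant", "monitoring"}

def audit_ingress(policy: dict) -> dict:
    """Collect admitted namespaces and flag peers broader than one namespace:
    a rule with no `from` (any source), a peer with no namespaceSelector,
    or a selector not pinned to NS_LABEL (e.g. `{}`, which is every namespace).
    """
    allowed, findings = set(), []
    for i, rule in enumerate(policy["spec"].get("ingress", [])):
        peers = rule.get("from")
        if not peers:
            findings.append(f"rule {i}: no 'from', admits any source")
            continue
        for p in peers:
            sel = p.get("namespaceSelector") or {}
            name = sel.get("matchLabels", {}).get(NS_LABEL)
            if name is None:
                findings.append(f"rule {i}: peer not pinned to one namespace")
            else:
                allowed.add(name)
    return {"allowed": allowed, "findings": findings,
            "unexpected": allowed - EXPECTED_NAMESPACES,
            "missing": EXPECTED_NAMESPACES - allowed}

def is_clean(policy: dict) -> bool:
    """True only when exactly EXPECTED_NAMESPACES are admitted, nothing broader."""
    r = audit_ingress(policy)
    return not (r["findings"] or r["unexpected"] or r["missing"])

def ns_peer(ns: str) -> dict:
    """The single-namespace ingress rule the PR's HCL pattern renders to."""
    return {"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: ns}}}]}

# Constructed sample of the policy after this PR (monitoring kept last).
GOOD_POLICY = {"spec": {"podSelector": {}, "ingress": [ns_peer(n) for n in (
    "tailscale", "basketball-api", "westside-contracts",
    "westside-ai-assistant", "monitoring")]}}
# Constructed regression: one rule's selector collapsed to `{}` (every namespace).
BAD_POLICY = {"spec": {"podSelector": {}, "ingress": [
    ns_peer("tailscale"), {"from": [{"namespaceSelector": {}}]}]}}

if __name__ == "__main__":  # pipe `kubectl get networkpolicy ... -o json` in
    doc = GOOD_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit_ingress(doc), default=sorted, indent=2))
```

Run with no piped input to see the constructed sample audited; `BAD_POLICY` shows the kind of regression the check is meant to catch.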

forgejo_admin deleted branch 270-fix-basketball-api-netpol 2026-04-06 04:27:20 +00:00