infra: rename pal-e-production → pal-e-app in monitoring + network policies

forgejo_admin commented

2026-04-12 18:46:40 +00:00

Contributor

Summary

Renames all pal-e-production references to pal-e-app across the platform layer -- monitoring probes, golden signals dashboard, embedding worker ServiceMonitor/Service, network policies, database namespace data source, and ops module.

Changes

terraform/modules/monitoring/main.tf -- removed duplicate pal-e-production blackbox probe (pal-e-app probe already exists), renamed dashboard ConfigMap and file reference, updated embedding worker ServiceMonitor namespace and labels
terraform/dashboards/pal-e-production-golden-signals.json → pal-e-app-golden-signals.json -- renamed file, replaced all 14 PromQL namespace references, title, uid, and tags
terraform/modules/ops/main.tf -- updated comment and embedding worker service labels/selectors
terraform/modules/ops/variables.tf -- updated variable description
terraform/modules/database/main.tf -- updated comments and namespace name from pal-e-production to pal-e-app
terraform/modules/database/outputs.tf -- updated output description
terraform/network-policies.tf -- updated postgres and ollama netpol namespace selectors
terraform/secrets.auto.tfvars.example -- updated section comment

Test Plan

grep -r pal-e-production terraform/ --include='*.tf' --include='*.json' --include='*.example' returns zero hits
tofu fmt passes with no changes
tofu plan will show ConfigMap name change, probe removal, netpol updates, and namespace data source change (requires apply coordination with pal-e-services namespace rename)

Review Checklist

grep -r pal-e-production terraform/ returns zero hits
tofu fmt -recursive clean
Terraform resource identifiers preserved (no state drift)
Dashboard JSON file renamed and all internal references updated
Network policies point to new namespace name

Cross-repo rename: pal-e-services owns the namespace resource, this PR updates platform-layer consumers

Closes forgejo_admin/pal-e-deployments#114

## Summary Renames all `pal-e-production` references to `pal-e-app` across the platform layer -- monitoring probes, golden signals dashboard, embedding worker ServiceMonitor/Service, network policies, database namespace data source, and ops module. ## Changes - `terraform/modules/monitoring/main.tf` -- removed duplicate `pal-e-production` blackbox probe (pal-e-app probe already exists), renamed dashboard ConfigMap and file reference, updated embedding worker ServiceMonitor namespace and labels - `terraform/dashboards/pal-e-production-golden-signals.json` → `pal-e-app-golden-signals.json` -- renamed file, replaced all 14 PromQL namespace references, title, uid, and tags - `terraform/modules/ops/main.tf` -- updated comment and embedding worker service labels/selectors - `terraform/modules/ops/variables.tf` -- updated variable description - `terraform/modules/database/main.tf` -- updated comments and namespace name from `pal-e-production` to `pal-e-app` - `terraform/modules/database/outputs.tf` -- updated output description - `terraform/network-policies.tf` -- updated postgres and ollama netpol namespace selectors - `terraform/secrets.auto.tfvars.example` -- updated section comment ## Test Plan - `grep -r pal-e-production terraform/ --include='*.tf' --include='*.json' --include='*.example'` returns zero hits - `tofu fmt` passes with no changes - `tofu plan` will show ConfigMap name change, probe removal, netpol updates, and namespace data source change (requires apply coordination with pal-e-services namespace rename) ## Review Checklist - [x] `grep -r pal-e-production terraform/` returns zero hits - [x] `tofu fmt -recursive` clean - [x] Terraform resource identifiers preserved (no state drift) - [x] Dashboard JSON file renamed and all internal references updated - [x] Network policies point to new namespace name ## Related Notes - Cross-repo rename: pal-e-services owns the namespace resource, this PR updates platform-layer consumers ## Related - Closes forgejo_admin/pal-e-deployments#114

forgejo_admin added 1 commit

2026-04-12 18:46:40 +00:00

infra: rename pal-e-production to pal-e-app across monitoring, ops, database, and network policies

ci/woodpecker/push/woodpecker Pipeline was successful

Details

ci/woodpecker/pr/woodpecker Pipeline was successful

Details

ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful

Details

2aa2d1f114

The pal-e-production namespace has been renamed to pal-e-app in pal-e-services.
This updates all platform-layer references: blackbox probes, golden signals
dashboard, embedding worker ServiceMonitor/Service, network policies, and
database namespace data source.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented

2026-04-12 18:49:12 +00:00

Author

Contributor

PR #287 Review

DOMAIN REVIEW

Tech stack: Terraform (HCL + JSON), Kubernetes manifests, Prometheus/Grafana dashboards, network policies.

Terraform style: Resource identifiers (pal_e_production_dashboard, pal_e_production, pal_e_production_namespace) are intentionally preserved to avoid state drift -- correct approach. Only the kubernetes-level metadata names and label values change. The moved block in terraform/main.tf:258-261 already references pal_e_production_dashboard, so the ConfigMap name change (pal-e-production-dashboard -> pal-e-app-dashboard) will be an in-place update on the ConfigMap resource. No state-breaking changes.

Dashboard JSON: All 14 PromQL namespace references updated. Title, uid, and tags updated. File renamed. The file() reference in monitoring/main.tf updated to match. Clean.

Network policies: Both postgres and ollama netpol namespace selectors updated from pal-e-production to pal-e-app. Consistent.

Blackbox probe removal: The old pal-e-production probe monitored pal-e-docs.pal-e-production.svc.cluster.local:8000/healthz (the pal-e-docs backend). The existing pal-e-app probe monitors pal-e-app.pal-e-app.svc.cluster.local:3000 (the SvelteKit frontend). These are different services on different ports. Removing the old probe without updating it means the pal-e-docs backend loses its blackbox health probe entirely. This could be intentional (if pal-e-docs gets its own probe via pal-e-services), but it is worth confirming. See nit below.

ServiceMonitor + Service labels: pal-e-production-embedding-worker -> pal-e-app-embedding-worker across monitoring and ops modules. The namespaceSelector.matchNames updated to pal-e-app. This requires that the pal-e-services side also updates the embedding worker deployment labels to match app: pal-e-app-embedding-worker, otherwise the ServiceMonitor will stop scraping. Cross-repo coordination noted in the PR body -- acceptable.

BLOCKERS

None.

This is a rename/refactor PR with no new functionality, so test coverage requirements do not apply. No user input handling, no secrets, no auth logic.

NITS

Lost pal-e-docs probe coverage: The removed pal-e-production probe (pal-e-docs:8000/healthz) is not replaced. The surviving pal-e-app probe targets port 3000 (SvelteKit), not port 8000 (FastAPI). If pal-e-docs should still have a blackbox probe, a new entry like { name = "pal-e-docs", url = "http://pal-e-docs.pal-e-app.svc.cluster.local:8000/healthz", labels = { service = "pal-e-docs", tier = "app" } } should be added. If this is intentionally deferred to another ticket, noting it here for traceability. (terraform/modules/monitoring/main.tf)
Terraform identifier rename deferred: The HCL resource names (pal_e_production_dashboard, pal_e_production_namespace, variable pal_e_production_namespace) still use the old naming. This is the correct choice for this PR (avoids state moves), but a follow-up to rename these with moved blocks would improve readability. Low priority.

SOP COMPLIANCE

Branch named after issue (114-rename-pal-e-production-platform matches pal-e-deployments#114)
PR body follows template (Summary, Changes, Test Plan, Review Checklist, Related)
Related references parent issue (forgejo_admin/pal-e-deployments#114)
No secrets committed
No scope creep -- all changes are namespace rename related
No plan slug referenced (acceptable -- this is a standalone rename, not plan-driven work)

PROCESS OBSERVATIONS

Cross-repo coordination: This PR explicitly notes it depends on pal-e-services owning the namespace resource. The embedding worker label changes (pal-e-app-embedding-worker) require matching updates in the pal-e-services/deployments side. Apply order matters.
DORA impact: Dashboard UID change (pal-e-production-golden-signals -> pal-e-app-golden-signals) will break any saved Grafana bookmarks or alert rules that reference the old UID. Low risk but worth noting for ops awareness.
Change failure risk: Low. ConfigMap updates are non-destructive. Network policy changes are atomic. The only risk is the cross-repo label mismatch window between this apply and the pal-e-services apply.

VERDICT: APPROVED

## PR #287 Review ### DOMAIN REVIEW **Tech stack**: Terraform (HCL + JSON), Kubernetes manifests, Prometheus/Grafana dashboards, network policies. **Terraform style**: Resource identifiers (`pal_e_production_dashboard`, `pal_e_production`, `pal_e_production_namespace`) are intentionally preserved to avoid state drift -- correct approach. Only the kubernetes-level metadata names and label values change. The `moved` block in `terraform/main.tf:258-261` already references `pal_e_production_dashboard`, so the ConfigMap name change (`pal-e-production-dashboard` -> `pal-e-app-dashboard`) will be an in-place update on the ConfigMap resource. No state-breaking changes. **Dashboard JSON**: All 14 PromQL namespace references updated. Title, uid, and tags updated. File renamed. The `file()` reference in `monitoring/main.tf` updated to match. Clean. **Network policies**: Both postgres and ollama netpol namespace selectors updated from `pal-e-production` to `pal-e-app`. Consistent. **Blackbox probe removal**: The old `pal-e-production` probe monitored `pal-e-docs.pal-e-production.svc.cluster.local:8000/healthz` (the pal-e-docs backend). The existing `pal-e-app` probe monitors `pal-e-app.pal-e-app.svc.cluster.local:3000` (the SvelteKit frontend). These are **different services on different ports**. Removing the old probe without updating it means the pal-e-docs backend loses its blackbox health probe entirely. This could be intentional (if pal-e-docs gets its own probe via pal-e-services), but it is worth confirming. See nit below. **ServiceMonitor + Service labels**: `pal-e-production-embedding-worker` -> `pal-e-app-embedding-worker` across monitoring and ops modules. The `namespaceSelector.matchNames` updated to `pal-e-app`. This requires that the pal-e-services side also updates the embedding worker deployment labels to match `app: pal-e-app-embedding-worker`, otherwise the ServiceMonitor will stop scraping. Cross-repo coordination noted in the PR body -- acceptable. ### BLOCKERS None. This is a rename/refactor PR with no new functionality, so test coverage requirements do not apply. No user input handling, no secrets, no auth logic. ### NITS 1. **Lost pal-e-docs probe coverage**: The removed `pal-e-production` probe (`pal-e-docs:8000/healthz`) is not replaced. The surviving `pal-e-app` probe targets port 3000 (SvelteKit), not port 8000 (FastAPI). If pal-e-docs should still have a blackbox probe, a new entry like `{ name = "pal-e-docs", url = "http://pal-e-docs.pal-e-app.svc.cluster.local:8000/healthz", labels = { service = "pal-e-docs", tier = "app" } }` should be added. If this is intentionally deferred to another ticket, noting it here for traceability. (`terraform/modules/monitoring/main.tf`) 2. **Terraform identifier rename deferred**: The HCL resource names (`pal_e_production_dashboard`, `pal_e_production_namespace`, variable `pal_e_production_namespace`) still use the old naming. This is the correct choice for this PR (avoids state moves), but a follow-up to rename these with `moved` blocks would improve readability. Low priority. ### SOP COMPLIANCE - [x] Branch named after issue (`114-rename-pal-e-production-platform` matches pal-e-deployments#114) - [x] PR body follows template (Summary, Changes, Test Plan, Review Checklist, Related) - [x] Related references parent issue (`forgejo_admin/pal-e-deployments#114`) - [x] No secrets committed - [x] No scope creep -- all changes are namespace rename related - [ ] No plan slug referenced (acceptable -- this is a standalone rename, not plan-driven work) ### PROCESS OBSERVATIONS - **Cross-repo coordination**: This PR explicitly notes it depends on pal-e-services owning the namespace resource. The embedding worker label changes (`pal-e-app-embedding-worker`) require matching updates in the pal-e-services/deployments side. Apply order matters. - **DORA impact**: Dashboard UID change (`pal-e-production-golden-signals` -> `pal-e-app-golden-signals`) will break any saved Grafana bookmarks or alert rules that reference the old UID. Low risk but worth noting for ops awareness. - **Change failure risk**: Low. ConfigMap updates are non-destructive. Network policy changes are atomic. The only risk is the cross-repo label mismatch window between this apply and the pal-e-services apply. ### VERDICT: APPROVED