Fix 413 on Docker push, add palinks to postgres NetworkPolicy #382

Merged
ldraney merged 1 commit from fix/harbor-body-size into main 2026-05-24 17:45:39 +00:00
Owner

Summary

  • Set client_max_body_size 0 on Harbor portal proxy nginx — the missing limit defaulted to 1MB, blocking Kaniko image pushes through the Tailscale funnel
  • Add palinks namespace to postgres NetworkPolicy ingress list

Changes

  • terraform/modules/harbor/main.tf: Added client_max_body_size 0 to portal proxy nginx server block
  • terraform/network-policies.tf: Added palinks namespace to postgres NetworkPolicy ingress rules

Test Plan

  • [x] tofu apply succeeded (targeted apply on cluster)
  • [x] Kaniko push to Harbor completed (landscaping-assistant pipeline #16, #17 green)
  • [ ] Post-merge tofu plan shows no drift

Review Checklist

  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive

Related Notes

  • Closes #381
Fix 413 on Docker push, add palinks to postgres NetworkPolicy
All checks were successful
ci/woodpecker/push/terraform Pipeline was successful
ci/woodpecker/pr/terraform Pipeline was successful
ci/woodpecker/pull_request_closed/terraform Pipeline was successful
1360f3556f
Set client_max_body_size 0 on Harbor portal proxy nginx — the missing
limit defaulted to 1MB, blocking Kaniko image pushes through the
Tailscale funnel. Also adds palinks namespace to the postgres
NetworkPolicy ingress list.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
Owner

PR #382 Review

DOMAIN REVIEW

Tech stack: OpenTofu/Terraform managing Kubernetes resources (ConfigMap for nginx, NetworkPolicy manifests).

Change 1 -- terraform/modules/harbor/main.tf: Adds client_max_body_size 0; to the Harbor portal proxy nginx server block. This removes the default 1MB body size limit that was blocking Kaniko image pushes through the Tailscale funnel. Setting to 0 disables the limit entirely, which is the standard nginx approach for container registries where image layers can be arbitrarily large. Correct fix for 413 errors on Docker push.

Change 2 -- terraform/network-policies.tf: Adds palinks namespace to the postgres NetworkPolicy ingress rules. Follows the exact same pattern as the existing entries for pal-e-docs, pal-e-ror, and landscaping-assistant. Consistent with the namespace-selector approach used throughout this file. This is a well-established pattern in this repo (see prior PRs #376, #378, #366 for identical-pattern changes).

Terraform-specific checks:

  • No state-breaking changes -- both are additive modifications to existing resources (ConfigMap content, NetworkPolicy spec). Safe for tofu apply.
  • Style is consistent with surrounding code (indentation, HCL structure).
  • No new variables, modules, or outputs introduced -- minimal blast radius.
  • No secrets or sensitive values in the diff.

k8s-specific checks:

  • client_max_body_size 0 is appropriate for a container registry proxy. Upstream Harbor components enforce their own limits, so this nginx proxy layer is not the right place to restrict body size.
  • NetworkPolicy addition is namespace-scoped with matchLabels on the standard kubernetes.io/metadata.name label -- correct and least-privilege.

BLOCKERS

None.

This is a 2-line infrastructure fix. No new functionality requiring tests -- these are declarative Terraform resource modifications validated by tofu apply and pipeline runs. The test plan (tofu apply succeeded, pipelines #16 and #17 green) is appropriate for infrastructure changes of this scope.

NITS

None. Both additions are minimal, follow established patterns, and are correctly placed.

SOP COMPLIANCE

  • [ ] Branch named after issue -- Branch is fix/harbor-body-size, not 381-harbor-body-size-palinks-netpol. Convention calls for {issue-number}-{kebab-case-purpose}.
  • [x] PR body follows template -- Summary, Changes, Test Plan, Review Checklist, Related all present.
  • [ ] Related references plan slug -- No plan slug referenced (noted as "No plan slug" in the review request, so this may be intentional for a quick infra fix).
  • [x] No secrets committed -- Confirmed, diff is clean.
  • [x] No unnecessary file changes -- Both changes map directly to the issue title.
  • [x] Commit messages are descriptive -- PR title clearly describes both changes.

PROCESS OBSERVATIONS

  • Low change failure risk: Both changes are additive, pattern-consistent, and already validated via tofu apply + green pipelines. The post-merge tofu plan check (unchecked in the test plan) is the correct follow-up to confirm no drift.
  • Branch naming: The fix/ prefix convention diverges from the {issue-number}-{kebab-case} SOP. Non-blocking for a 2-line fix, but worth maintaining consistency.
  • Bundled scope: Two logically separate fixes (Harbor 413 + palinks netpol) in one PR. Acceptable given the small size, but for traceability, separate issues/PRs per fix is cleaner.

VERDICT: APPROVED

ldraney deleted branch fix/harbor-body-size 2026-05-24 17:45:39 +00:00
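
The namespace-selector pattern the review describes can be audited mechanically. The following is an added example, not code from this repository: it walks a NetworkPolicy's ingress peers, collects the namespaces admitted by a single `kubernetes.io/metadata.name` match, and reports anything broader or any drift from an expected allow-list. The policy name, the `postgres` namespace and the sample manifest are constructed assumptions.

```python
NS_LABEL = "kubernetes.io/metadata.name"

def sample_policy(namespaces):
    """Constructed NetworkPolicy (names assumed), one ingress peer per namespace."""
    peers = [{"namespaceSelector": {"matchLabels": {NS_LABEL: ns}}} for ns in namespaces]
    return {"kind": "NetworkPolicy",
            "metadata": {"name": "postgres-ingress", "namespace": "postgres"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                     "ingress": [{"from": peers}]}}

def audit_ingress(policy, expected):
    """Return (allowed_namespaces, findings) for a NetworkPolicy dict."""
    allowed, findings = set(), []
    for r, rule in enumerate(policy["spec"].get("ingress", [])):
        peers = rule.get("from")
        if not peers:
            # A rule without 'from' admits traffic from any source.
            findings.append(f"rule {r}: no 'from' peers, allows all sources")
            continue
        for p, peer in enumerate(peers):
            where = f"rule {r} peer {p}"
            sel = peer.get("namespaceSelector")
            labels = (sel or {}).get("matchLabels", {})
            if "ipBlock" in peer:
                findings.append(f"{where}: ipBlock {peer['ipBlock'].get('cidr')}")
            elif sel is None:
                # podSelector only: limited to the policy's own namespace
                allowed.add(policy["metadata"]["namespace"])
            elif not labels and not sel.get("matchExpressions"):
                findings.append(f"{where}: empty namespaceSelector matches every namespace")
            elif sel.get("matchExpressions") or set(labels) != {NS_LABEL}:
                findings.append(f"{where}: selector is not a single {NS_LABEL} match")
            else:
                allowed.add(labels[NS_LABEL])
    # Compare what the policy admits with what the reviewer expects.
    for ns in sorted(allowed - set(expected)):
        findings.append(f"unexpected namespace allowed: {ns}")
    for ns in sorted(set(expected) - allowed):
        findings.append(f"expected namespace missing: {ns}")
    return allowed, findings

if __name__ == "__main__":
    expected = ["pal-e-docs", "pal-e-ror", "landscaping-assistant", "palinks"]
    allowed, findings = audit_ingress(sample_policy(expected), expected)
    print(sorted(allowed), findings or "no findings")
```

Fed the output of `kubectl get networkpolicy <name> -o json`, the same function works on a live policy.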