Add landscaping-assistant to MinIO NetworkPolicy #384

Merged
ldraney merged 1 commit from 383-add-landscaping-assistant-to-minio-netwo into main 2026-05-25 12:35:06 +00:00
Owner

Summary

  • Add landscaping-assistant namespace to MinIO default-deny-ingress NetworkPolicy allowlist
  • Fixes 500 on photo uploads — pod can't reach MinIO due to missing ingress rule

Changes

  • terraform/network-policies.tf: Add landscaping-assistant to netpol_minio ingress rules (line 129)

Test Plan

  • tofu plan shows only the NetworkPolicy change (no other drift)
  • tofu apply (Lucas approval)
  • Verify: kubectl exec from landscaping-assistant pod can reach minio.minio.svc.cluster.local:9000
  • Verify: photo upload succeeds in prod
  • No regressions in other MinIO consumers

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes
  • Commit messages are descriptive

Related Notes

  • ldraney/pal-e-platform #383 — the Forgejo issue this PR implements
  • project-landscaping-assistant — the project this work belongs to
  • ldraney/landscaping-assistant #33 — original upload feature issue

Closes #383

Add landscaping-assistant to MinIO NetworkPolicy allowlist
All checks were successful
ci/woodpecker/push/terraform Pipeline was successful
ci/woodpecker/pr/terraform Pipeline was successful
ci/woodpecker/pull_request_closed/terraform Pipeline was successful
87f5f3bf2f
Closes #383

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
Owner

PR #384 Review

DOMAIN REVIEW

Stack: Terraform (kubernetes_manifest resource for NetworkPolicy)

This is a single-line addition to terraform/network-policies.tf, appending landscaping-assistant to the MinIO default-deny-ingress NetworkPolicy ingress allowlist.

Terraform/k8s checks:

  • Pattern consistency: The new line exactly matches the structure of the three existing entries (tofu-state, pal-e-mail, westside-contracts) -- same namespaceSelector.matchLabels with kubernetes.io/metadata.name. Correct.
  • State safety: Additive change only (+1 line, 0 deletions). No resource renames, no moves, no state-breaking operations. tofu plan should show an in-place update to the existing netpol_minio resource. Safe.
  • tofu fmt compliance: Indentation and spacing are consistent with surrounding lines. No formatting issues visible.
  • k8s security: The rule is scoped to a single namespace (landscaping-assistant), not a broad selector. This follows least-privilege. The namespace is already known to the platform (PR #376 previously granted it postgres access).
  • No secrets or credentials: No sensitive values in the diff.
  • RBAC/privilege scope: This grants ingress to MinIO from the landscaping-assistant namespace only. No overly permissive selectors.

No domain issues found.

BLOCKERS

None.

This is a one-line, pattern-consistent, additive Terraform change. No new functionality requiring tests (infrastructure NetworkPolicy allowlist entry). No user input. No secrets. No auth logic duplication.

NITS

None. The change is minimal and follows established patterns exactly.

SOP COMPLIANCE

  • Branch named after issue (383-add-landscaping-assistant-to-minio-netwo -- truncated but follows {issue-number}-{kebab-case-purpose})
  • PR body follows template (Summary, Changes, Test Plan, Related sections all present)
  • Related section references project slug (project-landscaping-assistant)
  • No secrets committed
  • No unnecessary file changes (1 file, 1 line, exactly scoped to the issue)
  • Commit message is descriptive (PR title matches intent)
  • Closes #383 present in PR body

PROCESS OBSERVATIONS

  • Clean one-line infra fix with a well-structured test plan (tofu plan, kubectl exec verification, end-to-end photo upload test, regression check).
  • This follows the same pattern as PR #376 (postgres NetworkPolicy) and PR #359 (pal-enterprises). The NetworkPolicy allowlist pattern is well-established in this repo.
  • Low change failure risk -- additive-only, single resource update, no cascading effects.

VERDICT: APPROVED
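As an added illustration of the allowlist pattern the review describes (one `from` entry per namespace, matched on `kubernetes.io/metadata.name`), not the repo's own `terraform/network-policies.tf`: the resource layout, the `local` list, the `minio` namespace and the port 9000 restriction are assumptions.

```hcl
# Added example: default-deny-ingress NetworkPolicy for the MinIO namespace
# whose only ingress rule allowlists caller namespaces by label.
# Names below are assumed, not copied from the repository.
locals {
  minio_ingress_namespaces = [
    "tofu-state",
    "pal-e-mail",
    "westside-contracts",
    "landscaping-assistant", # the entry this PR adds
  ]
}

resource "kubernetes_manifest" "netpol_minio" {
  manifest = {
    apiVersion = "networking.k8s.io/v1"
    kind       = "NetworkPolicy"
    metadata = {
      name      = "default-deny-ingress"
      namespace = "minio" # assumed: minio.minio.svc.cluster.local in the test plan
    }
    spec = {
      # Empty podSelector: the policy applies to every pod in the namespace,
      # so any pod not covered by an ingress rule below is denied ingress.
      podSelector = {}
      policyTypes = ["Ingress"]
      ingress = [
        {
          # Each peer is a single namespaceSelector on the immutable
          # kubernetes.io/metadata.name label. A bare `namespaceSelector = {}`
          # here would admit every namespace and is what the review is
          # checking for under "overly permissive selectors".
          from = [
            for ns in local.minio_ingress_namespaces : {
              namespaceSelector = {
                matchLabels = { "kubernetes.io/metadata.name" = ns }
              }
            }
          ]
          # Assumed narrowing to the MinIO API port only.
          ports = [{ protocol = "TCP", port = 9000 }]
        }
      ]
    }
  }
}
```

Appending one namespace to the list is an in-place update of the same resource, which is the only change `tofu plan` should report for a PR like this one.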

ldraney deleted branch 383-add-landscaping-assistant-to-minio-netwo 2026-05-25 12:35:06 +00:00