Add paldocs to Postgres NetworkPolicy allowlist (#397) #398

Merged
ldraney merged 1 commit from 397-add-paldocs-to-postgres-networkpolicy-al into main 2026-06-05 04:07:06 +00:00
Owner

Summary

Adds the paldocs namespace to the Postgres NetworkPolicy ingress allowlist so the paldocs service can reach the database.

Changes

  • terraform/network-policies.tf: Added paldocs namespace selector to netpol_postgres ingress rules, after the existing palinks entry.

Test Plan

  • After tofu apply, verify paldocs pods can connect to Postgres.
  • Confirm no other services are affected by reviewing the NetworkPolicy with kubectl get networkpolicy -n postgres -o yaml.

Review Checklist

  • [x] Code change is minimal and scoped to the issue
  • [x] Follows existing pattern in the ingress list
  • [x] No tofu plan included per instructions (not run)

Related Notes

None.

Related

Closes #397
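The post-apply verification in the test plan ("confirm no other services are affected"), worked as a script. This is an added example, not code from this PR or the repo: it reads the output of `kubectl get networkpolicy -n postgres -o json` (JSON rather than the YAML in the test plan, so only the standard library is needed), confirms every ingress peer is a `kubernetes.io/metadata.name` namespaceSelector as the reviewers describe, and compares the resulting allowlist against the namespaces named on this page. The policy object name, port and the sample document are constructed assumptions.

```python
import json

NS_LABEL = "kubernetes.io/metadata.name"
# Namespaces named on the PR page (existing entries) plus the one this PR adds.
EXPECTED = {"pal-e-ror", "landscaping-assistant", "palinks", "paldocs"}

# Constructed sample shaped like `kubectl get networkpolicy -n postgres -o json`
# after the merge. One ingress rule per namespace mirrors the HCL entries on the
# page; the object name "postgres" and port 5432 are assumptions.
SAMPLE = json.dumps({"items": [{
    "metadata": {"name": "postgres", "namespace": "postgres"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {NS_LABEL: ns}}}],
                          "ports": [{"port": 5432, "protocol": "TCP"}]}
                         for ns in ("pal-e-ror", "landscaping-assistant",
                                    "palinks", "paldocs")]}}]})


def allowed_namespaces(policy):
    """Namespaces admitted by namespace-scoped selectors; raises on any broader peer."""
    found = set()
    for rule in policy["spec"].get("ingress", []):
        if not rule.get("from"):  # an empty or missing `from` admits every source
            raise ValueError("ingress rule with no 'from' admits all sources")
        for peer in rule["from"]:
            labels = (peer.get("namespaceSelector") or {}).get("matchLabels") or {}
            # ipBlock peers, empty selectors and other label keys are not the
            # pattern the reviewers checked for, so they fail the audit.
            if "ipBlock" in peer or NS_LABEL not in labels:
                raise ValueError(f"peer is not a {NS_LABEL} namespaceSelector: {peer}")
            found.add(labels[NS_LABEL])
    return found


def audit(kubectl_json, expected=EXPECTED):
    """Map each policy name to (unexpected namespaces, missing namespaces)."""
    report = {}
    for pol in json.loads(kubectl_json)["items"]:
        got = allowed_namespaces(pol)
        report[pol["metadata"]["name"]] = (got - expected, expected - got)
    return report


if __name__ == "__main__":
    for name, (extra, missing) in audit(SAMPLE).items():
        print(name, "OK" if not (extra or missing) else f"extra={extra} missing={missing}")
```

Run it against the live cluster with `kubectl get networkpolicy -n postgres -o json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`.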

Add paldocs to Postgres NetworkPolicy allowlist
All checks were successful
ci/woodpecker/push/terraform Pipeline was successful
ci/woodpecker/pr/terraform Pipeline was successful
ci/woodpecker/pull_request_closed/terraform Pipeline was successful
41ee265d4a
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
Owner

QA Review

Scope: 1 file changed, 1 line added, 0 deleted.

Findings

No issues found. The change is a single-line addition that exactly follows the established pattern for all other namespace entries in the netpol_postgres ingress list:

  • Correct HCL structure: { from = [{ namespaceSelector = { matchLabels = { ... } } }] }
  • Correct namespace value: paldocs
  • Trailing comma present (consistent with other entries)
  • Placement after palinks is logical (alphabetical-ish ordering maintained)
  • No unrelated changes

VERDICT: APPROVE

Author
Owner

PR #398 Review

DOMAIN REVIEW

Tech stack: Terraform / Kubernetes (NetworkPolicy manifest via kubernetes_manifest resource)

This is a single-line addition to the Postgres NetworkPolicy ingress allowlist in terraform/network-policies.tf. The change adds a paldocs namespace selector following the exact same HCL structure used by every other entry in the list (pal-e-ror, landscaping-assistant, palinks).

Terraform/k8s checks:

  • Pattern consistency: The new entry matches the existing structure exactly -- namespaceSelector with matchLabels on kubernetes.io/metadata.name. Correct.
  • Placement: Added after palinks, maintaining alphabetical-ish ordering. Acceptable.
  • State safety: This is a purely additive change to an existing list attribute. No state-breaking risk; tofu plan would show an in-place update to the existing kubernetes_manifest resource. No migration needed.
  • tofu fmt compliance: The line uses consistent indentation and formatting matching the surrounding lines.
  • Security: The change only opens ingress from one additional namespace (paldocs) to the Postgres namespace. This is the correct, least-privilege approach -- namespace-scoped selectors rather than broad CIDR rules.
  • No secrets or credentials in the change.
  • Resource limits / RBAC: Not applicable -- this is a NetworkPolicy ingress rule only.

Historical precedent: This repo has a well-established pattern for this exact change. PRs #376, #378, #382, and #384 all added namespaces to NetworkPolicy allowlists in the same file using the same structure. This PR follows that pattern faithfully.

BLOCKERS

None.

BLOCKER criteria evaluation:

  • Test coverage: Infrastructure NetworkPolicy changes are validated via tofu plan + runtime connectivity checks, not unit tests. The test plan (verify paldocs pods can connect post-apply, inspect the NetworkPolicy YAML) is appropriate for this domain. No new application code to unit test.
  • User input validation: Not applicable -- no user input.
  • Secrets in code: None.
  • DRY violations in auth/security: Not applicable -- single declarative entry.

NITS

None. The change is minimal, correctly scoped, and follows the established pattern precisely.

SOP COMPLIANCE

  • [x] Branch named after issue: 397-add-paldocs-to-postgres-networkpolicy-al follows {issue-number}-{kebab-case-purpose} convention (truncated but acceptable)
  • [x] PR body follows template: Summary, Changes, Test Plan, Related sections all present
  • [ ] Related references plan slug: No plan slug referenced. PR body has Related: Closes #397 which is correct for issue linkage, but no plan slug was provided (caller confirmed "No plan slug"). Acceptable for a single-line infra fix.
  • [x] No secrets committed: Confirmed -- no credentials, .env files, or sensitive data
  • [x] No scope creep: Exactly one file, one line, directly addressing the issue
  • [x] Commit message is descriptive: PR title clearly describes the change

PROCESS OBSERVATIONS

  • Deployment frequency: This is a fast, low-risk infra change. The pattern is well-established across multiple prior PRs. Quick merge and apply is appropriate.
  • Change failure risk: Very low. Additive NetworkPolicy change with no destructive potential. Worst case if the namespace name is wrong: paldocs still cannot connect (no regression to other services).
  • Documentation: The PR body's test plan is clear and actionable. No additional docs needed for a NetworkPolicy allowlist entry.

VERDICT: APPROVED

ldraney deleted branch 397-add-paldocs-to-postgres-networkpolicy-al 2026-06-05 04:07:06 +00:00