senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/k8s/network-policies
History
senke 2aea1af361 docs(J2): align docs with reality — rewrite CLAUDE.md, fix README, purge chat-server refs 
Completes Day 2 of the v1.0.3 → v1.0.4 cleanup sprint. The documentation
now describes the actual repo layout instead of a fictional one.

CLAUDE.md — complete rewrite
  Old version referenced paths that don't exist and a protocol aimed at
  implementing v0.11.0 (current tag: v1.0.3). The agent was following a
  map for a city that had been rebuilt.
  - backend/        → veza-backend-api/
  - frontend/       → apps/web/
  - ORIGIN/ (root)  → veza-docs/ORIGIN/
  - veza-chat-server → merged into backend-api (v0.502, commit 279a10d31)
  - apps/desktop/   → never existed
  Also refreshed: stack versions (Go 1.25, Vite 5, React 18.2, Axum 0.8),
  commands, conventions, hook bypasses (SKIP_TYPES/SKIP_TESTS/SKIP_E2E),
  scope rules kept as immutable (no AI/ML, no Web3, no gamification, no
  dark patterns, no public popularity metrics).

README.md — targeted fixes
  - "Version cible: v0.101" → "Version courante: v1.0.4"
  - "Development Setup (v0.9.3)" → "Development Setup"
  - Removed Desktop (Electron) section — never implemented
  - Removed veza-chat-server from structure — merged into backend
  - Removed deprecated compose files section (nothing is DEPRECATED now)

k8s runbooks — remove stale chat-server references
  The disaster-recovery runbooks still scaled/restarted a deployment
  that no longer exists. In a real failover these commands would have
  failed silently and blocked the procedure. Files patched:
    - k8s/disaster-recovery/runbooks/cluster-failover.md
    - k8s/disaster-recovery/runbooks/data-restore.md
    - k8s/disaster-recovery/runbooks/database-failover.md
    - k8s/disaster-recovery/runbooks/rollback-procedure.md
    - k8s/network-policies/README.md
    - k8s/secrets/README.md
    - k8s/secrets.yaml.example
  Each reference is replaced by a short inline note pointing to v0.502
  (commit 279a10d31) so future readers understand the history.

.env.example — remove CHAT_JWT_SECRET
  Legacy env var for the deleted chat server. Replaced by an explanatory
  comment.

Not in this commit (user handles on Forgejo):
  - Closing the 5 open dependabot PRs on veza-chat-server/* branches
  - Deleting those 5 remote branches after the PRs are closed

Refs: AUDIT_REPORT.md §5.1, §7.1, §10 P1, §10 P4
2026-04-14 17:23:50 +02:00
..
backend-api-allow.yaml chore: consolidate CI, E2E, backend and frontend updates 2026-02-17 16:43:21 +01:00
default-deny.yaml chore: consolidate CI, E2E, backend and frontend updates 2026-02-17 16:43:21 +01:00
frontend-allow.yaml chore: consolidate CI, E2E, backend and frontend updates 2026-02-17 16:43:21 +01:00
README.md docs(J2): align docs with reality — rewrite CLAUDE.md, fix README, purge chat-server refs 2026-04-14 17:23:50 +02:00

README.md

Network Policies

Network policies restrict traffic between pods for defense in depth.

Dependencies

Service Ingress From Egress To
backend-api ingress-nginx PostgreSQL (5432), Redis (6379), DNS
frontend ingress-nginx -
stream-server ingress-nginx Redis, storage

Usage

  1. Apply default deny first:

    kubectl apply -f k8s/network-policies/default-deny.yaml

  2. Apply allow policies for each component:

    kubectl apply -f k8s/network-policies/backend-api-allow.yaml
kubectl apply -f k8s/network-policies/frontend-allow.yaml

Ingress Controller

Policies reference namespaceSelector.matchLabels.name: ingress-nginx. Ensure your ingress controller namespace has this label:

kubectl label namespace ingress-nginx name=ingress-nginx

External Services

If PostgreSQL or Redis run outside the cluster, the egress ipBlock.cidr: 0.0.0.0/0 allows connections. For stricter policies, replace with specific CIDRs.