
ci(observer-deploy): disable NetworkPolicy in smoke stack #60

Merged
yzs15 merged 1 commit into master from fix/smoke-ci-networkpolicy-permission
Jul 1, 2026

@yzs15 (Collaborator) commented Jul 1, 2026

Post-#58 hotfix: smoke job fails because the dev-yuzishu SA lacks networkpolicies RBAC. Disables NP for smoke only; release/production keeps it on.

Failure:

User "system:serviceaccount:dev-yuzishu:observer-github-actions" cannot get resource "networkpolicies" in API group "networking.k8s.io"

🤖 Generated with Claude Code

PR #58 introduced templates/networkpolicy.yaml gated on cluster.enabled.
The smoke job sets cluster.enabled=True (per PR #58 spec, to validate
multi-pod behaviour end-to-end), so the NetworkPolicy manifest renders.
But dev-yuzishu's observer-github-actions ServiceAccount lacks the
networkpolicies.networking.k8s.io RBAC, so `helm install` fails on the
resource discovery lookup.

Fix: pass cluster.networkPolicy.enabled=false in the smoke values. NP is
defense-in-depth (per spec §Internal NetworkPolicy), not the primary
auth (HMAC+nonce is). The smoke stack still exercises the shared registry,
forwarding, drain, and cluster secret rotation paths.

Release job (production) keeps NetworkPolicy on by default via
values-production.example.yaml.

Fixes broken 'observer build and deploy / smoke' job on master post PR #58 merge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
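
A preflight check for the failure described in this PR, as an added example that is not part of the PR or the project's code: it asks the API server whether the deploying identity can manage NetworkPolicies and turns the chart's NetworkPolicy off only when it cannot, logging which verbs are missing. The function names, the `KUBECTL` override and the verb list are assumptions; the values key and namespace are the ones named above.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): decide the smoke job's NetworkPolicy setting
# from the ServiceAccount's actual RBAC instead of hard-coding it.
# KUBECTL can be overridden so the logic is testable without a cluster.

# Verbs Helm needs on a templated resource over install/upgrade/uninstall
# (assumption; adjust to the job's real lifecycle).
NP_VERBS="get create patch delete"

# Print the verbs in NP_VERBS that the current identity is denied in namespace $1.
missing_np_verbs() {
  ns="$1"
  missing=""
  for verb in $NP_VERBS; do
    # `kubectl auth can-i` prints "yes" or "no"; treat anything but "yes" as denied.
    answer="$(${KUBECTL:-kubectl} auth can-i "$verb" \
      networkpolicies.networking.k8s.io -n "$ns" 2>/dev/null || true)"
    if [ "$answer" != "yes" ]; then
      missing="$missing $verb"
    fi
  done
  echo "${missing# }"
}

# Print the `helm install` argument for the smoke stack in namespace $1.
smoke_np_args() {
  ns="$1"
  missing="$(missing_np_verbs "$ns")"
  if [ -z "$missing" ]; then
    echo "--set cluster.networkPolicy.enabled=true"
  else
    # Make the reduced coverage visible in the CI log.
    echo "WARN: identity lacks networkpolicies verbs in $ns: $missing;" \
         "smoke stack will run without NetworkPolicy" >&2
    echo "--set cluster.networkPolicy.enabled=false"
  fi
}

# Usage inside the smoke job (chart path and release name are placeholders):
#   helm install <release> <chart> -n dev-yuzishu $(smoke_np_args dev-yuzishu)
```

If the ServiceAccount is later granted the `networkpolicies` verbs, the smoke stack picks NetworkPolicy back up without another values change.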