improvement(helm): postgres startupProbe + otel-collector NetworkPolicy

waleedlatif1 · waleedlatif1 · commit 7d1e49777481 · 2026-05-12T14:00:53.000-07:00
- add startupProbe defaults for both postgresql + copilot-postgresql STSs
  to shield liveness from slow first-boot (pgvector init, WAL replay)
- render a dedicated NetworkPolicy for the otel-collector when
  telemetry.enabled=true (OTLP ingress from app/realtime/copilot, DNS +
  HTTPS egress for forwarding to external observability backends)
- document why copilot + copilot-postgresql intentionally do NOT ship
  dedicated NetworkPolicies (Redis URL is unknowable at render time)
- regression test pins the otel-collector NP at documentIndex 3
diff --git a/helm/sim/templates/networkpolicy.yaml b/helm/sim/templates/networkpolicy.yaml
@@ -303,4 +303,89 @@ spec:
     - protocol: TCP
       port: 443
 {{- end }}
+
+{{- if .Values.telemetry.enabled }}
+---
+# Network Policy for OpenTelemetry Collector
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "sim.fullname" . }}-otel-collector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "sim.labels" . | nindent 4 }}
+    app.kubernetes.io/component: telemetry
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "sim.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: telemetry
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # OTLP from app
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "sim.app.selectorLabels" . | nindent 10 }}
+    ports:
+    - protocol: TCP
+      port: 4317
+    - protocol: TCP
+      port: 4318
+  # OTLP from realtime
+  {{- if .Values.realtime.enabled }}
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "sim.realtime.selectorLabels" . | nindent 10 }}
+    ports:
+    - protocol: TCP
+      port: 4317
+    - protocol: TCP
+      port: 4318
+  {{- end }}
+  # OTLP from copilot
+  {{- if .Values.copilot.enabled }}
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "sim.selectorLabels" . | nindent 10 }}
+          app.kubernetes.io/component: copilot
+    ports:
+    - protocol: TCP
+      port: 4317
+    - protocol: TCP
+      port: 4318
+  {{- end }}
+  egress:
+  # DNS
+  - to: []
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+  # HTTPS for forwarding to external observability backends (Datadog, Honeycomb, etc.)
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+          {{- range (default (list "169.254.169.254/32" "169.254.170.2/32") .Values.networkPolicy.egressExceptCidrs) }}
+          - {{ . | quote }}
+          {{- end }}
+    ports:
+    - protocol: TCP
+      port: 443
+{{- end }}
+
+{{- /*
+  Copilot + copilot-postgresql intentionally do NOT ship dedicated NetworkPolicies.
+  Copilot requires REDIS_URL (external Redis on a non-443 port), and the chart
+  cannot know the user's Redis host/port at render time — a default egress rule
+  would silently block Redis on most installs. Users running networkPolicy.enabled=true
+  with copilot enabled should add their own NPs (or extend networkPolicy.egress
+  with the appropriate egress rules).
+*/}}
 {{- end }}
diff --git a/helm/sim/templates/statefulset-copilot-postgres.yaml b/helm/sim/templates/statefulset-copilot-postgres.yaml
@@ -115,6 +115,10 @@ spec:
           envFrom:
             - secretRef:
                 name: {{ include "sim.fullname" . }}-copilot-postgresql-secret
+          {{- if .Values.copilot.postgresql.startupProbe }}
+          startupProbe:
+            {{- toYaml .Values.copilot.postgresql.startupProbe | nindent 12 }}
+          {{- end }}
           {{- if .Values.copilot.postgresql.livenessProbe }}
           livenessProbe:
             {{- toYaml .Values.copilot.postgresql.livenessProbe | nindent 12 }}
diff --git a/helm/sim/templates/statefulset-postgresql.yaml b/helm/sim/templates/statefulset-postgresql.yaml
@@ -140,6 +140,10 @@ spec:
                 name: {{ include "sim.fullname" . }}-postgresql-env
             - secretRef:
                 name: {{ include "sim.postgresqlSecretName" . }}
+          {{- if .Values.postgresql.startupProbe }}
+          startupProbe:
+            {{- toYaml .Values.postgresql.startupProbe | nindent 12 }}
+          {{- end }}
           {{- if .Values.postgresql.livenessProbe }}
           livenessProbe:
             {{- toYaml .Values.postgresql.livenessProbe | nindent 12 }}
diff --git a/helm/sim/tests/networkpolicy_test.yaml b/helm/sim/tests/networkpolicy_test.yaml
@@ -128,6 +128,19 @@ tests:
               - protocol: TCP
                 port: 3000
 
+  - it: telemetry collector NetworkPolicy renders when telemetry.enabled=true
+    set:
+      <<: *defaults
+      telemetry.enabled: true
+    documentIndex: 3
+    asserts:
+      - equal:
+          path: kind
+          value: NetworkPolicy
+      - equal:
+          path: metadata.name
+          value: t-sim-otel-collector
+
   - it: networkPolicy.egress (custom rules) are appended to both app and realtime NetworkPolicies
     set:
       <<: *defaults
diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
@@ -622,12 +622,22 @@ postgresql:
     targetPort: 5432
   
   # Health checks
+  # startupProbe shields liveness from slow first-boot scenarios (pgvector
+  # extension init, WAL replay after a crash on a large data dir). Gives
+  # postgres up to 150s (30 * 5s) to become ready before liveness takes over.
+  startupProbe:
+    exec:
+      command: ["pg_isready", "-U", "postgres", "-d", "sim"]
+    periodSeconds: 5
+    failureThreshold: 30
+    timeoutSeconds: 5
+
   livenessProbe:
     exec:
       command: ["pg_isready", "-U", "postgres", "-d", "sim"]
     initialDelaySeconds: 10
     periodSeconds: 5
-  
+
   readinessProbe:
     exec:
       command: ["pg_isready", "-U", "postgres", "-d", "sim"]
@@ -1440,14 +1450,24 @@ copilot:
       targetPort: 5432
 
     # Health checks
+    # startupProbe shields liveness from slow first-boot scenarios (pgvector
+    # extension init, WAL replay after a crash). Gives postgres up to 150s
+    # (30 * 5s) to become ready before liveness takes over.
+    startupProbe:
+      exec:
+        command: ["pg_isready", "-U", "copilot", "-d", "copilot"]
+      periodSeconds: 5
+      failureThreshold: 30
+      timeoutSeconds: 5
+
     livenessProbe:
       exec:
         command: ["pg_isready", "-U", "copilot", "-d", "copilot"]
       initialDelaySeconds: 10
       periodSeconds: 5
       timeoutSeconds: 5
       failureThreshold: 10
-    
+
     readinessProbe:
       exec:
         command: ["pg_isready", "-U", "copilot", "-d", "copilot"]
