From 74c218063d8420c17f8dbb66677c20ce3e14ecfd Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Thu, 22 Jan 2026 07:17:07 -0800
Subject: [PATCH] Allow homelab to scrape CNPG metrics on port 9187
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add tcp:9187 to tag:homelab → tag:k8s ACL rule for Prometheus to scrape CloudNativePG metrics endpoint.

Co-Authored-By: Claude Opus 4.5
---
 pulumi/policy.hujson | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index 142326b..53215f5 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -74,11 +74,11 @@
 "dst": ["tag:homelab"],
 "ip": ["tcp:3001", "tcp:2200"],
 },
- // Homelab can reach k8s PostgreSQL for borgmatic backups
+ // Homelab can reach k8s PostgreSQL for borgmatic backups and metrics scraping
 {
 "src": ["tag:homelab"],
 "dst": ["tag:k8s"],
- "ip": ["tcp:5432"],
+ "ip": ["tcp:5432", "tcp:9187"],
 },
 ],
@@ -141,10 +141,10 @@
 "accept": ["tag:kiwix:443", "tag:forge:443", "tag:feed:443", "tag:pg:5432"],
 "deny": ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443", "tag:k8s-api:443"],
 },
- // Homelab can reach homelab and NAS
+ // Homelab can reach homelab, NAS, and k8s metrics
 {
 "src": "tag:homelab",
- "accept": ["tag:homelab:22", "tag:nas:445"],
+ "accept": ["tag:homelab:22", "tag:nas:445", "tag:k8s:9187"],
 },
 // K8s workloads can reach registry and forge (on indri:3001 HTTP, :2200 SSH)
 {
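Review bot: The added `"tcp:9187"` on the `tag:homelab` → `tag:k8s` rule opens the exporter port on every node carrying `tag:k8s` to every node carrying `tag:homelab`, while the commit message scopes the need to one scraper (Prometheus) reaching one endpoint (the CloudNativePG metrics exporter). Metrics exporters are usually served without authentication, so if the policy has, or could get, a narrower tag for the scraping host or for the database nodes, using it on this rule would keep the endpoint off the rest of both tags; that is worth confirming against the tag layout outside this hunk. Independently, the two ports on this rule now serve different purposes and the comment should say which is which: `// Homelab can reach k8s PostgreSQL (5432, borgmatic backups) and the CNPG metrics exporter (9187, Prometheus scraping)`.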
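Review bot: The new `"tag:k8s:9187"` entry appears only in the homelab `accept` test, so no test asserts that 9187 stays closed to the other sources; the test directly above already carries a `deny` list (`tag:grafana:443` … `tag:k8s-api:443`) for that purpose. Adding `"tag:k8s:9187"` to the `deny` lists of the sources that are not meant to scrape the exporter would make a later accidental widening of the port fail the policy tests instead of going unnoticed. The enclosing tests array starts and ends outside this hunk, so which sources those are cannot be read from the diff.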