feat: Add k8s manifests for 4 missing services and update CI pipeline #528

Merged: aurelianware merged 1 commit into main from feat/missing-k8s-manifests, Mar 20, 2026

@aurelianware
Owner

Summary

Four services had Dockerfiles and source code but were missing Kubernetes deployment manifests, and three of those were not in the CI build matrix. This PR closes those gaps.

Changes

New k8s deployment manifests (ConfigMap + Deployment + Service each):

  • premium-billing-service - 2 replicas, Cosmos DB + Stripe secrets, coverage/sponsor service deps
  • appeals-service - 2 replicas, Cosmos DB + Azure Storage, claims-service dep
  • rfai-service - 1 replica, Cosmos DB + optional MongoDB
  • claims-scrubbing-service - 2 replicas (Node.js), Kafka + Cosmos + Azure Storage, port 3000

CI pipeline updates (deploy-azure-aks.yml):

  • Added premium-billing-service, appeals-service, rfai-service to Docker build matrix
  • Added build_context for shared .NET infrastructure access
  • Added Apply backend service manifests step that loops through src/services/*/k8s/*.yaml with ACR image substitution

Deploy script (deploy-core-services.sh):

  • Added 3 missing services to the SERVICES array

Testing

  • All YAML files validated with Python yaml parser
  • Manifest structure follows established patterns from existing services (e.g., claims-service, eligibility-service)

- Add k8s deployment manifests for premium-billing-service, appeals-service,
  rfai-service, and claims-scrubbing-service
- Add premium-billing-service, appeals-service, rfai-service to CI build matrix
- Add backend service manifest deployment step to deploy-azure-aks workflow
- Update deploy-core-services.sh with 3 additional services

Each manifest includes ConfigMap, Deployment, and Service resources following
existing patterns used by other services in the cluster.
Copilot AI review requested due to automatic review settings March 20, 2026 10:53
@aurelianware aurelianware merged commit 9779c29 into main Mar 20, 2026
60 checks passed
@aurelianware aurelianware deleted the feat/missing-k8s-manifests branch March 20, 2026 10:55
@github-actions

Code Coverage

Package | Line Rate | Branch Rate | Health
CloudHealthOffice.Portal | 13% | 3% |
CloudHealthOffice.Portal | 13% | 3% |
Summary | 13% (2498 / 18662) | 3% (174 / 5968) |

Contributor

Copilot AI left a comment

Pull request overview

Adds Kubernetes deployment manifests for previously-undelivered backend services and updates the AKS deployment workflow + deploy script so these services can be built, pushed, and applied as part of the standard deployment path.

Changes:

  • Added new ConfigMap + Deployment + Service manifests for premium-billing-service, appeals-service, rfai-service, and claims-scrubbing-service.
  • Expanded the deploy-azure-aks.yml service build matrix and added a step to apply all service manifests with image substitution.
  • Updated deploy-core-services.sh to include the newly-manifested services in the deploy list.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 11 comments.

File | Description
src/services/rfai-service/k8s/rfai-service-deployment.yaml | Introduces k8s manifest for rfai-service (Cosmos/Mongo optional, health probes, service).
src/services/premium-billing-service/k8s/premium-billing-service-deployment.yaml | Introduces k8s manifest for premium-billing-service (Cosmos/Mongo optional, Stripe secrets, deps).
src/services/claims-scrubbing-service/k8s/claims-scrubbing-service-deployment.yaml | Introduces k8s manifest for Node.js claims scrubbing service (Kafka/Cosmos/Storage config, probes).
src/services/appeals-service/k8s/appeals-service-deployment.yaml | Introduces k8s manifest for appeals-service (Cosmos + Storage + claims-service dependency).
scripts/deploy/deploy-core-services.sh | Adds the new services to the deploy list used by the local deploy script.
.github/workflows/deploy-azure-aks.yml | Adds services to the CI build matrix and applies all service manifests with registry/tag substitution.

Comment on lines +45 to +54
- name: CosmosDb__AccountEndpoint
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: endpoint
- name: CosmosDb__AccountKey
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: key
Copilot AI Mar 20, 2026

This Deployment references secret "cosmos-db-secret" (keys "endpoint"/"key"), but the AKS deploy workflow currently creates "cosmosdb-secret" with only a "connectionString" key. As-is, the referenced secret/keys will be missing and the pod will fail to start. Align the secret name/keys between the workflow and manifests.

Suggested change
- name: CosmosDb__AccountEndpoint
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: endpoint
- name: CosmosDb__AccountKey
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: key
- name: CosmosDb__ConnectionString
valueFrom:
secretKeyRef:
name: cosmosdb-secret
key: connectionString

Copilot uses AI. Check for mistakes.
Comment on lines +78 to +79
name: cosmos-db-secret
key: endpoint
Copilot AI Mar 20, 2026

This Deployment expects Cosmos DB endpoint in secret "cosmos-db-secret" (key "endpoint"), but the AKS deploy workflow currently creates "cosmosdb-secret" and only provides a "connectionString" key. If this service is deployed via the workflow, it will fail due to the missing secret/keys. Align the secret name/keys between the workflow and manifests.

Suggested change
name: cosmos-db-secret
key: endpoint
name: cosmosdb-secret
key: connectionString

echo "Applying ${manifest}..."
sed \
-e "s|choacrhy6h2vdulfru6.azurecr.io/cloudhealthoffice-|${ACR}/cloudhealthoffice-|g" \
-e "s|:latest|:${SHA}|g" \
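Review bot: the first -e expression matches the literal host choacrhy6h2vdulfru6.azurecr.io, so the rewrite only works for manifests committed with exactly that registry name, and the unescaped dots in the pattern match any character. A manifest that uses a different host passes through unchanged apart from its tag and is still applied. Escape the dots, and fail the step when a rewritten manifest contains no ${ACR}/ image reference, rather than applying it as-is.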
Copilot AI Mar 20, 2026

The tag rewrite here replaces every ":latest" with the SHA tag, which will also mutate manifests that still reference ghcr.io images (encounter-service, fhir-service, risk-adjustment-service, smart-auth-service, etc.). Those sha-* tags won’t exist in GHCR (and several of those images aren’t built by this workflow), so deployments will fail to pull. Scope the substitution (and/or the apply loop) to only images built/pushed to ${ACR} by this workflow.

Suggested change
-e "s|:latest|:${SHA}|g" \
-e "s|\(${ACR}/cloudhealthoffice-[^:]*\):latest|\1:${SHA}|g" \

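The substitution problem described in the comment above, reproduced as an added example (not code from the PR or the repository). The ghcr.io image path, the ACR value and the SHA tag are constructed; the scoped expression follows the suggested change, with the registry dots escaped.

```shell
# Added example: constructed input, not the repository's manifests.
ACR="example.azurecr.io"   # assumed value of env.REGISTRY
SHA="sha-0123abc"          # assumed image tag

# Two image lines: one ACR image the workflow builds, one GHCR image it does not.
sample_images() {
  cat <<'EOF'
        image: choacrhy6h2vdulfru6.azurecr.io/cloudhealthoffice-rfai-service:latest
        image: ghcr.io/example-org/fhir-service:latest
EOF
}

# Substitution as merged: every ":latest" is retagged.
rewrite_broad() {
  sed \
    -e "s|choacrhy6h2vdulfru6.azurecr.io/cloudhealthoffice-|${ACR}/cloudhealthoffice-|g" \
    -e "s|:latest|:${SHA}|g"
}

# Scoped substitution: only ${ACR}/cloudhealthoffice-* images are retagged.
rewrite_scoped() {
  acr_re=$(printf '%s' "$ACR" | sed 's/\./\\./g')   # match the host literally
  sed \
    -e "s|choacrhy6h2vdulfru6\.azurecr\.io/cloudhealthoffice-|${ACR}/cloudhealthoffice-|g" \
    -e "s|\(${acr_re}/cloudhealthoffice-[^:]*\):latest|\1:${SHA}|g"
}

# Guard usable in CI: list images outside $ACR whose tag was changed to $SHA.
foreign_retagged() {
  grep "image:" | grep -vF "${ACR}/" | grep -F ":${SHA}" || true
}

echo "broad:";  sample_images | rewrite_broad
echo "scoped:"; sample_images | rewrite_scoped
```

Piping each rewritten manifest through foreign_retagged before kubectl apply turns the pull failure into a failed pipeline step.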
Comment on lines +20 to +22
spec:
replicas: 1
selector:
Copilot AI Mar 20, 2026

PR description says premium-billing-service should run with 2 replicas, but this manifest sets replicas: 1. Either update the manifest to match the intended replica count, or adjust the PR description so it accurately reflects the deployment configuration.

Comment on lines +20 to +22
spec:
replicas: 1
selector:
Copilot AI Mar 20, 2026

PR description says appeals-service should run with 2 replicas, but this manifest sets replicas: 1. Either update the manifest to match the intended replica count, or adjust the PR description so it accurately reflects the deployment configuration.

Comment on lines +51 to +60
- name: CosmosDb__Endpoint
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: endpoint
- name: CosmosDb__Key
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: key
Copilot AI Mar 20, 2026

This Deployment references secret "cosmos-db-secret" (keys "endpoint"/"key"), but the AKS deploy workflow currently creates "cosmosdb-secret" with only a "connectionString" key. As-is, the referenced secret/keys will be missing and the pod will fail to start. Align the secret name/keys between the workflow and manifests.

Suggested change
- name: CosmosDb__Endpoint
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: endpoint
- name: CosmosDb__Key
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: key
- name: CosmosDb__ConnectionString
valueFrom:
secretKeyRef:
name: cosmosdb-secret
key: connectionString

Comment on lines +55 to +58
premium-billing-service
appeals-service
rfai-service
claims-scrubbing-service
Copilot AI Mar 20, 2026

deploy-core-services.sh verifies service health by port-forwarding and calling /health/live for every service. claims-scrubbing-service (Node.js) exposes /livez and /readyz (not /health/live), so after adding it to SERVICES this script will report it as unhealthy even when it’s running. Update the verification logic to use /livez for claims-scrubbing-service (or make the endpoint path configurable per service).

Comment on lines +40 to +42
spec:
replicas: 1
selector:
Copilot AI Mar 20, 2026

PR description says claims-scrubbing-service should run with 2 replicas, but this manifest sets replicas: 1. Either update the manifest to match the intended replica count, or adjust the PR description so it accurately reflects the deployment configuration.

Comment on lines +45 to +50
- name: CosmosDb__AccountEndpoint
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: endpoint
- name: CosmosDb__AccountKey
Copilot AI Mar 20, 2026

appeals-service Program.cs reads Cosmos DB configuration from "CosmosDb:Endpoint" and "CosmosDb:Key" and throws if they are missing, but this manifest sets "CosmosDb__AccountEndpoint" (and "CosmosDb__AccountKey" below). This will result in Endpoint/Key being unset at runtime and the container crashing on startup. Use env var names that match what the service reads (CosmosDb__Endpoint / CosmosDb__Key) or update the service to read AccountEndpoint/AccountKey consistently.

Suggested change
- name: CosmosDb__AccountEndpoint
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: endpoint
- name: CosmosDb__AccountKey
- name: CosmosDb__Endpoint
valueFrom:
secretKeyRef:
name: cosmos-db-secret
key: endpoint
- name: CosmosDb__Key

Comment on lines +375 to +379
- name: Apply backend service manifests
run: |
ACR="${{ env.REGISTRY }}"
SHA="sha-${{ github.sha }}"
for manifest in src/services/*/k8s/*.yaml; do
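Review bot: the for loop's glob, src/services/*/k8s/*.yaml, applies every manifest that happens to sit under a k8s directory, so the set of workloads deployed is decided by the repository tree rather than by the build matrix. Iterate over an explicit list of the services this job built instead. Separately, ${{ env.REGISTRY }} and ${{ github.sha }} are expanded into the script text; pass them through the step's env: block and read them as shell variables.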
Copilot AI Mar 20, 2026

The manifests expect a secret named "cosmos-db-secret" with "endpoint"/"key" keys, but this workflow creates "cosmosdb-secret" with only a "connectionString" key (earlier in the job). With this new apply loop, deployments will fail due to missing secrets/keys unless the secret name/shape is aligned between the workflow and manifests.

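A pre-apply check for the secret mismatch raised in several comments above, as an added example rather than the project's own tooling. The manifest text is constructed, the list of provided secrets follows the review comments' description of the workflow, and the line-based awk parser assumes unquoted name/key values directly under secretKeyRef.

```shell
# Added example: constructed manifest text, not a file from the repository.
sample_manifest() {
  cat <<'EOF'
        env:
        - name: CosmosDb__Endpoint
          valueFrom:
            secretKeyRef:
              name: cosmos-db-secret
              key: endpoint
        - name: CosmosDb__Key
          valueFrom:
            secretKeyRef:
              name: cosmos-db-secret
              key: key
EOF
}

# Secrets the deploy job creates, one "name key" pair per line
# (as described in the review comments).
provided_secrets() {
  printf '%s\n' "cosmosdb-secret connectionString"
}

# Print "name key" for each secretKeyRef in the manifest text on stdin.
secret_refs() {
  awk '
    /secretKeyRef:/ { in_ref = 1; name = ""; key = ""; next }
    in_ref && $1 == "name:" { name = $2 }
    in_ref && $1 == "key:"  { key = $2 }
    in_ref && name != "" && key != "" { print name, key; in_ref = 0 }
  ' | sort -u
}

# Print "name/key" for each reference that no provided secret satisfies.
missing_refs() {
  secret_refs | while read -r name key; do
    provided_secrets | grep -qxF "$name $key" || echo "$name/$key"
  done
}

missing=$(sample_manifest | missing_refs)
if [ -n "$missing" ]; then
  echo "unsatisfied secret references:"
  echo "$missing"
fi
```

Run against each manifest before the apply step, a non-empty result is the signal to stop the deployment instead of discovering the missing secret when the pod fails to start.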