aurelianware · aurelianware · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/.github/workflows/deploy-azure-aks.yml b/.github/workflows/deploy-azure-aks.yml
@@ -290,7 +290,7 @@ jobs:
   deploy-aks:
     name: Deploy Portal & Services → AKS
     runs-on: ubuntu-latest
-    needs: build-push-acr
+    needs: [build-push-acr, build-push-services]
     permissions:
       id-token: write
       contents: read
@@ -318,17 +318,36 @@ jobs:
           kubectl create namespace ${{ env.NAMESPACE }} \
             --dry-run=client -o yaml | kubectl apply -f -
 
-      - name: Create Cosmos DB secret
+      - name: Create MongoDB auth secret (standalone StatefulSet credentials)
         run: |
-          kubectl create secret generic cosmosdb-secret \
-            --from-literal=connectionString="${{ secrets.COSMOS_DB_CONNECTION_STRING }}" \
+          MONGO_USER="${{ secrets.MONGODB_USERNAME }}"
+          MONGO_PASS="${{ secrets.MONGODB_PASSWORD }}"
+          : "${MONGO_USER:=admin}"
+          : "${MONGO_PASS:=admin}"
+          kubectl create secret generic mongodb-auth \
+            --from-literal=username="${MONGO_USER}" \
+            --from-literal=password="${MONGO_PASS}" \
             -n ${{ env.NAMESPACE }} \
             --dry-run=client -o yaml | kubectl apply -f -
 
-      - name: Create MongoDB secret (Cosmos DB MongoDB API)
+      - name: Create Cosmos DB / MongoDB connection secret
         run: |
+          # Use CosmosDB if configured, otherwise fall back to standalone MongoDB
+          CONN="${{ secrets.COSMOS_DB_CONNECTION_STRING }}"
+          if [ -z "$CONN" ]; then
+            MONGO_USER="${{ secrets.MONGODB_USERNAME }}"
+            MONGO_PASS="${{ secrets.MONGODB_PASSWORD }}"
+            : "${MONGO_USER:=admin}"
+            : "${MONGO_PASS:=admin}"
+            CONN="mongodb://${MONGO_USER}:${MONGO_PASS}@mongodb.cloudhealthoffice.svc.cluster.local:27017"
+            echo "No COSMOS_DB_CONNECTION_STRING set — using standalone MongoDB"
+          fi
+          kubectl create secret generic cosmosdb-secret \
+            --from-literal=connectionString="${CONN}" \
+            -n ${{ env.NAMESPACE }} \
+            --dry-run=client -o yaml | kubectl apply -f -
           kubectl create secret generic mongodb-secret \
-            --from-literal=connectionString="${{ secrets.COSMOS_DB_CONNECTION_STRING }}" \
+            --from-literal=connectionString="${CONN}" \
             -n ${{ env.NAMESPACE }} \
             --dry-run=client -o yaml | kubectl apply -f -
 
@@ -409,6 +428,16 @@ jobs:
             --wait \
             --timeout 5m
 
+      - name: Deploy Redis (distributed cache / session store)
+        run: |
+          kubectl apply -f infrastructure/k8s/redis-dataprotection.yaml
+          kubectl rollout status deployment/redis-dataprotection -n ${{ env.NAMESPACE }} --timeout=120s
+
+      - name: Deploy MongoDB (standalone fallback for DataProtection keys)
+        run: |
+          kubectl apply -f infrastructure/k8s/mongodb-deployment.yaml
+          kubectl rollout status statefulset/mongodb -n ${{ env.NAMESPACE }} --timeout=120s
+
       - name: Substitute ACR image in portal deployment
         run: |
           ACR="${{ env.REGISTRY }}"

diff --git a/infrastructure/k8s/mongodb-deployment.yaml b/infrastructure/k8s/mongodb-deployment.yaml
@@ -32,12 +32,12 @@ spec:
         - name: MONGO_INITDB_ROOT_USERNAME
           valueFrom:
             secretKeyRef:
-              name: mongodb-secret
+              name: mongodb-auth
               key: username
         - name: MONGO_INITDB_ROOT_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: mongodb-secret
+              name: mongodb-auth
               key: password
         volumeMounts:
         - name: mongodb-data
@@ -66,12 +66,5 @@ spec:
   selector:
     app: mongodb
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mongodb-secret
-  namespace: cloudhealthoffice
-type: Opaque
-stringData:
-  username: admin
-  password: securepassword123
+# mongodb-auth Secret is created by CI/CD from GitHub Secrets.
+# Do NOT hardcode credentials here.
diff --git a/src/portal/CloudHealthOffice.Portal/k8s/portal-deployment.yaml b/src/portal/CloudHealthOffice.Portal/k8s/portal-deployment.yaml
@@ -143,19 +143,16 @@ spec:
               name: portal-config
               key: Redis__ConnectionString
         - name: AzureAd__TenantId
-          value: ""
           valueFrom:
             secretKeyRef:
               name: azure-ad-config
               key: TenantId
         - name: AzureAd__ClientId
-          value: ""
           valueFrom:
             secretKeyRef:
               name: azure-ad-config
               key: ClientId
         - name: AzureAd__ClientSecret
-          value: ""
           valueFrom:
             secretKeyRef:
               name: azure-ad-config
@@ -192,10 +189,10 @@ spec:
               key: professional-price-id
         resources:
           requests:
-            memory: "256Mi"
-            cpu: "200m"
-          limits:
             memory: "512Mi"
+            cpu: "250m"
+          limits:
+            memory: "1Gi"
             cpu: "1000m"
         startupProbe:
           httpGet: