213 changes: 148 additions & 65 deletions .github/workflows/ci-build-deploy.yaml
Expand Up @@ -92,65 +92,142 @@ jobs:
if: github.ref != 'refs/heads/dev'
run: |
export PATH=$PATH:`pwd`/linux-amd64

echo '
image:
registry: docker.pkg.github.com
repository: bcgov-dss/api-serv-infra/mongodb
tag: 5.0-7a639fba
pullPolicy: IfNotPresent
pullSecrets:
- dev-github-read-packages-creds

auth:
rootPassword: "s3cr3t"

serviceAccount:
create: false
name: asp-service-account

arbiter:
enabled: false

rbac:
create: true

updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 100%

readinessProbe:
timeoutSeconds: 30
periodSeconds: 120

livenessProbe:
timeoutSeconds: 30
periodSeconds: 120

persistence:
enabled: true
size: 2Gi

resources:
requests:
cpu: 85m
memory: 480M
limits:
cpu: 300m
memory: 720M

podSecurityContext:
enabled: true
fsGroup: ${{ secrets.RUNNING_UID_GID }}

containerSecurityContext:
enabled: true
runAsUser: ${{ secrets.RUNNING_UID_GID }}
' > values.yaml
helm repo add bitnami https://charts.bitnami.com/bitnami
helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db --version 12.1.31 -f values.yaml --history-max 3 bitnami/mongodb
DEPLOY_ID="${{ steps.set-deploy-id.outputs.DEPLOY_ID }}"
DB_NAME="proto-asp-${DEPLOY_ID}-db"

# ConfigMap to create Keystone user and database on first Postgres start
oc create configmap "${DB_NAME}-init" --from-literal=1-init.sql="CREATE ROLE keystonejsuser WITH LOGIN PASSWORD 'keystonejsuser'; CREATE DATABASE keystonejs OWNER keystonejsuser;" --dry-run=client -o yaml | oc apply -f -

# ConfigMap with Keystone schema (run by Job after Postgres is up)
oc create configmap "${DB_NAME}-keystone-schema" --from-file=keystone-init.sql=local/db/keystone-init.sql --dry-run=client -o yaml | oc apply -f -

# PVC for Postgres data (persistence)
cat <<EOF | oc apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ${DB_NAME}-data
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: ${{ startsWith(github.ref_name, 'feature/') && '1Gi' || '2Gi' }}
EOF

# Postgres 15 Deployment (public image)
cat <<EOF | oc apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: ${DB_NAME}
spec:
replicas: 1
selector:
matchLabels:
app: ${DB_NAME}
strategy:
type: Recreate
template:
metadata:
labels:
app: ${DB_NAME}
spec:
containers:
- name: postgres
image: postgres:15
ports:
- containerPort: 5432
env:
- name: POSTGRES_USER
value: postgres
- name: POSTGRES_PASSWORD
value: "s3cr3t"
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
- name: init
mountPath: /docker-entrypoint-initdb.d
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
memory: 256Mi
volumes:
- name: data
persistentVolumeClaim:
claimName: ${DB_NAME}-data
- name: init
configMap:
name: ${DB_NAME}-init
readinessProbe:
exec:
command: [pg_isready, -U, postgres]
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
livenessProbe:
exec:
command: [pg_isready, -U, postgres]
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
EOF

# Service for Postgres
cat <<EOF | oc apply -f -
apiVersion: v1
kind: Service
metadata:
name: ${DB_NAME}
spec:
ports:
- port: 5432
targetPort: 5432
name: postgres
selector:
app: ${DB_NAME}
EOF

# Wait for Postgres to be ready
oc rollout status deployment/${DB_NAME} --timeout=300s

# Run Keystone schema (Job)
cat <<EOF | oc apply -f -
apiVersion: batch/v1
kind: Job
metadata:
name: ${DB_NAME}-keystone-init
spec:
ttlSecondsAfterFinished: 300
backoffLimit: 5
template:
spec:
restartPolicy: OnFailure
containers:
- name: run-schema
image: postgres:15
command:
- /bin/sh
- -c
- |
until PGPASSWORD=keystonejsuser psql -h ${DB_NAME} -U keystonejsuser -d keystonejs -c '\q' 2>/dev/null; do echo "Waiting for DB..."; sleep 2; done
PGPASSWORD=keystonejsuser psql -h ${DB_NAME} -U keystonejsuser -d keystonejs -f /schema/keystone-init.sql
env:
- name: PGPASSWORD
value: "keystonejsuser"
volumeMounts:
- name: schema
mountPath: /schema
volumes:
- name: schema
configMap:
name: ${DB_NAME}-keystone-schema
EOF

oc wait --for=condition=complete job/${DB_NAME}-keystone-init --timeout=300s

- name: 'Deploy Backend'
if: github.ref != 'refs/heads/dev'
Expand Down Expand Up @@ -296,14 +373,20 @@ jobs:
value: Oauth2Proxy
KONG_URL:
value: '${{ secrets.KONG_URL_DEV}}'
MONGO_URL:
value: 'mongodb://proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db-mongodb:27017'
MONGO_USER:
value: root
ADAPTER:
value: knex
KNEX_HOST:
value: 'proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db'
KNEX_PORT:
value: '5432'
KNEX_USER:
value: keystonejsuser
secure: true
MONGO_PASSWORD:
value: s3cr3t
KNEX_PASSWORD:
value: keystonejsuser
secure: true
KNEX_DATABASE:
value: keystonejs
FEEDER_URL:
value: 'http://proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-feeder-generic-api'
GITHUB_API_TOKEN:
18 changes: 15 additions & 3 deletions .github/workflows/ci-remove.yaml
Expand Up @@ -2,50 +2,62 @@

on:
delete:
branches: [dev, main, feature/*]

jobs:
delete:
if: github.event.ref_type == 'branch' && startsWith(github.event.ref, 'refs/heads/feature/')
runs-on: ubuntu-latest
steps:
- name: Set DEPLOY_ID which will delete a custom deploy from 'dev' environment
run: |
echo "BRANCH = ${{ github.event.ref }}"
export BRANCH="${{ github.event.ref }}"
echo "::set-output name=DEPLOY_ID::${BRANCH//\//-}"
id: set-deploy-id

- name: Get deploy ID
run: echo "The DEPLOY_ID is ${{ steps.set-deploy-id.outputs.DEPLOY_ID }}"

- uses: actions/checkout@v2

- name: Install oc
uses: redhat-actions/oc-installer@v1
with:
version: '4.6'

- name: Authenticate and set context
uses: redhat-actions/oc-login@v1
with:
openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

# Disables SSL cert checking. Use this if you don't have the certificate authority data.
insecure_skip_tls_verify: true

namespace: ${{ env.OPENSHIFT_NAMESPACE }}

- name: 'Get Helm'
run: |
curl -L -O https://get.helm.sh/helm-v3.4.2-linux-amd64.tar.gz
tar -xf helm-v3.4.2-linux-amd64.tar.gz

- name: 'Delete ALL'
- name: 'Delete DB (Postgres k8s resources)'
run: |
DEPLOY_ID="${{ steps.set-deploy-id.outputs.DEPLOY_ID }}"
DB_NAME="proto-asp-${DEPLOY_ID}-db"
oc delete deployment "${DB_NAME}" --ignore-not-found=true
oc delete service "${DB_NAME}" --ignore-not-found=true
oc delete pvc "${DB_NAME}-data" --ignore-not-found=true
oc delete configmap "${DB_NAME}-init" "${DB_NAME}-keystone-schema" --ignore-not-found=true
oc delete job "${DB_NAME}-keystone-init" --ignore-not-found=true

- name: 'Delete ALL (Helm releases)'
run: |
export PATH=$PATH:`pwd`/linux-amd64

helm delete proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db
# for old MongoDB Helm releases
helm delete proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db --ignore-not-found

helm delete proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}
helm delete proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-routes
helm delete proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-feeder

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}