SIMSBIOHUB-850: Implement Crunchy DB (#338)

Author: dylanrogowsky-oxd

.github/workflows/deployStatic.yml

@@ -120,62 +120,6 @@ jobs:
           docker build -t ${{ vars.OPENSHIFT_REGISTRY }}/${{ vars.OPENSHIFT_LICENSE_PLATE }}-tools/$APP_NAME:${{ env.IMAGE_TAG }} .
           docker push ${{ vars.OPENSHIFT_REGISTRY }}/${{ vars.OPENSHIFT_LICENSE_PLATE }}-tools/$APP_NAME:${{ env.IMAGE_TAG }}
 
-  # Build the Database image
-  buildAndPushDatabase:
-    name: Build Database Image
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    if: ${{ github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' }}
-    env:
-      IMAGE_TAG: build-1.0.0-${{ needs.checkoutRepo.outputs.timestamp }}-${{ github.base_ref || github.ref_name }}
-      BRANCH: ${{ github.base_ref || github.ref_name }}
-      APP_NAME: "biohub-platform-db"
-    needs:
-      - checkoutRepo
-    steps:
-      # Load repo from cache
-      - name: Cache repo
-        uses: actions/cache@v4
-        id: cache-repo
-        env:
-          cache-name: cache-repo
-        with:
-          path: ${{ github.workspace }}/*
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ github.event.pull_request.head.sha || github.sha }}
-
-      # Checkout the branch if not restored via cache
-      - name: Checkout Target Branch
-        if: steps.cache-repo.outputs.cache-hit != 'true'
-        uses: actions/checkout@v6
-
-      # Install oc, which was removed from the ubuntu-latest image in v24.04
-      - name: Install OpenShift CLI tools
-        uses: redhat-actions/openshift-tools-installer@v1
-        with:
-          oc: "4.16"
-
-      # Log in to OpenShift
-      # Note: The secrets needed to log in are NOT available if the PR comes from a FORK.
-      # PR's must originate from a branch off the original repo or else all openshift `oc` commands will fail.
-      - name: Log in to OpenShift
-        uses: redhat-actions/oc-login@v1
-        with:
-          openshift_server_url: https://api.silver.devops.gov.bc.ca:6443
-          openshift_token: ${{ secrets.TOOLS_SA_TOKEN }}
-          namespace: ${{ vars.OPENSHIFT_LICENSE_PLATE }}-${{ env.BRANCH }}
-
-      # Authenticate Docker with OpenShift registry
-      - name: Authenticate Docker with OpenShift registry
-        run: |
-          echo ${{ secrets.TOOLS_SA_TOKEN }} | docker login -u unused --password-stdin ${{ vars.OPENSHIFT_REGISTRY }}
-
-      # Build and push the database image using Docker
-      - name: Build and Push Database Image
-        working-directory: database
-        run: |
-          docker build -t ${{ vars.OPENSHIFT_REGISTRY }}/${{ vars.OPENSHIFT_LICENSE_PLATE }}-tools/$APP_NAME:${{ env.IMAGE_TAG }} .
-          docker push ${{ vars.OPENSHIFT_REGISTRY }}/${{ vars.OPENSHIFT_LICENSE_PLATE }}-tools/$APP_NAME:${{ env.IMAGE_TAG }}
-
   # Build the Database Setup image
   buildAndPushDatabaseSetup:
     name: Build Database Setup Image
@@ -300,7 +244,6 @@ jobs:
     needs:
       - checkoutRepo
       - buildAndPushApp
-      - buildAndPushDatabase
       - buildAndPushDatabaseSetup
       - buildAndPushAPI
     steps:
@@ -358,15 +301,6 @@ jobs:
             -f ./infrastructure/biohub-platform/values-$BRANCH.yaml \
             --set-string biohub-platform-app.environment.ts=$TS \
             --set-string biohub-platform-app.environment.changeId=$BUILD_TAG \
-            --set-string biohub-platform-db.environment.ts=$TS \
-            --set-string biohub-platform-db.environment.changeId=$BUILD_TAG \
-            --set-string biohub-platform-db.app.postgresAdmin=${{ secrets.DATABASE_ADMIN }} \
-            --set-string biohub-platform-db.app.postgresAdminPassword=${{ secrets.DATABASE_ADMIN_PASSWORD }} \
-            --set-string biohub-platform-db.app.postgresUser=${{ secrets.DATABASE_USER }} \
-            --set-string biohub-platform-db.app.postgresUserPassword=${{ secrets.DATABASE_USER_PASSWORD }} \
-            --set-string biohub-platform-db.app.postgresUserApi=${{ secrets.DATABASE_USER_API }} \
-            --set-string biohub-platform-db.app.postgresUserApiPassword=${{ secrets.DATABASE_USER_API_PASSWORD }} \
-            --set-string biohub-platform-db.app.postgresDb=${{ secrets.DATABASE_NAME }} \
             --set-string biohub-platform-db-setup.environment.ts=$TS \
             --set-string biohub-platform-db-setup.environment.changeId=$BUILD_TAG \
             --set-string biohub-platform-api.environment.ts=$TS \
@@ -405,7 +339,7 @@ jobs:
           set -e
           KEEP=3
           SUFFIX="-$BRANCH"
-          IMAGES="biohub-platform-app biohub-platform-api biohub-platform-db biohub-platform-db-setup"
+          IMAGES="biohub-platform-app biohub-platform-api biohub-platform-db-setup"
           echo "Pruning image tags for environment $BRANCH in $TOOLS_NAMESPACE (keeping $KEEP most recent by date)"
           for IMAGE in $IMAGES; do
             echo "Checking image stream $IMAGE..."

api/src/app.ts

@@ -3,7 +3,7 @@ import { initialize } from 'express-openapi';
 import multer from 'multer';
 import { OpenAPIV3 } from 'openapi-types';
 import swaggerUIExperss from 'swagger-ui-express';
-import { defaultPoolConfig, initDBPool } from './database/db';
+import { getDefaultPoolConfig, initDBPool } from './database/db';
 import { initDBConstants } from './database/db-constants';
 import { ensureHTTPError, HTTP400, HTTP500 } from './errors/http-error';
 import { rootAPIDoc } from './openapi/root-api-doc';
@@ -154,7 +154,7 @@ app.use('/api-docs', swaggerUIExperss.serve, swaggerUIExperss.setup(openAPIFrame
 
 // Start api
 async function main() {
-  initDBPool(defaultPoolConfig);
+  initDBPool(getDefaultPoolConfig());
   await initDBConstants();
   await initPgBoss();
 

api/src/database/db.ts

@@ -1,4 +1,5 @@
 import knex, { Knex } from 'knex';
+import * as fs from 'node:fs';
 import * as pg from 'pg';
 import { SQLStatement } from 'sql-template-strings';
 import { z } from 'zod';
@@ -35,6 +36,12 @@ export const defaultPoolConfig: pg.PoolConfig = {
   idleTimeoutMillis: DB_IDLE_TIMEOUT
 };
 
+/** Default pool config with SSL (CA verification) when PG_SSL_CA_PATH is set. */
+export const getDefaultPoolConfig = (): pg.PoolConfig => ({
+  ...defaultPoolConfig,
+  ...(process.env.PG_SSL_CA_PATH && { ssl: { ca: fs.readFileSync(process.env.PG_SSL_CA_PATH) } })
+});
+
 // Custom type handler for psq `DATE` type to prevent local time/zone information from being added.
 // Why? By default, node-postgres assumes local time/zone for any psql `DATE` or `TIME` types that don't have timezone information.
 // This Can lead to unexpected behavior when the original psql `DATE` value was intentionally omitting time/zone information.

database/src/knexfile.ts

@@ -1,3 +1,8 @@
+import * as fs from 'node:fs';
+
+// Use SSL with CA verification when PG_SSL_CA_PATH is set (Crunchy); otherwise no SSL (legacy/PR).
+const sslConfig = process.env.PG_SSL_CA_PATH ? { ca: fs.readFileSync(process.env.PG_SSL_CA_PATH) } : false;
+
 export default {
   development: {
     client: 'pg',
@@ -6,7 +11,8 @@ export default {
       port: process.env.DB_PORT,
       database: process.env.DB_DATABASE,
       user: process.env.DB_ADMIN,
-      password: process.env.DB_ADMIN_PASS
+      password: process.env.DB_ADMIN_PASS,
+      ...(sslConfig && { ssl: sslConfig })
     },
     pool: {
       min: 2,
@@ -28,7 +34,8 @@ export default {
       port: process.env.DB_PORT,
       database: process.env.DB_DATABASE,
       user: process.env.DB_ADMIN,
-      password: process.env.DB_ADMIN_PASS
+      password: process.env.DB_ADMIN_PASS,
+      ...(sslConfig && { ssl: sslConfig })
     },
     pool: {
       min: 2,

database/src/migrations/20260113000000_add_codeset_feature_type.ts

@@ -10,6 +10,9 @@ import { Knex } from 'knex';
  * Note: Property names remain unchanged - existing properties will now receive values
  * in the format 'code::{table_name}::{id}' instead of plain string values.
  *
+ * Inserts are idempotent (WHERE NOT EXISTS) so the migration can be re-run safely
+ * after a pg_restore without duplicate key errors.
+ *
  * @export
  * @param {Knex} knex
  * @return {*}  {Promise<void>}
@@ -20,76 +23,102 @@ export async function up(knex: Knex): Promise<void> {
     set search_path=biohub,public;
 
     ----------------------------------------------------------------------------------------
-    -- Insert codeset feature type
+    -- Insert codeset feature type (idempotent)
     ----------------------------------------------------------------------------------------
     INSERT INTO feature_type (name, display_name, description)
-    VALUES (
-        'codeset',
-        'Codeset',
-        'A code table containing standardized categories and code values.'
+    SELECT 'codeset', 'Codeset', 'A code table containing standardized categories and code values.'
+    WHERE NOT EXISTS (
+        SELECT 1 FROM feature_type
+        WHERE name = 'codeset' AND record_end_date IS NULL
     );
 
     ----------------------------------------------------------------------------------------
-    -- Insert categories feature property
+    -- Insert categories feature property (idempotent)
     ----------------------------------------------------------------------------------------
-    INSERT INTO 
+    INSERT INTO
         feature_property (feature_property_type_id, name, display_name, description, calculated_value)
-    VALUES (
-        (SELECT feature_property_type_id FROM feature_property_type WHERE name = 'object'),
+    SELECT
+        (SELECT feature_property_type_id FROM feature_property_type WHERE name = 'object' AND record_end_date IS NULL),
         'categories',
         'Categories',
         'An object of categories, each containing standardized code values.',
         false
+    WHERE NOT EXISTS (
+        SELECT 1 FROM feature_property
+        WHERE name = 'categories' AND record_end_date IS NULL
     );
 
     ----------------------------------------------------------------------------------------
-    -- Link categories property to codeset feature type
+    -- Link categories property to codeset feature type (idempotent)
     ----------------------------------------------------------------------------------------
-    INSERT INTO 
+    INSERT INTO
         feature_type_property (feature_type_id, feature_property_id, required_value)
-    VALUES (
-        (SELECT feature_type_id FROM feature_type WHERE name = 'codeset'),
-        (SELECT feature_property_id FROM feature_property WHERE name = 'categories'),
+    SELECT
+        (SELECT feature_type_id FROM feature_type WHERE name = 'codeset' AND record_end_date IS NULL),
+        (SELECT feature_property_id FROM feature_property WHERE name = 'categories' AND record_end_date IS NULL),
         true
+    WHERE NOT EXISTS (
+        SELECT 1 FROM feature_type_property ftp
+        WHERE ftp.feature_type_id = (SELECT feature_type_id FROM feature_type WHERE name = 'codeset' AND record_end_date IS NULL)
+          AND ftp.feature_property_id = (SELECT feature_property_id FROM feature_property WHERE name = 'categories' AND record_end_date IS NULL)
+          AND ftp.record_end_date IS NULL
     );
 
     ----------------------------------------------------------------------------------------
-    -- Insert partnership properties for dataset feature type
+    -- Insert partnership properties for dataset feature type (idempotent)
     ----------------------------------------------------------------------------------------
-    INSERT INTO 
+    INSERT INTO
+        feature_property (feature_property_type_id, name, display_name, description, calculated_value)
+    SELECT (SELECT feature_property_type_id FROM feature_property_type WHERE name = 'array' AND record_end_date IS NULL),
+           'indigenous_partnerships',
+           'Indigenous Partnerships',
+           'An array of indigenous partnerships',
+           false
+    WHERE NOT EXISTS (
+        SELECT 1 FROM feature_property
+        WHERE name = 'indigenous_partnerships' AND record_end_date IS NULL
+    );
+
+    INSERT INTO
         feature_property (feature_property_type_id, name, display_name, description, calculated_value)
-    VALUES 
-        (
-            (SELECT feature_property_type_id FROM feature_property_type WHERE name = 'array'),
-            'indigenous_partnerships',
-            'Indigenous Partnerships',
-            'An array of indigenous partnerships',
-            false
-        ),
-        (
-            (SELECT feature_property_type_id FROM feature_property_type WHERE name = 'array'),
-            'stakeholder_partnerships',
-            'Stakeholder Partnerships',
-            'An array of stakeholder partnerships',
-            false
-        );
-
-    ----------------------------------------------------------------------------------------
-    -- Link partnership properties to dataset feature type
-    ----------------------------------------------------------------------------------------
-    INSERT INTO 
+    SELECT (SELECT feature_property_type_id FROM feature_property_type WHERE name = 'array' AND record_end_date IS NULL),
+           'stakeholder_partnerships',
+           'Stakeholder Partnerships',
+           'An array of stakeholder partnerships',
+           false
+    WHERE NOT EXISTS (
+        SELECT 1 FROM feature_property
+        WHERE name = 'stakeholder_partnerships' AND record_end_date IS NULL
+    );
+
+    ----------------------------------------------------------------------------------------
+    -- Link partnership properties to dataset feature type (idempotent)
+    ----------------------------------------------------------------------------------------
+    INSERT INTO
         feature_type_property (feature_type_id, feature_property_id, required_value)
-    VALUES
-        (
-            (SELECT feature_type_id FROM feature_type WHERE name = 'dataset'),
-            (SELECT feature_property_id FROM feature_property WHERE name = 'indigenous_partnerships'),
-            false
-        ),
-        (
-            (SELECT feature_type_id FROM feature_type WHERE name = 'dataset'),
-            (SELECT feature_property_id FROM feature_property WHERE name = 'stakeholder_partnerships'),
-            false
-        );
+    SELECT
+        (SELECT feature_type_id FROM feature_type WHERE name = 'dataset' AND record_end_date IS NULL),
+        (SELECT feature_property_id FROM feature_property WHERE name = 'indigenous_partnerships' AND record_end_date IS NULL),
+        false
+    WHERE NOT EXISTS (
+        SELECT 1 FROM feature_type_property ftp
+        WHERE ftp.feature_type_id = (SELECT feature_type_id FROM feature_type WHERE name = 'dataset' AND record_end_date IS NULL)
+          AND ftp.feature_property_id = (SELECT feature_property_id FROM feature_property WHERE name = 'indigenous_partnerships' AND record_end_date IS NULL)
+          AND ftp.record_end_date IS NULL
+    );
+
+    INSERT INTO
+        feature_type_property (feature_type_id, feature_property_id, required_value)
+    SELECT
+        (SELECT feature_type_id FROM feature_type WHERE name = 'dataset' AND record_end_date IS NULL),
+        (SELECT feature_property_id FROM feature_property WHERE name = 'stakeholder_partnerships' AND record_end_date IS NULL),
+        false
+    WHERE NOT EXISTS (
+        SELECT 1 FROM feature_type_property ftp
+        WHERE ftp.feature_type_id = (SELECT feature_type_id FROM feature_type WHERE name = 'dataset' AND record_end_date IS NULL)
+          AND ftp.feature_property_id = (SELECT feature_property_id FROM feature_property WHERE name = 'stakeholder_partnerships' AND record_end_date IS NULL)
+          AND ftp.record_end_date IS NULL
+    );
   `);
 }