[MOSIP-44613] eSignet 1.7.1 multi-namespace standalone deployment — DSFs, hooks, workflows and values #245
bhumi46 wants to merge 142 commits into
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
Signed-off-by: bhumi46 <bhumi46@users.noreply.github.com>
…ofile based workflow Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
[MOSIP-44613] merging develop changes into MOSIP-44613
Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
updating this branch with develop
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Updated documentation and flow diagram for terraform profile based workflow
Actionable comments posted: 2
🧹 Nitpick comments (1)
Helmsman/dsf/esignet/esignet-dsf.yaml (1)
1-19: ⚡ Quick win: Document dependency on external-dsf.yaml for complete deployment.
The DSF header comments list components but don't mention that this DSF requires prior deployment of external dependencies (postgres-init, keycloak-init) from external-dsf.yaml. Per coding guidelines, "eSignet DSF priority order must start at -18 (postgres) and deploy keycloak-init at -11 in keycloak namespace." Since those entries are in external-dsf.yaml, consider adding a dependency note in the header.
📝 Suggested header addition
# ============================================================================= # eSignet Profile - eSignet Services DSF (Desired State File) # ============================================================================= # This DSF deploys eSignet v1.7.1 services for the standalone eSignet profile. +# +# Prerequisites: Deploy external-dsf.yaml first (postgres-init at -18, +# keycloak-init at -11, and other external dependencies). # # Components (in priority order):🤖 Prompt for AI Agents
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Helmsman/dsf/esignet/esignet-dsf.yaml`:
- Around line 493-555: The preInstall hooks pms-partner-cre-preinstall.sh and
pms-partner-qa11-preinstall.sh create Istio Gateways that reference TLS secrets
credentialName: pms-partner-cre-tls and pms-partner-qa11-tls but there are no
Secret manifests in the repo; ensure those TLS Secrets exist in the istio-system
namespace before helm install by either adding Kubernetes Secret manifests (or
cert-manager Certificate resources) for pms-partner-cre-tls and
pms-partner-qa11-tls to the repo and/or document/automate their pre-provisioning
(or modify the preinstall hooks to create/import the secrets), and verify the
Gateway names (pms-partner-cre-gateway, pms-partner-qa11-gateway) point to the
correct credentialName values.
- Around line 568-638: The DSF deploys the mosip/partner-onboarder only as the
esignet release and leaves esignet-misp-onboarder disabled, while esignet-cre
and esignet-qa11 only get an empty placeholder secret (mosip-esignet-misp-key /
esignet-misp-onboarder-key), so the MOSIP_ESIGNET_MISP_KEY never gets populated;
fix by either (A) adding namespace-specific releases named like
esignet-misp-onboarder for the esignet-cre and esignet-qa11 namespaces (same
chart mosip/partner-onboarder and same set keys) so the onboarder job writes the
per-namespace secret, or (B) implement a post-install hook/job that copies the
populated secret esignet-misp-onboarder-key (key: mosip-esignet-misp-key) from
the esignet namespace into esignet-cre and esignet-qa11 after the shared
onboarder runs; if you keep a single shared onboarder, add documentation
describing this copy mechanism and ensure the preInstall hooks that currently
create placeholders are updated to expect the copy step.
---
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 8dd7192c-850d-49a2-9fea-430316650865
⛔ Files ignored due to path filters (5)
- docs/_images/esignet.png is excluded by !**/*.png
- docs/_images/helmsman-external-services.png is excluded by !**/*.png
- docs/_images/helmsman-testrigs.png is excluded by !**/*.png
- docs/_images/infra-terraform-apply.png is excluded by !**/*.png
- docs/_images/infra-terraform-destroy.png is excluded by !**/*.png
📒 Files selected for processing (8)
- .github/workflows/README.md
- Helmsman/dsf/esignet/esignet-dsf.yaml
- README.md
- docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
- docs/SECRET_GENERATION_GUIDE.md
- docs/TERRAFORM_WORKFLOW_GUIDE.md
- docs/_images/ARCHITECTURE_DIAGRAMS.md
- terraform/README.md
✅ Files skipped from review due to trivial changes (1)
- docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
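The inline comment above on esignet-dsf.yaml asks that the `pms-partner-cre-tls` and `pms-partner-qa11-tls` Secrets exist in `istio-system` before `helm install` runs. The following preflight check is an added example, not code from this PR or from the mosip-infra repository: it runs `kubectl get secret` for each Gateway `credentialName` and also verifies the Secret type, because an `Opaque` Secret with the right name passes a name-only check yet leaves the Gateway without `tls.crt`/`tls.key`. The namespace and Secret names are the ones the review quotes; that the preinstall hooks would call it is an assumption.

```sh
#!/bin/sh
# Added example, not part of the PR: fail fast when an Istio Gateway's
# credentialName has no backing TLS Secret. Secret names are those quoted in
# the review; calling this from the preinstall hooks is an assumption.

# require_tls_secrets NAMESPACE SECRET... -> 0 when every SECRET exists in
# NAMESPACE with type kubernetes.io/tls; otherwise one line per problem on
# stderr and exit status 1.
require_tls_secrets() {
  ns="$1"; shift
  failures=0
  for name in "$@"; do
    # kubectl exits non-zero when the Secret is absent or not readable;
    # on success the jsonpath prints only the Secret's type field.
    if ! stype=$(kubectl -n "$ns" get secret "$name" -o jsonpath='{.type}' 2>/dev/null); then
      echo "missing or unreadable: secret/$name in namespace $ns" >&2
      failures=$((failures + 1))
      continue
    fi
    if [ "$stype" != "kubernetes.io/tls" ]; then
      # A name match alone is not enough: Istio's credentialName needs the
      # tls.crt/tls.key pair that only a kubernetes.io/tls Secret guarantees.
      echo "wrong type: secret/$name in $ns is '$stype', expected kubernetes.io/tls" >&2
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ] && return 0
  return 1
}

# The two Gateway credentialNames named in the review, checked in the
# namespace where the Istio ingress gateway looks for them.
# Usage (in a hook): check_pms_partner_gateways || exit 1
check_pms_partner_gateways() {
  require_tls_secrets istio-system pms-partner-cre-tls pms-partner-qa11-tls
}
```

Running it before Helm rather than inside a Gateway manifest means a missing certificate surfaces as a clear hook failure instead of a Gateway that is created but serves no TLS.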
…Fs and workflows Sub-task: mosip/mosip-infra#1889 Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…workflows Sub-task: mosip/mosip-infra#1889 Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…gnet workflow eSignet uses its own postgres instance (container), separate from the MOSIP platform external postgres. Using a dedicated ESIGNET_DB_PORT variable keeps the two independently configurable via vars.ESIGNET_DB_PORT vs vars.DB_PORT. Sub-task: mosip/mosip-infra#1889 Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/helmsman_external.yml (1)
62-82: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win: Consider validating `db_port` in the required variables check.
The validation step checks `domain_name`, `env_name`, `clusterid`, and `slack_channel_name`, but does not validate `db_port`. Given that all downstream DSF files now require `${db_port}` for postgres-init and other database configurations (as seen in external-dsf.yaml, esignet-dsf.yaml, mosip-dsf.yaml, and testrigs-dsf.yaml), an empty or unset `db_port` will cause Helm chart deployment failures.
🔍 Suggested validation addition
DOMAIN="${{ github.event.inputs.domain_name || vars.DOMAIN_NAME }}" ENV="${{ github.event.inputs.env_name || vars.ENV_NAME }}" CLUSTER="${{ github.event.inputs.clusterid || vars.CLUSTER_ID }}" SLACK_CH="${{ github.event.inputs.slack_channel_name || vars.SLACK_CHANNEL_NAME }}" + DB_PORT="${{ github.event.inputs.db_port || vars.DB_PORT }}" [ -z "$DOMAIN" ] && errors+=("domain_name is empty — set vars.DOMAIN_NAME under Environment '${{ github.ref_name }}'") [ -z "$ENV" ] && errors+=("env_name is empty — set vars.ENV_NAME under Environment '${{ github.ref_name }}'") [ -z "$CLUSTER" ] && errors+=("clusterid is empty — set vars.CLUSTER_ID under Environment '${{ github.ref_name }}'") [ -z "$SLACK_CH" ] && errors+=("slack_channel_name is empty — set vars.SLACK_CHANNEL_NAME under Environment '${{ github.ref_name }}'") + [ -z "$DB_PORT" ] && errors+=("db_port is empty — set vars.DB_PORT under Environment '${{ github.ref_name }}'")Also add DB_PORT to the success output around line 82.
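Review bot: the values in this step are expanded with `${{ }}` directly into the shell text, so a `workflow_dispatch` input such as `db_port` or `domain_name` containing a quote, `;` or `$(...)` is spliced into the `run:` body before bash parses it; move the inputs into the step's `env:` block and read them as `"$DB_PORT"`, so the value reaches the script as data. The added line `[ -z "$DB_PORT" ] && errors+=(...)` also only rejects an empty value, so a non-numeric `db_port` still flows into `${db_port}` in the DSFs; check it against an integer range as well, e.g. `case "$DB_PORT" in ''|*[!0-9]*) errors+=("db_port must be numeric") ;; esac`.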
.github/workflows/helmsman_mosip.yml (1)
48-62: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win: Consider validating `db_port` in the required variables check.
Similar to helmsman_external.yml, this workflow validates `domain_name` and `env_name` but not `db_port`. The downstream mosip-dsf.yaml (line 232) now requires `${db_port}` for masterdata-loader database configuration. An unset `db_port` will cause deployment failures.
🔍 Suggested validation addition
errors=() DOMAIN="${{ github.event.inputs.domain_name || vars.DOMAIN_NAME }}" ENV="${{ github.event.inputs.env_name || vars.ENV_NAME }}" + DB_PORT="${{ github.event.inputs.db_port || vars.DB_PORT }}" [ -z "$DOMAIN" ] && errors+=("domain_name is empty — set vars.DOMAIN_NAME under Environment '${{ github.ref_name }}'") [ -z "$ENV" ] && errors+=("env_name is empty — set vars.ENV_NAME under Environment '${{ github.ref_name }}'") + [ -z "$DB_PORT" ] && errors+=("db_port is empty — set vars.DB_PORT under Environment '${{ github.ref_name }}'")Also add DB_PORT to the success output around line 62.
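Review bot: `[ -z "$DB_PORT" ]` accepts any non-empty string, and the finding itself says mosip-dsf.yaml line 232 substitutes `${db_port}` into the masterdata-loader database configuration, so a typo such as `5432x` passes this step and only fails deep inside the Helm run; add a numeric range check next to the emptiness check. `DB_PORT="${{ github.event.inputs.db_port || vars.DB_PORT }}"` also interpolates the dispatch input into the script source; passing it through `env:` and reading `"$DB_PORT"` avoids letting an input rewrite the step.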
🧹 Nitpick comments (2)
.github/workflows/helmsman_external.yml (1)
108-111: ⚡ Quick win: Consider persisting `db_port` alongside other workflow inputs.
The persistence step saves `DOMAIN_NAME`, `ENV_NAME`, `CLUSTER_ID`, and `SLACK_CHANNEL_NAME` as environment variables via the GitHub API, but does not persist `DB_PORT`. This creates an inconsistency: if a user supplies `db_port` via workflow_dispatch, it won't be persisted for subsequent runs, requiring manual re-entry or reliance on a separately configured `vars.DB_PORT`.
♻️ Suggested persistence addition
save_var "DOMAIN_NAME" "${{ github.event.inputs.domain_name }}" save_var "ENV_NAME" "${{ github.event.inputs.env_name }}" save_var "CLUSTER_ID" "${{ github.event.inputs.clusterid }}" save_var "SLACK_CHANNEL_NAME" "${{ github.event.inputs.slack_channel_name }}" + save_var "DB_PORT" "${{ github.event.inputs.db_port }}"🤖 Prompt for AI Agents
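Review bot: `save_var "DB_PORT" "${{ github.event.inputs.db_port }}"` persists the raw dispatch input with no `vars.DB_PORT` fallback, unlike the validation step, so a run that leaves the input blank writes an empty string over a previously configured DB_PORT unless save_var already refuses empty values; have save_var return early on an empty value, and order this persistence step after the validation step has passed, since whatever is saved here becomes the trusted default for later runs, including push-triggered ones with no operator input.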
.github/workflows/helmsman_mosip.yml (1)
112-113: ⚡ Quick win: Consider persisting `db_port` alongside other workflow inputs.
The persistence step saves `DOMAIN_NAME` and `ENV_NAME`, but not `DB_PORT`. This creates the same inconsistency as in helmsman_external.yml: user-supplied `db_port` values won't persist across workflow runs.
♻️ Suggested persistence addition
save_var "DOMAIN_NAME" "${{ github.event.inputs.domain_name }}" save_var "ENV_NAME" "${{ github.event.inputs.env_name }}" + save_var "DB_PORT" "${{ github.event.inputs.db_port }}"🤖 Prompt for AI Agents
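Review bot: the new `save_var "DB_PORT"` line carries the same gap as the other two: an unset `db_port` input is saved as an empty string unless save_var refuses empty values, which would silently clear a working `vars.DB_PORT` for every later run; add the empty-value guard inside save_var and run this block only after validation succeeds, so only values that passed the check are persisted.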
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 315642f6-1086-4ba5-aec8-002a968ef580
📒 Files selected for processing (14)
- .github/workflows/helmsman_esignet.yml
- .github/workflows/helmsman_external.yml
- .github/workflows/helmsman_mosip.yml
- .github/workflows/helmsman_testrigs.yml
- Helmsman/dsf/esignet/external-dsf.yaml
- Helmsman/dsf/esignet/testrigs-dsf.yaml
- Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
- Helmsman/dsf/mosip-platform-java11/external-dsf.yaml
- Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml
- Helmsman/dsf/mosip-platform-java11/testrigs-dsf.yaml
- Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml
- Helmsman/dsf/mosip-platform-java21/external-dsf.yaml
- Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml
- Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
- .github/workflows/helmsman_testrigs.yml
- .github/workflows/helmsman_esignet.yml
- Helmsman/dsf/esignet/external-dsf.yaml
- Helmsman/dsf/esignet/testrigs-dsf.yaml
esignet standalone uses container postgres (5432), separate from MOSIP platform external postgres (5433). Consistent with esignet-dsf change — all esignet profile DSFs now use ESIGNET_DB_PORT. Sub-task: mosip/mosip-infra#1889 Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Add validate-inputs step checks for DB_PORT and ESIGNET_DB_PORT env vars in all four Helmsman workflows, following the same error-accumulation pattern as domain_name. helmsman_external and helmsman_testrigs validate both; helmsman_mosip validates db_port only; helmsman_esignet validates esignet_db_port only. Signed-off-by: bhumi46 <bhumi11111a@gmail.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Add CRE_POSTGRES_PASSWORD, QA11_POSTGRES_PASSWORD, CRE_KEYCLOAK_ADMIN_PASSWORD, and QA11_KEYCLOAK_ADMIN_PASSWORD to the existing 'Validate required secrets' step in helmsman_esignet.yml, inside the profile=esignet block. Fail fast before Helmsman runs rather than at preinstall hook time. Signed-off-by: bhumi46 <bhumi11111a@gmail.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/helmsman_external.yml (1)
225-237: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win: `kubectl` is used before it is installed.
The "Mask sensitive secrets" step (line 225) uses `kubectl` to retrieve the MinIO secret, but "Setup kubectl and kubeconfig" (line 239) runs later. This will fail because `kubectl` is not available on the runner at this point.
Move this step after the "Setup kubectl, istioctl and kubeconfig" step, or at minimum after kubectl is installed and KUBECONFIG is configured.
🧹 Nitpick comments (1)
.github/workflows/helmsman_external.yml (1)
73-80: 💤 Low value: Both `DB_PORT` and `ESIGNET_DB_PORT` are validated as required for all profiles.
When `profile` is `mosip-platform-java11` or `mosip-platform-java21`, `ESIGNET_DB_PORT` may not be needed. Similarly, when `profile` is `esignet`, `DB_PORT` (for MOSIP platform postgres) may be unused. Consider making validation profile-conditional to avoid requiring operators to set variables they don't need.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: dbf09d14-2bcd-4648-b17a-7c10985c3c82
📒 Files selected for processing (8)
- .github/workflows/helmsman_esignet.yml
- .github/workflows/helmsman_external.yml
- .github/workflows/helmsman_mosip.yml
- .github/workflows/helmsman_testrigs.yml
- Helmsman/dsf/esignet/external-dsf.yaml
- Helmsman/dsf/esignet/testrigs-dsf.yaml
- Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
- Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml
🚧 Files skipped from review as they are similar to previous changes (6)
- Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml
- Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
- .github/workflows/helmsman_mosip.yml
- Helmsman/dsf/esignet/testrigs-dsf.yaml
- .github/workflows/helmsman_esignet.yml
- Helmsman/dsf/esignet/external-dsf.yaml
Helmsman v3.17.1 has no --skip-releases flag. Replace with -exclude-target (one flag per release) which is the correct way to exclude specific apps from execution. Build the arg string incrementally inside the existing loop. Signed-off-by: bhumi46 <bhumi11111a@gmail.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
The MinIO Helm chart creates a secret named 'minio' in the 'minio' namespace (key: root-password). The step was wrongly looking for a secret named 's3' which is a derived secret created by s3-setup.sh in the 's3' namespace, not the chart's own secret. Aligns with helmsman_external.yml and s3-setup.sh which both read from 'kubectl -n minio get secret minio'. Signed-off-by: bhumi46 <bhumi11111a@gmail.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
The esignet testrigs-dsf.yaml uses ${cre_domain_name} and ${qabase_domain_name}
for CRE/QA11 apitestrig db-server and base URL config. Add both vars to
workflow inputs, job-level env (with vars.* fallback), and save_var
persistence — same pattern as helmsman_esignet.yml.
Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…n testrigs Add profile-conditional validation to testrigs validate-inputs job: when profile=esignet (or push-triggered, where profile is auto-detected as esignet), require cre_domain_name and qabase_domain_name to be set. Errors accumulate in the shared errors[] array before the single exit. Signed-off-by: bhumi46 <bhumi11111a@gmail.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
esignet-signup-apitestrig deploys into the signup namespace but it was missing from the namespaces: block, causing Helmsman validation to fail. Signed-off-by: bhumi46 <bhumi11111a@gmail.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Without this flag Helmsman treats releases from esignet-dsf.yaml (esignet, oidc-ui, softhsm, etc.) as untracked and deletes them when only testrigs-dsf.yaml is applied. --keep-untracked-releases preserves all releases not listed in the current DSF. Signed-off-by: bhumi46 <bhumi11111a@gmail.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Document all changes from this session:
- Add ${db_port} and ${esignet_db_port} to DSF Runtime Variable Substitution table
- Update push-triggered fallback vars list to include DB_PORT/ESIGNET_DB_PORT
- Clarify MinIO secret name (minio in minio ns) vs derived s3 secret in s3 ns
- Add gotchas: --skip-releases invalid (use -exclude-target), testrigs needs
--keep-untracked-releases, signup namespace must be in testrigs namespaces
block, cre/qabase domain required for esignet testrigs, esignet profile
secret validation for CRE/QA11 postgres and keycloak admin passwords
Signed-off-by: bhumi46 <bhumi11111a@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/helmsman_testrigs.yml:
- Around line 83-88: The validation block incorrectly runs when PROFILE is empty
(e.g., on push events), causing esignet-only checks to fail; modify the
condition that guards CRE_DOMAIN/QABASE_DOMAIN validation so it only runs for an
actual esignet profile (e.g., change if [ -z "$PROFILE" ] || [ "$PROFILE" =
"esignet" ]; then to if [ "$PROFILE" = "esignet" ]; then) or remove these checks
from this step and move them into the deploy job after PROFILE detection; update
references to PROFILE, CRE_DOMAIN, and QABASE_DOMAIN accordingly so
esignet-specific validation is deferred until the profile is known.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 3b687fed-03c6-44bd-9cc4-4462b9377694
📒 Files selected for processing (4)
- .github/workflows/helmsman_esignet.yml
- .github/workflows/helmsman_testrigs.yml
- CLAUDE.md
- Helmsman/dsf/esignet/testrigs-dsf.yaml
✅ Files skipped from review due to trivial changes (1)
- CLAUDE.md
🚧 Files skipped from review as they are similar to previous changes (1)
- Helmsman/dsf/esignet/testrigs-dsf.yaml
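The review threads on this PR circle one piece of logic: the validate-inputs step should fail early when a required input is missing, should only require the inputs the selected profile actually consumes, and should not run eSignet-only checks while the profile is still unknown on a push event. The block below is an added example of that logic, not code from this PR or from the mosip-infra workflows. It is written in POSIX sh, so the workflows' bash array `errors+=(...)` becomes a newline-separated string; the variable names follow the workflows' job-level env, and the profile names `esignet` and `mosip-platform-*` are assumed from the DSF directory names. Beyond the emptiness check the review asked for, it also rejects port values that are not integers in 1..65535, since an empty-only check lets a typo through to `${db_port}` in the DSFs.

```sh
#!/bin/sh
# Added example, not part of the PR: profile-aware validate-inputs logic for
# the Helmsman workflows. Errors accumulate in a newline-separated string
# (POSIX sh stand-in for the workflows' bash errors+=(...) array) so one run
# reports everything that is missing. Profile names are assumed.

# is_port VALUE -> 0 if VALUE is an integer in 1..65535, else 1
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# add_error MESSAGE -> append one line to the global error list
add_error() {
  errors="${errors}${1}
"
}

# validate_inputs PROFILE -> prints one line per problem on stdout and
# returns 1 if anything is wrong; returns 0 with no output otherwise.
validate_inputs() {
  profile="$1"
  errors=""

  # Inputs every profile needs
  [ -n "${DOMAIN_NAME:-}" ] || add_error "domain_name is empty: set vars.DOMAIN_NAME"
  [ -n "${CLUSTER_ID:-}" ]  || add_error "clusterid is empty: set vars.CLUSTER_ID"

  case "$profile" in
    esignet)
      # Standalone eSignet runs its own container postgres and deploys the
      # cre/qa11 namespaces, so only these inputs are required here.
      is_port "${ESIGNET_DB_PORT:-}" \
        || add_error "esignet_db_port must be a port in 1-65535 (got '${ESIGNET_DB_PORT:-}')"
      [ -n "${CRE_DOMAIN_NAME:-}" ]  || add_error "cre_domain_name is required for profile esignet"
      [ -n "${QA11_DOMAIN_NAME:-}" ] || add_error "qa11_domain_name is required for profile esignet"
      ;;
    mosip-platform-*)
      # Platform profiles talk to the external postgres only
      is_port "${DB_PORT:-}" \
        || add_error "db_port must be a port in 1-65535 (got '${DB_PORT:-}')"
      ;;
    '')
      # Push-triggered runs detect the profile later: enforce only the common
      # inputs now and leave profile-specific checks to the deploy job.
      ;;
    *)
      add_error "unknown profile '$profile'"
      ;;
  esac

  if [ -n "$errors" ]; then
    printf '%s' "$errors"
    return 1
  fi
  return 0
}
```

In a workflow the inputs should reach this function through the step's `env:` block rather than `${{ }}` interpolation inside `run:`, so that a crafted dispatch input is validated as data instead of being spliced into the script.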
…guide
- esignet-domain-config → esignet-global (CM name)
- esignet-1.7.1 → esignet-standalone (hooks directory)
- mosip-platform-java11 → mosip-platform-1.2.0.x (DSF directory)
- mosip-platform-java21 → mosip-platform-1.2.1.x (DSF directory)
- qabase_domain_name → qa11_domain_name everywhere
- domain_name, clusterid, db_port, esignet_db_port → required: true in workflows
- Comment out signup auto-trigger in helmsman_esignet.yml ([DISABLED])
- Add docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md
- Sync docs/TERRAFORM_WORKFLOW_GUIDE.md INFRA_PROFILE constraint note
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
… plugin values Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…o all esignet apitestrig configmaps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…rig configmap keys Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: bhumi46 <thisisbn46@gmail.com>
…dcoded value Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Signed-off-by: bhumi46 <thisisbn46@gmail.com>
Summary
- external-dsf.yaml: move esignet-keycloak-init to keycloak namespace (priority -11); add per-namespace postgres-init entries for mosip_esignet_cre, mosip_esignet_qa11, mosip_esignet_sunbird, mosip_mockidentitysystem, and signup schemas; fix MinIO re-deploy root-password pass-through
- esignet-dsf.yaml: deploy 4 fully isolated eSignet instances (esignet/esignet-cre/esignet-qa11/esignet-sunbird) with per-namespace SoftHSM, plugin values, oidc-ui, mock-RP, PMS partner+policy, and optional onboarders
- signup-dsf.yaml: Signup Keycloak init, kernel services (authmanager / auditmanager / otpmanager / notifier), mock-smtp, signup-service, signup-ui (all disabled by default)
- testrigs-dsf.yaml: API testrig for all 4 esignet namespaces + signup apitestrig + signup uitestrig; sequential cronjob trigger via trigger-test-jobs-esignet.sh
- esignet-1.7.1/: config-server setup/postinstall, cre/qa11/sunbird preinstall wrappers, keycloak-init pre/postinstall fan-out, MISP and mock-RP onboarder hooks (replaces old partner-onboarder), signup hooks (keycloak-init, kernel, notifier, signup-service), testrig setup hooks
- helmsman_signup.yml workflow (new); extend helmsman_esignet.yml with multi-namespace secret injection and auto-trigger chain to signup; fix helmsman_external.yml MinIO password on upgrade
- esignet-{,cre-,qa11-,sunbird-}plugin-values.yaml), keycloak init values (keycloak-esignet-init-values.yaml, keycloak-signup-init-values.yaml), config-server values, SoftHSM values, and testrig values under Helmsman/utils/
Linked Issues
Closes mosip/mosip-infra#1790
Sub-tasks:
- external-dsf.yaml
- esignet-dsf.yaml
- signup-dsf.yaml and Signup stack hooks
- testrigs-dsf.yaml and testrig hooks
Test plan
- external-dsf.yaml apply: postgres-init creates all 4 esignet DBs + mock-identity + signup schemas; esignet-keycloak-init completes in keycloak ns; esignet-postinstall-keycloak-init.sh fans keycloak resources to all 4 esignet namespaces; MinIO upgrade passes existing root password without PASSWORDS ERROR
- esignet-dsf.yaml apply: all 4 eSignet instances healthy (plugin 1/2/2/3); oidc-ui VirtualServices resolve on correct subdomains; mock-RP services up in each namespace; esignet-domain-config CM present in all 4 namespaces with correct mosip-esignet-host per namespace
- signup-dsf.yaml apply: kernel services (authmanager/auditmanager/otpmanager/notifier), signup-service, signup-ui all healthy; esignet-dsf=completed label present on default namespace before signup workflow fires
- testrigs-dsf.yaml apply: cronjobs created in all 4 esignet namespaces + signup; trigger-test-jobs-esignet.sh fires sequentially without resource exhaustion
- pre-helmsman-cleanup.sh removes stale Jobs before re-run
🤖 Generated with Claude Code