Add Helm chart for showcase (web + API + MongoDB) #1
Open
PatStLouis wants to merge 7 commits into main from
* Restructure frontend and add admin base component
  Signed-off-by: jamshale <jamiehalebc@gmail.com>
* Small prettier issue
  Signed-off-by: jamshale <jamiehalebc@gmail.com>
* Restrict permission in continuous-integration workflow
  Signed-off-by: jamshale <jamiehalebc@gmail.com>
* Remove unused indy github actions
  Signed-off-by: jamshale <jamiehalebc@gmail.com>
---------
Signed-off-by: jamshale <jamiehalebc@gmail.com>

Signed-off-by: jamshale <jamiehalebc@gmail.com>
…ase-server (bcgov#385)
* ci: GHCR showcase images and streamline package workflows
  Publish bc-wallet-showcase-frontend and bc-wallet-showcase-server to GHCR via Build and Publish Packages (.github/workflows/build_packages.yml), triggered on GitHub Release published and workflow_dispatch with optional Cypress before image builds. Remove legacy Docker Swarm/SSH deploy from that workflow, delete the separate Continuous Deployment workflow, and remove the showcase-builder on_push_main pipeline (including disabled OpenShift deploy jobs). Add explicit GITHUB_TOKEN permissions for least-privilege; build images with repo-root Docker context and fix frontend Dockerfile copy path for the frontend/ workspace layout. Deployment automation is intentionally omitted until Helm chart deployment is wired up.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: fix on_pr_opened for main and frontend/server paths
  Address PR bcgov#385 review: target main/release instead of removed showcase-builder branch, and scope path filters to frontend/, server/, plus root package.json and yarn.lock (workspace install). Replace obsolete jobs that referenced apps/ and missing composite actions with a draft-only-gated smoke build of server and frontend Dockerfiles from repo root, matching build_packages.yml context.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: run PR Docker smoke workflow on main only
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
---------
Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
* ci: Node 22 for showcase frontend job and refresh Docker actions
  - Add setup-node (22) before yarn install in build-and-push-image-frontend so engines >=22 are satisfied on ubuntu-latest.
  - Replace deprecated docker/login, metadata, and build-push action pins with current major versions to avoid save-state/set-output warnings.
  - Simplify setup-node composite: use setup-node built-in yarn cache instead of a separate cache step that ran yarn before Node was configured.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: tighten workflows (concurrency, timeouts, husky, cypress v6)
  - Cancel superseded PR runs for CI and Docker smoke via concurrency groups.
  - Add job timeouts and HUSKY=0 for faster, deterministic installs.
  - Use frozen yarn installs with network timeout in release/package builds.
  - Upgrade optional release Cypress job from github-action v2 to v6 (install: false).
  - Enable DOCKER_BUILDKIT for PR Dockerfile smoke builds.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: further workflow hardening and supply-chain metadata
  - Replace fixed 120s Cypress wait with wait-on for :3000 and :5000, plus a shorter warm-up for async agent/credential setup.
  - Install and build packages from the workspace root using yarn workspace commands; drop unused FRONTEND_DIR/SERVER_DIR env entries.
  - Tighten image job gates: do not run after Cypress failure or cancel.
  - Add Docker Buildx, build-push-action v7, and minimal provenance + SBOM attestations on GHCR pushes.
  - Remove unused npm registry-url from the setup-node composite.
  - Extend PR Docker smoke path filters; clarify Dependabot docker comments.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* fix(deps): clear Yarn peer warnings across workspaces
  - Add eslint to the root devDependencies so eslint-* packages resolve peers.
  - Upgrade qrcode.react to v4 and use QRCodeSVG; fix import order for eslint.
  - Add @testing-library/dom, explicit vite, and @babel/* for CRA/vitest peers.
  - Remove unused postcss-loader; add @types/node for ts-node on the server.
  - Refresh yarn.lock.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: drop redundant yarn install before Docker in release builds
  The runner yarn install + workspace build was not copied into images; Dockerfiles already install and build in the image. Remove those steps from the GHCR push jobs. Frontend: pass REACT_APP_* via Docker build-args and set them in the Dockerfile so CRA still inlines config at image build time. Scope the image build stage to yarn workspace frontend build only.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* docs: describe GitHub Actions, setup-node, and refresh Docker README
  - Add .github/README.md as the canonical CI reference (workflows, GHCR images, Cypress gate, Docker build-args, Dependabot).
  - Update root README env paths, Node 22, Docker build/run examples, and link to CI docs; drop broken CONTRIBUTING/CODE_OF_CONDUCT links.
  - Link developer showcase doc to the new CI documentation.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* fix(docker): use uppercase AS for stage name (FromAsCasing)
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* style: apply Prettier to .github/README.md tables
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: address PR review (dispatch booleans, attestations, public build-args)
  - Use workflow_dispatch boolean inputs directly in job if conditions instead of comparing to the string 'true'; gate cypress-skipped on manual runs only.
  - Grant id-token:write on GHCR image jobs alongside packages:write for provenance/SBOM attestation upload.
  - Prefer repository vars for REACT_APP_* build-args (inlined in client JS) with secrets fallback; document in .github/README.md.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
---------
Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
bcgov#389)
* feat(server): provision MongoDB connection via Mongoose (PE-01, PE-02)
  Add a MongoDB connection layer so the server can persist showcase definitions, sessions, and audit data across restarts.
  - Add getMongoUri() which resolves the connection URI from MONGODB_URI (direct) or from individual MONGODB_HOST/PORT/DB_NAME/USER/PASSWORD vars, with localhost defaults for native dev
  - Add connectDB() (mongoose.connect) and registerShutdownHandlers() for graceful SIGTERM/SIGINT disconnect
  - Call connectDB() at server startup before any other init
  - Update /server/ready to return 503 when the DB connection is not open
  - Add mongodb-memory-server for in-process test isolation
  - Document MONGODB_USER and MONGODB_PASSWORD in .env.example
  Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>
* awaiting or handling rejections in mongo connections
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* add mongodb connection timeout
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Resolve copilot feedback
  - `registerShutdownHandlers` — made `disconnectFn` and `once` injectable with sensible defaults, collapsed the two `process.once` calls into a loop
  - `run()` in `index.ts` — added `.catch()` so a startup failure logs and exits cleanly instead of producing an unhandled rejection
  - **Tests** — retry logic (success on first, success after retry, exhausts all attempts), shutdown handler signal registration, and disconnect invocation for both SIGTERM and SIGINT
  - `baseSchema.ts` — recreated from scratch since it was lost in the earlier reset
  Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>
* Rename MONGODB_DB_NAME
  Co-authored-by: Patrick St-Louis <43082425+PatStLouis@users.noreply.github.com>
* Use mongoose built-in timeout feature
  Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>
* rename mongo from bcwallet_demo to bc_wallet_showcase elsewhere
  Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>
---------
Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Patrick St-Louis <43082425+PatStLouis@users.noreply.github.com>
…cgov#392)
* feat(frontend): migrate to Vite 8 and tighten dependencies
  Replace Create React App (react-scripts) with Vite 8 and Vitest 4 for the frontend; align server Vitest/coverage on v4 for a single hoisted toolchain. Bring in peer-dependency hygiene from the docker-builds work: root eslint, frontend @testing-library/dom and @typescript-eslint packages, Babel plugins for ESLint flow peers, qrcode.react v4, and server @types/node. Use lodash/startCase subpath imports so the production bundle does not pull the full lodash surface. Speed: Vite production build (esbuild minify), disable gzip reporting in build, and split check-types so frontend uses ES module settings for import.meta while the server keeps its existing tsconfig. Update CI/deploy env vars from REACT_APP_* to VITE_*; fix frontend Docker image copy path to frontend/dist.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* chore: migrate to ESLint 9 flat config and Prettier 3
  Replace .eslintrc.js with eslint.config.mjs using @eslint/js, typescript-eslint v8, FlatCompat for eslint-plugin-import legacy extends, native eslint-plugin-cypress recommended block for cypress/** only, and eslint-plugin-prettier recommended. Add root typescript for typescript-eslint peer; bump prettier to v3, eslint-config-prettier v10, eslint-plugin-cypress v6, and eslint-import-resolver-typescript v4. Point TypeScript-ESLint at tsconfig.eslint.json (not projectService) so server test files are included; ignore eslint.config.mjs from TS parsing; relax import rules for vite and config entrypoints. Remove redundant frontend ESLint/Babel packages; fix QR components to ESM qrcode.react imports, useTitle side effect, and credentials thunk catch binding. Apply Prettier 3 formatting across files touched by eslint --fix.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* build: production server image and slimmer Docker context
  - Run compiled server in production (node + dotenv); load routing-controllers from *.js when running build output.
  - Multi-stage server Dockerfile: workspace install, tsc build, runtime without global ts-node/typescript.
  - Expand .dockerignore for faster, smaller builds; align frontend Dockerfile with HUSKY=0 and frozen yarn install.
  - Add server start:prod script (build then start).
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: Node 22 for showcase frontend job and refresh Docker actions
  - Add setup-node (22) before yarn install in build-and-push-image-frontend so engines >=22 are satisfied on ubuntu-latest.
  - Replace deprecated docker/login, metadata, and build-push action pins with current major versions to avoid save-state/set-output warnings.
  - Simplify setup-node composite: use setup-node built-in yarn cache instead of a separate cache step that ran yarn before Node was configured.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: further workflow hardening and supply-chain metadata
  - Replace fixed 120s Cypress wait with wait-on for :3000 and :5000, plus a shorter warm-up for async agent/credential setup.
  - Install and build packages from the workspace root using yarn workspace commands; drop unused FRONTEND_DIR/SERVER_DIR env entries.
  - Tighten image job gates: do not run after Cypress failure or cancel.
  - Add Docker Buildx, build-push-action v7, and minimal provenance + SBOM attestations on GHCR pushes.
  - Remove unused npm registry-url from the setup-node composite.
  - Extend PR Docker smoke path filters; clarify Dependabot docker comments.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* docs: describe GitHub Actions, setup-node, and refresh Docker README
  - Add .github/README.md as the canonical CI reference (workflows, GHCR images, Cypress gate, Docker build-args, Dependabot).
  - Update root README env paths, Node 22, Docker build/run examples, and link to CI docs; drop broken CONTRIBUTING/CODE_OF_CONDUCT links.
  - Link developer showcase doc to the new CI documentation.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: gate Cypress Cloud recording on CYPRESS_RECORD_KEY
  Avoid cypress run --record when the secret is unset so release and manual dispatch E2E jobs pass without Cypress Dashboard configuration.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* fix(server): point production entry at tsc output build/src/index.js
  TypeScript emits under build/src/ when config/ and vitest.config.ts share the compilation root with src/. Align start script, Dockerfile CMD, and the public asset copy with that layout so docker compose backend starts and serves static files.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* fix(frontend): repair Caddyfile vars syntax for Caddy 2.8+
  Use explicit matcher in vars (*), and read VITE_BASE_ROUTE so compose env matches frontend/.env. Update developer env snippet for Vite.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* fix(frontend): Snowplow collector URL uses https for local dev
  Match page protocol caused POST to http://spt...; collector redirects to HTTPS and CORS preflight fails. Pin https on the collector hostname.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* chore(frontend): update BC Government copyright year to 2026
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* docs: clarify Docker/Vite build-args, compose stacks, and CI Cypress
  - README: replace CRA wording with Vite, document REACT_APP_* → VITE_* Dockerfile mapping, default browse URL, and compose port conflict.
  - docker-compose.yml: header comments for mutually exclusive services.
  - continuous-integration.yml: comment on frontend-only Cypress start vs apiUrl.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* chore(frontend): drop package.json browserslist; pin targets in PostCSS
  Autoprefixer read the CRA-style browserslist field; after removal, set overrideBrowserslist from NODE_ENV so production vs dev queries match the former package.json entries.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* ci: use VITE_HOST_BACKEND for yarn dev in release Cypress job
  Vite exposes VITE_* to the client; REACT_APP_HOST_BACKEND is ignored for the showcase API base URL during monorepo dev.
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
* style(server): Prettier trailing commas in db/connection.ts
  Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
  Made-with: Cursor
---------
Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
Add umbrella Helm chart for Caddy frontend, API server, and CloudPirates MongoDB with optional NetworkPolicies. Add dev/PR deploy and teardown workflows, helm lint/publish, and deploy/showcase values overlays.

OpenShift-oriented behavior: Mongo TCP init uses ClusterIP via Helm lookup when available; NetworkPolicy DNS/HTTPS egress without brittle peer lists; Caddy upstream uses service-link env expansion to avoid pod DNS timeouts; consolidate server/Mongo secrets and remove redundant secret template.

Update server Mongo timeout tests, connection handling, and related formatting/docs.

Signed-off-by: Patrick St-Louis <patrick.st-louis@opsecid.ca>
Made-with: Cursor
Summary
Adds a Helm umbrella chart at `charts/showcase` for the BC Wallet showcase stack: API server, web (Caddy + static files), and optional MongoDB via the CloudPirates OCI chart (same style as OWF acapy).

What’s included
- `oci://registry-1.docker.io/cloudpirates/mongodb` (see `Chart.lock`). No Bitnami on this chart; local helpers for names/labels/images.
- `showcase.server.existingSecret` → server `envFrom` for GitOps. Optional chart-managed `*-server-env` when unset + dev-style `mongodb.auth.rootPassword` / `showcase.server.secretEnv`.
- `mongodb.enabled: false` for clean `helm lint`. Images default to bcgov GHCR (`ghcr.io/bcgov/bc-wallet-demo-server`, `ghcr.io/bcgov/bc-wallet-demo-web`).
- `charts/showcase/README.md`. Run `helm dependency update` in that directory before install (`*.tgz` gitignored).

Verify

Note
`showcase.publicBackendUrl` is required. Forks may need to override image `repository` if packages are not under `bcgov`.
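
The secret wiring listed under "What’s included", as an added example that is not part of this PR or of the chart's own files: a pre-created Secret referenced through `showcase.server.existingSecret`, next to the dev-style overlay that keeps the password in values. Assumptions: the Secret name, hostnames and password are constructed placeholders, the YAML nesting is inferred from the dotted key paths in the description, and `MONGODB_URI` is taken from the MongoDB connection commit message above.

```yaml
# 1) Secret created outside the chart (sealed or external secrets tooling, or
#    kubectl). With envFrom, each key becomes an env var in the server
#    container. The name and every value here are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: showcase-server-env-gitops        # hypothetical name
type: Opaque
stringData:
  # Variable the server resolves first, per the MongoDB connection commit.
  MONGODB_URI: "mongodb://<user>:<password>@<mongo-host>:27017/bc_wallet_showcase"
---
# 2) GitOps overlay committed to Git: a reference only, no credentials.
#    Nesting assumed from the dotted key paths in the PR description.
showcase:
  publicBackendUrl: "https://showcase.example.test"      # required; constructed
  server:
    existingSecret: showcase-server-env-gitops
---
# 3) Dev-style overlay for contrast: with existingSecret unset the chart
#    manages a *-server-env Secret itself, so the password below sits in the
#    values file and in Git history. Suitable for throwaway clusters only.
showcase:
  publicBackendUrl: "https://showcase-dev.example.test"  # constructed
mongodb:
  auth:
    rootPassword: "dev-only-change-me"                   # constructed value
---
# 4) Standard Kubernetes shape of an envFrom Secret reference in a pod spec
#    (illustrative; not copied from the chart's templates).
containers:
  - name: server
    envFrom:
      - secretRef:
          name: showcase-server-env-gitops
```

Rendering the chart with `helm template` against the GitOps overlay and searching the output for credential values is a quick check that nothing secret is produced from Git-tracked files.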