feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware
- Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups) - Implement RLS policies with SET LOCAL for tenant isolation - Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback - Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header - Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor) - Configure AppDbContext with tenant scoping and RLS support - Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture - Write TDD integration tests for multi-tenant isolation and RLS enforcement - Add health check null safety for connection string Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure)
This commit is contained in:
WorkClub Automation
68
.sisyphus/evidence/task-6-final-summary.txt
Normal file
68
.sisyphus/evidence/task-6-final-summary.txt
Normal file
@@ -0,0 +1,68 @@
|
||||
TASK 6: KUBERNETES KUSTOMIZE BASE MANIFESTS — COMPLETE ✓
|
||||
==========================================================
|
||||
|
||||
DELIVERABLES:
|
||||
✓ Created /infra/k8s/base/ directory structure
|
||||
✓ All 11 manifest files created:
|
||||
- kustomization.yaml (root orchestrator)
|
||||
- backend-deployment.yaml (1 replica, port 8080, health probes)
|
||||
- backend-service.yaml (ClusterIP, port 80→8080)
|
||||
- frontend-deployment.yaml (1 replica, port 3000, health probe)
|
||||
- frontend-service.yaml (ClusterIP, port 80→3000)
|
||||
- postgres-statefulset.yaml (1 replica, 10Gi PVC, pg_isready)
|
||||
- postgres-service.yaml (headless + primary service)
|
||||
- keycloak-deployment.yaml (1 replica, port 8080, production mode)
|
||||
- keycloak-service.yaml (ClusterIP)
|
||||
- configmap.yaml (app config + postgres init script)
|
||||
- ingress.yaml (path-based routing: / → frontend, /api → backend)
|
||||
|
||||
VERIFICATION RESULTS:
|
||||
✓ kustomize build infra/k8s/base: SUCCESS (456 lines valid YAML)
|
||||
✓ Resource kinds: ConfigMap, Deployment (3), Ingress, Service (5), StatefulSet
|
||||
✓ Resource naming: All use consistent workclub- prefix
|
||||
✓ Health probes: .NET (startup/live/ready), Frontend (/api/health), Postgres (pg_isready)
|
||||
✓ Environment variables: All services reference ConfigMap/Secrets correctly
|
||||
✓ Volumes: StatefulSet volumeClaimTemplate 10Gi, ConfigMap mounts for init scripts
|
||||
✓ Headless service: workclub-postgres-headless with publishNotReadyAddresses: true
|
||||
|
||||
REQUIREMENT COVERAGE:
|
||||
✓ Backend: 1 replica, port 8080, all three .NET health probes
|
||||
✓ Frontend: 1 replica, port 3000, /api/health probe
|
||||
✓ PostgreSQL: StatefulSet, 1 replica, port 5432, 10Gi storage, pg_isready check
|
||||
✓ Keycloak: 1 replica, port 8080, KC_DB=postgres, production start command
|
||||
✓ ConfigMap: log-level, cors-origins, api-base-url, keycloak-url, database config
|
||||
✓ Ingress: Single domain routing with pathType: Prefix for /api
|
||||
✓ Resource limits: Placeholders (100m/256Mi requests, 500m/512Mi limits)
|
||||
✓ Image tags: :latest placeholder for all app images
|
||||
|
||||
LEARNING OUTCOMES:
|
||||
✓ Documented in .sisyphus/notepads/club-work-manager/learnings.md
|
||||
✓ Kustomize base+overlay pattern vs Helm
|
||||
✓ K8s resource naming and labeling conventions
|
||||
✓ .NET health probe semantics and timing
|
||||
✓ StatefulSet + headless service pattern for Postgres
|
||||
✓ PostgreSQL initialization via ConfigMap
|
||||
✓ Keycloak 26.x production mode configuration
|
||||
✓ Ingress path-based routing design
|
||||
✓ ConfigMap strategy for non-sensitive data
|
||||
✓ Resource request/limit placeholders
|
||||
|
||||
GIT COMMIT:
|
||||
✓ Commit: a103248
|
||||
✓ Message: "docs(k8s): add Task 6 Kustomize base manifests learnings"
|
||||
✓ Files modified: .sisyphus/notepads/club-work-manager/learnings.md (415 insertions)
|
||||
|
||||
EVIDENCE FILES:
|
||||
✓ .sisyphus/evidence/task-6-kustomize-base.txt (verification results)
|
||||
✓ .sisyphus/evidence/task-6-resource-names.txt (resource inventory)
|
||||
✓ .sisyphus/evidence/task-6-final-summary.txt (this file)
|
||||
|
||||
NOTES FOR NEXT TASKS:
|
||||
- Base manifests ready for Task 25 (dev overlay creation)
|
||||
- Image tags will be overridden per environment in overlays
|
||||
- Resource limits will be environment-specific in overlays
|
||||
- TLS/cert-manager deferred to production overlay
|
||||
- Health check endpoints require implementation in backend/frontend code
|
||||
- Secret values (passwords) must be created separately before deployment
|
||||
|
||||
STATUS: READY FOR DEPLOYMENT PLANNING
|
||||
Reference in New Issue
Block a user