Devops cositas (#5)

* Adds initial Docker Compose setup

Sets up Docker Compose for local development.

Defines services for the API and database (PostgreSQL with pgvector).
Configures environment variables, volumes, and health checks for both services.
Also includes a Dockerfile that uses uv to manage the python environment and dependencies.

* Add initial database setup with tables for documents, document chunks, and chat sessions

* Refactor Docker setup: replace pgvector with new Dockerfiles for DocsManager and RAGManager, update docker-compose.yml for service configuration, and adjust Python version in RAGManager.

* Adds CI/CD workflows for deployment and validation

Sets up GitHub Actions workflows for continuous integration and continuous deployment.

- Introduces a deployment workflow that builds and pushes Docker images to ACR, configures kubectl, and restarts deployments in a Kubernetes namespace.
- Implements a pull request validation workflow that performs secret scanning with Gitleaks, builds Docker images for validation (without pushing), runs Trivy vulnerability scans, and uploads the results to GitHub Security.
- Adds a PR summary workflow that posts a comment on the pull request with the results of the Gitleaks and build validation jobs, including a notice to check the security tab for any found vulnerabilities.

* Refactors PR validation workflow for clarity

Streamlines the PR validation workflow by removing the Gitleaks job and improving the presentation of Trivy results.

The workflow now focuses on build validation and vulnerability scanning with clearer output in the PR summary. Trivy results are now displayed in a table format within the PR comment, and a direct link to the detailed results in the Actions tab is included. The Gitleaks check is removed.

* Enhances deployment workflow with summaries

Adds deployment summary to the workflow, providing detailed information about the deployed service, image, and pod status in the job summary.

Also, it includes a success notification with links to deployed services and sets fail-fast to false to ensure all services are deployed.

Author: Locatelli-Flor

.github/workflows/deploy.yml

@@ -0,0 +1,102 @@
+name: Deploy to Kubernetes
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  REGISTRY: crretoxmas2024.azurecr.io
+  NAMESPACE: reto-xmas-2025-goland-ia-backend
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - name: docs-manager
+            path: ./DocsManager
+            image: reto-xmas-2025-goland-ia-backend-docs-manager
+            deployment: docs-manager
+          - name: rag-manager
+            path: ./RAGManager
+            image: reto-xmas-2025-goland-ia-backend-rag-manager
+            deployment: rag-manager
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to ACR
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ secrets.ACR_USERNAME }}
+        password: ${{ secrets.ACR_PASSWORD }}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: ${{ matrix.service.path }}
+        platforms: linux/amd64
+        push: true
+        tags: |
+          ${{ env.REGISTRY }}/${{ matrix.service.image }}:latest
+          ${{ env.REGISTRY }}/${{ matrix.service.image }}:${{ github.sha }}
+        cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ matrix.service.image }}:buildcache
+        cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ matrix.service.image }}:buildcache,mode=max
+
+    - name: Set up kubectl
+      uses: azure/setup-kubectl@v3
+      with:
+        version: 'latest'
+
+    - name: Configure kubectl
+      run: |
+        mkdir -p $HOME/.kube
+        echo "${{ secrets.KUBECONFIG }}" | base64 -d > $HOME/.kube/config
+        chmod 600 $HOME/.kube/config
+
+    - name: Restart deployment
+      run: |
+        kubectl rollout restart deployment/${{ matrix.service.deployment }} -n ${{ env.NAMESPACE }}
+        kubectl rollout status deployment/${{ matrix.service.deployment }} -n ${{ env.NAMESPACE }} --timeout=5m
+
+    - name: Verify deployment
+      run: |
+        echo "✅ Deployment successful for ${{ matrix.service.name }}"
+        kubectl get pods -n ${{ env.NAMESPACE }} -l app=${{ matrix.service.deployment }}
+
+    - name: Deployment Summary
+      if: always()
+      run: |
+        echo "### 🚀 Deployment Summary" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Service:** ${{ matrix.service.name }}" >> $GITHUB_STEP_SUMMARY
+        echo "**Image:** ${{ env.REGISTRY }}/${{ matrix.service.image }}:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+        echo "**Status:** ${{ job.status }}" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "#### Pods:" >> $GITHUB_STEP_SUMMARY
+        echo '```' >> $GITHUB_STEP_SUMMARY
+        kubectl get pods -n ${{ env.NAMESPACE }} -l app=${{ matrix.service.deployment }} >> $GITHUB_STEP_SUMMARY
+        echo '```' >> $GITHUB_STEP_SUMMARY
+
+  notify-success:
+    name: Deployment Success
+    runs-on: ubuntu-latest
+    needs: [build-and-deploy]
+    if: success()
+    steps:
+    - name: Success Summary
+      run: |
+        echo "### ✅ Deployment Successful!" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "All services deployed successfully:" >> $GITHUB_STEP_SUMMARY
+        echo "- 🌐 DocsManager: https://goland-ia-backend-docs-manager.reto-ucu.net" >> $GITHUB_STEP_SUMMARY
+        echo "- 🌐 RAGManager: https://goland-ia-backend-rag-manager.reto-ucu.net" >> $GITHUB_STEP_SUMMARY

.github/workflows/pr-validation.yml

@@ -0,0 +1,99 @@
+name: PR Validation
+
+on:
+  pull_request:
+    branches:
+      - main
+
+env:
+  REGISTRY: crretoxmas2024.azurecr.io
+  DOCS_MANAGER_IMAGE: reto-xmas-2025-goland-ia-backend-docs-manager
+  RAG_MANAGER_IMAGE: reto-xmas-2025-goland-ia-backend-rag-manager
+
+jobs:
+  build-validation:
+    name: Build Validation
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - name: docs-manager
+            path: ./DocsManager
+            image: reto-xmas-2025-goland-ia-backend-docs-manager
+          - name: rag-manager
+            path: ./RAGManager
+            image: reto-xmas-2025-goland-ia-backend-rag-manager
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: ${{ matrix.service.path }}
+        platforms: linux/amd64
+        load: true
+        tags: ${{ matrix.service.image }}:pr-${{ github.event.pull_request.number }}
+        cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ matrix.service.image }}:buildcache
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ matrix.service.image }}:pr-${{ github.event.pull_request.number }}
+        format: 'sarif'
+        output: 'trivy-results-${{ matrix.service.name }}.sarif'
+        severity: 'CRITICAL,HIGH'
+        exit-code: '0'
+
+    - name: Upload Trivy results to GitHub Security
+      uses: github/codeql-action/upload-sarif@v4
+      if: always()
+      with:
+        sarif_file: 'trivy-results-${{ matrix.service.name }}.sarif'
+        category: 'trivy-${{ matrix.service.name }}'
+
+    - name: Print Trivy results
+      if: always()
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ matrix.service.image }}:pr-${{ github.event.pull_request.number }}
+        format: 'table'
+        severity: 'CRITICAL,HIGH'
+        exit-code: '0'
+
+  pr-summary:
+    name: PR Summary
+    runs-on: ubuntu-latest
+    needs: [build-validation]
+    if: always()
+    steps:
+    - name: PR Comment
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const buildStatus = '${{ needs.build-validation.result }}';
+          
+          const statusEmoji = (status) => {
+            if (status === 'success') return '✅';
+            if (status === 'failure') return '❌';
+            return '⚠️';
+          };
+          
+          let message = '## 🔍 PR Validation Results\n\n';
+          message += `| Check | Status |\n`;
+          message += `|-------|--------|\n`;
+          message += `| Build | ${statusEmoji(buildStatus)} ${buildStatus} |\n`;
+          message += `| Trivy | Check Security tab |\n\n`;
+          message += `[View detailed results](${context.payload.repository.html_url}/actions/runs/${context.runId})`;
+          
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: message
+          });

DocsManager/Dockerfile

@@ -0,0 +1,13 @@
+FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+
+WORKDIR /app
+
+COPY pyproject.toml uv.lock* ./
+
+RUN uv sync --frozen --no-cache || uv sync --no-cache
+
+COPY . .
+
+EXPOSE 8000
+
+CMD ["uv", "run", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

DocsManager/Dockerfile.pgvector

@@ -1 +1 @@
-3.14
+3.12

DocsManager/docker-compose.yml

@@ -0,0 +1,13 @@
+FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
+
+WORKDIR /app
+
+COPY pyproject.toml uv.lock* ./
+
+RUN uv sync --frozen --no-cache || uv sync --no-cache
+
+COPY . .
+
+EXPOSE 8000
+
+CMD ["uv", "run", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

RAGManager/.python-version

@@ -0,0 +1,85 @@
+services:
+  docs-manager:
+    build:
+      context: ./DocsManager
+      dockerfile: Dockerfile
+    container_name: docs-manager
+    ports:
+      - "8000:8000"
+    env_file:
+      - .env
+      - ./DocsManager/.env
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+    environment:
+      - PYTHONUNBUFFERED=1
+      - SERVICE_NAME=docs-manager
+      - SERVICE_ROLE=document-handler
+
+  rag-manager:
+    build:
+      context: ./RAGManager
+      dockerfile: Dockerfile
+    container_name: rag-manager
+    ports:
+      - "8001:8000"
+    env_file:
+      - .env
+      - ./RAGManager/.env
+    depends_on:
+      db:
+        condition: service_healthy
+      rabbitmq:
+        condition: service_healthy
+    restart: unless-stopped
+    environment:
+      - PYTHONUNBUFFERED=1
+      - SERVICE_NAME=rag-manager
+      - SERVICE_ROLE=document-processor
+
+  db:
+    image: pgvector/pgvector:pg16
+    container_name: postgres-db
+    env_file:
+      - .env
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: ${POSTGRES_DB}
+    ports:
+      - "5432:5432"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+      - ./db-init:/docker-entrypoint-initdb.d
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  rabbitmq:
+    image: rabbitmq:3.13-management-alpine
+    container_name: rabbitmq
+    ports:
+      - "5672:5672"
+      - "15672:15672"
+    env_file:
+      - .env
+    environment:
+      RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER}
+      RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD}
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "rabbitmq-diagnostics", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  postgres_data:
+  rabbitmq_data: