oracle · gotsysdba · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -88,8 +88,15 @@ jobs:
             WORKDIR=$(mktemp -d)
             git worktree add "$WORKDIR" "$TAG"
 
-            # Package Helm chart for this tag
-            helm package "$WORKDIR/helm" -d docs/public/helm --debug
+            # Extract version from tag (remove 'v' prefix if present)
+            if [[ $TAG =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              VERSION=${TAG#v}
+              echo "Packaging Helm chart with version: $VERSION"
+              helm package "$WORKDIR/helm" -d docs/public/helm --version "$VERSION" --app-version "$VERSION" --debug
+            else
+              echo "Tag $TAG does not match version format (vMAJOR.MINOR.PATCH), packaging without version override"
+              helm package "$WORKDIR/helm" -d docs/public/helm --debug
+            fi
 
             # Clean up
             git worktree remove "$WORKDIR"

diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
@@ -39,13 +39,16 @@ jobs:
           echo "Tag validated: $TAG_NAME"
           echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
 
-      - name: Inject Static Version into _version.py and versions.tf
+      - name: Inject Static Version into _version.py, versions.tf, and Chart.yaml
         run: |
           echo "__version__ = \"$VERSION\"" > src/common/_version.py
           sed -i "s/app_version[[:space:]]*=[[:space:]]*\".*\"/app_version = \"$VERSION\"/" opentofu/versions.tf
+          sed -i "s/^version:[[:space:]]*.*$/version: $VERSION/" helm/Chart.yaml
+          sed -i "s/^appVersion:[[:space:]]*\".*\"$/appVersion: \"$VERSION\"/" helm/Chart.yaml
           echo "Injected version:"
           cat src/common/_version.py
           cat opentofu/versions.tf
+          cat helm/Chart.yaml
         env:
           VERSION: ${{ steps.version.outputs.VERSION }}
 

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -1,8 +1,9 @@
 apiVersion: v2
 name: ai-optimizer
 description: A Helm chart Oracle AI Optimizer and Toolkit
-version: 1.1.0
-appVersion: "1.1.0"
+# Do Not Modify. Updated automatically during release cycle by .github/workflows/releases.yml
+version: 0.0.0
+appVersion: "0.0.0"
 type: application
 home: https://github.com/oracle/ai-optimizer
 sources:

diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -244,6 +244,56 @@ Requires either 'dsn' OR all of (host, port, service_name).
 {{- end -}}
 
 
+{{/* ******************************************
+Database Type Helpers
+These helpers provide consistent database type checking across templates.
+*********************************************** */}}
+{{- define "server.database.type" -}}
+{{- if .Values.server.database -}}
+  {{- .Values.server.database.type -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "server.database.isSIDB" -}}
+{{- eq (include "server.database.type" .) "SIDB-FREE" -}}
+{{- end -}}
+
+{{- define "server.database.isADBFree" -}}
+{{- eq (include "server.database.type" .) "ADB-FREE" -}}
+{{- end -}}
+
+{{- define "server.database.isADBS" -}}
+{{- eq (include "server.database.type" .) "ADB-S" -}}
+{{- end -}}
+
+{{- define "server.database.isOther" -}}
+{{- eq (include "server.database.type" .) "OTHER" -}}
+{{- end -}}
+
+{{- define "server.database.isADB" -}}
+{{- or (eq (include "server.database.type" .) "ADB-S") (eq (include "server.database.type" .) "ADB-FREE") -}}
+{{- end -}}
+
+{{- define "server.database.isContainerDB" -}}
+{{- or (eq (include "server.database.type" .) "SIDB-FREE") (eq (include "server.database.type" .) "ADB-FREE") -}}
+{{- end -}}
+
+{{- define "server.database.needsPrivAuth" -}}
+{{- or (eq (include "server.database.isADB" .) "true") (eq (include "server.database.isOther" .) "true") -}}
+{{- end -}}
+
+{{/* ******************************************
+Database Service Name Helper
+Returns the short database type prefix (sidb or adb) for service naming.
+*********************************************** */}}
+{{- define "server.database.shortType" -}}
+{{- $dbType := include "server.database.type" . -}}
+{{- if $dbType -}}
+  {{- lower (split "-" $dbType)._0 -}}
+{{- end -}}
+{{- end -}}
+
+
 {{/* ******************************************
 Password Generator for Databases
 *********************************************** */}}

diff --git a/helm/templates/server/database.yaml b/helm/templates/server/database.yaml
@@ -0,0 +1,263 @@
+## Copyright (c) 2024, 2025, Oracle and/or its affiliates.
+## Licensed under the Universal Permissive License v1.0 as shown at http://oss.oracle.com/licenses/upl.
+# spell-checker: ignore nindent freepdb1 oserror selectai sidb spfile sqlplus
+# spell-checker: ignore sqlcode sqlerror varchar nolog ptype sysdba tablespace tblspace
+
+# This file consolidates database-related Kubernetes resources:
+# - Secrets (auth, priv, wallet)
+# - Deployment (SIDB-FREE, ADB-FREE)
+# - Job (database initialization)
+# - AutonomousDatabase (ADB-S operator)
+#
+# Note: ConfigMap (initialization scripts) is now in db-configmap.yaml
+
+{{- if .Values.server.database }}
+
+---
+# Database Authentication Secret
+{{- include "server.database.validateOtherType" . }}
+{{- $secretName := include "server.databaseSecret" . }}
+{{- $secret_existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
+{{- if not $secret_existing }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    app.kubernetes.io/component: database
+    {{- include "global.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
+type: Opaque
+stringData:
+  username: "AI_OPTIMIZER"
+  password: {{ include "server.randomPassword" . | quote }}
+  {{- if eq (include "server.database.isSIDB" .) "true" }}
+  service: "{{ .Release.Name }}-{{ include "server.database.shortType" . }}-1521:1521/FREEPDB1"
+  {{- else if eq (include "server.database.isADBFree" .) "true" }}
+  service: "{{ .Release.Name }}-{{ include "server.database.shortType" . }}-1521:1521/FREEPDB1"
+  {{- else if eq (include "server.database.isOther" .) "true" }}
+    {{- if and .Values.server.database.other.dsn (ne (.Values.server.database.other.dsn | trim) "") }}
+  service: "{{ .Values.server.database.other.dsn }}"
+    {{- else }}
+  service: "{{ .Values.server.database.other.host }}:{{ .Values.server.database.other.port }}/{{ .Values.server.database.other.service_name }}"
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+---
+# Database Privileged User Secret
+{{- $secretName := include "server.databasePrivSecret" . }}
+{{- $secret_existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
+{{- if not $secret_existing }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    app.kubernetes.io/component: database
+    {{- include "global.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
+type: Opaque
+stringData:
+  username: {{ if eq (include "server.database.isADB" .) "true" }}"ADMIN"{{ else }}"SYSTEM"{{ end }}
+  password: {{ include "server.randomPassword" . | quote }}
+{{- end }}
+
+{{- if eq (include "server.database.isADBS" .) "true" }}
+---
+# ADB Wallet Password Secret
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-adb-wallet-pass-{{ .Release.Revision }}
+  labels:
+    app.kubernetes.io/component: database
+    {{- include "global.labels" . | nindent 4 }}
+stringData:
+  {{ .Release.Name }}-adb-wallet-pass-{{ .Release.Revision }}: {{ include "server.randomPassword" . | quote }}
+{{- end }}
+
+{{- if eq (include "server.database.isContainerDB" .) "true" }}
+---
+# Database Deployment (SIDB-FREE or ADB-FREE)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "global.fullname" . }}-{{ include "server.database.shortType" . }}
+  labels:
+    app.kubernetes.io/component: database
+    {{- include "global.labels" . | nindent 4}}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: database
+      {{- include "global.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.server.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app.kubernetes.io/component: database
+        {{- include "global.labels" . | nindent 8 }}
+        {{- with .Values.server.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      securityContext:
+        fsGroup: 54321
+        runAsGroup: 54321
+        runAsUser: 54321
+      containers:
+        - name: db-container
+          image: {{ .Values.server.database.image.repository }}:{{ .Values.server.database.image.tag }}
+          imagePullPolicy: {{ .Values.server.database.image.pullPolicy | default "IfNotPresent" }}
+          ports:
+            - containerPort: 1521
+          readinessProbe:
+            tcpSocket:
+              port: 1521
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          env:
+            {{- include "server.database.authN" . | nindent 12 }}
+          {{- if eq (include "server.database.isSIDB" .) "true" }}
+            - name: ORACLE_PWD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "server.databaseSecret" . }}
+                  key: {{ default "password" .Values.server.database.authN.passwordKey }}
+          volumeMounts:
+            - name: db-init-scripts
+              mountPath: "/opt/oracle/scripts/startup"
+          {{- else }}
+            - name: DATABASE_NAME
+              value: FREEPDB1
+            - name: ENABLE_ARCHIVE_LOG
+              value: "False"
+            - name: ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "server.databasePrivSecret" . }}
+                  key: {{ default "password" .Values.server.database.privAuthN.passwordKey }}
+            - name: WALLET_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "server.databaseSecret" . }}
+                  key: {{ default "password" .Values.server.database.authN.passwordKey }}
+          {{- end }}
+      {{- if eq (include "server.database.isSIDB" .) "true" }}
+      volumes:
+        - name: db-init-scripts
+          configMap:
+            name: {{ include "global.fullname" . }}-db-init
+      {{- end }}
+{{- end }}
+
+{{- if .Values.server.database.privAuthN }}
+---
+# Database Initialization Job
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "global.fullname" . }}-run-sql-{{ .Release.Revision }}
+  labels:
+    app.kubernetes.io/component: database
+    {{- include "global.labels" . | nindent 4 }}
+spec:
+  ttlSecondsAfterFinished: 300  # 5 minutes
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: oracle-sqlcl-runner
+        image: container-registry.oracle.com/database/sqlcl:latest
+        env:
+        - name: TNS_ADMIN
+          value: /app/tns_admin
+        - name: API_SERVER_HOST
+          value: {{ include "server.serviceName" . }}
+        - name: API_SERVER_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "global.apiSecretName" . }}
+              key: {{ include "global.apiSecretKey" . }}
+        - name: PRIV_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.server.database.privAuthN.secretName }}
+              key: {{ default "username" .Values.server.database.privAuthN.usernameKey }}
+        - name: PRIV_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.server.database.privAuthN.secretName }}
+              key: {{ default "password" .Values.server.database.privAuthN.passwordKey }}
+        {{- include "server.database.authN" . | nindent 8 }}
+        command: ["/bin/sh", "-c"]
+        args:
+          - |
+            attempt=1
+            while [ "$attempt" -lt 360 ]; do
+                sh /opt/oracle/scripts/startup/init.sh
+                if [ $? -eq 0 ]; then
+                exit 0
+                fi
+                echo "Waiting for connectivity to ${DB_DSN} ($attempt/360)"
+                sleep 10
+                attempt=$((attempt + 1))
+            done
+        volumeMounts:
+        - name: db-init-scripts
+          mountPath: /opt/oracle/scripts/startup
+        {{- if eq (include "server.database.isADBS" .) "true" }}
+        - name: tns-admin
+          mountPath: /app/tns_admin
+        {{- end }}
+      volumes:
+      - name: db-init-scripts
+        configMap:
+          name: {{ include "global.fullname" . }}-db-init
+      {{- if eq (include "server.database.isADBS" .) "true" }}
+      - name: tns-admin
+        secret:
+          secretName: {{ .Release.Name }}-adb-tns-admin-{{ .Release.Revision }}
+      {{- end }}
+{{- end }}
+
+{{- if eq (include "server.database.isADBS" .) "true" }}
+---
+# AutonomousDatabase Operator Resource (ADB-S)
+apiVersion: database.oracle.com/v4
+kind: AutonomousDatabase
+metadata:
+  name: {{ .Release.Name }}-adb-s
+  labels:
+    app.kubernetes.io/component: database
+    {{- include "global.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  action: "Sync"
+  details:
+    id: {{ .Values.server.database.oci.ocid }}
+  wallet:
+    name: {{ .Release.Name }}-adb-tns-admin-{{ .Release.Revision }}
+    password:
+      k8sSecret:
+        name: {{ .Release.Name }}-adb-wallet-pass-{{ .Release.Revision }}
+  {{- if .Values.server.oci_config }}
+  ociConfig:
+    configMapName: {{ .Release.Name }}-oci-config
+    {{- if .Values.server.oci_config.keySecretName }}
+    secretName: {{ .Values.server.oci_config.keySecretName }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- end }}
diff --git a/helm/templates/server/db-adb-wallet-secret.yaml b/helm/templates/server/db-adb-wallet-secret.yaml