fix(infra): resolve fresh-build DB schema gaps, Kerberos warnings, and Dockerfile syntax

- Workflow: add PostgreSQL auto-migration (8 tables in schema `workflow`)
  with AddStartupMigrations wiring and embedded SQL migration
- Scheduler: add missing `schema_version` and `source` columns to
  `scheduler.schedules` table in both init script and migration
- Platform: delay analytics maintenance 15s to avoid race with migration
  020_AnalyticsRollups creating compute_daily_rollups()
- Docker: install libgssapi-krb5-2 in runtime image to eliminate Npgsql
  Kerberos probe warnings across all 59 services
- Docker: remove `# syntax=docker/dockerfile:1.7` directive from both
  Dockerfiles to avoid BuildKit frontend pull failures on flaky DNS
- Postgres init: add `workflow` schema to 01-create-schemas.sql

Verified: 75 containers, 0 unhealthy, 0 recurring errors after full
wipe-and-rebuild cycle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-08 11:40:08 +03:00
parent afbedf1c60
commit 53f294400f
10 changed files with 227 additions and 4 deletions
@@ -15,3 +15,4 @@ CREATE SCHEMA IF NOT EXISTS issuer_directory;
CREATE SCHEMA IF NOT EXISTS analytics;
CREATE SCHEMA IF NOT EXISTS scheduler_app;
CREATE SCHEMA IF NOT EXISTS findings_ledger_app;
CREATE SCHEMA IF NOT EXISTS workflow;
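Review bot: `CREATE SCHEMA IF NOT EXISTS workflow;` creates the schema owned by whichever role runs the init script and grants nothing on it, while the neighbouring `scheduler_app` and `findings_ledger_app` schemas suggest services connect with their own least-privilege roles; if the workflow service's embedded migration (eight tables, per the commit message) runs as such a role, it needs `AUTHORIZATION <role>` on this line or an explicit `GRANT USAGE, CREATE ON SCHEMA workflow TO <role>` next to it, otherwise the first fresh-build migration fails with a permission error. The init script is the only place that grant can be made before the migration runs, so it belongs in this hunk.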
@@ -229,7 +229,9 @@ CREATE TABLE IF NOT EXISTS scheduler.schedules (
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_by TEXT NOT NULL,
deleted_at TIMESTAMPTZ,
deleted_by TEXT
deleted_by TEXT,
schema_version TEXT,
source TEXT NOT NULL DEFAULT 'user'
);
CREATE INDEX IF NOT EXISTS idx_schedules_tenant ON scheduler.schedules(tenant_id) WHERE deleted_at IS NULL;
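Review bot: `source TEXT NOT NULL DEFAULT 'user'` accepts any string; if the column distinguishes user-created schedules from system-generated ones, add a `CHECK (source IN (...))` listing the permitted values so callers cannot write arbitrary tags. Also, because the statement is `CREATE TABLE IF NOT EXISTS`, an existing database never receives `schema_version` or `source` from this file; the companion migration mentioned in the commit message must use `ADD COLUMN IF NOT EXISTS` with identical types and defaults so that a database created from this script and one upgraded by the migration end up with the same shape and neither path errors on a column that is already present.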
@@ -1,4 +1,3 @@
# syntax=docker/dockerfile:1.7
# Multi-stage Angular console image with non-root runtime (DOCKER-44-001)
ARG NODE_IMAGE=node:20-bookworm-slim
ARG NGINX_IMAGE=nginxinc/nginx-unprivileged:1.27-alpine
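Review bot: dropping `# syntax=docker/dockerfile:1.7` unpins the Dockerfile frontend, so this image is now built with whatever frontend is bundled in the local BuildKit; any syntax further down the file that needs 1.7 will fail on an older daemon, and the build is no longer reproducible across hosts. If the problem is a flaky pull of the frontend image, keeping the directive but referencing a mirror in the internal registry pinned by digest (`# syntax=<internal-registry>/dockerfile:1.7@sha256:<digest>`), or pre-pulling it in CI, removes the DNS dependency without losing the pin.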
@@ -1,4 +1,3 @@
# syntax=docker/dockerfile:1.7
# Hardened multi-stage template for StellaOps services
# Parameters are build-time ARGs so this file can be re-used across services.
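Review bot: removing the `# syntax=` line from this template changes the build of every service derived from it, so a single older Docker daemon in the fleet now silently uses a different frontend than the rest, which is the opposite of what a file described as a "hardened multi-stage template" should allow. Rather than deleting the pin, point it at a copy of `docker/dockerfile:1.7` hosted in the internal registry and pinned by digest, so a flaky public DNS lookup can no longer break the build while the frontend version stays fixed and auditable.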
@@ -34,6 +33,12 @@ ARG APP_GID=10001
ARG APP_PORT=8080
ARG APP_BINARY=StellaOps.Service
ARG PUBLISH_DIR=/app/publish
# Install GSSAPI/Kerberos client library required by Npgsql for GSSAPI-capable
# PostgreSQL connections. Even when password auth is used, Npgsql probes for this
# library on startup. Sovereign deployments may enable Kerberos-protected Postgres.
RUN apt-get update && \
apt-get install -y --no-install-recommends libgssapi-krb5-2 && \
rm -rf /var/lib/apt/lists/*
# Create non-root user/group with stable ids for auditability
RUN groupadd -r -g ${APP_GID} ${APP_USER} && \
useradd -r -u ${APP_UID} -g ${APP_GID} -d /var/lib/${APP_USER} ${APP_USER} && \
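Review bot: `apt-get install -y --no-install-recommends libgssapi-krb5-2` is unpinned, so the runtime layer changes whenever Debian publishes a new build of the package and the image is no longer reproducible; pin the version (`libgssapi-krb5-2=<version>`) or install from the same package snapshot the base image was built from. The comment also promises Kerberos-protected Postgres for sovereign deployments, but the library alone does not enable that: GSSAPI authentication additionally needs a `/etc/krb5.conf` and a credential source (keytab or ticket cache) provided at runtime, which this template does not supply. The comment should state that the package is installed only to satisfy the Npgsql startup probe, so nobody reads this hunk as Kerberos support.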