fixes: #1888 Documentation — eSignet standalone multi-namespace deployment (esignet standalone + MOSIP platform profiles)

[bhumi46]

fixes: #1888 Documentation — eSignet standalone multi-namespace deployment (esignet standalone + MOSIP platform profiles)

Summary

• Add eSignet standalone deployment guide covering multi-namespace setup (esignet, esignet-cre, esignet-qa11, esignet-sunbird)
• Update Complete Deployment Flow diagram with profile-based flows and dark theme support
• Expand GH_INFRA_PAT section with permissions table and signup auto-trigger context
• Add INFRA_PROFILE section with Terraform profile values and cluster sizes
• Update WORKFLOW_GUIDE with profile info
• Add new guides: HELMSMAN_EXTERNAL_GUIDE, HELMSMAN_MOSIP_GUIDE, HELMSMAN_TESTRIGS_GUIDE
• Update docs/_images with new and revised screenshots

Summary by CodeRabbit

Release Notes

• Documentation

  • Expanded deployment instructions for MOSIP core and eSignet standalone, emphasizing profile-based DSF structure and deploy-time ${...} substitution.
  • Updated Helm-sman workflow guidance, including profile/mode behavior, environment-variable alignment, and verification steps.
  • Added new guides for MOSIP, external services, eSignet standalone, test rigs, and Helmsman destroy; refreshed onboarding and workflow/Terraform documentation.

• Secrets & Setup

  • Added GH_INFRA_PAT to setup/secret-generation checklists and secret configuration.

• Infrastructure & Cleanup

  • Updated environment destruction steps for profile-isolated Terraform state handling.

• Diagrams

  • Refreshed architecture/state isolation and profile naming examples.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 12f4c837-bf6f-4b81-bd55-68d82aa48f5c

📥 Commits

Reviewing files that changed from the base of the PR and between 44e3bd7 and b14fc50.

📒 Files selected for processing (1)

• docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md

✅ Files skipped from review due to trivial changes (1)

• docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md

---

Walkthrough

Documentation was updated for profile-based deployment flows, runtime DSF variable substitution, GH_INFRA_PAT secret handling, new Helmsman guides, and aligned onboarding and destruction instructions.

Changes

Profile-based deployment documentation overhaul

Layer / File(s)	Summary
GH_INFRA_PAT and Terraform profile docs README.md, docs/SECRET_GENERATION_GUIDE.md, docs/TERRAFORM_WORKFLOW_GUIDE.md, docs/_images/ARCHITECTURE_DIAGRAMS.md	README adds GH_INFRA_PAT guidance and secret checklist items; the secret generation guide adds a full GH_INFRA_PAT section and renumbering; Terraform workflow docs add INFRA_PROFILE mapping; architecture diagrams add profile-scoped state naming.
Profile-based DSF variable substitution docs/DSF_CONFIGURATION_GUIDE.md	The guide is rewritten around profile directories, deploy-time ${...} substitution, environment-variable-backed cluster and domain values, and variable-focused validation and troubleshooting.
README and workflow guide updates README.md, docs/WORKFLOW_GUIDE.md	Deployment flow diagrams, Helmsman step instructions, workflow parameter tables, and visual summaries are updated for MOSIP and eSignet profile routing.
New Helmsman deployment guides docs/HELMSMAN_EXTERNAL_GUIDE.md, docs/HELMSMAN_MOSIP_GUIDE.md, docs/HELMSMAN_TESTRIGS_GUIDE.md, docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md	Four new guides add workflow steps, prerequisites, environment setup, verification commands, and profile-specific deployment notes for external services, MOSIP core, testrigs, and standalone eSignet.
Supporting guide and diagram alignment docs/esignet_README.md, docs/HELMSMAN_DESTROY_GUIDE.md, docs/ONBOARDING_GUIDE.md, docs/ENVIRONMENT_DESTRUCTION_GUIDE.md, docs/profile-based-deployment.drawio	Existing deployment, onboarding, destruction, and diagram docs are aligned to profile-specific paths, branch selection, and profile-scoped state handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• [MOSIP-44613] Documentation — eSignet multi-namespace deployment (esignet standalone + MOSIP platform profiles) mosip-infra#1888: This PR updates the same profile-based Helmsman and eSignet deployment documentation split across the deployment guides and workflow docs.

Possibly related PRs

• mosip/infra#246: Directly related Terraform profile/state isolation documentation and workflow changes overlap with this PR’s profile-scoped deployment docs.

Poem

🐇 I hopped through guides from dawn to dusk,
With ${domain_name} and profiles in my tusk.
GH_INFRA_PAT now shines so bright,
MOSIP and eSignet both feel just right.
Hop, skip, apply — the docs are neat,
A carrot-colored deployment treat.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title is clearly related to the PR’s main documentation changes for eSignet standalone deployment and MOSIP platform profiles.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (6)

docs/WORKFLOW_GUIDE.md (1)

250-250: 💤 Low value

Add language identifiers to fenced code blocks containing ASCII diagrams.

Multiple fenced code blocks in the workflow summary sections lack language identifiers (Markdown rule MD040). While these are text-based flowcharts and not code, adding text or plaintext as the language specifier improves consistency and validation:

-```
+```text
 eSignet standalone profile (profile=esignet):
 ...
-```
+```text

This applies to lines 250, 255, 332, 396, 406, 453, 519, 589, 759, and 783. Consider running a markdown linter (markdownlint-cli2) to identify and auto-fix all instances.

Also applies to: 255-255, 332-332, 396-396, 406-406, 453-453, 519-519, 589-589, 759-759, 783-783

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/WORKFLOW_GUIDE.md` at line 250, Fenced code blocks containing ASCII
diagrams throughout the document lack language identifiers, violating Markdown
rule MD040. Add a language identifier (text or plaintext) to all opening fenced
code blocks by modifying the triple backticks from ``` to ```text on lines 250,
255, 332, 396, 406, 453, 519, 589, 759, and 783. This improves markdown
validation consistency without changing the content of these ASCII workflow
diagrams.

Source: Linters/SAST tools

docs/HELMSMAN_TESTRIGS_GUIDE.md (1)

37-55: ⚡ Quick win

eSignet testrigs "no additional secrets required" claim needs context.

Line 51 states: "No additional secrets required for testrigs — captcha and keycloak secrets were already created during eSignet deployment and are available in each namespace."

This assumes users have already run the eSignet DSF deployment (helmsman_esignet.yml). However, a reader jumping directly to the testrigs guide might miss this dependency. Consider:

• Cross-linking to the deployment prerequisite (the eSignet guide that creates these secrets)
• Or explicitly stating in the Prerequisites section (line 31) that "eSignet DSF must have completed first (captcha/keycloak secrets created in namespace)"

This would align with the standalone guide's clear sequencing (ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md Step 1 → Step 2 → Step 4).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/HELMSMAN_TESTRIGS_GUIDE.md` around lines 37 - 55, The eSignet standalone
profile section states that no additional secrets are required for testrigs
because captcha and keycloak secrets were already created during eSignet
deployment, but this assumes readers have completed the eSignet DSF deployment
prerequisite. Add a cross-link to the eSignet deployment guide
(helmsman_esignet.yml or ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md) in the
Prerequisites section around line 31, or explicitly state there that eSignet DSF
deployment must be completed first to create these secrets in the namespace.
This clarifies the sequencing dependency for readers who jump directly to the
testrigs guide.

docs/HELMSMAN_EXTERNAL_GUIDE.md (1)

73-80: 💤 Low value

Clarify db_port vs esignet_db_port in the parameter table header.

Line 73 introduces the parameter as "db_port | External postgres port — MOSIP platform only" but line 80 follows with "esignet_db_port | eSignet container postgres port". The table context at line 71 says "Workflow Inputs," making it ambiguous whether these are both always available (which they are) or profile-specific.

Amend the table header or add a note clarifying: "Both fields appear in the workflow form regardless of profile; fill only the port that matches your selected profile."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/HELMSMAN_EXTERNAL_GUIDE.md` around lines 73 - 80, The parameter
descriptions for db_port and esignet_db_port in the Workflow Inputs table are
ambiguous about availability across profiles. Currently, db_port is described as
"External postgres port — MOSIP platform only" and esignet_db_port as "eSignet
container postgres port," which doesn't clarify that both fields always appear
in the workflow form regardless of profile. Update the table header or add a
clarifying note stating that both fields are always available in the workflow
form but users should only fill the port that matches their selected profile
(db_port for mosip-platform profiles and esignet_db_port for esignet profile).

docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md (2)

227-227: ⚡ Quick win

Emphasize skip_mosip_dsf_check requirement more prominently in Step 2 instructions.

Line 227 flags the importance of ticking skip_mosip_dsf_check for standalone eSignet, explaining that without it the workflow waits for a mosip-dsf=completed label that will never appear, causing the workflow to fail. This is a critical user error point.

Consider adding a visual callout (e.g., ⚠️ or CRITICAL) above the form field table at line 215, or repeating the warning at line 225 to ensure it stands out and catches the eye before the user runs the workflow.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md` at line 227, The critical
requirement about ticking `skip_mosip_dsf_check` for standalone eSignet
deployment needs stronger visual emphasis to prevent user errors. Add a
prominent warning callout using visual markers (such as ⚠️ or **CRITICAL**)
above the form field table in Step 2 where configuration options are presented,
and consider repeating the core warning about the `mosip-dsf=completed`
namespace label prerequisite near the end of Step 2 instructions. This will
ensure the warning about `skip_mosip_dsf_check` stands out visually and catches
users' attention before they proceed with running the workflow, preventing
workflow failures from this critical misconfiguration.

---

114-119: ⚡ Quick win

Warn that CRE/QA11 Keycloak credentials are for remote admin access, not local.

Line 119 correctly notes that CRE_KEYCLOAK_ADMIN_PASSWORD and QA11_KEYCLOAK_ADMIN_PASSWORD are for remote CRE and QA11 Keycloak instances, and a wrong password will cause the preinstall hook to fail with a curl error. However, this critical detail is buried in a footnote.

Consider promoting this to a highlighted callout box or separate subsection (e.g., "⚠️ Remote Keycloak Credentials") so users understand these are not for the local Keycloak deployed in Step 1, but for external CRE/QA11 environments that the hook queries.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md` around lines 114 - 119, The
critical distinction that CRE_KEYCLOAK_ADMIN_PASSWORD and
QA11_KEYCLOAK_ADMIN_PASSWORD are for remote CRE and QA11 Keycloak instances (not
the local Keycloak deployed by this stack) is currently buried in a warning
footnote, which users may easily overlook. Extract this important warning from
the footnote and create a separate, more prominent callout section with a clear
heading such as "⚠️ Remote Keycloak Credentials" that explicitly explains these
environment variables are for external admin access to remote Keycloak instances
and emphasizes that misconfiguration will cause the preinstall hook to fail with
curl errors. This ensures users understand the distinction between local and
remote credentials before they configure these variables.

docs/ENVIRONMENT_DESTRUCTION_GUIDE.md (1)

48-48: ⚡ Quick win

Clarify Terraform profile naming vs. Helmsman profile naming to prevent user confusion.

The ENVIRONMENT_DESTRUCTION_GUIDE references Terraform profiles as mosip/esignet, but the esignet_README.md references Helmsman profiles as mosip-platform-1.2.0.x and mosip-platform-1.2.1.x. This inconsistency may confuse users who need to coordinate infrastructure destruction with Helmsman service destruction.

Guidance needed:

1. Document the relationship between Terraform Profile parameter values (e.g., mosip/esignet) and Helmsman profile values (e.g., mosip-platform-1.2.0.x)
2. If the naming formats are intentionally different, add a "profile mapping" table in README or a dedicated section explaining the distinction
3. Ensure workflow documentation clearly states which profile name format to use for each tool

Also applies to: 176-176, 411-411

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/ENVIRONMENT_DESTRUCTION_GUIDE.md` at line 48, The
ENVIRONMENT_DESTRUCTION_GUIDE uses Terraform profile naming format
(mosip/esignet) while esignet_README.md uses Helmsman profile naming format
(mosip-platform-1.2.0.x, mosip-platform-1.2.1.x), creating confusion about which
format applies to each tool. Add a clarification section early in the
ENVIRONMENT_DESTRUCTION_GUIDE that explains the relationship between Terraform
and Helmsman profile naming conventions, either by documenting how one format
maps to the other or by creating a profile mapping table. Additionally, ensure
all profile references in the guide (including those at lines 176 and 411) are
clearly annotated with which tool they apply to and which naming format should
be used for that specific tool.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/esignet_README.md`:
- Around line 156-158: The documentation in esignet_README.md contains incorrect
deployment profile names that do not match the actual workflow and directory
structure. Replace all occurrences of `mosip-platform-1.2.0.x` with
`mosip-platform-java11` and `mosip-platform-1.2.1.x` with
`mosip-platform-java21` across the entire document. This includes the DSF file
paths section (lines 156-158), the GitHub Actions walkthrough section (line
230), and the workflow inputs table (lines 256-262). Ensure consistency
throughout by using the actual Java version suffix format that matches the real
directory structure in Helmsman/dsf/ and the actual workflow profile options
available to users.

---

Nitpick comments:
In `@docs/ENVIRONMENT_DESTRUCTION_GUIDE.md`:
- Line 48: The ENVIRONMENT_DESTRUCTION_GUIDE uses Terraform profile naming
format (mosip/esignet) while esignet_README.md uses Helmsman profile naming
format (mosip-platform-1.2.0.x, mosip-platform-1.2.1.x), creating confusion
about which format applies to each tool. Add a clarification section early in
the ENVIRONMENT_DESTRUCTION_GUIDE that explains the relationship between
Terraform and Helmsman profile naming conventions, either by documenting how one
format maps to the other or by creating a profile mapping table. Additionally,
ensure all profile references in the guide (including those at lines 176 and
411) are clearly annotated with which tool they apply to and which naming format
should be used for that specific tool.

In `@docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md`:
- Line 227: The critical requirement about ticking `skip_mosip_dsf_check` for
standalone eSignet deployment needs stronger visual emphasis to prevent user
errors. Add a prominent warning callout using visual markers (such as ⚠️ or
**CRITICAL**) above the form field table in Step 2 where configuration options
are presented, and consider repeating the core warning about the
`mosip-dsf=completed` namespace label prerequisite near the end of Step 2
instructions. This will ensure the warning about `skip_mosip_dsf_check` stands
out visually and catches users' attention before they proceed with running the
workflow, preventing workflow failures from this critical misconfiguration.
- Around line 114-119: The critical distinction that CRE_KEYCLOAK_ADMIN_PASSWORD
and QA11_KEYCLOAK_ADMIN_PASSWORD are for remote CRE and QA11 Keycloak instances
(not the local Keycloak deployed by this stack) is currently buried in a warning
footnote, which users may easily overlook. Extract this important warning from
the footnote and create a separate, more prominent callout section with a clear
heading such as "⚠️ Remote Keycloak Credentials" that explicitly explains these
environment variables are for external admin access to remote Keycloak instances
and emphasizes that misconfiguration will cause the preinstall hook to fail with
curl errors. This ensures users understand the distinction between local and
remote credentials before they configure these variables.

In `@docs/HELMSMAN_EXTERNAL_GUIDE.md`:
- Around line 73-80: The parameter descriptions for db_port and esignet_db_port
in the Workflow Inputs table are ambiguous about availability across profiles.
Currently, db_port is described as "External postgres port — MOSIP platform
only" and esignet_db_port as "eSignet container postgres port," which doesn't
clarify that both fields always appear in the workflow form regardless of
profile. Update the table header or add a clarifying note stating that both
fields are always available in the workflow form but users should only fill the
port that matches their selected profile (db_port for mosip-platform profiles
and esignet_db_port for esignet profile).

In `@docs/HELMSMAN_TESTRIGS_GUIDE.md`:
- Around line 37-55: The eSignet standalone profile section states that no
additional secrets are required for testrigs because captcha and keycloak
secrets were already created during eSignet deployment, but this assumes readers
have completed the eSignet DSF deployment prerequisite. Add a cross-link to the
eSignet deployment guide (helmsman_esignet.yml or
ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md) in the Prerequisites section around line
31, or explicitly state there that eSignet DSF deployment must be completed
first to create these secrets in the namespace. This clarifies the sequencing
dependency for readers who jump directly to the testrigs guide.

In `@docs/WORKFLOW_GUIDE.md`:
- Line 250: Fenced code blocks containing ASCII diagrams throughout the document
lack language identifiers, violating Markdown rule MD040. Add a language
identifier (text or plaintext) to all opening fenced code blocks by modifying
the triple backticks from ``` to ```text on lines 250, 255, 332, 396, 406, 453,
519, 589, 759, and 783. This improves markdown validation consistency without
changing the content of these ASCII workflow diagrams.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 193eb5cc-2795-4055-98c7-53749bbdb86f

📥 Commits

Reviewing files that changed from the base of the PR and between be1c242 and 3532611.

⛔ Files ignored due to path filters (6)

• docs/_images/esignet.png is excluded by !**/*.png
• docs/_images/helmsman-external-services.png is excluded by !**/*.png
• docs/_images/helmsman-mosip.png is excluded by !**/*.png
• docs/_images/helmsman-testrigs.png is excluded by !**/*.png
• docs/_images/infra-terraform-apply.png is excluded by !**/*.png
• docs/_images/infra-terraform-destroy.png is excluded by !**/*.png

📒 Files selected for processing (15)

• README.md
• docs/DSF_CONFIGURATION_GUIDE.md
• docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
• docs/ESIGNET_STANDALONE_DEPLOYMENT_GUIDE.md
• docs/HELMSMAN_DESTROY_GUIDE.md
• docs/HELMSMAN_EXTERNAL_GUIDE.md
• docs/HELMSMAN_MOSIP_GUIDE.md
• docs/HELMSMAN_TESTRIGS_GUIDE.md
• docs/ONBOARDING_GUIDE.md
• docs/SECRET_GENERATION_GUIDE.md
• docs/TERRAFORM_WORKFLOW_GUIDE.md
• docs/WORKFLOW_GUIDE.md
• docs/_images/ARCHITECTURE_DIAGRAMS.md
• docs/esignet_README.md
• docs/profile-based-deployment.drawio

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check workflow profile choices
grep -A 10 "profile:" .github/workflows/helmsman_esignet.yml | grep -A 6 "options:"

# Check if DSF directories match the profile choices
find Helmsman/dsf -type d -maxdepth 1 | sort

Repository: mosip/infra

Length of output: 341

---

🏁 Script executed:

# Check the actual content of the documentation file at the mentioned lines
head -260 docs/esignet_README.md | tail -110 | cat -n

Repository: mosip/infra

Length of output: 5698

---

Profile names in documentation do not match actual workflow or directory structure.

The documentation references deployment profiles as mosip-platform-1.2.0.x and mosip-platform-1.2.1.x, but the actual workflow and directory structure use mosip-platform-java11 and mosip-platform-java21.

Affected locations:

• Lines 156–158: DSF file paths document mosip-platform-1.2.0.x and mosip-platform-1.2.1.x
• Line 230: GitHub Actions walkthrough references mosip-platform-1.2.0.x
• Lines 256–262: Workflow inputs table lists mosip-platform-1.2.0.x, mosip-platform-1.2.1.x

Actual values:

• Workflow profile options: mosip-platform-java11, mosip-platform-java21, esignet
• DSF directories: Helmsman/dsf/mosip-platform-java11, Helmsman/dsf/mosip-platform-java21

Users following the documented profile names will fail when submitting the GitHub Actions form. Update all profile name references to use the Java version suffix format.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/esignet_README.md` around lines 156 - 158, The documentation in
esignet_README.md contains incorrect deployment profile names that do not match
the actual workflow and directory structure. Replace all occurrences of
`mosip-platform-1.2.0.x` with `mosip-platform-java11` and
`mosip-platform-1.2.1.x` with `mosip-platform-java21` across the entire
document. This includes the DSF file paths section (lines 156-158), the GitHub
Actions walkthrough section (line 230), and the workflow inputs table (lines
256-262). Ensure consistency throughout by using the actual Java version suffix
format that matches the real directory structure in Helmsman/dsf/ and the actual
workflow profile options available to users.