oracle
diff --git a/‎.github/workflows/documentation.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/documentation.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/image_smoke.yml
Lines changed: 52 additions & 17 deletions b/‎.github/workflows/image_smoke.yml
Lines changed: 52 additions & 17 deletions
diff --git a/‎.github/workflows/opentofu.yml
Lines changed: 2 additions & 4 deletions b/‎.github/workflows/opentofu.yml
Lines changed: 2 additions & 4 deletions
diff --git a/‎.github/workflows/pytest.yml
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/pytest.yml
Lines changed: 4 additions & 2 deletions
diff --git a/‎.github/workflows/releases.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/releases.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md
Lines changed: 3 additions & 0 deletions b/‎README.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/content/advanced/helm.md
Lines changed: 7 additions & 2 deletions b/‎docs/content/advanced/helm.md
Lines changed: 7 additions & 2 deletions
diff --git a/‎helm/charts/server/templates/configmap.yaml
Lines changed: 66 additions & 0 deletions b/‎helm/charts/server/templates/configmap.yaml
Lines changed: 66 additions & 0 deletions
diff --git a/‎helm/charts/server/templates/database.yaml
Lines changed: 57 additions & 0 deletions b/‎helm/charts/server/templates/database.yaml
Lines changed: 57 additions & 0 deletions
@@ -36,7 +36,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     env:
-      HUGO_VERSION: 0.145.0
+      HUGO_VERSION: 0.148.0
     steps:
       - name: Install Hugo CLI
         run: |
 
@@ -4,17 +4,18 @@ name: Validate Container Images
 on:
   pull_request:
     types:
-      - opened
       - synchronize
       - reopened
       - ready_for_review
+    paths:
+      - "src/**"
+      - ".github/workflows/image_smoke.yml"
 
   # Allows running this workflow manually
   workflow_dispatch:
 
 jobs:
-  docker-build:
-    if: github.event.pull_request.draft == false
+  image-build-test:
     runs-on: ubuntu-latest
     # Block merging if the job fails
     permissions:
@@ -37,30 +38,64 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          driver: docker-container
-
-      - name: Cache Image Layers
+      - name: Restore Cache
         uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ matrix.build.name }}-${{ github.sha }}
+          key: ${{ runner.os }}-buildx-${{ matrix.build.name }}-${{ github.ref_name }}
           restore-keys: |
             ${{ runner.os }}-buildx-${{ matrix.build.name }}-
+            ${{ runner.os }}-buildx-
+
+      - name: Create Buildx builder
+        run: docker buildx create --use --name mybuilder || docker buildx use mybuilder
 
       - name: Build Container Image with Cache
         run: |
-          docker buildx create --use
-          docker buildx build \
-            --cache-from=type=local,src=/tmp/.buildx-cache \
-            --cache-to=type=local,dest=/tmp/.buildx-cache-new \
-            --file ${{ matrix.build.context }}/${{ matrix.build.dockerfile }} \
-            --output=type=cacheonly \
-            ${{ matrix.build.context }}
+          if [ "${{ matrix.build.name }}" = "aio" ]; then
+            docker buildx build \
+              --cache-from=type=local,src=/tmp/.buildx-cache \
+              --cache-to=type=local,dest=/tmp/.buildx-cache-new \
+              --file ${{ matrix.build.context }}/${{ matrix.build.dockerfile }} \
+              --tag ${{ matrix.build.name }}:${{ github.sha }} \
+              --load \
+              ${{ matrix.build.context }}
+          else
+            docker buildx build \
+              --cache-from=type=local,src=/tmp/.buildx-cache \
+              --cache-to=type=local,dest=/tmp/.buildx-cache-new \
+              --file ${{ matrix.build.context }}/${{ matrix.build.dockerfile }} \
+              --output=type=cacheonly \
+              ${{ matrix.build.context }}
+          fi
 
       - name: Move Cache for Reuse
         run: |
           rm -rf /tmp/.buildx-cache
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
+      - name: Save Cache
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ matrix.build.name }}-${{ github.ref_name }}
+
+      - name: Scan with Trivy
+        if: matrix.build.name == 'aio'
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          scan-type: image
+          image-ref: "aio:${{ github.sha }}"
+          severity: HIGH,CRITICAL
+          format: json
+          output: trivy-report.json
+          cache: true
+          ignore-unfixed: true
+          exit-code: 1
+
+      - name: Upload Trivy Report on Failure
+        if: failure() && matrix.build.name == 'aio'
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report-${{ matrix.build.name }}
+          path: trivy-report.json
@@ -4,21 +4,19 @@ name: Validate Infrastructure as Code
 on:
   pull_request:
     types:
-      - opened
       - synchronize
       - reopened
       - ready_for_review
-    # Limit runs to only when opentofu changes
     paths:
+      - "tests/**"
       - "opentofu/**"
       - ".github/workflows/opentofu.yml"
 
   # Allows running this workflow manually
   workflow_dispatch:
 
 jobs:
-  check:
-    if: github.event.pull_request.draft == false
+  verify-iac:
     runs-on: ubuntu-latest
     container:
       image: hashicorp/terraform:latest
 
@@ -4,17 +4,19 @@ name: Test Suite
 on:
   pull_request:
     types:
-      - opened
       - synchronize
       - reopened
       - ready_for_review
+    paths:
+      - "tests/**"
+      - "src/**"
+      - ".github/workflows/pytest.yml"
 
   # Allows running this workflow manually
   workflow_dispatch:
 
 jobs:
   check:
-    if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
     services:
       docker:
 
@@ -7,7 +7,7 @@ env:
   IAC: ${GITHUB_REPOSITORY#${GITHUB_REPOSITORY_OWNER}/}-stack.zip
 
 jobs:
-  build:
+  build-release:
     runs-on: ubuntu-latest
     permissions:
       contents: write
 
@@ -1,6 +1,9 @@
 # Oracle AI Optimizer and Toolkit
 
 <!-- spell-checker:ignore streamlit, venv, setuptools -->
+![Test Status](https://github.com/oracle-samples/ai-optimizer/actions/workflows/pytest.yml/badge.svg)
+![IaC Status](https://github.com/oracle-samples/ai-optimizer/actions/workflows/opentofu.yml/badge.svg)
+![Build Status](https://github.com/oracle-samples/ai-optimizer/actions/workflows/image_smoke.yml/badge.svg)
 
 ## Description
 
 
@@ -155,7 +155,7 @@ Configure Oracle Cloud Infrastructure used by the {{< short_app_ref >}} API Serv
 | server.oci_config.user | string | `""` | User OCID.  Required when specifying keySecretName. |
 | server.oci_config.fingerprint | string | `""` | Fingerprint.  Required when specifying keySecretName. |
 | server.oci_config.region | string | `""` | Region. Required when oke is true. |
-| server.oci_config.fileSecretName | string | `""` | Secret containing an OCI config file and the key_file(s). Use the scripts/oci_config.py script to help create the secret based on an existing ~.oci/config file |
+| server.oci_config.fileSecretName | string | `""` | Secret containing an OCI config file and the key_file(s). Use the [scripts/oci_config.py](https://github.com/oracle-samples/ai-optimizer/blob/main/helm/scripts/oci_config.py) script to help create the secret based on an existing ~.oci/config file |
 | server.oci_config.keySecretName | string | `""` | Secret containing a single API key corresponding to above tenancy configuration This used by OraOperator when not running in OKE |
 
 ###### Examples
@@ -299,7 +299,7 @@ Give the **Helm Chart** a spin using a locally installed [Kind](https://kind.sig
 
 1. (Optional) Configure for Oracle Cloud Infrastructure
 
-    If you already have an OCI API configuration file, use the `oci_config` helper script to turn it into a secret for OCI connectivity:
+    If you already have an OCI API configuration file, use the [scripts/oci_config.py](https://github.com/oracle-samples/ai-optimizer/blob/main/helm/scripts/oci_config.py) helper script to turn it into a secret for OCI connectivity:
 
     ```sh
     kubectl create namespace ai-optimizer
@@ -337,6 +337,11 @@ Give the **Helm Chart** a spin using a locally installed [Kind](https://kind.sig
         enabled: true
     ```
 
+1. Add the Helm Repository
+```sh
+helm repo add ai-optimizer https://oracle-samples.github.io/ai-optimizer/helm
+```
+
 1. Deploy the Helm Chart
 
     ```sh
 
@@ -13,6 +13,8 @@ metadata:
 data:
   init.sh: |
     sqlplus <<- EOF
+    WHENEVER SQLERROR EXIT 1
+    WHENEVER OSERROR EXIT 1
     connect / as sysdba
     ALTER SYSTEM SET VECTOR_MEMORY_SIZE=512M SCOPE=SPFILE;
     ALTER SESSION SET CONTAINER=FREEPDB1;
@@ -36,6 +38,70 @@ data:
     STARTUP FORCE;
     ALTER SYSTEM REGISTER;
     EOF
+{{- else if eq .Values.database.type "ADB-FREE" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: db-custom-scripts
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+data:
+  init.sh: |
+    sql /nolog <<- EOF
+    WHENEVER SQLERROR EXIT 1
+    WHENEVER OSERROR EXIT 1
+    connect ADMIN/${DB_PASSWORD}@//${DB_DSN}
+    DECLARE
+      l_conn_user VARCHAR2(255);
+      l_user      VARCHAR2(255);
+      l_tblspace  VARCHAR2(255);
+    BEGIN
+      BEGIN
+          SELECT user INTO l_conn_user FROM DUAL;
+          SELECT username INTO l_user FROM DBA_USERS WHERE USERNAME='${DB_USERNAME}';
+      EXCEPTION WHEN no_data_found THEN
+          EXECUTE IMMEDIATE 'CREATE USER "${DB_USERNAME}" IDENTIFIED BY "${DB_PASSWORD}"';
+      END;
+      SELECT default_tablespace INTO l_tblspace FROM dba_users WHERE username = '${DB_USERNAME}';
+      EXECUTE IMMEDIATE 'ALTER USER "${DB_USERNAME}" QUOTA UNLIMITED ON ' || l_tblspace;
+      EXECUTE IMMEDIATE 'GRANT DB_DEVELOPER_ROLE TO "${DB_USERNAME}"';
+      EXECUTE IMMEDIATE 'GRANT EXECUTE ON DBMS_CLOUD TO "${DB_USERNAME}"';
+      EXECUTE IMMEDIATE 'GRANT EXECUTE ON DBMS_CLOUD_AI TO "${DB_USERNAME}"';
+      EXECUTE IMMEDIATE 'GRANT EXECUTE ON DBMS_CLOUD_PIPELINE TO "${DB_USERNAME}"';
+      EXECUTE IMMEDIATE 'ALTER USER "${DB_USERNAME}" DEFAULT ROLE ALL';
+    END;
+    /
+    BEGIN  
+      DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
+        host => '${API_SERVER_HOST}',
+        ace  => xs\$ace_type(privilege_list => xs\$name_list('http'),
+                            principal_name => '${DB_USERNAME}',
+                            principal_type => xs_acl.ptype_db)
+      );
+    END;
+    /
+    BEGIN
+      DBMS_CLOUD.CREATE_CREDENTIAL(
+        credential_name   => 'AI_OPTIMIZER_CRED', 
+        username          =>  'SELECTAI', 
+        password          =>  '${API_SERVER_KEY}'
+      );
+      EXCEPTION WHEN OTHERS THEN
+        IF SQLCODE = -20022 THEN NULL;
+        ELSE RAISE;
+        END IF;
+    END;
+    /
+    -- !! NOT YET GA !!
+    -- BEGIN
+    --  DBMS_CLOUD_AI.CREATE_PROFILE(
+    --      profile_name => 'AI_OPTIMIZER' ,
+    --      attributes   => '{"provider_endpoint": "${API_SERVER_HOST}:8000",
+    --                        "model": "openai"}'
+    --  );
+    --END;
+    --/
+    EOF
 {{- else if .Values.oci_config }}
 apiVersion: v1
 kind: ConfigMap
 
@@ -54,6 +54,63 @@ spec:
         - name: db-custom-scripts
           configMap:
             name:  db-custom-scripts
+  {{- else if eq .Values.database.type "ADB-FREE" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "release.name" . }}-adb
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+    "app.kubernetes.io/component": "database"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "app.selectorLabels" . | nindent 6 }}
+      "app.kubernetes.io/component": "database"
+  template:
+    metadata:
+      labels:
+        {{- include "app.labels" . | nindent 8 }}
+        "app.kubernetes.io/component": "database"
+    spec:
+      securityContext:
+        fsGroup: 54321
+        runAsGroup: 54321
+        runAsUser: 54321
+      containers:
+        - name:  adb-free
+          image: {{ .Values.database.image.repository }}:{{ .Values.database.image.tag }}
+          imagePullPolicy: IfNotPresent
+          ports:
+          - containerPort: 1521
+          readinessProbe:
+            tcpSocket:
+              port: 1521
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          env:
+          - name: DATABASE_NAME
+            value: FREEPDB1
+          - name: ENABLE_ARCHIVE_LOG
+            value: "False"
+          - name: ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ $secretName }}
+                key: password
+          - name: WALLET_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ $secretName }}
+                key: password
+          volumeMounts:
+            - name: db-custom-scripts
+              mountPath: "/opt/oracle/scripts/startup"
+      volumes:
+        - name: db-custom-scripts
+          configMap:
+            name:  db-custom-scripts
   {{- else if eq .Values.database.type "ADB-S" }}
 apiVersion: database.oracle.com/v1alpha1
 kind: AutonomousDatabase