Add feature branch deployment pipeline

- Add deploy_feature job for ephemeral dev environments
- Use unique identifier (feat-{short_sha}) for K8s resource isolation
- Dynamic hostnames for ingress (orchard-{sha}.common.global.bsf.tools)
- Add cleanup_feature job with on_stop for automatic cleanup on merge
- Add values-dev.yaml with lighter resources for ephemeral deployments
- Refactor deploy_stage to use dynamic image tag from CI

.gitlab-ci.yml

@@ -49,3 +49,95 @@ python_tests:
 #     - |
 #       helm upgrade --install orchard-dev ./helm/orchard --namespace $NAMESPACE -f $VALUES_FILE
 
+.deploy_template: &deploy_template
+  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
+  before_script:
+    - helm version
+    - helm repo add stable https://charts.helm.sh/stable
+    - helm repo add bitnami https://charts.bitnami.com/bitnami
+    - cd helm/orchard
+    - helm dependency update
+    - helm repo update
+  script:
+    - echo "Deploying to $ENV environment in namespace $NAMESPACE using chart $VALUES_FILE with agent $AGENT"
+    - helm upgrade --install orchard-$ENV ./helm/orchard --namespace $NAMESPACE -f $VALUES_FILE --set image.tag=$IMAGE
+  environment:
+    name: $ENV
+    kubernetes:
+      agent: $AGENT
+
+# Deploy to stage (main branch)
+deploy_stage:
+  stage: deploy
+  variables:
+    ENV: stage
+    NAMESPACE: orch-stage-namespace
+    VALUES_FILE: "helm/orchard/values-stage.yaml"
+    AGENT: orchard-stage
+    IMAGE: $CI_COMMIT_SHA
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: always
+  <<: *deploy_template
+
+# Deploy feature branch to dev namespace
+deploy_feature:
+  stage: deploy
+  variables:
+    FEATURE_ID: feat-$CI_COMMIT_SHORT_SHA
+    ENV: feat-$CI_COMMIT_SHORT_SHA
+    NAMESPACE: orch-dev-namespace
+    VALUES_FILE: "helm/orchard/values-dev.yaml"
+    AGENT: orchard-dev
+    IMAGE: $CI_COMMIT_SHA
+    FEATURE_HOST: orchard-$CI_COMMIT_SHORT_SHA.common.global.bsf.tools
+    MINIO_HOST: minio-$CI_COMMIT_SHORT_SHA.common.global.bsf.tools
+  before_script:
+    - helm version
+    - helm repo add stable https://charts.helm.sh/stable
+    - helm repo add bitnami https://charts.bitnami.com/bitnami
+    - cd helm/orchard
+    - helm dependency update
+    - helm repo update
+  script:
+    - echo "Deploying feature branch to $ENV environment"
+    - |
+      helm upgrade --install orchard-$FEATURE_ID ./helm/orchard \
+        --namespace $NAMESPACE \
+        -f $VALUES_FILE \
+        --set image.tag=$IMAGE \
+        --set ingress.hosts[0].host=$FEATURE_HOST \
+        --set ingress.tls[0].hosts[0]=$FEATURE_HOST \
+        --set ingress.tls[0].secretName=orchard-$FEATURE_ID-tls \
+        --set minioIngress.host=$MINIO_HOST \
+        --set minioIngress.tls.secretName=minio-$FEATURE_ID-tls
+  environment:
+    name: review/$CI_COMMIT_REF_SLUG
+    url: https://orchard-$CI_COMMIT_SHORT_SHA.common.global.bsf.tools
+    on_stop: cleanup_feature
+    kubernetes:
+      agent: $AGENT
+  rules:
+    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
+      when: always
+
+# Cleanup feature branch deployment
+cleanup_feature:
+  stage: deploy
+  variables:
+    FEATURE_ID: feat-$CI_COMMIT_SHORT_SHA
+    NAMESPACE: orch-dev-namespace
+    AGENT: orchard-dev
+  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
+  script:
+    - echo "Cleaning up feature deployment orchard-$FEATURE_ID"
+    - helm uninstall orchard-$FEATURE_ID --namespace $NAMESPACE || true
+  environment:
+    name: review/$CI_COMMIT_REF_SLUG
+    action: stop
+    kubernetes:
+      agent: $AGENT
+  rules:
+    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
+      when: manual
+  allow_failure: true

CHANGELOG.md

@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added GitLab CI pipeline for feature branch deployments to dev namespace (#51)
+- Added `deploy_feature` job with dynamic hostnames and unique release names (#51)
+- Added `cleanup_feature` job with `on_stop` for automatic cleanup on merge (#51)
+- Added `values-dev.yaml` Helm values for lightweight ephemeral environments (#51)
 
 ## [0.4.0] - 2026-01-12
 ### Added

helm/orchard/values-dev.yaml

@@ -0,0 +1,165 @@
+# Values for feature branch deployments (ephemeral dev environments)
+# Hostnames are overridden by CI pipeline via --set flags
+replicaCount: 1
+
+image:
+  repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
+  pullPolicy: Always
+  tag: "latest"  # Overridden by CI
+
+imagePullSecrets:
+  - name: orchard-pull-secret
+
+initContainer:
+  image:
+    repository: containers.global.bsf.tools/busybox
+    tag: "1.36"
+    pullPolicy: IfNotPresent
+
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: ""  # Auto-generated based on release name
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+
+securityContext:
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 8080
+
+# Ingress - hostnames overridden by CI pipeline
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+  hosts:
+    - host: orchard-dev.common.global.bsf.tools  # Overridden by CI
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: orchard-tls  # Overridden by CI
+      hosts:
+        - orchard-dev.common.global.bsf.tools  # Overridden by CI
+
+# Lighter resources for ephemeral environments
+resources:
+  limits:
+    cpu: 250m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 10
+  periodSeconds: 10
+
+readinessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 5
+
+autoscaling:
+  enabled: false
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+orchard:
+  server:
+    host: "0.0.0.0"
+    port: 8080
+
+  database:
+    host: ""
+    port: 5432
+    user: orchard
+    password: ""
+    dbname: orchard
+    sslmode: disable
+    existingSecret: ""
+    existingSecretPasswordKey: "password"
+
+  s3:
+    endpoint: ""
+    region: us-east-1
+    bucket: orchard-artifacts
+    accessKeyId: ""
+    secretAccessKey: ""
+    usePathStyle: true
+    existingSecret: ""
+    existingSecretAccessKeyKey: "access-key-id"
+    existingSecretSecretKeyKey: "secret-access-key"
+
+  download:
+    mode: "presigned"
+    presignedUrlExpiry: 3600
+
+# PostgreSQL - ephemeral, no persistence
+postgresql:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/postgresql
+    tag: "15"
+    pullPolicy: IfNotPresent
+  auth:
+    username: orchard
+    password: orchard-password
+    database: orchard
+  primary:
+    persistence:
+      enabled: false
+
+# MinIO - ephemeral, no persistence
+minio:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/minio
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  auth:
+    rootUser: minioadmin
+    rootPassword: minioadmin
+  defaultBuckets: "orchard-artifacts"
+  persistence:
+    enabled: false
+
+# MinIO ingress - hostname overridden by CI
+minioIngress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+  host: "minio-dev.common.global.bsf.tools"  # Overridden by CI
+  tls:
+    enabled: true
+    secretName: minio-tls  # Overridden by CI
+
+redis:
+  enabled: false
+
+waitForDatabase: true
+
+global:
+  security:
+    allowInsecureImages: true

helm/orchard/values-stage.yaml

@@ -0,0 +1,190 @@
+# Default values for orchard
+replicaCount: 1
+
+image:
+  repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
+  pullPolicy: Always
+  tag: "latest"  # Defaults to chart appVersion
+
+imagePullSecrets:
+  - name: orchard-pull-secret
+
+# Init container image (used for wait-for-db, wait-for-minio)
+initContainer:
+  image:
+    repository: containers.global.bsf.tools/busybox
+    tag: "1.36"
+    pullPolicy: IfNotPresent
+
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: "orchard"
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+
+securityContext:
+  readOnlyRootFilesystem: false  # Python needs to write __pycache__
+  runAsNonRoot: true
+  runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 8080
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+  hosts:
+    - host: orchard-stage.common.global.bsf.tools
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: 
+    - secretName: orchard-tls
+      hosts:
+        - orchard-stage.common.global.bsf.tools
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 500m
+    memory: 512Mi
+
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 10
+  periodSeconds: 10
+
+readinessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 5
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 80
+  targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Orchard server configuration
+orchard:
+  server:
+    host: "0.0.0.0"
+    port: 8080
+
+  # Database configuration (used when postgresql.enabled is false)
+  database:
+    host: ""
+    port: 5432
+    user: orchard
+    password: ""
+    dbname: orchard
+    sslmode: disable
+    existingSecret: ""
+    existingSecretPasswordKey: "password"
+
+  # S3 configuration (used when minio.enabled is false)
+  s3:
+    endpoint: ""
+    region: us-east-1
+    bucket: orchard-artifacts
+    accessKeyId: ""
+    secretAccessKey: ""
+    usePathStyle: true
+    existingSecret: ""
+    existingSecretAccessKeyKey: "access-key-id"
+    existingSecretSecretKeyKey: "secret-access-key"
+
+  # Download configuration
+  download:
+    mode: "presigned"  # presigned, redirect, or proxy
+    presignedUrlExpiry: 3600  # Presigned URL expiry in seconds
+
+# PostgreSQL subchart configuration
+postgresql:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/postgresql
+    tag: "15"
+    pullPolicy: IfNotPresent
+  auth:
+    username: orchard
+    password: orchard-password
+    database: orchard
+  primary:
+    persistence:
+      enabled: false
+      size: 10Gi
+
+# MinIO subchart configuration
+minio:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/minio
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  auth:
+    rootUser: minioadmin
+    rootPassword: minioadmin
+  defaultBuckets: "orchard-artifacts"
+  persistence:
+    enabled: false
+    size: 50Gi
+
+# MinIO external ingress for presigned URL access (separate from subchart ingress)
+minioIngress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"  # Disable body size limit for uploads
+  host: "minio-orch-stage.common.global.bsf.tools"
+  tls:
+    enabled: true
+    secretName: minio-tls
+
+# Redis subchart configuration (for future caching)
+redis:
+  enabled: false
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/redis
+    tag: "7.2"
+    pullPolicy: IfNotPresent
+  auth:
+    enabled: true
+    password: redis-password
+  architecture: standalone
+  master:
+    persistence:
+      enabled: true
+      size: 1Gi
+
+# Wait for database before starting (SQLAlchemy creates tables on startup)
+waitForDatabase: true
+
+global:
+  security:
+    allowInsecureImages: true