Ryan Loiselle — Developer / Architect
February 2026
This document summarises the BC Government deployment standards applied to all HelloNetworkWorld deployments on OpenShift Emerald be808f.
All pods must carry the label DataClass: Medium for justice applications.
This is enforced in both the Helm chart _helpers.tpl selector labels and in each deployment template.
    # In every pod template
    labels:
      DataClass: Medium

All OpenShift Routes must have the annotation:
    annotations:
      aviinfrasetting.ako.vmware.com/name: dataclass-medium

NEVER use dataclass-low — the dataclass-low Virtual IP does not exist on Emerald (confirmed February 2026). Using it will result in a non-functional route with no error message.
All containers must listen on port 8080. Never use 80, 443, or 5000 in OpenShift pods.
All containers must run as a non-root user:
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      capabilities:
        drop: [ALL]

All pods must declare both requests and limits for CPU and memory.
See charts/hnw-app/values.yaml for HNW-specific tuned values.
Every namespace application must start with default-deny ingress and egress policies.
See charts/hnw-app/templates/networkpolicies.yaml for the complete policy suite.
All production images must be pushed to and pulled from:
artifacts.developer.gov.bc.ca/dbe8-docker-local/
Never use Docker Hub images in production namespaces.
Secrets must never be committed to Git.
Provision secrets manually:
    oc create secret generic hnw-db-credentials \
      --from-literal=connectionString="..." \
      -n be808f-dev

All pods must define both livenessProbe and readinessProbe.
API: /health/live and /health/ready
Frontend: /nginx-health
Use netapp-file-standard for all PersistentVolumeClaims (MariaDB data).
Never use netapp-block-standard for application data volumes.
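The pod, container and Route rules above can be checked mechanically before a deployment is applied. The following is an added example, not code from the HelloNetworkWorld repository: it assumes manifests are available as JSON (for instance from `oc get deployment -o json`), and the function names, image tag and sample objects are constructed for illustration.

```python
REGISTRY = "artifacts.developer.gov.bc.ca/dbe8-docker-local/"  # registry named on this page
ROUTE_ANNOTATION = "aviinfrasetting.ako.vmware.com/name"

def check_container(c):
    """Return the standards a single container spec (dict) violates."""
    issues = []
    if not c.get("image", "").startswith(REGISTRY):
        issues.append("image is not from the Artifactory registry")
    ports = {p.get("containerPort") for p in c.get("ports", [])}
    if 8080 not in ports or ports & {80, 443, 5000}:
        issues.append("must listen on 8080, never 80/443/5000")
    # Assumption: securityContext is set per container, as in the snippet above.
    sc = c.get("securityContext", {})
    if sc.get("allowPrivilegeEscalation") is not False or sc.get("runAsNonRoot") is not True:
        issues.append("must set allowPrivilegeEscalation: false and runAsNonRoot: true")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        issues.append("must drop ALL capabilities")
    res = c.get("resources", {})
    if any(r not in res.get(k, {}) for k in ("requests", "limits") for r in ("cpu", "memory")):
        issues.append("missing CPU/memory requests or limits")
    if not all(p in c for p in ("livenessProbe", "readinessProbe")):
        issues.append("missing livenessProbe or readinessProbe")
    return issues

def check_deployment(dep):
    """Map 'pod' and each container name to its violations (clean entries omitted)."""
    tpl = dep["spec"]["template"]
    report = {}
    if tpl.get("metadata", {}).get("labels", {}).get("DataClass") != "Medium":
        report["pod"] = ["missing label DataClass: Medium"]
    for c in tpl["spec"]["containers"]:
        if (found := check_container(c)):
            report[c["name"]] = found
    return report

def check_route(route):
    """A Route must carry dataclass-medium; dataclass-low gives a dead route with no error."""
    value = route.get("metadata", {}).get("annotations", {}).get(ROUTE_ANNOTATION)
    return [] if value == "dataclass-medium" else [f"{ROUTE_ANNOTATION} is {value!r}"]

# Constructed sample: "api" is compliant, "sidecar" is not, and the pod label is missing.
GOOD = {"name": "api", "image": REGISTRY + "hnw-api:1.0", "ports": [{"containerPort": 8080}],
        "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                      "limits": {"cpu": "200m", "memory": "128Mi"}},
        "livenessProbe": {}, "readinessProbe": {}}
BAD = {"name": "sidecar", "image": "docker.io/library/nginx:latest", "ports": [{"containerPort": 80}]}
SAMPLE = {"spec": {"template": {"metadata": {"labels": {}}, "spec": {"containers": [GOOD, BAD]}}}}
print(check_deployment(SAMPLE))
```

Running the same checks in CI against rendered chart output catches a dataclass-low annotation before it reaches the cluster, where it would otherwise fail without an error message.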