feat(lab-02): PostgreSQL streaming replication — primary/replica + pgAdmin

- Real docker-compose.lan.yml: pg-primary + pg-replica + pgAdmin
- docker/replication/primary-init.sh: creates replicator role, pg_hba entry
- docker/pgadmin/servers.json: pre-configured primary + replica connections
- tests/labs/test-lab-03-02.sh: 12 streaming replication tests (155 lines)
- .github/workflows/ci.yml: strict lan.yml validation + lab-02-smoke job
  (waits for primary:5432 + replica:5433, runs full test suite)

Author: RedjiJB

.github/workflows/ci.yml

@@ -23,10 +23,13 @@ jobs:
           echo "Validating: docker/docker-compose.standalone.yml"
           docker compose -f docker/docker-compose.standalone.yml config -q
           echo "OK: docker/docker-compose.standalone.yml"
-          # Parse-check remaining scaffold files (may contain placeholder vars)
-          for f in docker/docker-compose.lan.yml docker/docker-compose.advanced.yml \
-                   docker/docker-compose.sso.yml docker/docker-compose.integration.yml \
-                   docker/docker-compose.production.yml; do
+          # Strictly validate lan.yml (Lab 02 — fully built out)
+          echo "Validating: docker/docker-compose.lan.yml"
+          docker compose -f docker/docker-compose.lan.yml config -q
+          echo "OK: docker/docker-compose.lan.yml"
+          # Parse-check remaining scaffold files
+          for f in docker/docker-compose.advanced.yml docker/docker-compose.sso.yml \
+                   docker/docker-compose.integration.yml docker/docker-compose.production.yml; do
             echo "Checking scaffold: $f"
             docker compose -f "$f" config --no-interpolate -q 2>&1 && echo "OK: $f" \
               || echo "WARN: $f has placeholder variables (scaffold — not yet built out)"
@@ -111,3 +114,41 @@ jobs:
       - name: Cleanup
         if: always()
         run: docker compose -f docker/docker-compose.standalone.yml down -v
+
+  lab-02-smoke:
+    name: Lab 02 — Streaming Replication
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install PostgreSQL client tools
+        run: sudo apt-get install -y postgresql-client netcat-openbsd curl
+
+      - name: Start LAN stack (primary + replica + pgAdmin)
+        run: docker compose -f docker/docker-compose.lan.yml up -d
+
+      - name: Wait for primary PostgreSQL
+        run: |
+          echo "Waiting for primary..."
+          timeout 120 bash -c 'until pg_isready -h localhost -p 5432 -U labadmin; do sleep 3; done'
+
+      - name: Wait for replica PostgreSQL
+        run: |
+          echo "Waiting for replica (base backup ~30s)..."
+          timeout 180 bash -c 'until pg_isready -h localhost -p 5433 -U labadmin; do echo -n "."; sleep 5; done'
+          echo ""
+
+      - name: Run Lab 03-02 test script
+        env:
+          ADMIN_PASS: "Lab02Password!"
+        run: bash tests/labs/test-lab-03-02.sh
+
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.lan.yml logs
+
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.lan.yml down -v

docker/docker-compose.lan.yml

@@ -1,36 +1,115 @@
-# Lab 02 — External Dependencies: postgresql with external PostgreSQL and Redis
----
+# Lab 03-02: External Dependencies — PostgreSQL Streaming Replication
+# Purpose: Primary + streaming standby replica + pgAdmin UI
+#          Proves HA readiness before Phase 2 services rely on this DB tier.
+#
+# Usage:
+#   docker compose -f docker/docker-compose.lan.yml up -d
+#   Primary:     localhost:5432  (read-write)
+#   Replica:     localhost:5433  (read-only, hot standby)
+#   pgAdmin UI:  http://localhost:5050  (admin@lab.localhost / Lab02Password!)
+#
+# Architecture:
+#   pg-primary ── streaming replication ──► pg-replica
+#        └──── pgAdmin (management UI) ────────────────┘
+
 services:
-  postgresql:
-    image: postgres:16
-    container_name: it-stack-postgresql
+
+  # ─── PRIMARY ─────────────────────────────────────────────────────────────
+  pg-primary:
+    image: postgres:16-alpine
+    container_name: it-stack-pg-primary
     restart: unless-stopped
+    environment:
+      POSTGRES_USER: labadmin
+      POSTGRES_PASSWORD: Lab02Password!
+      POSTGRES_DB: labdb
+      POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=en_US.UTF-8"
+    command: >
+      postgres
+        -c wal_level=replica
+        -c max_wal_senders=5
+        -c max_replication_slots=5
+        -c hot_standby=on
+        -c wal_keep_size=256
+        -c listen_addresses='*'
+        -c log_replication_commands=on
     ports:
-      - "5432:$firstPort"
+      - "5432:5432"
+    volumes:
+      - pg-primary-data:/var/lib/postgresql/data
+      - ./replication/primary-init.sh:/docker-entrypoint-initdb.d/99-replication.sh:ro
+    networks:
+      - pg-net
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "labadmin", "-d", "labdb"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+
+  # ─── REPLICA ─────────────────────────────────────────────────────────────
+  pg-replica:
+    image: postgres:16-alpine
+    container_name: it-stack-pg-replica
+    restart: unless-stopped
+    user: postgres
     environment:
-      - IT_STACK_ENV=lab-02-lan
-      - DB_HOST=
-      - DB_PORT=5432
-      - REDIS_HOST=
+      PGPASSWORD: Lab02Password!
+    command: >
+      sh -c "
+        if [ ! -f /var/lib/postgresql/data/PG_VERSION ]; then
+          until pg_basebackup
+            --host=pg-primary --port=5432 --username=replicator
+            --pgdata=/var/lib/postgresql/data
+            --wal-method=stream --checkpoint=fast --progress --no-password; do
+            sleep 5
+          done
+          touch /var/lib/postgresql/data/standby.signal
+          echo \"primary_conninfo = 'host=pg-primary port=5432 user=replicator password=Lab02Password!'\" \
+            >> /var/lib/postgresql/data/postgresql.auto.conf
+        fi
+        exec postgres -c hot_standby=on -c listen_addresses='*'
+      "
+    ports:
+      - "5433:5432"
+    volumes:
+      - pg-replica-data:/var/lib/postgresql/data
     networks:
-      - it-stack-net
+      - pg-net
+    depends_on:
+      pg-primary:
+        condition: service_healthy
 
-  # Lightweight local DB for lab (replace with lab-db1 in real env)
-  postgres:
-    image: postgres:16
-    container_name: it-stack-postgresql-db
+  # ─── pgADMIN ─────────────────────────────────────────────────────────────
+  pgadmin:
+    image: dpage/pgadmin4:latest
+    container_name: it-stack-pgadmin
+    restart: unless-stopped
     environment:
-      POSTGRES_DB: postgresql_db
-      POSTGRES_USER: postgresql_user
-      POSTGRES_PASSWORD: postgresql_pass
+      PGADMIN_DEFAULT_EMAIL: admin@lab.localhost
+      PGADMIN_DEFAULT_PASSWORD: Lab02Password!
+      PGADMIN_DISABLE_POSTFIX: "true"
+      PGADMIN_CONFIG_SERVER_MODE: "False"
+    ports:
+      - "5050:80"
     volumes:
-      - postgresql_pg_data:/var/lib/postgresql/data
+      - pgadmin-data:/var/lib/pgadmin
+      - ./pgadmin/servers.json:/pgadmin4/servers.json:ro
     networks:
-      - it-stack-net
+      - pg-net
+    depends_on:
+      pg-primary:
+        condition: service_healthy
+
+volumes:
+  pg-primary-data:
+    name: it-stack-pg-primary-data
+  pg-replica-data:
+    name: it-stack-pg-replica-data
+  pgadmin-data:
+    name: it-stack-pgadmin-data
 
 networks:
-  it-stack-net:
+  pg-net:
+    name: it-stack-pg-net
     driver: bridge
-
-volumes:
-  postgresql_pg_data:

docker/pgadmin/servers.json

@@ -0,0 +1,25 @@
+{
+  "Servers": {
+    "1": {
+      "Name": "it-stack-primary (read-write)",
+      "Group": "IT-Stack Lab 02",
+      "Host": "pg-primary",
+      "Port": 5432,
+      "MaintenanceDB": "labdb",
+      "Username": "labadmin",
+      "SSLMode": "prefer",
+      "PassFile": "/pgpassfile",
+      "Comment": "Primary node — all writes go here"
+    },
+    "2": {
+      "Name": "it-stack-replica (read-only)",
+      "Group": "IT-Stack Lab 02",
+      "Host": "pg-replica",
+      "Port": 5432,
+      "MaintenanceDB": "labdb",
+      "Username": "labadmin",
+      "SSLMode": "prefer",
+      "Comment": "Streaming replica — read-only hot standby"
+    }
+  }
+}

docker/replication/primary-init.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# primary-init.sh
+# Run once at PostgreSQL primary init via docker-entrypoint-initdb.d
+# Creates the replication user used by pg-replica for streaming replication.
+set -euo pipefail
+
+echo "==> Creating replicator user for streaming replication..."
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+  DO \$\$
+  BEGIN
+    IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'replicator') THEN
+      CREATE ROLE replicator WITH REPLICATION LOGIN PASSWORD 'Lab02Password!';
+      RAISE NOTICE 'Created replicator role';
+    ELSE
+      RAISE NOTICE 'replicator role already exists';
+    END IF;
+  END
+  \$\$;
+
+  -- Grant pg_monitor to replicator so monitoring tools can authenticate
+  GRANT pg_monitor TO replicator;
+EOSQL
+
+echo "==> Configuring pg_hba.conf for replication connections..."
+# Allow replicator from any host on the pg-net Docker network
+cat >> "$PGDATA/pg_hba.conf" <<-EOF
+# Streaming replication (added by primary-init.sh)
+host  replication  replicator  0.0.0.0/0  scram-sha-256
+EOF
+
+echo "==> Replication setup complete."