mosip · bhumi46 · Mar 11, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 24, 2026
diff --git a/.github/scripts/configure-backend.sh b/.github/scripts/configure-backend.sh
@@ -15,6 +15,7 @@ usage() {
     echo "  -c, --component       Component: base-infra, infra, observ-infra (required)"
     echo "  -b, --branch          Branch name for state key (required for remote)"
     echo "  -r, --remote-config   Remote backend config string (required for remote)"
+    echo "  --profile             Infrastructure profile (e.g., mosip, esignet) - included in state key"
     echo "  --enable-locking      Enable state locking (optional, for production)"
     echo "  -h, --help            Show this help message"
     echo ""
@@ -44,6 +45,7 @@ CLOUD_PROVIDER=""
 COMPONENT=""
 BRANCH_NAME=""
 REMOTE_CONFIG=""
+PROFILE=""
 ENABLE_LOCKING=false
 
 # Parse command line arguments
@@ -73,6 +75,14 @@ while [[ $# -gt 0 ]]; do
             ENABLE_LOCKING=true
             shift
             ;;
+        --profile)
+            if [[ -z "$2" || "$2" == -* ]]; then
+                echo "Error: --profile requires a non-empty argument that is not an option flag."
+                exit 1
+            fi
+            PROFILE="$2"
+            shift 2
+            ;;
         -h|--help)
             usage
             exit 0
@@ -129,6 +139,7 @@ echo "=== MOSIP Terraform Backend Configuration ==="
 echo "Backend type: $BACKEND_TYPE"
 echo "Cloud provider: $CLOUD_PROVIDER"
 echo "Component: $COMPONENT"
+echo "Profile: ${PROFILE:-none}"
 echo "Branch: $BRANCH_NAME"
 echo "============================================="
 
@@ -137,11 +148,17 @@ create_local_backend() {
     local provider="$1"
     local component="$2"
     local branch="$3"
+    local profile="$4"
 
     # Include branch name for consistency and to avoid conflicts
     # Use 'local' as default branch name if not provided
     local branch_suffix="${branch:-local}"
-    local state_file="${provider}-${component}-${branch_suffix}-terraform.tfstate"
+    local state_file
+    if [ -n "$profile" ]; then
+        state_file="${provider}-${component}-${profile}-${branch_suffix}-terraform.tfstate"
+    else
+        state_file="${provider}-${component}-${branch_suffix}-terraform.tfstate"
+    fi
 
     echo "Configuring local backend..."
     echo "State file will be: $state_file"
@@ -184,7 +201,12 @@ create_aws_backend() {
         region="$DYNAMIC_REGION"
     fi
 
-    local state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate"
+    local state_key
+    if [ -n "$PROFILE" ]; then
+        state_key="${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}-terraform.tfstate"
+    else
+        state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate"
+    fi
 
     echo "Configuring AWS S3 backend..."
     echo "Base bucket name: $bucket_base_name"
@@ -251,7 +273,12 @@ create_azure_backend() {
     fi
 
     # Include branch name in state key to avoid conflicts
-    local state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate"
+    local state_key
+    if [ -n "$PROFILE" ]; then
+        state_key="${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}-terraform.tfstate"
+    else
+        state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate"
+    fi
 
     echo "Configuring Azure Storage backend..."
     echo "Resource Group: $resource_group"
@@ -294,7 +321,12 @@ create_gcp_backend() {
     fi
 
     # Include branch name in prefix to avoid conflicts
-    local state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${branch}"
+    local state_prefix
+    if [ -n "$PROFILE" ]; then
+        state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}"
+    else
+        state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${branch}"
+    fi
 
     echo "Configuring GCS backend..."
     echo "Bucket: $bucket_name"
@@ -323,7 +355,7 @@ EOF
 # Main execution
 main() {
     if [ "$BACKEND_TYPE" = "local" ]; then
-        create_local_backend "$CLOUD_PROVIDER" "$COMPONENT" "$BRANCH_NAME"
+        create_local_backend "$CLOUD_PROVIDER" "$COMPONENT" "$BRANCH_NAME" "$PROFILE"
 
     elif [ "$BACKEND_TYPE" = "remote" ]; then
         # Parse remote configuration

diff --git a/.github/workflows/helmsman_esignet.yml b/.github/workflows/helmsman_esignet.yml
@@ -3,6 +3,15 @@ name: Deploy eSignet using Helmsman
 on:
   workflow_dispatch:
     inputs:
+      profile:
+        description: "Deployment profile to use"
+        required: true
+        default: "mosip-platform-java11"
+        type: choice
+        options:
+          - mosip-platform-java11
+          - mosip-platform-java21
+          - esignet
       mode:
         description: "Choose Helmsman mode: dry-run or apply"
         required: true
@@ -23,7 +32,7 @@ on:
         type: boolean
   push:
     paths:
-      - Helmsman/dsf/esignet-dsf.yaml
+      - Helmsman/dsf/**/esignet-dsf.yaml
 
 jobs:
   deploy:
@@ -92,7 +101,31 @@ jobs:
             echo "HELMSMAN_MODE=apply" >> $GITHUB_ENV
           else
             echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV
-          fi        
+          fi
+
+      - name: Set Profile
+        run: |
+          # Determine profile: from workflow input or detect from changed files on push
+          if [ -n "${{ github.event.inputs.profile }}" ]; then
+            PROFILE="${{ github.event.inputs.profile }}"
+          else
+            # Auto-detect profile from push trigger — extract profile dir name from changed files
+            # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone)
+            BEFORE="${{ github.event.before }}"
+            SHA="${{ github.sha }}"
+            if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then
+              BEFORE="HEAD~1"
+            fi
+            CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \
+                            git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "")
+            PROFILE=$(echo "$CHANGED_FILES" | grep 'esignet-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|')
+            if [[ -z "$PROFILE" ]]; then
+              echo "Error: could not detect profile from changed DSF files."
+              exit 1
+            fi
+          fi
+          echo "PROFILE=$PROFILE" >> "$GITHUB_ENV"
+          echo "Using profile: $PROFILE"
 
       - name: Setup ufw firewall
         run: |
@@ -151,7 +184,7 @@ jobs:
           kubectl cluster-info
 
       - name: Check if mosip-dsf label is completed
-        if: ${{ github.event.inputs.skip_mosip_dsf_check != 'true' && vars.ESIGNET_STANDALONE_MODE != 'true' }}
+        if: ${{ github.event.inputs.skip_mosip_dsf_check != 'true' && vars.ESIGNET_STANDALONE_MODE != 'true' && github.event.inputs.profile != 'esignet' }}
         run: |
           STATUS=$(kubectl get namespace default -o jsonpath='{.metadata.labels.mosip-dsf}' 2>/dev/null || echo "")
           if [[ "$STATUS" != "completed" ]]; then
@@ -329,7 +362,8 @@ jobs:
 
           # Run helmsman with the determined mode
           # --keep-untracked-releases prevents deletion of releases managed by other DSF files (e.g., postgres-init from external-dsf)
-          helmsman --${HELMSMAN_MODE} --keep-untracked-releases -f $WORKDIR/dsf/esignet-dsf.yaml
+          echo "Using DSF: $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml"
+          helmsman --${HELMSMAN_MODE} --keep-untracked-releases -f $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml
 
       - name: Label namespace on successful deployment
         if: success() && env.HELMSMAN_MODE == 'apply'
@@ -343,6 +377,7 @@ jobs:
           echo "=================================="
           echo "eSignet Deployment Summary"
           echo "=================================="
+          echo "Profile: $PROFILE"
           echo "Mode: $HELMSMAN_MODE"
           echo "Branch: ${{ github.ref_name }}"
           echo "Commit: ${{ github.sha }}"

diff --git a/.github/workflows/helmsman_external.yml b/.github/workflows/helmsman_external.yml
@@ -3,18 +3,27 @@ name: Deploy External services of mosip using Helmsman
 on:
   workflow_dispatch:
     inputs:
+      profile:
+        description: "Deployment profile to use"
+        required: true
+        default: "mosip-platform-java11"
+        type: choice
+        options:
+          - mosip-platform-java11
+          - mosip-platform-java21
+          - esignet
       mode:
         description: "Choose Helmsman mode: dry-run or apply"
         required: true
         default: "dry-run"
         type: choice
         options:
           - dry-run
-          - apply   
+          - apply
   push:
     paths:
-      - Helmsman/dsf/prereq-dsf.yaml
-      - Helmsman/dsf/external-dsf.yaml
+      - Helmsman/dsf/**/prereq-dsf.yaml
+      - Helmsman/dsf/**/external-dsf.yaml
 
 permissions:
   actions: write
@@ -24,6 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
+      profile: ${{ steps.set-matrix.outputs.PROFILE }}
     steps:
       - name: Checkout repository with full history
         uses: actions/checkout@v4
@@ -35,39 +45,53 @@ jobs:
         run: |
           matrix_json='{"include":[]}'
           if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
-            matrix_json='{"include":[{"dsf_files":"prereq-dsf.yaml","wg_conf":"wg0"},{"dsf_files":"external-dsf.yaml","wg_conf":"wg1"}]}'
+            PROFILE="${{ github.event.inputs.profile }}"
+            matrix_json="{\"include\":[{\"dsf_files\":\"${PROFILE}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"},{\"dsf_files\":\"${PROFILE}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}]}"
           else
             # Handle different event types properly
             if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
-              # For push events, use GitHub's provided SHAs
-              base_sha="${{ github.event.before}}"
+              base_sha="${{ github.event.before }}"
               head_sha="${{ github.sha }}"
             elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
-              # For PRs, compare against target branch
               base_sha="${{ github.event.pull_request.base.sha }}"
               head_sha="${{ github.event.pull_request.head.sha }}"
             fi
 
-            # Get changed files safely
-            changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- 'Helmsman/dsf/' || echo "")
-
+            # Get changed files safely; fall back to HEAD~1 if base_sha is unreachable
+            changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- 'Helmsman/dsf/' 2>/dev/null || \
+                            git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "")
+
             entries=()
-
-            # Check for exact file paths
-            if echo "$changed_files" | grep -qx 'Helmsman/dsf/prereq-dsf.yaml'; then
-              entries+=('{"dsf_files":"prereq-dsf.yaml","wg_conf":"wg0"}')
-            fi
-
-            if echo "$changed_files" | grep -qx 'Helmsman/dsf/external-dsf.yaml'; then
-              entries+=('{"dsf_files":"external-dsf.yaml","wg_conf":"wg1"}')
+
+            # Dynamically detect changed profiles from file paths
+            changed_profiles=$(echo "$changed_files" | grep 'Helmsman/dsf/' | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|' | sort -u)
+
+            # Derive PROFILE from the changed files (all detected profile dirs, newline-separated)
+            # For workflow-caller, we only care about mosip-platform-* profiles
+            PROFILE=$(echo "$changed_profiles" | grep '^mosip-platform-' | head -1)
+            if [[ -z "$PROFILE" ]]; then
+              # No MOSIP profile detected - this is fine for esignet-only changes
+              PROFILE=""
             fi
-
+
+            for profile_dir in $changed_profiles; do
+              if echo "$changed_files" | grep -q "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"; then
+                entries+=("{\"dsf_files\":\"${profile_dir}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"}")
+              fi
+
+              if echo "$changed_files" | grep -q "Helmsman/dsf/${profile_dir}/external-dsf.yaml"; then
+                entries+=("{\"dsf_files\":\"${profile_dir}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}")
+              fi
+            done
+
             if [ ${#entries[@]} -gt 0 ]; then
               matrix_json="{\"include\":[$(IFS=,; echo "${entries[*]}")]}"
             fi
           fi
 
+          echo "Using profile: $PROFILE"
           echo "matrix=$matrix_json" >> $GITHUB_OUTPUT
+          echo "PROFILE=$PROFILE" >> $GITHUB_OUTPUT
   deploy:
     runs-on: ubuntu-latest
     needs: set-matrix
@@ -240,18 +264,20 @@ jobs:
 
   workflow-caller:
     runs-on: ubuntu-latest
-    needs: deploy
-    if: ${{ github.event_name == 'workflow_dispatch' }}
+    needs: [deploy, set-matrix]
+    # Only trigger MOSIP workflow for mosip-platform profiles, not for standalone esignet
+    if: ${{ startsWith(needs.set-matrix.outputs.profile, 'mosip-platform-') }}
     steps:
       - name: Trigger helmsman mosip workflow via API
         env:
           GITHUB_REPO: ${{ github.repository }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           BRANCH: ${{ github.ref_name }}
+          MODE: ${{ github.event.inputs.mode }}
         run: |
           curl -X POST \
             -H "Accept: application/vnd.github+json" \
             -H "Authorization: Bearer $GITHUB_TOKEN" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
             https://api.github.com/repos/$GITHUB_REPO/actions/workflows/helmsman_mosip.yml/dispatches \
-            -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"apply"}}'
+            -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"'"${MODE:-apply}"'","profile":"'"${{ needs.set-matrix.outputs.profile }}"'"}}'
diff --git a/.github/workflows/helmsman_mosip.yml b/.github/workflows/helmsman_mosip.yml
@@ -3,6 +3,14 @@ name: Deploy Mosip services of mosip using Helmsman
 on:
   workflow_dispatch:
     inputs:
+      profile:
+        description: "Choose MOSIP platform profile"
+        required: true
+        default: "mosip-platform-java11"
+        type: choice
+        options:
+          - mosip-platform-java11
+          - mosip-platform-java21
       mode:
         description: "Choose Helmsman mode: dry-run or apply"
         required: true
@@ -13,7 +21,7 @@ on:
           - apply
   push:
     paths:
-      - Helmsman/dsf/mosip-dsf.yaml
+      - Helmsman/dsf/**/mosip-dsf.yaml
 
 jobs:
   deploy:
@@ -63,6 +71,29 @@ jobs:
             echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV
           fi        
 
+      - name: Set Profile
+        run: |
+          if [ -n "${{ github.event.inputs.profile }}" ]; then
+            PROFILE="${{ github.event.inputs.profile }}"
+          else
+            # Auto-detect profile from push trigger — extract profile dir name from changed files
+            # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone)
+            BEFORE="${{ github.event.before }}"
+            SHA="${{ github.sha }}"
+            if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then
+              BEFORE="HEAD~1"
+            fi
+            CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \
+                            git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "")
+            PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf\.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|')
+            if [[ -z "$PROFILE" ]]; then
+              echo "Error: could not detect profile from changed DSF files."
+              exit 1
+            fi
+          fi
+          echo "PROFILE=$PROFILE" >> "$GITHUB_ENV"
+          echo "Using profile: $PROFILE"
+
       - name: Setup ufw firewall
         run: |
           sudo ufw enable
@@ -134,8 +165,9 @@ jobs:
           echo "Using kubectl: $(which kubectl)"
           echo "Using kubeconfig: $KUBECONFIG"
 
-          # Run helmsman with the determined mode
-          helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/mosip-dsf.yaml
+          # Run helmsman with the determined mode and profile
+          echo "Using profile: $PROFILE"
+          helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/${PROFILE}/mosip-dsf.yaml
 
       - name: Health Check MOSIP Pods
         run: |