Add Kubernetes auth and workspace deployment support

Author: evanriley00

.env.example

@@ -7,5 +7,7 @@ AI_SQL_ANALYST_QUERY_LOG_PATH=./data/query_log.jsonl
 AI_SQL_ANALYST_MAX_QUERY_ROWS=100
 AI_SQL_ANALYST_DATABASE_BACKEND=sqlite
 AI_SQL_ANALYST_POSTGRES_DSN=postgresql://ai_sql:ai_sql_password@localhost:5432/ai_sql_analyst
+AI_SQL_ANALYST_API_KEYS=dev-api-key
+AI_SQL_ANALYST_BROWSER_API_KEY=dev-api-key
 OPENAI_API_KEY=
 AI_SQL_ANALYST_MODEL=gpt-5-mini

.github/workflows/ai-sql-analyst-ci.yml

@@ -34,3 +34,48 @@ jobs:
 
       - name: Run text-to-SQL evals
         run: python manage.py evals
+
+  postgres-integration:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_DB: ai_sql_analyst
+          POSTGRES_USER: ai_sql
+          POSTGRES_PASSWORD: ai_sql_password
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U ai_sql -d ai_sql_analyst"
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 10
+
+    defaults:
+      run:
+        working-directory: ai-sql-analyst
+
+    env:
+      AI_SQL_ANALYST_DATABASE_BACKEND: postgres
+      AI_SQL_ANALYST_POSTGRES_DSN: postgresql://ai_sql:ai_sql_password@localhost:5432/ai_sql_analyst
+      AI_SQL_ANALYST_API_KEYS: dev-api-key
+      AI_SQL_ANALYST_BROWSER_API_KEY: dev-api-key
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Initialize Postgres schema
+        run: python manage.py init-db
+
+      - name: Run evals against Postgres
+        run: python manage.py evals

.gitignore

@@ -2,3 +2,7 @@ data/*.db
 data/*.jsonl
 __pycache__/
 .pytest_cache/
+.terraform/
+*.tfstate
+*.tfstate.*
+*.tfvars

README.md

@@ -10,6 +10,8 @@ It is designed to show:
 - Observable analytics workflows
 - PostgreSQL-backed application architecture
 - Dockerized local infrastructure
+- Kubernetes manifests with probes, services, secrets, and autoscaling
+- Terraform Kubernetes deployment option
 - Automated tests and text-to-SQL evals
 
 ## What It Does
@@ -39,9 +41,11 @@ It then:
 - Heuristic fallback when no OpenAI API key is configured
 - Analyst console served by the API
 - Query history and aggregate system metrics
+- API key authentication
+- Workspace-scoped SQL guardrails for multi-tenant analytics
 - Built-in SQL evaluation suite
 - Automated tests for API behavior and guardrails
-- CI workflow for tests and evals
+- CI workflow for tests, evals, and Postgres integration
 
 ## Project Structure
 
@@ -64,6 +68,10 @@ ai-sql-analyst/
       index.html
       styles.css
   tests/
+  k8s/
+    base/
+  terraform/
+    kubernetes/
   evals.py
   manage.py
   docker-compose.yml
@@ -117,6 +125,8 @@ Key options:
 ```bash
 AI_SQL_ANALYST_DATABASE_BACKEND=sqlite
 AI_SQL_ANALYST_POSTGRES_DSN=postgresql://ai_sql:ai_sql_password@localhost:5432/ai_sql_analyst
+AI_SQL_ANALYST_API_KEYS=dev-api-key
+AI_SQL_ANALYST_BROWSER_API_KEY=dev-api-key
 OPENAI_API_KEY=your-key-here
 ```
 
@@ -152,10 +162,17 @@ Request:
 
 ```json
 {
-  "question": "Show the top 5 customers by revenue"
+  "question": "Show the top 5 customers by revenue",
+  "workspace_id": "demo"
 }
 ```
 
+Protected API endpoints require:
+
+```text
+X-API-Key: dev-api-key
+```
+
 ### `GET /history`
 
 Returns recent query log entries.
@@ -184,6 +201,42 @@ python ai-sql-analyst/evals.py
 
 The GitHub Actions workflow in `.github/workflows/ai-sql-analyst-ci.yml` runs both tests and evals.
 
+## Kubernetes
+
+The Kubernetes base manifests live in `k8s/base`.
+
+Apply with Kustomize:
+
+```bash
+kubectl apply -k ai-sql-analyst/k8s/base
+```
+
+The base includes:
+- Namespace
+- ConfigMap
+- Secret example
+- PostgreSQL StatefulSet and Service
+- API Deployment and Service
+- Readiness and liveness probes
+- HorizontalPodAutoscaler
+- Optional ingress example
+
+For a real environment, replace `k8s/base/secret.example.yaml` with a sealed secret, external secret, or cluster-managed secret.
+
+## Terraform
+
+The Terraform Kubernetes example lives in `terraform/kubernetes`.
+
+```bash
+cd ai-sql-analyst/terraform/kubernetes
+terraform init
+terraform plan \
+  -var="api_keys=replace-me" \
+  -var="postgres_password=replace-me"
+```
+
+This provisions the namespace, app config, secret, PostgreSQL StatefulSet, and API Deployment/Service into an existing Kubernetes cluster.
+
 Response shape:
 
 ```json
@@ -222,6 +275,6 @@ This keeps the project business-facing and makes the SQL portfolio signal much c
 
 ## Next Up
 
-- Role-based query scopes
+- Role-based workspace permissions
 - Retrieval over metric definitions and BI docs
-- Cloud deployment and infrastructure as code
+- Cloud deployment walkthrough

ai_sql_analyst/auth.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from fastapi import Header, HTTPException, status
+
+from ai_sql_analyst.config import settings
+
+
+@dataclass(frozen=True, slots=True)
+class Principal:
+    api_key: str
+    workspace_id: str = "demo"
+
+
+def require_api_key(x_api_key: str = Header(default="")) -> Principal:
+    allowed_keys = settings.allowed_api_keys()
+    if not allowed_keys:
+        return Principal(api_key="", workspace_id="demo")
+    if x_api_key not in allowed_keys:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Missing or invalid X-API-Key header.",
+        )
+    return Principal(api_key=x_api_key, workspace_id="demo")

ai_sql_analyst/config.py

@@ -34,8 +34,13 @@ class Settings(BaseSettings):
         default="postgresql://ai_sql:ai_sql_password@localhost:5432/ai_sql_analyst",
         alias="AI_SQL_ANALYST_POSTGRES_DSN",
     )
+    api_keys: str = Field(default="dev-api-key", alias="AI_SQL_ANALYST_API_KEYS")
+    browser_api_key: str = Field(default="dev-api-key", alias="AI_SQL_ANALYST_BROWSER_API_KEY")
     openai_api_key: str = Field(default="", alias="OPENAI_API_KEY")
     model_name: str = Field(default="gpt-5-mini", alias="AI_SQL_ANALYST_MODEL")
 
+    def allowed_api_keys(self) -> set[str]:
+        return {key.strip() for key in self.api_keys.split(",") if key.strip()}
+
 
 settings = Settings()

ai_sql_analyst/db/migrations.py

@@ -4,6 +4,7 @@
 SQLITE_SCHEMA = """
 CREATE TABLE IF NOT EXISTS customers (
     customer_id INTEGER PRIMARY KEY,
+    workspace_id TEXT NOT NULL DEFAULT 'demo',
     customer_name TEXT NOT NULL,
     segment TEXT NOT NULL,
     region TEXT NOT NULL,
@@ -12,6 +13,7 @@
 
 CREATE TABLE IF NOT EXISTS invoices (
     invoice_id INTEGER PRIMARY KEY,
+    workspace_id TEXT NOT NULL DEFAULT 'demo',
     customer_id INTEGER NOT NULL,
     invoice_month TEXT NOT NULL,
     amount_usd REAL NOT NULL,
@@ -21,6 +23,7 @@
 
 CREATE TABLE IF NOT EXISTS support_tickets (
     ticket_id INTEGER PRIMARY KEY,
+    workspace_id TEXT NOT NULL DEFAULT 'demo',
     customer_id INTEGER NOT NULL,
     created_at TEXT NOT NULL,
     priority TEXT NOT NULL,
@@ -34,6 +37,7 @@
 POSTGRES_SCHEMA = """
 CREATE TABLE IF NOT EXISTS customers (
     customer_id INTEGER PRIMARY KEY,
+    workspace_id TEXT NOT NULL DEFAULT 'demo',
     customer_name TEXT NOT NULL,
     segment TEXT NOT NULL,
     region TEXT NOT NULL,
@@ -42,6 +46,7 @@
 
 CREATE TABLE IF NOT EXISTS invoices (
     invoice_id INTEGER PRIMARY KEY,
+    workspace_id TEXT NOT NULL DEFAULT 'demo',
     customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
     invoice_month DATE NOT NULL,
     amount_usd NUMERIC(12, 2) NOT NULL,
@@ -50,6 +55,7 @@
 
 CREATE TABLE IF NOT EXISTS support_tickets (
     ticket_id INTEGER PRIMARY KEY,
+    workspace_id TEXT NOT NULL DEFAULT 'demo',
     customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
     created_at DATE NOT NULL,
     priority TEXT NOT NULL,
@@ -58,7 +64,9 @@
 );
 
 CREATE INDEX IF NOT EXISTS idx_invoices_customer_id ON invoices(customer_id);
+CREATE INDEX IF NOT EXISTS idx_invoices_workspace_id ON invoices(workspace_id);
 CREATE INDEX IF NOT EXISTS idx_invoices_month ON invoices(invoice_month);
 CREATE INDEX IF NOT EXISTS idx_support_tickets_customer_id ON support_tickets(customer_id);
+CREATE INDEX IF NOT EXISTS idx_support_tickets_workspace_id ON support_tickets(workspace_id);
 CREATE INDEX IF NOT EXISTS idx_support_tickets_priority ON support_tickets(priority);
 """

ai_sql_analyst/db/seeds.py

@@ -1,39 +1,39 @@
 from __future__ import annotations
 
 CUSTOMERS = [
-    (1, "Northstar Health", "Enterprise", "Midwest", "2024-01-15"),
-    (2, "Blue River Logistics", "Mid-Market", "South", "2024-02-20"),
-    (3, "Summit Retail Group", "SMB", "West", "2024-03-08"),
-    (4, "Atlas Insurance", "Enterprise", "Northeast", "2024-04-11"),
-    (5, "Brightline Energy", "Mid-Market", "West", "2024-05-03"),
+    (1, "demo", "Northstar Health", "Enterprise", "Midwest", "2024-01-15"),
+    (2, "demo", "Blue River Logistics", "Mid-Market", "South", "2024-02-20"),
+    (3, "demo", "Summit Retail Group", "SMB", "West", "2024-03-08"),
+    (4, "demo", "Atlas Insurance", "Enterprise", "Northeast", "2024-04-11"),
+    (5, "demo", "Brightline Energy", "Mid-Market", "West", "2024-05-03"),
 ]
 
 INVOICES = [
-    (1, 1, "2026-01-01", 12400.0, "Enterprise Pro"),
-    (2, 1, "2026-02-01", 12400.0, "Enterprise Pro"),
-    (3, 1, "2026-03-01", 11800.0, "Enterprise Pro"),
-    (4, 2, "2026-01-01", 7300.0, "Growth"),
-    (5, 2, "2026-02-01", 7300.0, "Growth"),
-    (6, 2, "2026-03-01", 6900.0, "Growth"),
-    (7, 3, "2026-01-01", 2100.0, "Starter"),
-    (8, 3, "2026-02-01", 2400.0, "Starter"),
-    (9, 3, "2026-03-01", 2400.0, "Starter"),
-    (10, 4, "2026-01-01", 9800.0, "Enterprise Pro"),
-    (11, 4, "2026-02-01", 9800.0, "Enterprise Pro"),
-    (12, 4, "2026-03-01", 10200.0, "Enterprise Pro"),
-    (13, 5, "2026-01-01", 5800.0, "Growth"),
-    (14, 5, "2026-02-01", 5800.0, "Growth"),
-    (15, 5, "2026-03-01", 5200.0, "Growth"),
+    (1, "demo", 1, "2026-01-01", 12400.0, "Enterprise Pro"),
+    (2, "demo", 1, "2026-02-01", 12400.0, "Enterprise Pro"),
+    (3, "demo", 1, "2026-03-01", 11800.0, "Enterprise Pro"),
+    (4, "demo", 2, "2026-01-01", 7300.0, "Growth"),
+    (5, "demo", 2, "2026-02-01", 7300.0, "Growth"),
+    (6, "demo", 2, "2026-03-01", 6900.0, "Growth"),
+    (7, "demo", 3, "2026-01-01", 2100.0, "Starter"),
+    (8, "demo", 3, "2026-02-01", 2400.0, "Starter"),
+    (9, "demo", 3, "2026-03-01", 2400.0, "Starter"),
+    (10, "demo", 4, "2026-01-01", 9800.0, "Enterprise Pro"),
+    (11, "demo", 4, "2026-02-01", 9800.0, "Enterprise Pro"),
+    (12, "demo", 4, "2026-03-01", 10200.0, "Enterprise Pro"),
+    (13, "demo", 5, "2026-01-01", 5800.0, "Growth"),
+    (14, "demo", 5, "2026-02-01", 5800.0, "Growth"),
+    (15, "demo", 5, "2026-03-01", 5200.0, "Growth"),
 ]
 
 SUPPORT_TICKETS = [
-    (1, 1, "2026-03-03", "High", "Closed", 14.0),
-    (2, 1, "2026-03-18", "Medium", "Closed", 8.0),
-    (3, 2, "2026-03-06", "High", "Closed", 19.0),
-    (4, 2, "2026-03-27", "Low", "Open", 36.0),
-    (5, 3, "2026-03-10", "Medium", "Closed", 6.0),
-    (6, 4, "2026-03-11", "Critical", "Closed", 22.0),
-    (7, 4, "2026-03-19", "High", "Open", 41.0),
-    (8, 5, "2026-03-20", "Medium", "Closed", 9.0),
-    (9, 5, "2026-03-22", "Low", "Closed", 5.0),
+    (1, "demo", 1, "2026-03-03", "High", "Closed", 14.0),
+    (2, "demo", 1, "2026-03-18", "Medium", "Closed", 8.0),
+    (3, "demo", 2, "2026-03-06", "High", "Closed", 19.0),
+    (4, "demo", 2, "2026-03-27", "Low", "Open", 36.0),
+    (5, "demo", 3, "2026-03-10", "Medium", "Closed", 6.0),
+    (6, "demo", 4, "2026-03-11", "Critical", "Closed", 22.0),
+    (7, "demo", 4, "2026-03-19", "High", "Open", 41.0),
+    (8, "demo", 5, "2026-03-20", "Medium", "Closed", 9.0),
+    (9, "demo", 5, "2026-03-22", "Low", "Closed", 5.0),
 ]