NVIDIA
diff --git a/‎.github/workflows/e2e-test.yml‎
Lines changed: 34 additions & 10 deletions b/‎.github/workflows/e2e-test.yml‎
Lines changed: 34 additions & 10 deletions
diff --git a/‎distros/kubernetes/nvsentinel/Chart.lock‎
Lines changed: 11 additions & 2 deletions b/‎distros/kubernetes/nvsentinel/Chart.lock‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎distros/kubernetes/nvsentinel/Chart.yaml‎
Lines changed: 4 additions & 0 deletions b/‎distros/kubernetes/nvsentinel/Chart.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎distros/kubernetes/nvsentinel/charts/csp-health-monitor/templates/deployment.yaml‎
Lines changed: 73 additions & 6 deletions b/‎distros/kubernetes/nvsentinel/charts/csp-health-monitor/templates/deployment.yaml‎
Lines changed: 73 additions & 6 deletions
diff --git a/‎distros/kubernetes/nvsentinel/charts/csp-health-monitor/values.yaml‎
Lines changed: 3 additions & 0 deletions b/‎distros/kubernetes/nvsentinel/charts/csp-health-monitor/values.yaml‎
Lines changed: 3 additions & 0 deletions
@@ -15,12 +15,13 @@
 name: E2E Tests
 
 # This workflow runs end-to-end tests on both AMD64 and ARM64 architectures in parallel
-# to ensure compatibility across different hardware platforms.
+# with both MongoDB and PostgreSQL datastores to ensure compatibility across different
+# hardware platforms and database backends.
 #
 # Configuration:
 # - Set RUNNER_ARCH_LARGE_AMD64 variable to override default AMD64 runner
 # - Set RUNNER_ARCH_LARGE_ARM64 variable to override default ARM64 runner
-# - Each architecture gets its own isolated cluster and test artifacts
+# - Each architecture + datastore combination gets its own isolated cluster and test artifacts
 
 on:
   push:
@@ -39,18 +40,33 @@ permissions:
 
 jobs:
   e2e-test:
+    # Run E2E tests on both AMD64 and ARM64 architectures with both MongoDB and PostgreSQL
     strategy:
-      fail-fast: false  # Allow both architectures to complete even if one fails
+      fail-fast: false  # Allow all combinations to complete even if some fail
       matrix:
         include:
           - arch: amd64
             runner: ${{ vars.RUNNER_ARCH_LARGE_AMD64 || 'linux-amd64-cpu32' }}
             arch_name: "AMD64"
+            datastore: "mongodb"
+            datastore_name: "MongoDB"
           - arch: arm64
             runner: ${{ vars.RUNNER_ARCH_LARGE_ARM64 || 'linux-arm64-cpu32' }}
             arch_name: "ARM64"
+            datastore: "mongodb"
+            datastore_name: "MongoDB"
+          - arch: amd64
+            runner: ${{ vars.RUNNER_ARCH_LARGE_AMD64 || 'linux-amd64-cpu32' }}
+            arch_name: "AMD64"
+            datastore: "postgresql"
+            datastore_name: "PostgreSQL"
+          - arch: arm64
+            runner: ${{ vars.RUNNER_ARCH_LARGE_ARM64 || 'linux-arm64-cpu32' }}
+            arch_name: "ARM64"
+            datastore: "postgresql"
+            datastore_name: "PostgreSQL"
 
-    name: "E2E Tests (${{ matrix.arch_name }})"
+    name: "E2E Tests (${{ matrix.arch_name }} + ${{ matrix.datastore_name }})"
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 90
     steps:
@@ -120,24 +136,32 @@ jobs:
         env:
           CI_COMMIT_REF_NAME: ${{ steps.ref-name.outputs.value }}
           CTLPTL_YAML: .ctlptl.yaml
-          # Make cluster names unique per architecture to avoid conflicts in parallel runs
-          CLUSTER_NAME_SUFFIX: "-${{ matrix.arch }}"
+          # Make cluster names unique per architecture and datastore to avoid conflicts in parallel runs
+          CLUSTER_NAME_SUFFIX: "-${{ matrix.arch }}-${{ matrix.datastore }}"
         run: |
           make cluster-create
 
+      - name: Override MongoDB image for ARM64
+        if: matrix.arch == 'arm64' && matrix.datastore == 'mongodb'
+        run: |
+          sed -i 's/repository: "bitnamilegacy\/mongodb"/repository: "dlavrenuek\/bitnami-mongodb-arm"/' distros/kubernetes/nvsentinel/values-tilt.yaml
+          sed -i 's/tag: "8.0.3-debian-12-r1"/tag: "8.0.4"/' distros/kubernetes/nvsentinel/values-tilt.yaml
+
       - name: Run E2E tests
         env:
           CI_COMMIT_REF_NAME: ${{ steps.ref-name.outputs.value }}
           CTLPTL_YAML: .ctlptl.yaml
           # Use same cluster name suffix for consistency
-          CLUSTER_NAME_SUFFIX: "-${{ matrix.arch }}"
+          CLUSTER_NAME_SUFFIX: "-${{ matrix.arch }}-${{ matrix.datastore }}"
+          # Set USE_POSTGRESQL for PostgreSQL tests (our integrated Tiltfile approach)
+          USE_POSTGRESQL: ${{ matrix.datastore == 'postgresql' && '1' || '0' }}
         run: |
           make e2e-test-ci
 
       - name: Upload test results
         uses: ./.github/actions/upload-test-artifacts
         with:
-          component-name: e2e-test-${{ matrix.arch }}
+          component-name: e2e-test-${{ matrix.arch }}-${{ matrix.datastore }}
           file-paths: |
             tests/results/
             tests/*.log
@@ -167,15 +191,15 @@ jobs:
         if: always()
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
         with:
-          name: e2e-kind-logs-${{ matrix.arch }}-${{ github.run_id }}
+          name: e2e-kind-logs-${{ matrix.arch }}-${{ matrix.datastore }}-${{ github.run_id }}
           path: /tmp/kind-logs/
           retention-days: 7
 
       - name: Upload debug artifacts
         if: failure()
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
         with:
-          name: e2e-debug-artifacts-${{ matrix.arch }}-${{ github.run_id }}
+          name: e2e-debug-artifacts-${{ matrix.arch }}-${{ matrix.datastore }}-${{ github.run_id }}
           path: /tmp/debug-artifacts/
           retention-days: 7
 
 
@@ -5,6 +5,9 @@ dependencies:
 - name: mongodb-store
   repository: ""
   version: 0.1.0
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 15.5.38
 - name: fault-quarantine
   repository: ""
   version: 0.1.0
@@ -29,5 +32,11 @@ dependencies:
 - name: labeler
   repository: ""
   version: 0.1.0
-digest: sha256:c10f6e7fdb0b99a47f38e210c25e610da182c94fe32d89753a34352d12c0bb22
-generated: "2025-10-15T10:37:19.739789+05:30"
+- name: janitor
+  repository: ""
+  version: 0.1.0
+- name: metadata-collector
+  repository: ""
+  version: 0.1.0
+digest: sha256:fbd3a4e221d47238452d3d157828b25b66eab2c1f02f829c3edbada6d3b11efe
+generated: "2025-11-16T11:25:12.087718-05:00"
@@ -25,6 +25,10 @@ dependencies:
   - name: mongodb-store
     version: "0.1.0"
     condition: global.mongodbStore.enabled
+  - name: postgresql
+    version: "15.5.38"
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: postgresql.enabled
   - name: fault-quarantine
     version: "0.1.0"
     condition: global.faultQuarantine.enabled
 
@@ -36,17 +36,54 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "csp-health-monitor.fullname" . }}
+      {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+      initContainers:
+        - name: fix-cert-permissions
+          image: "docker.io/bitnamilegacy/os-shell:12-debian-12-r30"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 1001
+            runAsGroup: 1001
+          command:
+            - sh
+            - -c
+            - |
+              echo "Copying PostgreSQL client certificates with correct permissions..."
+              cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/
+              cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/
+              cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/
+              chmod 644 /etc/ssl/client-certs-fixed/tls.crt
+              chmod 644 /etc/ssl/client-certs-fixed/ca.crt
+              chmod 600 /etc/ssl/client-certs-fixed/tls.key
+              echo "Certificate permissions fixed:"
+              ls -la /etc/ssl/client-certs-fixed/
+          volumeMounts:
+            - name: postgresql-client-cert-original
+              mountPath: /etc/ssl/client-certs-original
+              readOnly: true
+            - name: client-certs-fixed
+              mountPath: /etc/ssl/client-certs-fixed
+      {{- end }}
       volumes:
       - name: config-volume
         configMap:
           name: {{ include "csp-health-monitor.fullname" . }}
           items:
           - key: config.toml
             path: config.toml
+      {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+      - name: postgresql-client-cert-original
+        secret:
+          secretName: postgresql-client-cert
+          optional: true
+      - name: client-certs-fixed
+        emptyDir: {}
+      {{- else }}
       - name: mongo-app-client-cert
         secret:
           secretName: mongo-app-client-cert-secret # Defined in mongodb-store chart
           optional: true
+      {{- end }}
       - name: platform-connector-uds
         hostPath:
           path: /var/run/nvsentinel
@@ -55,10 +92,19 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          securityContext:
+            runAsUser: 1001
+            runAsGroup: 1001
+          {{- end }}
           args:
           - "--config=/etc/config/config.toml"
           - "--metrics-port={{ ((.Values.global).metricsPort) | default 2112 }}"
-          - "--mongo-client-cert-mount-path=/etc/ssl/mongo-client"
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          - "--mongo-client-cert-mount-path={{ .Values.clientCertMountPath }}"
+          {{- else }}
+          - "--mongo-client-cert-mount-path={{ .Values.clientCertMountPath }}"
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           ports:
@@ -68,25 +114,40 @@ spec:
           volumeMounts:
           - name: config-volume
             mountPath: /etc/config/
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          - name: client-certs-fixed
+            mountPath: {{ .Values.clientCertMountPath }}
+            readOnly: true
+          {{- else }}
           - name: mongo-app-client-cert
-            mountPath: /etc/ssl/mongo-client
+            mountPath: {{ .Values.clientCertMountPath }}
             readOnly: true
+          {{- end }}
           env:
             - name: LOG_LEVEL
               value: "{{ .Values.logLevel }}"
           envFrom:
             - configMapRef:
-                name: mongodb-config
+                name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }}
                 optional: true
 
         - name: maintenance-notifier
           image: "{{ .Values.quarantineTriggerEngine.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.quarantineTriggerEngine.image.pullPolicy | default .Values.image.pullPolicy }}
           securityContext:
+            {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+            runAsUser: 1001
+            runAsGroup: 1001
+            {{- else }}
             runAsUser: 0
+            {{- end }}
           args:
           - "--config=/etc/config/config.toml"
-          - "--mongo-client-cert-mount-path=/etc/ssl/mongo-client"
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          - "--mongo-client-cert-mount-path={{ .Values.clientCertMountPath }}"
+          {{- else }}
+          - "--mongo-client-cert-mount-path={{ .Values.clientCertMountPath }}"
+          {{- end }}
           - "--uds-path=/run/nvsentinel/nvsentinel.sock"
           - "--metrics-port=2113"
           resources:
@@ -98,17 +159,23 @@ spec:
           volumeMounts:
           - name: config-volume
             mountPath: /etc/config/
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          - name: client-certs-fixed
+            mountPath: {{ .Values.clientCertMountPath }}
+            readOnly: true
+          {{- else }}
           - name: mongo-app-client-cert
-            mountPath: /etc/ssl/mongo-client
+            mountPath: {{ .Values.clientCertMountPath }}
             readOnly: true
+          {{- end }}
           - name: platform-connector-uds
             mountPath: /run/nvsentinel
           env:
             - name: LOG_LEVEL
               value: "{{ .Values.quarantineTriggerEngine.logLevel | default .Values.logLevel }}"
           envFrom:
             - configMapRef:
-                name: mongodb-config
+                name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }}
                 optional: true
       restartPolicy: Always
       {{- with (((.Values.global).systemNodeSelector) | default .Values.nodeSelector) }}
 
@@ -52,6 +52,9 @@ podAnnotations: {}
 # Log verbosity level for the main CSP health monitor container (e.g. "debug", "info", "warn", "error")
 logLevel: info
 
+# Client certificate mount path for database connections
+clientCertMountPath: /etc/ssl/client-certs
+
 # cspName specifies the active cloud service provider. Can be "gcp" or "aws".
 cspName: ""