updated helm chart to use v5.7.0 and latest PostgreSQL sub-chart (#346)

charts/hapi-fhir-jpaserver/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 10.12.2
+  version: 11.1.19
-digest: sha256:38ee315eae1af3e3f6eb20e1dd8ffd60d4ab7ee0c51bf26941b56c8bcb376c11
+digest: sha256:5bb38230bfa62c63547851e6f46f66a61441a4a4f18e3689827546277e34d192
-generated: "2021-10-07T00:19:18.9743522+02:00"
+generated: "2022-04-08T21:55:34.6868891+02:00"

charts/hapi-fhir-jpaserver/Chart.yaml

@@ -7,20 +7,23 @@ sources:
   - https://github.com/hapifhir/hapi-fhir-jpaserver-starter
 dependencies:
   - name: postgresql
-    version: 10.12.2
+    version: 11.1.19
     repository: https://charts.bitnami.com/bitnami
     condition: postgresql.enabled
 annotations:
   artifacthub.io/license: Apache-2.0
-  artifacthub.io/prerelease: "true"
   artifacthub.io/changes: |
     # When using the list of objects option the valid supported kinds are
     # added, changed, deprecated, removed, fixed, and security.
     - kind: changed
       description: |
-        updated HAPI FHIR starter image to 5.6.0
+        updated HAPI FHIR starter image to 5.7.0
-    - kind: added
+    - kind: changed
       description: |
-        added support for configuring PodDisruptionBudget for the server pods
+        BREAKING CHANGE: updated included PostgreSQL-subchart to v11
-appVersion: v5.6.0
+    - kind: changed
-version: 0.7.0
+      description: |
+        BREAKING CHANGE: removed ability to override the image flavor.
+        The one based on distroless is now the new default.
+appVersion: v5.7.0
+version: 0.8.0

charts/hapi-fhir-jpaserver/README.md

@@ -1,6 +1,6 @@
 # HAPI FHIR JPA Server Starter Helm Chart
 
-![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v5.6.0](https://img.shields.io/badge/AppVersion-v5.6.0-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v5.7.0](https://img.shields.io/badge/AppVersion-v5.7.0-informational?style=flat-square)
 
 This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment.
 
@@ -29,11 +29,10 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
 | externalDatabase.user | string | `"fhir"` | username for the external database |
 | extraEnv | list | `[]` | extra environment variables to set on the server container |
 | fullnameOverride | string | `""` | override the chart fullname |
-| image.flavor | string | `"distroless"` | the flavor or variant of the image to use. appended to the image tag by `-`. |
 | image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy to use |
 | image.registry | string | `"docker.io"` | registry where the HAPI FHIR server image is hosted |
 | image.repository | string | `"hapiproject/hapi"` | the path inside the repository |
-| image.tag | string | `""` | defaults to `Chart.appVersion` |
+| image.tag | string | `""` | defaults to `Chart.appVersion`. As of v5.7.0, this is the `distroless` flavor |
 | imagePullSecrets | list | `[]` | image pull secrets to use when pulling the image |
 | ingress.annotations | object | `{}` | provide any additional annotations which may be required. Evaluated as a template. |
 | ingress.enabled | bool | `false` | whether to create an Ingress to expose the FHIR server HTTP endpoint |
@@ -51,11 +50,11 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
 | podDisruptionBudget.maxUnavailable | string | `""` | maximum unavailable instances |
 | podDisruptionBudget.minAvailable | int | `1` | minimum available instances |
 | podSecurityContext | object | `{}` | pod security context |
-| postgresql.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
+| postgresql.auth.database | string | `"fhir"` | name for a custom database to create |
-| postgresql.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| postgresql.auth.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user), `password` (which is the password for the custom user to create when `auth.username` is set), and `replication-password` (which is the password for replication user). The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. The value is evaluated as a template. |
 | postgresql.enabled | bool | `true` | enable an included PostgreSQL DB. see <https://github.com/bitnami/charts/tree/master/bitnami/postgresql> for details if set to `false`, the values under `externalDatabase` are used |
-| postgresql.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. |
+| postgresql.primary.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
-| postgresql.postgresqlDatabase | string | `"fhir"` | name of the database to create see: <https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run> |
+| postgresql.primary.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | readinessProbe.failureThreshold | int | `5` |  |
 | readinessProbe.initialDelaySeconds | int | `30` |  |
 | readinessProbe.periodSeconds | int | `20` |  |

charts/hapi-fhir-jpaserver/ci/enabled-ingress-values.yaml

@@ -0,0 +1,6 @@
+ingress:
+  enabled: true
+
+postgresql:
+  auth:
+    postgresPassword: secretpassword

charts/hapi-fhir-jpaserver/templates/_helpers.tpl

@@ -30,18 +30,6 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
-{{/*
-Create image tag
-*/}}
-{{- define "hapi-fhir-jpaserver.imageTag" -}}
-{{- $version := default .Chart.AppVersion .Values.image.tag -}}
-{{- if .Values.image.flavor }}
-{{- printf "%s-%s" $version .Values.image.flavor }}
-{{- else }}
-{{- printf "%s" $version }}
-{{- end }}
-{{- end }}
-
 {{/*
 Common labels
 */}}
@@ -75,10 +63,10 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Get the Postgresql credentials secret name.
 */}}
 {{- define "hapi-fhir-jpaserver.postgresql.secretName" -}}
-{{- if and (.Values.postgresql.enabled) (not .Values.postgresql.existingSecret) -}}
+{{- if and (.Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret) -}}
     {{- printf "%s" (include "hapi-fhir-jpaserver.postgresql.fullname" .) -}}
-{{- else if and (.Values.postgresql.enabled) (.Values.postgresql.existingSecret) -}}
+{{- else if and (.Values.postgresql.enabled) (.Values.postgresql.auth.existingSecret) -}}
-    {{- printf "%s" .Values.postgresql.existingSecret -}}
+    {{- printf "%s" .Values.postgresql.auth.existingSecret -}}
 {{- else }}
     {{- if .Values.externalDatabase.existingSecret -}}
         {{- printf "%s" .Values.externalDatabase.existingSecret -}}
@@ -95,7 +83,7 @@ Get the Postgresql credentials secret key.
 {{- if (.Values.externalDatabase.existingSecret) -}}
     {{- printf "%s" .Values.externalDatabase.existingSecretKey -}}
 {{- else }}
-    {{- printf "postgresql-password" -}}
+    {{- printf "postgres-password" -}}
 {{- end -}}
 {{- end -}}
 
@@ -110,14 +98,14 @@ Add environment variables to configure database values
 Add environment variables to configure database values
 */}}
 {{- define "hapi-fhir-jpaserver.database.user" -}}
-{{- ternary .Values.postgresql.postgresqlUsername .Values.externalDatabase.user .Values.postgresql.enabled -}}
+{{- ternary "postgres" .Values.externalDatabase.user .Values.postgresql.enabled -}}
 {{- end -}}
 
 {{/*
 Add environment variables to configure database values
 */}}
 {{- define "hapi-fhir-jpaserver.database.name" -}}
-{{- ternary .Values.postgresql.postgresqlDatabase .Values.externalDatabase.database .Values.postgresql.enabled -}}
+{{- ternary .Values.postgresql.auth.database .Values.externalDatabase.database .Values.postgresql.enabled -}}
 {{- end -}}
 
 {{/*

charts/hapi-fhir-jpaserver/templates/deployment.yaml

@@ -60,7 +60,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ include "hapi-fhir-jpaserver.imageTag" . }}
+          image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
@@ -102,12 +102,10 @@ spec:
                   key: {{ include "hapi-fhir-jpaserver.postgresql.secretKey" . }}
             - name: SPRING_DATASOURCE_DRIVERCLASSNAME
               value: org.postgresql.Driver
-            - name: SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT
+            - name: spring.jpa.properties.hibernate.dialect
-              value: org.hibernate.dialect.PostgreSQL10Dialect
+              value: ca.uhn.fhir.jpa.model.dialect.HapiFhirPostgres94Dialect
             - name: HAPI_FHIR_USE_APACHE_ADDRESS_STRATEGY
               value: "true"
-            - name: SPRING_JPA_DATABASE_PLATFORM
-              value: org.hibernate.dialect.PostgreSQLDialect
             {{- if .Values.extraEnv }}
             {{ toYaml .Values.extraEnv | nindent 12 }}
             {{- end }}

charts/hapi-fhir-jpaserver/templates/externaldb-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) (not .Values.postgresql.existingSecret) }}
+{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) (not .Values.postgresql.auth.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,5 +7,5 @@ metadata:
     {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }}
 type: Opaque
 data:
-  postgresql-password: {{ .Values.externalDatabase.password | b64enc | quote }}
+  postgres-password: {{ .Values.externalDatabase.password | b64enc | quote }}
 {{- end }}

charts/hapi-fhir-jpaserver/templates/tests/test-endpoints.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: "{{ include "hapi-fhir-jpaserver.fullname" . }}-test-connection"
+  name: "{{ include "hapi-fhir-jpaserver.fullname" . }}-test-endpoints"
   labels:
     {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }}
     {{ include "hapi-fhir-jpaserver.fullname" . }}-client: "true"
@@ -10,7 +10,32 @@ metadata:
 spec:
   restartPolicy: Never
   containers:
-    - name: wget
+    - name: test-metadata-endpoint
+      image: busybox:1
+      command: ['wget', '-O', '-']
+      args: ['http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/metadata']
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        readOnlyRootFilesystem: true
+        runAsUser: 22222
+        runAsNonRoot: true
+      resources:
+        limits:
+          cpu: 100m
+          memory: 128Mi
+        requests:
+          cpu: 100m
+          memory: 128Mi
+      livenessProbe:
+        exec:
+          command: ["true"]
+      readinessProbe:
+        exec:
+          command: ["true"]
+    - name: test-patient-endpoint
       image: busybox:1
       command: ['wget', '-O', '-']
       args: ['http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/Patient?_count=1']

charts/hapi-fhir-jpaserver/values.yaml

@@ -6,11 +6,8 @@ image:
   registry: docker.io
   # -- the path inside the repository
   repository: hapiproject/hapi
-  # -- defaults to `Chart.appVersion`
+  # -- defaults to `Chart.appVersion`. As of v5.7.0, this is the `distroless` flavor
   tag: ""
-  # -- the flavor or variant of the image to use.
-  # appended to the image tag by `-`.
-  flavor: "distroless"
   # -- image pullPolicy to use
   pullPolicy: IfNotPresent
 
@@ -96,22 +93,24 @@ postgresql:
   # see <https://github.com/bitnami/charts/tree/master/bitnami/postgresql> for details
   # if set to `false`, the values under `externalDatabase` are used
   enabled: true
-  # -- name of the database to create
+  auth:
-  # see: <https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run>
+    # -- name for a custom database to create
-  postgresqlDatabase: "fhir"
+    database: "fhir"
-  # -- Name of existing secret to use for PostgreSQL passwords.
+    # -- Name of existing secret to use for PostgreSQL credentials
-  # The secret has to contain the keys `postgresql-password`
+    # `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret
-  # which is the password for `postgresqlUsername` when it is
+    # The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user),
-  # different of `postgres`, `postgresql-postgres-password` which
+    # `password` (which is the password for the custom user to create when `auth.username` is set),
-  # will override `postgresqlPassword`, `postgresql-replication-password`
+    # and `replication-password` (which is the password for replication user).
-  # which will override `replication.password` and `postgresql-ldap-password`
+    # The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and
-  # which will be sed to authenticate on LDAP. The value is evaluated as a template.
+    # picked from this secret in this case.
-  existingSecret: ""
+    # The value is evaluated as a template.
-  containerSecurityContext:
+    existingSecret: ""
-    allowPrivilegeEscalation: false
+  primary:
-    capabilities:
+    containerSecurityContext:
-      drop:
+      allowPrivilegeEscalation: false
-        - ALL
+      capabilities:
+        drop:
+          - ALL
 
 readinessProbe:
   failureThreshold: 5