Merge remote-tracking branch 'origin/master' into rel_6_9_tracking

.github/workflows/chart-test.yaml

@@ -15,7 +15,7 @@ jobs:
       - name: Install helm-docs
         working-directory: /tmp
         env:
-          HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.11.0/helm-docs_1.11.0_Linux_x86_64.tar.gz
+          HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.11.3/helm-docs_1.11.3_Linux_x86_64.tar.gz
         run: |
           curl -LSs $HELM_DOCS_URL | tar xz && \
           mv ./helm-docs /usr/local/bin/helm-docs && \
@@ -30,6 +30,7 @@ jobs:
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0
+
       - name: Check if documentation is up-to-date
         run: helm-docs && git diff --exit-code HEAD
 

charts/hapi-fhir-jpaserver/Chart.yaml

@@ -10,18 +10,18 @@ dependencies:
     version: 12.5.6
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
-appVersion: 6.6.0
-version: 0.13.0
+appVersion: 6.8.3
+version: 0.14.0
 annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/changes: |
     # When using the list of objects option the valid supported kinds are
     # added, changed, deprecated, removed, fixed, and security.
     - kind: added
-      description: allow specifying application properties via yaml config
+      description: updated starter image to 6.8.3
+    - kind: fixed
+      description: incorrect handling of existing secret database config
     - kind: added
-      description: allow setting resource limits and requests for the Helm test pods
-    - kind: changed
-      description: updated curl used by helm tests to version to v8.2.0
-    - kind: changed
-      description: allow disabling the liveness-, readiness-, and startup-probes entirely
+      description: support for using a non-admin user for the postgres database
+    - kind: added
+      description: ability to create a dedicated ServiceAccount

charts/hapi-fhir-jpaserver/README.md

@@ -1,6 +1,6 @@
 # HAPI FHIR JPA Server Starter Helm Chart
 
-![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.6.0](https://img.shields.io/badge/AppVersion-6.6.0-informational?style=flat-square)
+![Version: 0.14.0](https://img.shields.io/badge/Version-0.14.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.8.3](https://img.shields.io/badge/AppVersion-6.8.3-informational?style=flat-square)
 
 This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment.
 
@@ -36,7 +36,7 @@ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver
 | image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy to use |
 | image.registry | string | `"docker.io"` | registry where the HAPI FHIR server image is hosted |
 | image.repository | string | `"hapiproject/hapi"` | the path inside the repository |
-| image.tag | string | `"v6.6.0@sha256:c00367865ae5dad4e171cbb68bfc1c39818854079d1565bee4c86a45e78335d0"` | the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image. |
+| image.tag | string | `"v6.8.3@sha256:6195f1116ebabfb0a608addde043b3e524c456c4d4f35b3d25025afd7dcd2e27"` | the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image. |
 | imagePullSecrets | list | `[]` | image pull secrets to use when pulling the image |
 | ingress.annotations | object | `{}` | provide any additional annotations which may be required. Evaluated as a template. |
 | ingress.enabled | bool | `false` | whether to create an Ingress to expose the FHIR server HTTP endpoint |
@@ -73,6 +73,10 @@ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver
 | securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | service.port | int | `8080` | port where the server will be exposed at |
 | service.type | string | `"ClusterIP"` | service type |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |
+| serviceAccount.create | bool | `false` | Specifies whether a service account should be created. |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | tests.resources | object | `{}` | configure the test pods resource requests and limits |
 | tolerations | list | `[]` | pod tolerations |
 | topologySpreadConstraints | list | `[]` | pod topology spread configuration see: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#api |
@@ -139,4 +143,4 @@ kubectl port-forward -n observability service/simplest-query 16686:16686
 and opening <http://localhost:16686/> in your browser.
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)

charts/hapi-fhir-jpaserver/ci/custom-postgres-user-values.yaml

@@ -0,0 +1,7 @@
+postgresql:
+  enabled: true
+  auth:
+    username: hapi_fhir_jpaserver_starter_user
+    database: hapi_fhir_jpaserver_starter
+    password: secret_user_password
+    postgresPassword: secret_postgres_password

charts/hapi-fhir-jpaserver/templates/_helpers.tpl

@@ -50,6 +50,17 @@ app.kubernetes.io/name: {{ include "hapi-fhir-jpaserver.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hapi-fhir-jpaserver.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "hapi-fhir-jpaserver.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create a default fully qualified postgresql name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -63,10 +74,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Get the Postgresql credentials secret name.
 */}}
 {{- define "hapi-fhir-jpaserver.postgresql.secretName" -}}
-{{- if and (.Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret) -}}
-    {{- printf "%s" (include "hapi-fhir-jpaserver.postgresql.fullname" .) -}}
-{{- else if and (.Values.postgresql.enabled) (.Values.postgresql.auth.existingSecret) -}}
+{{- if .Values.postgresql.enabled -}}
+    {{- if .Values.postgresql.auth.existingSecret -}}
         {{- printf "%s" .Values.postgresql.auth.existingSecret -}}
+    {{- else -}}
+        {{- printf "%s" (include "hapi-fhir-jpaserver.postgresql.fullname" .) -}}
+    {{- end -}}
 {{- else }}
     {{- if .Values.externalDatabase.existingSecret -}}
         {{- printf "%s" .Values.externalDatabase.existingSecret -}}
@@ -80,10 +93,18 @@ Get the Postgresql credentials secret name.
 Get the Postgresql credentials secret key.
 */}}
 {{- define "hapi-fhir-jpaserver.postgresql.secretKey" -}}
-{{- if (.Values.externalDatabase.existingSecret) -}}
-    {{- printf "%s" .Values.externalDatabase.existingSecretKey -}}
+{{- if .Values.postgresql.enabled -}}
+    {{- if .Values.postgresql.auth.username -}}
+        {{- printf "%s" .Values.postgresql.auth.secretKeys.userPasswordKey -}}
+    {{- else -}}
+        {{- printf "%s" .Values.postgresql.auth.secretKeys.adminPasswordKey -}}
+    {{- end -}}
 {{- else }}
+    {{- if .Values.externalDatabase.existingSecret -}}
+        {{- printf "%s" .Values.externalDatabase.existingSecretKey -}}
+    {{- else -}}
         {{- printf "postgres-password" -}}
+    {{- end -}}
 {{- end -}}
 {{- end -}}
 
@@ -98,7 +119,11 @@ Add environment variables to configure database values
 Add environment variables to configure database values
 */}}
 {{- define "hapi-fhir-jpaserver.database.user" -}}
-{{- ternary "postgres" .Values.externalDatabase.user .Values.postgresql.enabled -}}
+{{- if .Values.postgresql.enabled -}}
+    {{- printf "%s" .Values.postgresql.auth.username | default "postgres" -}}
+{{- else -}}
+    {{- printf "%s" .Values.externalDatabase.user -}}
+{{- end -}}
 {{- end -}}
 
 {{/*

charts/hapi-fhir-jpaserver/templates/deployment.yaml

@@ -26,6 +26,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "hapi-fhir-jpaserver.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:

charts/hapi-fhir-jpaserver/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create  -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hapi-fhir-jpaserver.serviceAccountName" . }}
+  labels:
+    {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

charts/hapi-fhir-jpaserver/values.yaml

@@ -7,7 +7,7 @@ image:
   # -- the path inside the repository
   repository: hapiproject/hapi
   # -- the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image.
-  tag: "v6.6.0@sha256:c00367865ae5dad4e171cbb68bfc1c39818854079d1565bee4c86a45e78335d0"
+  tag: "v6.8.3@sha256:6195f1116ebabfb0a608addde043b3e524c456c4d4f35b3d25025afd7dcd2e27"
   # -- image pullPolicy to use
   pullPolicy: IfNotPresent
 
@@ -198,6 +198,17 @@ podDisruptionBudget:
   # -- maximum unavailable instances
   maxUnavailable: ""
 
+serviceAccount:
+  # -- Specifies whether a service account should be created.
+  create: false
+  # -- Annotations to add to the service account
+  annotations: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+  # -- Automatically mount a ServiceAccount's API credentials?
+  automount: true
+
 metrics:
   serviceMonitor:
     # -- if enabled, creates a ServiceMonitor instance for Prometheus Operator-based monitoring
@@ -229,7 +240,7 @@ curl:
   image:
     registry: docker.io
     repository: curlimages/curl
-    tag: 8.2.0@sha256:daf3f46a2639c1613b25e85c9ee4193af8a1d538f92483d67f9a3d7f21721827
+    tag: 8.4.0@sha256:4a3396ae573c44932d06ba33f8696db4429c419da87cbdc82965ee96a37dd0af
 
 tests:
   # -- configure the test pods resource requests and limits
@@ -242,7 +253,8 @@ tests:
   #   memory: 128Mi
 
 # -- additional Spring Boot application config. Mounted as a file and automatically loaded by the application.
-extraConfig: ""
+extraConfig:
+  ""
   # # For example:
   # |
   # hapi: