Minor Helm chart dependency updates and security improvements

chgl
2022-08-25 02:34:02 +02:00
committed by Jens Kristian Villadsen
parent 001bc9c57a
commit 68e64f2f33
9 changed files with 90 additions and 63 deletions


@@ -1,6 +1,6 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 11.6.2
digest: sha256:1b96efc47b5dbe28bf34bcb694697325f3d2755a39ce2f1c371b2c9de9fac9d3
generated: "2022-06-03T11:48:19.1684784+02:00"
version: 11.8.1
digest: sha256:671325f8b3d0b85183fa241190e72705fb124a41254a5db6445bcc105e1ca7ec
generated: "2022-08-25T02:14:58.3432514+02:00"


@@ -7,11 +7,11 @@ sources:
- https://github.com/hapifhir/hapi-fhir-jpaserver-starter
dependencies:
- name: postgresql
version: 11.6.2
version: 11.8.1
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled
appVersion: v6.0.1
version: 0.9.0
appVersion: v6.x
version: 0.10.0
annotations:
artifacthub.io/license: Apache-2.0
artifacthub.io/changes: |
@@ -19,27 +19,21 @@ annotations:
# added, changed, deprecated, removed, fixed, and security.
- kind: changed
description: |
BREAKING CHANGE: updated HAPI FHIR starter image to v6.0.1.
See <https://github.com/hapifhir/hapi-fhir/releases/tag/v6.0.0> for all application changes.
updated included PostgreSQL-subchart to v11.8.1.
Fixes `coalesce.go:220: warning: cannot overwrite table with non table for fhirserver.postgresql.primary.topologySpreadConstraints (map[])` warning
- kind: changed
description: |
updated included PostgreSQL-subchart to v11.6.2
- kind: fixed
description: |
use a fixed image for the wait-for-database container (docker.io/bitnami/postgresql:14.3.0-debian-10-r20)
instead of relying on the PostgreSQL sub-chart values
set `securityContext.seccompProfile.type=RuntimeDefault` for included PostgreSQL as well as all `initContainer` and Helm
test pods to comply with the "restricted" Pod Security Standard: <https://kubernetes.io/docs/concepts/security/pod-security-standards/>
- kind: changed
description: |
expose actuator/metrics endpoint on a separate port (8081)
use curl as the image for running Helm test pods
- kind: changed
description: |
renamed `metrics` port to `http-metrics` for istio compliant naming
- kind: added
description: |
support for monitoring metrics using ServiceMonitor CRDs
Helm test job to test metrics endpoint
- kind: changed
description: |
switched liveness and readiness probes to Spring Boot actuator endpoints
- kind: changed
description: |
BREAKING CHANGE: removed included `NetworkPolicy`, which is subject to more thorough rework
- kind: added
description: |
allow configuring `topologySpreadConstraints` for the deployment
use full digest instead of just a tag for the server image reference


@@ -1,6 +1,6 @@
# HAPI FHIR JPA Server Starter Helm Chart
![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v6.0.1](https://img.shields.io/badge/AppVersion-v6.0.1-informational?style=flat-square)
![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v6.x](https://img.shields.io/badge/AppVersion-v6.x-informational?style=flat-square)
This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment.
@@ -32,7 +32,7 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
| image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy to use |
| image.registry | string | `"docker.io"` | registry where the HAPI FHIR server image is hosted |
| image.repository | string | `"hapiproject/hapi"` | the path inside the repository |
| image.tag | string | `""` | defaults to `Chart.appVersion`. As of v5.7.0, this is the `distroless` flavor |
| image.tag | string | `"v6.0.1@sha256:63c98d8be3dadc77b47dca3115490f22bf99512f363f779f7bbcb42f569aeac3"` | the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image. |
| imagePullSecrets | list | `[]` | image pull secrets to use when pulling the image |
| ingress.annotations | object | `{}` | provide any additional annotations which may be required. Evaluated as a template. |
| ingress.enabled | bool | `false` | whether to create an Ingress to expose the FHIR server HTTP endpoint |
@@ -60,6 +60,8 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
| postgresql.enabled | bool | `true` | enable an included PostgreSQL DB. see <https://github.com/bitnami/charts/tree/master/bitnami/postgresql> for details if set to `false`, the values under `externalDatabase` are used |
| postgresql.primary.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| postgresql.primary.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| postgresql.primary.containerSecurityContext.runAsNonRoot | bool | `true` | |
| postgresql.primary.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| readinessProbe.failureThreshold | int | `5` | |
| readinessProbe.initialDelaySeconds | int | `30` | |
| readinessProbe.periodSeconds | int | `20` | |
@@ -69,9 +71,12 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
| resources | object | `{}` | configure the FHIR server's resource requests and limits |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.privileged | bool | `false` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.runAsGroup | int | `65532` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.runAsUser | int | `65532` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| service.port | int | `8080` | port where the server will be exposed at |
| service.type | string | `"ClusterIP"` | service type |
| startupProbe.failureThreshold | int | `10` | |
@@ -95,4 +100,4 @@ INFO[2021-11-20T12:38:04Z] Generating README Documentation for chart /usr/src/ap
```
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.9.1](https://github.com/norwoodj/helm-docs/releases/v1.9.1)
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)


@@ -30,18 +30,12 @@ spec:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
- name: wait-for-db-to-be-ready
image: docker.io/bitnami/postgresql:14.3.0-debian-10-r20
image: docker.io/bitnami/postgresql:14.5.0@sha256:4355265e33e9c2a786aa145884d4b36ffd4c41c516b35d60df0b7495141ec738
imagePullPolicy: IfNotPresent
{{- with .Values.restrictedContainerSecurityContext }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
privileged: false
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: PGHOST
value: "{{ include "hapi-fhir-jpaserver.database.host" . }}"
@@ -60,13 +54,13 @@ spec:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 8080
protocol: TCP
- name: metrics
- name: http-metrics
containerPort: 8081
protocol: TCP
startupProbe:
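Review bot: The container image line now renders `{{ .Values.image.tag }}` with no fallback, so an override of `image.tag: ""` (the previous default, likely still present in existing user values files) produces `docker.io/hapiproject/hapi:`, an invalid reference that is rejected at pod creation rather than at template time, and the old `default .Chart.AppVersion` fallback can no longer be restored because appVersion is now `v6.x`. Consider failing early with `image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ required "image.tag must be set (e.g. v6.0.1@sha256:...)" .Values.image.tag }}`. Separately, the init container's hardening now lives entirely inside `{{- with .Values.restrictedContainerSecurityContext }}`; since `with` skips the block for an empty map, a user override of `restrictedContainerSecurityContext: {}` silently renders the wait-for-db container with no securityContext at all, so the restricted-PSS compliance the changelog advertises depends on a value marked `@ignore` in values.yaml. The pod spec continues outside the hunk.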


@@ -12,8 +12,8 @@ spec:
protocol: TCP
name: http
- port: {{ .Values.metrics.service.port }}
targetPort: metrics
targetPort: http-metrics
protocol: TCP
name: metrics
name: http-metrics
selector:
{{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 4 }}


@@ -13,7 +13,7 @@ metadata:
{{- end }}
spec:
endpoints:
- port: metrics
- port: http-metrics
path: /actuator/prometheus
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}


@@ -11,17 +11,13 @@ spec:
restartPolicy: Never
containers:
- name: test-metadata-endpoint
image: busybox:1
command: ['wget', '-O', '-']
args: ['http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/metadata']
image: docker.io/curlimages/curl:7.84.0@sha256:5a2a25d96aa941ea2fc47acc50122f7c3d007399a075df61a82d6d2c3a567a2b
command: ["curl", "--fail-with-body"]
args: ["http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/metadata?_summary=true"]
{{- with .Values.restrictedContainerSecurityContext }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 22222
runAsNonRoot: true
{{- toYaml . | nindent 8 }}
{{- end }}
resources:
limits:
cpu: 100m
@@ -36,17 +32,34 @@ spec:
exec:
command: ["true"]
- name: test-patient-endpoint
image: busybox:1
command: ['wget', '-O', '-']
args: ['http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/Patient?_count=1']
image: docker.io/curlimages/curl:7.84.0@sha256:5a2a25d96aa941ea2fc47acc50122f7c3d007399a075df61a82d6d2c3a567a2b
command: ["curl", "--fail-with-body"]
args: ["http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/Patient?_count=1&_summary=true"]
{{- with .Values.restrictedContainerSecurityContext }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 22222
runAsNonRoot: true
{{- toYaml . | nindent 8 }}
{{- end }}
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
livenessProbe:
exec:
command: ["true"]
readinessProbe:
exec:
command: ["true"]
- name: test-metrics-endpoint
image: docker.io/curlimages/curl:7.84.0@sha256:5a2a25d96aa941ea2fc47acc50122f7c3d007399a075df61a82d6d2c3a567a2b
command: ["curl", "--fail-with-body"]
args: ["http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.metrics.service.port }}/actuator/prometheus"]
{{- with .Values.restrictedContainerSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
resources:
limits:
cpu: 100m
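Review bot: None of the three curl invocations bounds the request, so a server that accepts the TCP connection but never responds (a plausible state while the JPA server is still initialising) leaves the test pod running until `helm test --timeout` expires instead of failing with a readable error; `--fail-with-body` only turns an HTTP 4xx/5xx into a non-zero exit. Suggest `command: ["curl", "--fail-with-body", "--silent", "--show-error", "--max-time", "30"]` in all three containers. Note also that the hardening moved into `{{- with .Values.restrictedContainerSecurityContext }}`, which emits nothing when the value is overridden with `{}`, so the test pods' securityContext is only as restricted as an undocumented value; the third container's definition continues outside the hunk.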


@@ -6,8 +6,8 @@ image:
registry: docker.io
# -- the path inside the repository
repository: hapiproject/hapi
# -- defaults to `Chart.appVersion`. As of v5.7.0, this is the `distroless` flavor
tag: ""
# -- the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image.
tag: "v6.0.1@sha256:63c98d8be3dadc77b47dca3115490f22bf99512f363f779f7bbcb42f569aeac3"
# -- image pullPolicy to use
pullPolicy: IfNotPresent
@@ -39,6 +39,10 @@ securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
privileged: false
seccompProfile:
type: RuntimeDefault
# service to expose the server
service:
@@ -123,6 +127,9 @@ postgresql:
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
readinessProbe:
failureThreshold: 5
@@ -187,3 +194,17 @@ metrics:
# scrapeTimeout: 10s
service:
port: 8081
# @ignore
restrictedContainerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
privileged: false
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
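Review bot: `restrictedContainerSecurityContext` is marked `# @ignore`, so the one value that now controls the securityContext of both the wait-for-db init container and every Helm test pod is absent from the generated README and can only be discovered by reading the templates. It also forces uid/gid 65534, whereas the previous init-container definition ran the bitnami postgresql image as 1001; presumably harmless for a read-only readiness check, but together with `readOnlyRootFilesystem: true` any write to `$HOME` by that image's entrypoint would now fail, so this is worth confirming against a rendered install. Consider replacing `# @ignore` with a helm-docs comment such as `# -- securityContext applied to the wait-for-db initContainer and the Helm test pods (restricted Pod Security Standard); uid 65534 is "nobody", not the images' built-in user` so the contract is visible and overriding it with `{}` is a conscious choice.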