diff --git a/.github/ct/ct.yaml b/.github/ct/config.yaml similarity index 91% rename from .github/ct/ct.yaml rename to .github/ct/config.yaml index ff1135d..484e994 100644 --- a/.github/ct/ct.yaml +++ b/.github/ct/config.yaml @@ -1,6 +1,5 @@ debug: true remote: origin -lint-conf: .github/ct/lintconf.yaml chart-yaml-schema: .github/ct/chart-schema.yaml validate-maintainers: false validate-chart-schema: true diff --git a/.github/ct/lintconf.yaml b/.github/ct/lintconf.yaml deleted file mode 100644 index 8e64eb2..0000000 --- a/.github/ct/lintconf.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -rules: - braces: - min-spaces-inside: 0 - max-spaces-inside: 0 - min-spaces-inside-empty: -1 - max-spaces-inside-empty: -1 - brackets: - min-spaces-inside: 0 - max-spaces-inside: 0 - min-spaces-inside-empty: -1 - max-spaces-inside-empty: -1 - colons: - max-spaces-before: 0 - max-spaces-after: 1 - commas: - max-spaces-before: 0 - min-spaces-after: 1 - max-spaces-after: 1 - comments: - require-starting-space: true - min-spaces-from-content: 1 - document-end: disable - document-start: disable - empty-lines: - max: 2 - max-start: 0 - max-end: 0 - hyphens: - max-spaces-after: 1 - indentation: - spaces: consistent - indent-sequences: whatever - check-multi-line-strings: false - key-duplicates: enable - line-length: disable - new-line-at-end-of-file: enable - trailing-spaces: enable - truthy: - level: warning diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images.yaml index 861519a..dae0205 100644 --- a/.github/workflows/build-images.yaml +++ b/.github/workflows/build-images.yaml @@ -4,9 +4,12 @@ on: push: tags: - "image/v*" + paths-ignore: + - "charts/**" pull_request: branches: [master] - + paths-ignore: + - "charts/**" env: IMAGES: docker.io/hapiproject/hapi PLATFORMS: linux/amd64,linux/arm64/v8 diff --git a/.github/workflows/chart-release.yaml b/.github/workflows/chart-release.yaml index 7e122f5..5d30c2f 100644 --- a/.github/workflows/chart-release.yaml 
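Review bot: The `paths-ignore: charts/**` added under `push` sits next to a `tags: image/v*` filter, and GitHub does not evaluate `paths`/`paths-ignore` for tag pushes, so as far as I can tell the new filter only takes effect for the `pull_request` trigger; an `image/v*` tag still builds and publishes images even when the tagged commit only touched `charts/`. If that is intended, say so above the block, `# note: path filters are not applied to tag pushes; only the pull_request trigger is narrowed here`; otherwise the tag trigger needs a different guard (for example a job-level `if` on the changed paths). The `jobs:` section of this workflow is outside the hunk.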
+++ b/.github/workflows/chart-release.yaml @@ -15,21 +15,26 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 + - name: Configure Git run: | git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + - name: Install Helm uses: azure/setup-helm@v1 with: - version: v3.4.0 + version: v3.7.0 + - name: Add bitnami repo run: helm repo add bitnami https://charts.bitnami.com/bitnami + - name: Update dependencies run: find charts/ ! -path charts/ -maxdepth 1 -type d -exec helm dependency update {} \; + - name: Run chart-releaser uses: helm/chart-releaser-action@v1.2.0 with: - config: .github/ct/ct.yaml + config: .github/ct/config.yaml env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/chart-test.yaml b/.github/workflows/chart-test.yaml index 31d8695..90bb32a 100644 --- a/.github/workflows/chart-test.yaml +++ b/.github/workflows/chart-test.yaml @@ -10,18 +10,28 @@ on: jobs: lint: runs-on: ubuntu-20.04 - container: ghcr.io/chgl/kube-powertools:latest + container: quay.io/helmpack/chart-testing:v3.4.0 steps: + - name: Install helm-docs + working-directory: /tmp + env: + HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz + run: | + curl -LSs $HELM_DOCS_URL | tar xz && \ + mv ./helm-docs /usr/local/bin/helm-docs && \ + chmod +x /usr/local/bin/helm-docs && \ + helm-docs --version + - name: Checkout uses: actions/checkout@v2 with: fetch-depth: 0 - - name: Update dependencies - run: find charts/ ! -path charts/ -maxdepth 1 -type d -exec helm dependency update {} \; + + - name: Check if documentation is up-to-date + run: helm-docs && git diff --exit-code HEAD + - name: Run chart-testing (lint) - run: ct lint --config .github/ct/ct.yaml - - name: Run Powerlint - run: chart-powerlint.sh + run: ct lint --config .github/ct/config.yaml test: runs-on: ubuntu-20.04 
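Review bot: Every action in this release job — `actions/checkout@v2`, `azure/setup-helm@v1` (touched here), `helm/chart-releaser-action@v1.2.0` — is referenced by a mutable tag while the job runs with `CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, a token that can write releases and the index branch; a re-pointed tag would execute with that write token. Since these lines are being edited anyway, pin them to full commit SHAs with the tag as a trailing comment, e.g. `uses: helm/chart-releaser-action@<commit-sha> # v1.2.0`, and, if the workflow has no `permissions:` block (not visible in this hunk), add one limited to `contents: write`. Note also that the `Update dependencies` step runs `helm dependency update`, which re-resolves the bitnami chart and rewrites Chart.lock rather than verifying the committed digest; `helm dependency build` would consume the lock file instead, so a release is built from exactly what the lock records.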
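Review bot: The new `Install helm-docs` step pipes `curl -LSs $HELM_DOCS_URL | tar xz` straight into `/usr/local/bin` with no integrity check, so whatever is served at that URL — a replaced release asset included — becomes a binary that runs inside CI with the repository checked out. Download to a file, verify a pinned SHA-256 before extracting, and quote the variable: `curl -fLSs "$HELM_DOCS_URL" -o helm-docs.tgz`, `echo "<sha256 of helm-docs_1.5.0_Linux_x86_64.tar.gz>  helm-docs.tgz" | sha256sum -c -`, `tar xzf helm-docs.tgz`. The added `-f` also makes curl fail on an HTTP error instead of handing an error page to `tar`.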
@@ -32,24 +42,27 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 + - name: Set up Helm uses: azure/setup-helm@v1 with: - version: v3.5.2 - - uses: actions/setup-python@v2 - with: - python-version: 3.9 + version: v3.7.0 + - name: Set up chart-testing - uses: helm/chart-testing-action@v2.0.1 + uses: helm/chart-testing-action@v2.1.0 + - name: Run chart-testing (list-changed) id: list-changed run: | - changed=$(ct list-changed) + changed=$(ct list-changed --config .github/ct/config.yaml) if [[ -n "$changed" ]]; then echo "::set-output name=changed::true" fi + - name: Create k8s Kind Cluster - uses: helm/kind-action@v1.1.0 + uses: helm/kind-action@v1.2.0 if: steps.list-changed.outputs.changed == 'true' + - name: Run chart-testing (install) - run: ct install --config .github/ct/ct.yaml + run: ct install --config .github/ct/config.yaml + if: steps.list-changed.outputs.changed == 'true' diff --git a/charts/README.md b/charts/README.md deleted file mode 100644 index 22e6ed8..0000000 --- a/charts/README.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# Charts - -> A collection of Helm charts - -```sh -helm repo add hapifhir https://hapifhir.github.io/charts -helm repo update -``` - -## Development - -1. Make changes to the charts - -1. Mount the folder in the [kube-powertools](https://github.com/chgl/kube-powertools) container to easily run linters and checks - - ```sh - docker run --rm -it -v $PWD:/usr/src/app ghcr.io/chgl/kube-powertools:latest - ``` - -1. Run chart-testing and the `chart-powerlint.sh` script to lint the chart - - ```sh - ct lint --config .github/ct/ct.yaml && chart-powerlint.sh - ``` - -1. (Optional) View the results of the [polaris audit check](https://github.com/FairwindsOps/polaris) in your browser - - ```sh - $ docker run --rm -it -p 9090:8080 -v $PWD:/usr/src/app ghcr.io/chgl/kube-powertools:latest - bash-5.0: helm template charts/fhir-server/ | polaris dashboard --audit-path - - ``` - - You can now open your browser at and see the results and recommendations. - -1. Run `generate-docs.sh` to auto-generate an updated README - - ```sh - generate-docs.sh - ``` - -1. Bump the version in the changed Chart.yaml according to SemVer (The `ct lint` step above will complain if you forget to update the version.) diff --git a/charts/hapi-fhir-jpaserver/Chart.lock b/charts/hapi-fhir-jpaserver/Chart.lock index 3229d8b..0db0f3a 100644 --- a/charts/hapi-fhir-jpaserver/Chart.lock +++ b/charts/hapi-fhir-jpaserver/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 10.3.16 -digest: sha256:a45816f0855c6d4b1d66384ac36db99e0378f24663d02791006f815ff9d49245 -generated: "2021-04-09T15:11:17.790703505Z" + version: 10.12.2 +digest: sha256:38ee315eae1af3e3f6eb20e1dd8ffd60d4ab7ee0c51bf26941b56c8bcb376c11 +generated: "2021-10-07T00:19:18.9743522+02:00" diff --git a/charts/hapi-fhir-jpaserver/Chart.yaml b/charts/hapi-fhir-jpaserver/Chart.yaml index 486f828..0b83915 100644 --- a/charts/hapi-fhir-jpaserver/Chart.yaml 
+++ b/charts/hapi-fhir-jpaserver/Chart.yaml @@ -7,7 +7,17 @@ sources: - https://github.com/hapifhir/hapi-fhir-jpaserver-starter dependencies: - name: postgresql - version: 10.3.16 + version: 10.12.2 repository: https://charts.bitnami.com/bitnami condition: postgresql.enabled -version: 0.2.0 +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + artifacthub.io/changes: | + # When using the list of objects option the valid supported kinds are + # added, changed, deprecated, removed, fixed, and security. + - kind: changed + description: | + updated HAPI FHIR starter image to 5.5.1 +appVersion: v5.5.1 +version: 0.6.0 diff --git a/charts/hapi-fhir-jpaserver/README.md b/charts/hapi-fhir-jpaserver/README.md index a23e070..e1e5496 100644 --- a/charts/hapi-fhir-jpaserver/README.md +++ b/charts/hapi-fhir-jpaserver/README.md 
@@ -1,101 +1,74 @@ -# hapi-fhir-jpaserver +# HAPI FHIR JPA Server Starter Helm Chart -[HAPI FHIR JPA Server](https://github.com/hapifhir/hapi-fhir-jpaserver-starter) - Helm chart for deploying the HAPI FHIR JPA starter server +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v5.5.1](https://img.shields.io/badge/AppVersion-v5.5.1-informational?style=flat-square) -## TL;DR; +This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment. -```console -$ helm repo add hapifhir https://hapifhir.github.io/hapi-fhir-jpaserver-starter -$ helm repo update -$ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver -n fhir +## Sample usage + +```sh +helm repo add hapifhir https://hapifhir.github.io/hapi-fhir-jpaserver-starter/ +helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver ``` -## Introduction +## Values -This chart deploys the HAPI FHIR JPA starter server. on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. 
+| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | pod affinity | +| deploymentAnnotations | object | `{}` | annotations applied to the server deployment | +| externalDatabase.database | string | `"fhir"` | database name | +| externalDatabase.existingSecret | string | `""` | name of an existing secret resource containing the DB password in the `existingSecretKey` key | +| externalDatabase.existingSecretKey | string | `"postgresql-password"` | name of the key inside the `existingSecret` | +| externalDatabase.host | string | `"localhost"` | external database host used with `postgresql.enabled=false` | +| externalDatabase.password | string | `""` | database password | +| externalDatabase.port | int | `5432` | database port number | +| externalDatabase.user | string | `"fhir"` | username for the external database | +| fullnameOverride | string | `""` | override the chart fullname | +| image.flavor | string | `"distroless"` | the flavor or variant of the image to use. appended to the image tag by `-`. | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.registry | string | `"docker.io"` | | +| image.repository | string | `"hapiproject/hapi"` | | +| image.tag | string | `""` | defaults to `Chart.appVersion` | +| imagePullSecrets | list | `[]` | image pull secrets to use when pulling the image | +| ingress.annotations | object | `{}` | provide any additional annotations which may be required. Evaluated as a template. 
| +| ingress.enabled | bool | `false` | whether to create an Ingress to expose the FHIR server HTTP endpoint | +| ingress.hosts[0].host | string | `"fhir-server.127.0.0.1.nip.io"` | | +| ingress.hosts[0].pathType | string | `"ImplementationSpecific"` | | +| ingress.hosts[0].paths[0] | string | `"/"` | | +| ingress.tls | list | `[]` | ingress TLS config | +| nameOverride | string | `""` | override the chart name | +| networkPolicy.allowedFrom | list | `[]` | Additional allowed NetworkPolicyPeer specs Evaluated as a template so you could do: Example: allowedFrom: - podSelector: matchLabels: app.kubernetes.io/name: {{ $.Release.Name }} | +| networkPolicy.enabled | bool | `false` | enable NetworkPolicy | +| networkPolicy.explicitNamespacesSelector | object | `{}` | a Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | +| nodeSelector | object | `{}` | node selector for the pod | +| podAnnotations | object | `{}` | annotations applied to the server pod | +| podSecurityContext | object | `{}` | pod security context | +| postgresql.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| postgresql.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| postgresql.enabled | bool | `true` | enable an included PostgreSQL DB. see for details if set to `false`, the values under `externalDatabase` are used | +| postgresql.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. 
| +| postgresql.postgresqlDatabase | string | `"fhir"` | name of the database to create see: | +| readinessProbe.failureThreshold | int | `5` | | +| readinessProbe.initialDelaySeconds | int | `30` | | +| readinessProbe.periodSeconds | int | `20` | | +| readinessProbe.successThreshold | int | `1` | | +| readinessProbe.timeoutSeconds | int | `20` | | +| replicaCount | int | `1` | number of replicas to deploy | +| resources | object | `{}` | configure the FHIR server's resource requests and limits | +| securityContext.allowPrivilegeEscalation | bool | `false` | | +| securityContext.capabilities.drop[0] | string | `"ALL"` | | +| securityContext.readOnlyRootFilesystem | bool | `true` | | +| securityContext.runAsNonRoot | bool | `true` | | +| securityContext.runAsUser | int | `65532` | | +| service.port | int | `8080` | | +| service.type | string | `"ClusterIP"` | | +| startupProbe.failureThreshold | int | `10` | | +| startupProbe.initialDelaySeconds | int | `60` | | +| startupProbe.periodSeconds | int | `30` | | +| startupProbe.successThreshold | int | `1` | | +| startupProbe.timeoutSeconds | int | `30` | | +| tolerations | list | `[]` | pod tolerations | -## Prerequisites - -- Kubernetes v1.18+ -- Helm v3 - -## Installing the Chart - -To install the chart with the release name `hapi-fhir-jpaserver`: - -```console -$ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver -n fhir -``` - -The command deploys the HAPI FHIR JPA starter server. on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `hapi-fhir-jpaserver`: - -```console -$ helm delete hapi-fhir-jpaserver -n fhir -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. 
- -## Configuration - -The following table lists the configurable parameters of the `hapi-fhir-jpaserver` chart and their default values. - -| Parameter | Description | Default | -| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | -| replicaCount | | `1` | -| imagePullSecrets | image pull secrets | `[]` | -| nameOverride | | `""` | -| fullnameOverride | | `""` | -| deploymentAnnotations | annotations applied to the server deployment | `{}` | -| podAnnotations | annotations applied to the server pod | `{}` | -| podSecurityContext | PodSecurityContext applied to the pod | `{}` | -| service.type | | `ClusterIP | -| | | # service port` | -| service.port | | `8080` | -| ingress.enabled | | `false | -| | | # provide any additional annotations which may be required. Evaluated as a template.` | -| ingress.annotations | | `{}` | -| ingress.tls | | `[]` | -| resources | resource requests and limits | `{}` | -| nodeSelector | choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi node labels for pods assignment see: | `{}` | -| tolerations | tolerations for pods assignment see: | `[]` | -| affinity | affinity for pods assignment see: | `{}` | -| postgresql.enabled | if set to `false`, the values under `webApi.db` are used | `true | -| | | # update the default Postgres version to 13.2` | -| postgresql.image | | `{"tag":"13.2.0"}` | -| postgresql.postgresqlDatabase | see: | `"fhir"` | -| postgresql.existingSecret | The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `""` | -| postgresql.replication.enabled | | `false | -| | | # number of read replicas` | -| postgresql.replication.readReplicas | | `2` | -| postgresql.replication.synchronousCommit | | `"on"` | -| postgresql.replication.numSynchronousReplicas | | `1` | -| postgresql.metrics.enabled | | `false` | -| postgresql.metrics.serviceMonitor.enabled | | `false | -| | | # the labels used for Prometheus autodiscover, e.g. could be `release: prometheus`` | -| postgresql.metrics.serviceMonitor.additionalLabels | | `{}` | -| externalDatabase.host | | `localhost | -| | | # non-root Username for FHIR Database` | -| externalDatabase.user | | `fhir` | -| externalDatabase.password | | `""` | -| externalDatabase.existingSecret | | `""` | -| externalDatabase.database | | `fhir` | -| externalDatabase.port | | `5432` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example: - -```console -$ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver -n fhir --set replicaCount=1 -``` - -Alternatively, a YAML file that specifies the values for the parameters can be provided while -installing the chart. For example: - -```console -$ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver -n fhir --values values.yaml -``` +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/charts/hapi-fhir-jpaserver/README.md.gotmpl b/charts/hapi-fhir-jpaserver/README.md.gotmpl new file mode 100644 index 0000000..c599d14 --- /dev/null +++ b/charts/hapi-fhir-jpaserver/README.md.gotmpl @@ -0,0 +1,16 @@ +# HAPI FHIR JPA Server Starter Helm Chart + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment. + +## Sample usage + +```sh +helm repo add hapifhir https://hapifhir.github.io/hapi-fhir-jpaserver-starter/ +helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver +``` + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/hapi-fhir-jpaserver/doc.yaml b/charts/hapi-fhir-jpaserver/doc.yaml deleted file mode 100644 index 5a85b4a..0000000 --- a/charts/hapi-fhir-jpaserver/doc.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -project: - name: HAPI FHIR JPA Server - shortName: hapi-fhir-jpaserver - url: https://github.com/hapifhir/hapi-fhir-jpaserver-starter - description: Helm chart for deploying the HAPI FHIR JPA starter server - app: the HAPI FHIR JPA starter server. -repository: - url: https://hapifhir.github.io/hapi-fhir-jpaserver-starter - name: hapifhir -chart: - name: hapi-fhir-jpaserver - values: "-- generate from values file --" - valuesExample: "-- generate from values file --" -prerequisites: - - "Kubernetes v1.18+" - - "Helm v3" -release: - name: hapi-fhir-jpaserver - namespace: fhir diff --git a/charts/hapi-fhir-jpaserver/templates/_helpers.tpl b/charts/hapi-fhir-jpaserver/templates/_helpers.tpl index d5e1c7a..178d840 100644 --- a/charts/hapi-fhir-jpaserver/templates/_helpers.tpl +++ b/charts/hapi-fhir-jpaserver/templates/_helpers.tpl @@ -30,6 +30,18 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Create image tag +*/}} +{{- define "hapi-fhir-jpaserver.imageTag" -}} +{{- $version := default .Chart.AppVersion .Values.image.tag -}} +{{- if .Values.image.flavor }} +{{- printf "%s-%s" $version .Values.image.flavor }} +{{- else }} +{{- printf "%s" $version }} +{{- end }} +{{- end }} + {{/* Common labels */}} @@ -60,7 +72,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{/* -Get the Postgresql credentials secret. +Get the Postgresql credentials secret name. */}} {{- define "hapi-fhir-jpaserver.postgresql.secretName" -}} {{- if and (.Values.postgresql.enabled) (not .Values.postgresql.existingSecret) -}} 
@@ -71,11 +83,22 @@ Get the Postgresql credentials secret. {{- if .Values.externalDatabase.existingSecret -}} {{- printf "%s" .Values.externalDatabase.existingSecret -}} {{- else -}} - {{ printf "%s-%s" .Release.Name "externaldb" }} + {{ printf "%s-%s" (include "hapi-fhir-jpaserver.fullname" .) "external-db" }} {{- end -}} {{- end -}} {{- end -}} +{{/* +Get the Postgresql credentials secret key. +*/}} +{{- define "hapi-fhir-jpaserver.postgresql.secretKey" -}} +{{- if (.Values.externalDatabase.existingSecret) -}} + {{- printf "%s" .Values.externalDatabase.existingSecretKey -}} +{{- else }} + {{- printf "postgresql-password" -}} +{{- end -}} +{{- end -}} + {{/* Add environment variables to configure database values */}} @@ -87,7 +110,7 @@ Add environment variables to configure database values Add environment variables to configure database values */}} {{- define "hapi-fhir-jpaserver.database.user" -}} -{{- ternary .Values.postgresql.postgresqlUsername .Values.externalDatabase.user .Values.postgresql.enabled | quote -}} +{{- ternary .Values.postgresql.postgresqlUsername .Values.externalDatabase.user .Values.postgresql.enabled -}} {{- end -}} {{/* @@ -111,5 +134,6 @@ Create the JDBC URL from the host, port and database name. {{- $host := (include "hapi-fhir-jpaserver.database.host" .) -}} {{- $port := (include "hapi-fhir-jpaserver.database.port" .) -}} {{- $name := (include "hapi-fhir-jpaserver.database.name" .) -}} -{{ printf "jdbc:postgresql://%s:%d/%s" $host (int $port) $name }} +{{- $appName := .Release.Name -}} +{{ printf "jdbc:postgresql://%s:%d/%s?ApplicationName=%s" $host (int $port) $name $appName }} {{- end -}} diff --git a/charts/hapi-fhir-jpaserver/templates/deployment.yaml b/charts/hapi-fhir-jpaserver/templates/deployment.yaml index 24ba02f..a58024c 100644 --- a/charts/hapi-fhir-jpaserver/templates/deployment.yaml +++ b/charts/hapi-fhir-jpaserver/templates/deployment.yaml 
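Review bot: `hapi-fhir-jpaserver.database.user` no longer applies `| quote`, so the helper now emits a bare scalar; the one caller visible in this diff (the init container's `PGUSER`) wraps the include in double quotes, but any other caller — the server's datasource username env var is not in this diff — that uses it as a plain `value:` would now have a username such as `true` or `1001` re-typed by YAML and rejected by the API server as a non-string. Either keep quoting at every call site or state the contract on the helper: `{{/* Renders the DB username unquoted; callers must wrap the value in quotes. */}}`. The `ApplicationName=` query parameter built from `.Release.Name` looks safe given the characters Helm allows in release names, but a one-line comment that the value is inserted without URL-encoding would save the next reader the check.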
@@ -28,10 +28,9 @@ spec: {{- end }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.postgresql.enabled }} initContainers: - - name: wait-for-db - image: busybox:1.32 + - name: wait-for-db-to-be-ready + image: "{{ .Values.postgresql.image.registry }}/{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -41,15 +40,27 @@ spec: drop: - ALL runAsNonRoot: true - runAsUser: 11111 - runAsGroup: 11111 - command: ["sh", "-c", "while ! nc -z {{ .Release.Name }}-postgresql 5432 -w 5; do echo $(date) waiting for database; sleep 5; done;"] - {{- end }} + runAsUser: 1001 + runAsGroup: 1001 + env: + - name: PGHOST + value: "{{ include "hapi-fhir-jpaserver.database.host" . }}" + - name: PGPORT + value: "{{ include "hapi-fhir-jpaserver.database.port" . }}" + - name: PGUSER + value: "{{ include "hapi-fhir-jpaserver.database.user" . }}" + command: ["/bin/sh", "-c"] + args: + - | + until pg_isready; do + echo "Waiting for DB ${PGUSER}@${PGHOST}:${PGPORT} to be up"; + sleep 15; + done; containers: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ include "hapi-fhir-jpaserver.imageTag" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http @@ -68,7 +79,7 @@ spec: {{- end }} startupProbe: httpGet: - path: /fhir/Patient?_count=1 + path: /fhir/metadata port: http {{- with .Values.startupProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} 
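Review bot: Dropping the `{{- if .Values.postgresql.enabled }}` guard means the `wait-for-db-to-be-ready` init container is now rendered for external databases as well, and its image is assembled from `.Values.postgresql.image.registry/repository/tag` — keys this chart's own values.yaml no longer defines (the same commit removes the `postgresql.image` block). With the subchart enabled Helm coalesces the bitnami defaults into `.Values.postgresql`, but when the dependency is switched off by its `condition` I would not expect those defaults to be present, so `postgresql.enabled=false` probably renders an empty or invalid image reference; please `helm template --set postgresql.enabled=false` to confirm. The safer shape is to take the probe image from a value this chart owns, with a pinned tag or digest, and keep `pg_isready` as the check. The init container's securityContext shown here does not set `readOnlyRootFilesystem: true` the way the main container does; if it is not in the context lines outside the hunk, add it.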
@@ -88,7 +99,7 @@ spec: valueFrom: secretKeyRef: name: {{ include "hapi-fhir-jpaserver.postgresql.secretName" . }} - key: postgresql-password + key: {{ include "hapi-fhir-jpaserver.postgresql.secretKey" . }} - name: SPRING_DATASOURCE_DRIVERCLASSNAME value: org.postgresql.Driver - name: SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT diff --git a/charts/hapi-fhir-jpaserver/templates/externaldb-secret.yaml b/charts/hapi-fhir-jpaserver/templates/externaldb-secret.yaml index 408383a..e3a35d8 100644 --- a/charts/hapi-fhir-jpaserver/templates/externaldb-secret.yaml +++ b/charts/hapi-fhir-jpaserver/templates/externaldb-secret.yaml @@ -1,8 +1,8 @@ -{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) (not .Values.postgresql.existingSecret)}} +{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) (not .Values.postgresql.existingSecret) }} apiVersion: v1 kind: Secret metadata: - name: {{ printf "%s-%s" .Release.Name "externaldb" }} + name: {{ include "hapi-fhir-jpaserver.fullname" . }}-external-db labels: {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }} type: Opaque diff --git a/charts/hapi-fhir-jpaserver/templates/ingress.yaml b/charts/hapi-fhir-jpaserver/templates/ingress.yaml index df4862b..6b7b354 100644 --- a/charts/hapi-fhir-jpaserver/templates/ingress.yaml +++ b/charts/hapi-fhir-jpaserver/templates/ingress.yaml @@ -1,6 +1,5 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "hapi-fhir-jpaserver.fullname" . -}} -{{- $svcPort := .Values.service.port -}} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} apiVersion: networking.k8s.io/v1 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }} @@ -44,10 +43,10 @@ spec: service: name: {{ $fullName }} port: - number: {{ $svcPort }} + name: http {{ else }} serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} + servicePort: http {{- end }} {{- end }} {{- end }} 
diff --git a/charts/hapi-fhir-jpaserver/templates/networkpolicy.yaml b/charts/hapi-fhir-jpaserver/templates/networkpolicy.yaml
new file mode 100644
index 0000000..d051950
--- /dev/null
+++ b/charts/hapi-fhir-jpaserver/templates/networkpolicy.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "hapi-fhir-jpaserver.fullname" . }}
+ labels:
+ {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 6 }}
+ ingress:
+ # Allow inbound connections from pods with the "hapi-fhir-jpaserver-client: true" label
+ - ports:
+ - port: http
+ from:
+ - podSelector:
+ matchLabels:
+ {{ include "hapi-fhir-jpaserver.fullname" . }}-client: "true"
+ {{- with .Values.networkPolicy.explicitNamespacesSelector }}
+ namespaceSelector:
+ {{ toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.networkPolicy.allowedFrom }}
+ {{ tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/hapi-fhir-jpaserver/templates/tests/test-connection.yaml b/charts/hapi-fhir-jpaserver/templates/tests/test-connection.yaml
index ba58956..eac503d 100644
--- a/charts/hapi-fhir-jpaserver/templates/tests/test-connection.yaml
+++ b/charts/hapi-fhir-jpaserver/templates/tests/test-connection.yaml
@@ -4,6 +4,7 @@ metadata:
 name: "{{ include "hapi-fhir-jpaserver.fullname" . }}-test-connection"
 labels:
 {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }}
+ {{ include "hapi-fhir-jpaserver.fullname" . }}-client: "true"
 annotations:
 "helm.sh/hook": test
 spec:
@@ -11,7 +12,6 @@ spec:
 containers:
 - name: wget
 image: busybox:1
- imagePullPolicy: Always
 command: ['wget', '-O', '-']
 args: ['http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/Patient?_count=1']
 securityContext:
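Review bot: The peer label key `{{ include "hapi-fhir-jpaserver.fullname" . }}-client` can exceed the 63-character limit on a label key's name segment: `fullname` is itself truncated to 63 characters (the helper comment in `_helpers.tpl` says as much) and `-client` adds seven more, so a long release name produces a NetworkPolicy — and a test pod — that the API server rejects. Truncate before appending, `{{ include "hapi-fhir-jpaserver.fullname" . | trunc 56 | trimSuffix "-" }}-client: "true"`, and use the same expression in `tests/test-connection.yaml`, or switch to a fixed key that does not depend on the release name. The comment above the rule quotes a hard-coded `hapi-fhir-jpaserver-client` while the key is templated; make it `# Allow inbound connections from pods labelled "<fullname>-client: true" (same namespace only unless explicitNamespacesSelector is set)`. Adding `policyTypes: [Ingress]` under `spec` would also make explicit that egress from the server is deliberately left unrestricted.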
diff --git a/charts/hapi-fhir-jpaserver/values.yaml b/charts/hapi-fhir-jpaserver/values.yaml index 11f0a2a..5e3c63b 100644 --- a/charts/hapi-fhir-jpaserver/values.yaml +++ b/charts/hapi-fhir-jpaserver/values.yaml @@ -1,33 +1,37 @@ -# Default values for hapi-fhir-jpaserver. -# This is a YAML-formatted file. - -# number of replicas +# -- number of replicas to deploy replicaCount: 1 -image: # +doc-gen:ignore - registry: ghcr.io - repository: chgl/hapifhir/hapi-fhir-jpaserver-starter - tag: v5.3.0-distroless +image: + registry: docker.io + repository: hapiproject/hapi + # -- defaults to `Chart.appVersion` + tag: "" + # -- the flavor or variant of the image to use. + # appended to the image tag by `-`. + flavor: "distroless" pullPolicy: IfNotPresent -# image pull secrets +# -- image pull secrets to use when pulling the image imagePullSecrets: [] + +# -- override the chart name nameOverride: "" + +# -- override the chart fullname fullnameOverride: "" -# annotations applied to the server deployment +# -- annotations applied to the server deployment deploymentAnnotations: {} -# annotations applied to the server pod +# -- annotations applied to the server pod podAnnotations: {} -# PodSecurityContext applied to the pod +# -- pod security context podSecurityContext: {} # fsGroup: 2000 -# ContainerSecurityContext applied to the container -securityContext: # +doc-gen:ignore +securityContext: allowPrivilegeEscalation: false capabilities: drop: 
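Review bot: The `image.flavor` comment does not say that the flavor is appended even when `image.tag` is set explicitly — the new `imageTag` helper in `_helpers.tpl` applies it whenever `flavor` is non-empty — so a user who pins `tag: v5.5.1-distroless` ends up pulling `v5.5.1-distroless-distroless`. Extend the comment to `# -- the flavor or variant of the image to use. appended by `-` to the tag, whether that is the default (Chart.appVersion) or an explicit `tag`; set to "" to use `tag` verbatim.` A sentence noting that the default reference is a mutable tag rather than a digest would also help operators who need reproducible deployments.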
@@ -36,31 +40,30 @@ securityContext: # +doc-gen:ignore runAsNonRoot: true runAsUser: 65532 +# service to expose the server service: - # type of service to expose the server type: ClusterIP - # service port port: 8080 ingress: - # whether to create an Ingress to expose the FHIR server web interface + # -- whether to create an Ingress to expose the FHIR server HTTP endpoint enabled: false - # provide any additional annotations which may be required. Evaluated as a template. + # -- provide any additional annotations which may be required. Evaluated as a template. annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: - - host: fhir-server.127.0.0.1.xip.io + - host: fhir-server.127.0.0.1.nip.io pathType: ImplementationSpecific paths: ["/"] - # ingress TLS config + # -- ingress TLS config tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local -# resource requests and limits +# -- configure the FHIR server's resource requests and limits resources: {} # We usually recommend not to specify default resources and to leave this as a conscious 
@@ -74,30 +77,24 @@ resources: # cpu: 100m # memory: 128Mi -# node labels for pods assignment -# see: +# -- node selector for the pod nodeSelector: {} -# tolerations for pods assignment -# see: +# -- pod tolerations tolerations: [] -# affinity for pods assignment -# see: +# -- pod affinity affinity: {} -# see for details postgresql: - # enable an included PostgreSQL DB. - # if set to `false`, the values under `webApi.db` are used + # -- enable an included PostgreSQL DB. + # see for details + # if set to `false`, the values under `externalDatabase` are used enabled: true - # update the default Postgres version to 13.2 - image: # +doc-gen:break - tag: 13.2.0 - # name of the database to create + # -- name of the database to create # see: postgresqlDatabase: "fhir" - # Name of existing secret to use for PostgreSQL passwords. + # -- Name of existing secret to use for PostgreSQL passwords. # The secret has to contain the keys `postgresql-password` # which is the password for `postgresqlUsername` when it is # different of `postgres`, `postgresql-postgres-password` which 
@@ -105,55 +102,58 @@ postgresql: # which will override `replication.password` and `postgresql-ldap-password` # which will be sed to authenticate on LDAP. The value is evaluated as a template. existingSecret: "" - replication: - # should be true for production use - enabled: false - # number of read replicas - readReplicas: 2 - # set synchronous commit mode: on, off, remote_apply, remote_write and local - synchronousCommit: "on" - # from the number of `readReplicas` defined above, set the number of those that will have synchronous replication - numSynchronousReplicas: 1 - metrics: - # should also be true for production use - enabled: false - serviceMonitor: - # create a Prometheus Operator ServiceMonitor resource - enabled: false - # the labels used for Prometheus autodiscover, e.g. could be `release: prometheus` - additionalLabels: {} - containerSecurityContext: # +doc-gen:ignore + containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL -# readiness probe -readinessProbe: # +doc-gen:ignore +readinessProbe: failureThreshold: 5 initialDelaySeconds: 30 periodSeconds: 20 successThreshold: 1 timeoutSeconds: 20 -# startup probe -startupProbe: # +doc-gen:ignore + +startupProbe: failureThreshold: 10 initialDelaySeconds: 60 periodSeconds: 30 successThreshold: 1 timeoutSeconds: 30 -# only used if `postgresql.enabeld=false` externalDatabase: - # Database host + # -- external database host used with `postgresql.enabled=false` host: localhost - # non-root Username for FHIR Database - user: fhir - # Database password - password: "" - # Name of an existing secret resource containing the DB password in a 'postgresql-password' key - existingSecret: "" - # Database name - database: fhir - # Database port number + # -- database port number port: 5432 + # -- username for the external database + user: fhir + # -- database password + password: "" + # -- name of an existing secret resource containing the DB password in the `existingSecretKey` key + 
existingSecret: "" + # -- name of the key inside the `existingSecret` + existingSecretKey: "postgresql-password" + # -- database name + database: fhir + +networkPolicy: + # -- enable NetworkPolicy + enabled: false + # -- a Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed + explicitNamespacesSelector: + {} + # matchLabels: + # team: one + # test: foo + + # -- Additional allowed NetworkPolicyPeer specs + # Evaluated as a template so you could do: + # + # Example: + # allowedFrom: + # - podSelector: + # matchLabels: + # app.kubernetes.io/name: {{ $.Release.Name }} + allowedFrom: []
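Review bot: `externalDatabase.password` is documented only as `database password`, which invites putting the credential into a committed values file; Helm also persists every supplied value in the release record, and this chart copies the value into its own `*-external-db` Secret. Reword it to steer users to the secret path: `# -- database password. Prefer `existingSecret`; a plain value is stored in the Helm release record and usually ends up in version control.` Separately, the bitnami `containerSecurityContext` block drops all capabilities and blocks privilege escalation but, unlike the server's `securityContext` earlier in this file, does not set `runAsNonRoot: true`; if the subchart honours the field (its defaults already run as UID 1001 as far as I know), adding it closes the gap at no cost.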