Add support to run EHRbase pods using TLS (#9)
subigre authored Sep 18, 2024
1 parent 5a76186 commit 77c57fe
Showing 10 changed files with 217 additions and 7 deletions.
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@ To deploy EHRbase using the default configuration, run the following command:
helm install ehrbase oci://ghcr.io/konateq/charts/ehrbase --namespace ehrbase --create-namespace
```

For more information on how to use or customize this chart, please refer to the [README.md](./charts/ehrbase/README.md)
and [values.yaml](./charts/ehrbase/values.yaml) files.

## Contributing

We would love to have you contribute to this project. Please open an issue or a pull request with your ideas.
2 changes: 1 addition & 1 deletion charts/ehrbase/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: ehrbase
version: 0.3.0
version: 0.4.0
kubeVersion: ">=1.26"
description: EHRbase is an open source software backend for clinical application systems and electronic health records.
type: application
Expand Down
144 changes: 144 additions & 0 deletions charts/ehrbase/README.md
@@ -0,0 +1,144 @@
# EHRbase

[EHRbase]() serves as the backend for clinical application systems and electronic health records. It is built upon the
openEHR specifications, an open-platform architecture that allows for the development of flexible and interoperable
health systems. OpenEHR-based applications have a shared information architecture, enabling seamless interoperability
between them.

## Prerequisites

- Kubernetes 1.26+
- Helm 3.14.0+

## Dependencies

This chart depends on the following Bitnami Helm charts:

- [PostgreSQL](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) 20.x.x
- [Redis](https://github.com/bitnami/charts/tree/main/bitnami/redis) 15.x.x

## Usage

### Installing

To deploy EHRbase using the default configuration, run the following command:

```bash
helm install <RELEASE_NAME> oci://ghcr.io/konateq/charts/ehrbase --namespace <NAMESPACE> --create-namespace
```

To deploy EHRbase with a custom configuration, create a `values.yaml` file with your desired configuration and run the
following command:

```bash
helm install <RELEASE_NAME> oci://ghcr.io/konateq/charts/ehrbase --namespace <NAMESPACE> --create-namespace -f values.yaml
```

### Uninstalling

To uninstall the EHRbase deployment, run the following command:

```bash
helm uninstall <RELEASE_NAME> --namespace <NAMESPACE>
```

### Upgrading

To upgrade the EHRbase deployment, run the following command:

```bash
helm upgrade <RELEASE_NAME> oci://ghcr.io/konateq/charts/ehrbase --install --namespace <NAMESPACE> -f values.yaml
```

## Configuration

If you look for concrete examples of how to configure this chart in real-world scenarios, please refer to the Wiki page
of this repository.

## Parameters

The following table lists the configurable parameters of the EHRbase chart and their default values.

> [!NOTE]
> For more information on how to customize the PostgreSQL and Redis dependencies, please refer to the respective charts'
> documentation. The PostgreSQL chart documentation can be
> found [here](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) and the Redis chart documentation can be
> found [here](https://github.com/bitnami/charts/tree/main/bitnami/redis).
| Parameter | Description | Default |
|----------------------------------------------|-----------------------------------------|--------------------------------|
| `auth.enabled` | Enable basic authentication | `true` |
| `auth.username` | Username | `ehrbase-user` |
| `auth.password` | Password | `""` |
| `auth.adminUsername` | Admin username | `ehrbase-admin` |
| `auth.adminPassword` | Admin password | `""` |
| `auth.existingSecret` | Existing secret for user passwords | `""` |
| `configuration` | EHRbase configuration | `""` |
| `tls.enabled` | Enable TLS | `false` |
| `tls.existingSecret` | Existing secret for TLS | `""` |
| `replicaCount` | Number of replicas | `1` |
| `image.repository` | EHRbase image repository | `ehrbase/ehrbase` |
| `image.pullPolicy` | EHRbase image pull policy | `IfNotPresent` |
| `image.tag` | EHRbase image tag | `""` |
| `imagePullSecrets` | Image pull secrets | `[]` |
| `nameOverride` | Override the chart name | `""` |
| `fullnameOverride` | Override the full name | `""` |
| `serviceAccount.create` | Create service account | `true` |
| `serviceAccount.automount` | Automount service account token | `true` |
| `serviceAccount.annotations` | Service account annotations | `{}` |
| `serviceAccount.name` | Service account name | `""` |
| `podAnnotations` | Pod annotations | `{}` |
| `podLabels` | Pod labels | `{}` |
| `podSecurityContext` | Pod security context | `{}` |
| `securityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` |
| `securityContext.capabilities.drop` | Drop capabilities | `["ALL"]` |
| `securityContext.readOnlyRootFilesystem` | Read-only root filesystem | `true` |
| `securityContext.runAsNonRoot` | Run as non-root | `true` |
| `securityContext.runAsUser` | Run as user | `1001` |
| `securityContext.seccompProfile.type` | Seccomp profile type | `RuntimeDefault` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Service port | `8080` |
| `service.managementPort` | Management port | `9000` |
| `service.annotations` | Service annotations | `{}` |
| `ingress.enabled` | Enable ingress | `false` |
| `ingress.className` | Ingress class name | `""` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.hosts[0].host` | Ingress host | `ehrbase.local` |
| `ingress.hosts[0].paths[0].path` | Ingress path | `/` |
| `ingress.hosts[0].paths[0].pathType` | Ingress path type | `ImplementationSpecific` |
| `ingress.tls` | Ingress TLS | `[]` |
| `resources` | Pod resources | `{}` |
| `livenessProbe.httpGet.path` | Liveness probe path | `/management/health/liveness` |
| `livenessProbe.httpGet.port` | Liveness probe port | `management` |
| `livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `15` |
| `readinessProbe.httpGet.path` | Readiness probe path | `/management/health/readiness` |
| `readinessProbe.httpGet.port` | Readiness probe port | `management` |
| `readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `15` |
| `autoscaling.enabled` | Enable horizontal pod autoscaling | `false` |
| `autoscaling.minReplicas` | Minimum replicas | `1` |
| `autoscaling.maxReplicas` | Maximum replicas | `10` |
| `autoscaling.targetCPU` | Target CPU utilization percentage | `80` |
| `autoscaling.targetMemory` | Target memory utilization percentage | |
| `extraEnvVars` | Extra environment variables | `[]` |
| `extraEnvVarsSecret` | Extra environment variables from secret | `""` |
| `extraVolumes` | Extra volumes | `[]` |
| `extraVolumeMounts` | Extra volume mounts | `[]` |
| `nodeSelector` | Node selector | `{}` |
| `tolerations` | Tolerations | `[]` |
| `affinity` | Affinity | `{}` |
| `postgresql.enabled` | Enable PostgreSQL dependency chart | `true` |
| `externalDatabase.host` | External database host | `""` |
| `externalDatabase.port` | External database port | `5432` |
| `externalDatabase.username` | External database user | `ehrbase` |
| `externalDatabase.password` | External database password | `""` |
| `externalDatabase.database` | External database name | `ehrbase` |
| `externalDatabase.existingSecret` | Existing secret for external database | `""` |
| `externalDatabase.existingSecretPasswordKey` | Existing secret password key | `""` |
| `redis.enabled` | Enable Redis dependency chart | `false` |
| `externalRedis.enabled` | Enable external Redis | `false` |
| `externalRedis.host` | External Redis host | `""` |
| `externalRedis.port` | External Redis port | `6379` |
| `externalRedis.password` | External Redis password | `""` |
| `externalRedis.existingSecret` | Existing secret for external Redis | `""` |
| `externalRedis.existingSecretPasswordKey` | Existing secret password key | `""` |
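Review bot: there is no blank line between the `> [!NOTE]` block and the `| Parameter | Description | Default |` header row, so Markdown parses the table rows as a continuation of the blockquote instead of a stand-alone table; add a blank line after the last `>` line. Two smaller points in the same file: the `[EHRbase]()` link at the top has an empty target, and the `tls.enabled` / `tls.existingSecret` rows should say what happens when no secret is given, since the chart then generates a self-signed certificate in `templates/tls-secret.yaml` that clients will not trust without extra configuration.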

22 changes: 22 additions & 0 deletions charts/ehrbase/templates/_helpers.tpl
Expand Up @@ -206,3 +206,25 @@ Return the Redis password key
{{- printf "redis-password" -}}
{{- end -}}
{{- end -}}

{{/*
Return the TLS secret name
*/}}
{{- define "ehrbase.tlsSecretName" -}}
{{- if .Values.tls.existingSecret }}
{{- .Values.tls.existingSecret }}
{{- else }}
{{- printf "%s-tls" (include "ehrbase.fullname" .) }}
{{- end }}
{{- end }}

{{/*
Return the port to use
*/}}
{{- define "ehrbase.portName" -}}
{{- if .Values.tls.enabled }}
{{- printf "https" }}
{{- else }}
{{- printf "http" }}
{{- end }}
{{- end }}
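Review bot: the comment on `ehrbase.portName` says "Return the port to use", but the helper returns a port name (`http` or `https`), not a port number, so it is easy to confuse with `service.port`; reword the comment. Also consider having `templates/tls-secret.yaml` use `ehrbase.tlsSecretName` for its `metadata.name` rather than repeating `{{ include "ehrbase.fullname" . }}-tls`, so the generated Secret and the name the Deployment mounts cannot drift apart; the helper only returns `existingSecret` when it is set, and the Secret template is only rendered when it is not, so the two are compatible.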
9 changes: 9 additions & 0 deletions charts/ehrbase/templates/configmap-env-vars.yaml
Expand Up @@ -11,6 +11,15 @@ data:
MANAGEMENT_ENDPOINT_HEALTH_ENABLED: "true"
MANAGEMENT_ENDPOINTS_WEB_ACCESS: "PUBLIC"
MANAGEMENT_SERVER_PORT: {{ .Values.service.managementPort | quote }}
SERVER_PORT: {{ .Values.service.port | quote }}
{{- if .Values.auth.enabled }}
SECURITY_AUTHTYPE: "BASIC"
{{- end }}
{{- if .Values.tls.enabled }}
SERVER_SSL_ENABLED: "true"
SERVER_SSL_CERTIFICATE: "/app/certs/tls.crt"
SERVER_SSL_CERTIFICATEPRIVATEKEY: "/app/certs/tls.key"
{{- end }}
{{- if or .Values.redis.enabled .Values.externalRedis.enabled }}
SPRING_CACHE_TYPE: "redis"
SPRING_DATA_REDIS_HOST: {{ include "ehrbase.redisHost" . | quote }}
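Review bot: the `tls.enabled` branch sets `SERVER_SSL_*` only and nothing sets `MANAGEMENT_SERVER_SSL_ENABLED` for the separate `MANAGEMENT_SERVER_PORT`; as far as I know Spring Boot applies the main `server.ssl` settings to the management server unless `management.server.ssl.*` overrides them, so port 9000 would start speaking TLS too while the liveness and readiness probes (`httpGet` on port `management`, no `scheme`) still use plain HTTP and the pod never becomes ready. Please verify, and either add `MANAGEMENT_SERVER_SSL_ENABLED: "false"` under this branch or set `scheme: HTTPS` on the probes. Two further checks: `SERVER_SSL_CERTIFICATE` / `SERVER_SSL_CERTIFICATEPRIVATEKEY` are the PEM properties introduced in Spring Boot 3.1, so with an older EHRbase `image.tag` they are silently ignored and the port named `https` serves plaintext; and the paths `/app/certs/tls.crt` and `/app/certs/tls.key` mean a user-supplied `tls.existingSecret` has to carry exactly those keys, i.e. be a `kubernetes.io/tls` Secret, which the values file should state.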
Expand Down
14 changes: 11 additions & 3 deletions charts/ehrbase/templates/deployment.yaml
Expand Up @@ -55,8 +55,6 @@ spec:
key: {{ include "ehrbase.redisSecretPasswordKey" . }}
{{- end }}
{{- if .Values.auth.enabled }}
- name: SECURITY_AUTHTYPE
value: BASIC
- name: SECURITY_AUTHUSER
valueFrom:
secretKeyRef:
Expand Down Expand Up @@ -89,7 +87,7 @@ spec:
name: {{ .Values.extraEnvVarsSecret }}
{{- end }}
ports:
- name: http
- name: {{ include "ehrbase.portName" . }}
containerPort: {{ .Values.service.port }}
protocol: TCP
- name: management
Expand All @@ -110,6 +108,11 @@ spec:
subPath: application.yml
readOnly: true
{{- end }}
{{- if .Values.tls.enabled }}
- name: tls-certs
mountPath: /app/certs
readOnly: true
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
Expand All @@ -121,6 +124,11 @@ spec:
configMap:
name: {{ include "ehrbase.fullname" . }}-configuration
{{- end }}
{{- if .Values.tls.enabled }}
- name: tls-certs
secret:
secretName: {{ include "ehrbase.tlsSecretName" . }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
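Review bot: the `tls-certs` secret volume uses the default file mode (0644), so the private key is readable by every uid inside the container, not only the `runAsUser: 1001` process. Add `defaultMode: 0440` to the secret volume and set `fsGroup: 1001` in `podSecurityContext` (currently `{}`), so the files are owned by root:1001 and readable only by that group; `defaultMode: 0400` on its own would lock the non-root process out because secret files are root-owned. The `readOnly: true` mount in the previous hunk is correct and should stay.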
Expand Down
3 changes: 2 additions & 1 deletion charts/ehrbase/templates/ingress.yaml
@@ -1,5 +1,6 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "ehrbase.fullname" . -}}
{{- $portName := include "ehrbase.portName" . -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
Expand Down Expand Up @@ -34,7 +35,7 @@ spec:
service:
name: {{ $fullName }}
port:
name: http
name: {{ $portName }}
{{- end }}
{{- end }}
{{- end }}
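Review bot: pointing the backend at the port named `https` does not by itself make the ingress controller speak TLS to the pod; most controllers default to plain HTTP towards the backend and need an explicit hint (for ingress-nginx the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation, or `appProtocol: https` on the Service port), so with `tls.enabled: true` and no such hint every request fails at the handshake. Document the required `ingress.annotations` for the supported controllers in the README, or set `appProtocol` in `service.yaml` so controllers that honour it pick the protocol automatically.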
8 changes: 6 additions & 2 deletions charts/ehrbase/templates/service.yaml
Expand Up @@ -4,12 +4,16 @@ metadata:
name: {{ include "ehrbase.fullname" . }}
labels:
{{- include "ehrbase.labels" . | nindent 4 }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- name: http
- name: {{ include "ehrbase.portName" . }}
port: {{ .Values.service.port }}
targetPort: http
targetPort: {{ include "ehrbase.portName" . }}
protocol: TCP
selector:
{{- include "ehrbase.selectorLabels" . | nindent 4 }}
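Review bot: the Service port name now flips between `http` and `https` with `tls.enabled`, so anything that references the port by name (a NetworkPolicy, a ServiceMonitor, an Ingress defined outside this chart) breaks when TLS is toggled, and `targetPort` must change in lock-step with the container port name in `deployment.yaml`. Consider keeping a fixed port name and expressing the protocol via `appProtocol: {{ include "ehrbase.portName" . }}` instead, which is the field controllers and meshes read.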
14 changes: 14 additions & 0 deletions charts/ehrbase/templates/tls-secret.yaml
@@ -0,0 +1,14 @@
{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) -}}
{{- $altDnsNames := list ( printf "%s.%s" (include "ehrbase.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "ehrbase.name" .) .Release.Namespace ) -}}
{{- $cert := genSelfSignedCert (include "ehrbase.name" .) nil $altDnsNames 365 -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ehrbase.fullname" . }}-tls
labels:
{{- include "ehrbase.labels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end }}
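Review bot: the SANs in `$altDnsNames` (and the CN) are built from `ehrbase.name`, but the Service in `service.yaml` is named with `ehrbase.fullname`, so unless the release is called `ehrbase` or `fullnameOverride` matches, the generated certificate does not cover `<release>-ehrbase.<namespace>.svc` and any in-cluster client that verifies the hostname rejects it; use `ehrbase.fullname` for both and add the `.svc.cluster.local` form. Two things a user of this Secret should be told in the README: `genSelfSignedCert` runs on every `helm upgrade`, so the key pair is regenerated and any client pinning the previous certificate breaks on each upgrade (a `lookup` of the existing Secret, or stating that a stable certificate requires `tls.existingSecret`, avoids that); and because the certificate and key are rendered into the manifest, the private key also lands in Helm's stored release history, not only in this Secret.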
5 changes: 5 additions & 0 deletions charts/ehrbase/values.yaml
Expand Up @@ -12,6 +12,10 @@ auth:

configuration: ""

tls:
enabled: false
existingSecret: ""

replicaCount: 1

image:
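Review bot: the new `tls` block has no comments, while the behaviour it triggers is not obvious from the two keys: `enabled: true` with an empty `existingSecret` makes the chart generate a self-signed certificate in `templates/tls-secret.yaml`, and a provided `existingSecret` must be a `kubernetes.io/tls` Secret with `tls.crt` and `tls.key`, since those are the file names the ConfigMap points Spring Boot at. A short comment above each key would save users a trip to the templates.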
Expand Down Expand Up @@ -49,6 +53,7 @@ service:
type: ClusterIP
port: 8080
managementPort: 9000
annotations: {}

ingress:
enabled: false
Expand Down
