diff --git a/README.md b/README.md
index 69857c5..f453b40 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,9 @@ To deploy EHRbase using the default configuration, run the following command:
 helm install ehrbase oci://ghcr.io/konateq/charts/ehrbase --namespace ehrbase --create-namespace
 ```
+For more information on how to use or customize this chart, please refer to the [README.md](./charts/ehrbase/README.md)
+and [values.yaml](./charts/ehrbase/values.yaml) files.
+
 ## Contributing
 We would love to have you contribute to this project. Please open an issue or a pull request with your ideas.
\ No newline at end of file
diff --git a/charts/ehrbase/Chart.yaml b/charts/ehrbase/Chart.yaml
index 4ac73d9..1d9297f 100644
--- a/charts/ehrbase/Chart.yaml
+++ b/charts/ehrbase/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: ehrbase
-version: 0.3.0
+version: 0.4.0
 kubeVersion: ">=1.26"
 description: EHRbase is an open source software backend for clinical application systems and electronic health records.
 type: application
diff --git a/charts/ehrbase/README.md b/charts/ehrbase/README.md
new file mode 100644
index 0000000..a3789b6
--- /dev/null
+++ b/charts/ehrbase/README.md
@@ -0,0 +1,144 @@
+# EHRbase
+
+[EHRbase]() serves as the backend for clinical application systems and electronic health records. It is built upon the
+openEHR specifications, an open-platform architecture that allows for the development of flexible and interoperable
+health systems. OpenEHR-based applications have a shared information architecture, enabling seamless interoperability
+between them.
+
+## Prerequisites
+
+- Kubernetes 1.26+
+- Helm 3.14.0+
+
+## Dependencies
+
+This chart depends on the following Bitnami Helm charts:
+
+- [PostgreSQL](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) 20.x.x
+- [Redis](https://github.com/bitnami/charts/tree/main/bitnami/redis) 15.x.x
+
+## Usage
+
+### Installing
+
+To deploy EHRbase using the default configuration, run the following command:
+
+```bash
+helm install oci://ghcr.io/konateq/charts/ehrbase --namespace --create-namespace
+```
+
+To deploy EHRbase with a custom configuration, create a `values.yaml` file with your desired configuration and run the
+following command:
+
+```bash
+helm install oci://ghcr.io/konateq/charts/ehrbase --namespace --create-namespace -f values.yaml
+```
+
+### Uninstalling
+
+To uninstall the EHRbase deployment, run the following command:
+
+```bash
+helm uninstall --namespace
+```
+
+### Upgrading
+
+To upgrade the EHRbase deployment, run the following command:
+
+```bash
+helm upgrade oci://ghcr.io/konateq/charts/ehrbase --install --namespace -f values.yaml
+```
+
+## Configuration
+
+If you look for concrete examples of how to configure this chart in real-world scenarios, please refer to the Wiki page
+of this repository.
+
+## Parameters
+
+The following table lists the configurable parameters of the EHRbase chart and their default values.
+
+> [!NOTE]
+> For more information on how to customize the PostgreSQL and Redis dependencies, please refer to the respective charts'
+> documentation.
The PostgreSQL chart documentation can be
+> found [here](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) and the Redis chart documentation can be
+> found [here](https://github.com/bitnami/charts/tree/main/bitnami/redis).
+
+| Parameter | Description | Default |
+|----------------------------------------------|-----------------------------------------|--------------------------------|
+| `auth.enabled` | Enable basic authentication | `true` |
+| `auth.username` | Username | `ehrbase-user` |
+| `auth.password` | Password | `""` |
+| `auth.adminUsername` | Admin username | `ehrbase-admin` |
+| `auth.adminPassword` | Admin password | `""` |
+| `auth.existingSecret` | Existing secret for user passwords | `""` |
+| `configuration` | EHRbase configuration | `""` |
+| `tls.enabled` | Enable TLS | `false` |
+| `tls.existingSecret` | Existing secret for TLS | `""` |
+| `replicaCount` | Number of replicas | `1` |
+| `image.repository` | EHRbase image repository | `ehrbase/ehrbase` |
+| `image.pullPolicy` | EHRbase image pull policy | `IfNotPresent` |
+| `image.tag` | EHRbase image tag | `""` |
+| `imagePullSecrets` | Image pull secrets | `[]` |
+| `nameOverride` | Override the chart name | `""` |
+| `fullnameOverride` | Override the full name | `""` |
+| `serviceAccount.create` | Create service account | `true` |
+| `serviceAccount.automount` | Automount service account token | `true` |
+| `serviceAccount.annotations` | Service account annotations | `{}` |
+| `serviceAccount.name` | Service account name | `""` |
+| `podAnnotations` | Pod annotations | `{}` |
+| `podLabels` | Pod labels | `{}` |
+| `podSecurityContext` | Pod security context | `{}` |
+| `securityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` |
+| `securityContext.capabilities.drop` | Drop capabilities | `["ALL"]` |
+| `securityContext.readOnlyRootFilesystem` | Read-only root filesystem | `true` |
+| `securityContext.runAsNonRoot` | Run as non-root | `true` |
+|
`securityContext.runAsUser` | Run as user | `1001` |
+| `securityContext.seccompProfile.type` | Seccomp profile type | `RuntimeDefault` |
+| `service.type` | Service type | `ClusterIP` |
+| `service.port` | Service port | `8080` |
+| `service.managementPort` | Management port | `9000` |
+| `service.annotations` | Service annotations | `{}` |
+| `ingress.enabled` | Enable ingress | `false` |
+| `ingress.className` | Ingress class name | `""` |
+| `ingress.annotations` | Ingress annotations | `{}` |
+| `ingress.hosts[0].host` | Ingress host | `ehrbase.local` |
+| `ingress.hosts[0].paths[0].path` | Ingress path | `/` |
+| `ingress.hosts[0].paths[0].pathType` | Ingress path type | `ImplementationSpecific` |
+| `ingress.tls` | Ingress TLS | `[]` |
+| `resources` | Pod resources | `{}` |
+| `livenessProbe.httpGet.path` | Liveness probe path | `/management/health/liveness` |
+| `livenessProbe.httpGet.port` | Liveness probe port | `management` |
+| `livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `15` |
+| `readinessProbe.httpGet.path` | Readiness probe path | `/management/health/readiness` |
+| `readinessProbe.httpGet.port` | Readiness probe port | `management` |
+| `readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `15` |
+| `autoscaling.enabled` | Enable horizontal pod autoscaling | `false` |
+| `autoscaling.minReplicas` | Minimum replicas | `1` |
+| `autoscaling.maxReplicas` | Maximum replicas | `10` |
+| `autoscaling.targetCPU` | Target CPU utilization percentage | `80` |
+| `autoscaling.targetMemory` | Target memory utilization percentage | |
+| `extraEnvVars` | Extra environment variables | `[]` |
+| `extraEnvVarsSecret` | Extra environment variables from secret | `""` |
+| `extraVolumes` | Extra volumes | `[]` |
+| `extraVolumeMounts` | Extra volume mounts | `[]` |
+| `nodeSelector` | Node selector | `{}` |
+| `tolerations` | Tolerations | `[]` |
+| `affinity` | Affinity | `{}` |
+| `postgresql.enabled` | Enable PostgreSQL
dependency chart | `true` |
+| `externalDatabase.host` | External database host | `""` |
+| `externalDatabase.port` | External database port | `5432` |
+| `externalDatabase.username` | External database user | `ehrbase` |
+| `externalDatabase.password` | External database password | `""` |
+| `externalDatabase.database` | External database name | `ehrbase` |
+| `externalDatabase.existingSecret` | Existing secret for external database | `""` |
+| `externalDatabase.existingSecretPasswordKey` | Existing secret password key | `""` |
+| `redis.enabled` | Enable Redis dependency chart | `false` |
+| `externalRedis.enabled` | Enable external Redis | `false` |
+| `externalRedis.host` | External Redis host | `""` |
+| `externalRedis.port` | External Redis port | `6379` |
+| `externalRedis.password` | External Redis password | `""` |
+| `externalRedis.existingSecret` | Existing secret for external Redis | `""` |
+| `externalRedis.existingSecretPasswordKey` | Existing secret password key | `""` |
+
diff --git a/charts/ehrbase/templates/_helpers.tpl b/charts/ehrbase/templates/_helpers.tpl
index 17800c3..21de9de 100644
--- a/charts/ehrbase/templates/_helpers.tpl
+++ b/charts/ehrbase/templates/_helpers.tpl
@@ -206,3 +206,25 @@ Return the Redis password key
 {{- printf "redis-password" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return the TLS secret name
+*/}}
+{{- define "ehrbase.tlsSecretName" -}}
+{{- if .Values.tls.existingSecret }}
+{{- .Values.tls.existingSecret }}
+{{- else }}
+{{- printf "%s-tls" (include "ehrbase.fullname" .) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the port to use
+*/}}
+{{- define "ehrbase.portName" -}}
+{{- if .Values.tls.enabled }}
+{{- printf "https" }}
+{{- else }}
+{{- printf "http" }}
+{{- end }}
+{{- end }}
diff --git a/charts/ehrbase/templates/configmap-env-vars.yaml b/charts/ehrbase/templates/configmap-env-vars.yaml
index 3ad4b5f..14fe347 100644
--- a/charts/ehrbase/templates/configmap-env-vars.yaml
+++ b/charts/ehrbase/templates/configmap-env-vars.yaml
@@ -11,6 +11,15 @@ data:
 MANAGEMENT_ENDPOINT_HEALTH_ENABLED: "true"
 MANAGEMENT_ENDPOINTS_WEB_ACCESS: "PUBLIC"
 MANAGEMENT_SERVER_PORT: {{ .Values.service.managementPort | quote }}
+ SERVER_PORT: {{ .Values.service.port | quote }}
+ {{- if .Values.auth.enabled }}
+ SECURITY_AUTHTYPE: "BASIC"
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ SERVER_SSL_ENABLED: "true"
+ SERVER_SSL_CERTIFICATE: "/app/certs/tls.crt"
+ SERVER_SSL_CERTIFICATEPRIVATEKEY: "/app/certs/tls.key"
+ {{- end }}
 {{- if or .Values.redis.enabled .Values.externalRedis.enabled }}
 SPRING_CACHE_TYPE: "redis"
 SPRING_DATA_REDIS_HOST: {{ include "ehrbase.redisHost" . | quote }}
diff --git a/charts/ehrbase/templates/deployment.yaml b/charts/ehrbase/templates/deployment.yaml
index 44daaa0..700502e 100644
--- a/charts/ehrbase/templates/deployment.yaml
+++ b/charts/ehrbase/templates/deployment.yaml
@@ -55,8 +55,6 @@ spec:
 key: {{ include "ehrbase.redisSecretPasswordKey" . }}
 {{- end }}
 {{- if .Values.auth.enabled }}
- - name: SECURITY_AUTHTYPE
- value: BASIC
 - name: SECURITY_AUTHUSER
 valueFrom:
 secretKeyRef:
@@ -89,7 +87,7 @@ spec:
 name: {{ .Values.extraEnvVarsSecret }}
 {{- end }}
 ports:
- - name: http
+ - name: {{ include "ehrbase.portName" . }}
 containerPort: {{ .Values.service.port }}
 protocol: TCP
 - name: management
@@ -110,6 +108,11 @@ spec:
 subPath: application.yml
 readOnly: true
 {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: tls-certs
+ mountPath: /app/certs
+ readOnly: true
+ {{- end }}
 {{- with .Values.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
@@ -121,6 +124,11 @@ spec:
 configMap:
 name: {{ include "ehrbase.fullname" . }}-configuration
 {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: tls-certs
+ secret:
+ secretName: {{ include "ehrbase.tlsSecretName" . }}
+ {{- end }}
 {{- with .Values.extraVolumes }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
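Review bot: With `tls.enabled`, `SERVER_SSL_ENABLED` switches the main listener to TLS but nothing in this hunk says what happens to the separate management port that the liveness and readiness probes hit; if Spring Boot applies `server.ssl.*` to the management server as well when no `management.server.ssl.*` is set (its documented default, which I cannot confirm from this hunk), the plain `httpGet` probes on `management` will fail the handshake. Either add `scheme: HTTPS` to both probes or keep the management listener in the clear by adding `MANAGEMENT_SERVER_SSL_ENABLED: "false"` inside the same `{{- if .Values.tls.enabled }}` block, and record the decision with a comment such as `# Management port stays plain HTTP so kubelet probes need no TLS trust`. A one-line comment that these keys are Spring relaxed-binding forms of `server.ssl.certificate` / `server.ssl.certificate-private-key` (PEM files) would also help the next maintainer, since the names are not obvious.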
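Review bot: The two hunks at 108 and 124 mount the TLS secret into the pod, but nothing ties the pod spec to the secret's content, and the chart-generated secret is rendered by `genSelfSignedCert` afresh on every upgrade; since the PEM files are read once at startup, an upgrade would leave running replicas serving the old certificate while any newly scheduled pod gets the new one. If the pod template has no checksum annotation for it already (the `annotations:` block is outside these hunks, so I cannot see), add one next to `podAnnotations`, guarded on the chart-managed case: `{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) }}` / `checksum/tls: {{ include (print $.Template.BasePath "/tls-secret.yaml") . | sha256sum }}` / `{{- end }}`. Note that this makes every upgrade roll the pods, which is the price of regenerating the key pair each time; a stable secret (see the tls-secret template) avoids it.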
diff --git a/charts/ehrbase/templates/ingress.yaml b/charts/ehrbase/templates/ingress.yaml
index 69c69ef..6dede6f 100644
--- a/charts/ehrbase/templates/ingress.yaml
+++ b/charts/ehrbase/templates/ingress.yaml
@@ -1,5 +1,6 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "ehrbase.fullname" . -}}
+{{- $portName := include "ehrbase.portName" . -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -34,7 +35,7 @@ spec:
 service:
 name: {{ $fullName }}
 port:
- name: http
+ name: {{ $portName }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/ehrbase/templates/service.yaml b/charts/ehrbase/templates/service.yaml
index ef20c20..8e131e1 100644
--- a/charts/ehrbase/templates/service.yaml
+++ b/charts/ehrbase/templates/service.yaml
@@ -4,12 +4,16 @@ metadata:
 name: {{ include "ehrbase.fullname" . }}
 labels:
 {{- include "ehrbase.labels" . | nindent 4 }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 type: {{ .Values.service.type }}
 ports:
- - name: http
+ - name: {{ include "ehrbase.portName" . }}
 port: {{ .Values.service.port }}
- targetPort: http
+ targetPort: {{ include "ehrbase.portName" . }}
 protocol: TCP
 selector:
 {{- include "ehrbase.selectorLabels" . | nindent 4 }}
diff --git a/charts/ehrbase/templates/tls-secret.yaml b/charts/ehrbase/templates/tls-secret.yaml
new file mode 100644
index 0000000..6c750bb
--- /dev/null
+++ b/charts/ehrbase/templates/tls-secret.yaml
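Review bot: Pointing the backend at a port named `https` does not make the ingress controller speak TLS to the pod; a port name is opaque to the controller, and most of them proxy plain HTTP to the backend unless a controller-specific annotation says otherwise (for ingress-nginx, `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`), so `tls.enabled` together with `ingress.enabled` would fail at the backend handshake unless the user supplies that annotation themselves. Since the chart cannot know which controller is in use, the caveat should at least be documented: a comment above the `port:` block such as `# With tls.enabled the pod only speaks TLS; set your controller's backend-protocol annotation via ingress.annotations` plus a matching line in the chart README. The `range` loops that the three `{{- end }}` lines close start before this hunk.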
@@ -0,0 +1,14 @@
+{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) -}}
+{{- $altDnsNames := list ( printf "%s.%s" (include "ehrbase.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "ehrbase.name" .) .Release.Namespace ) -}}
+{{- $cert := genSelfSignedCert (include "ehrbase.name" .) nil $altDnsNames 365 -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "ehrbase.fullname" . }}-tls
+ labels:
+ {{- include "ehrbase.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ $cert.Cert | b64enc }}
+ tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ehrbase/values.yaml b/charts/ehrbase/values.yaml
index 3795cb9..e069a7a 100644
--- a/charts/ehrbase/values.yaml
+++ b/charts/ehrbase/values.yaml
@@ -12,6 +12,10 @@ auth:
 configuration: ""
+tls:
+ enabled: false
+ existingSecret: ""
+
 replicaCount: 1
 image:
@@ -49,6 +53,7 @@ service:
 type: ClusterIP
 port: 8080
 managementPort: 9000
+ annotations: {}
 ingress:
 enabled: false
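Review bot: The certificate's CN and DNS SANs are built from `ehrbase.name` (the `$altDnsNames` and `genSelfSignedCert` lines), while the Service that clients actually resolve is named `ehrbase.fullname` (service.yaml in this same diff), so for any release whose name does not collapse to the chart name the SANs `<name>.<ns>` / `<name>.<ns>.svc` will not match the Service hostname and any client that verifies will reject the certificate; use `(include "ehrbase.fullname" .)` in both the list and the `genSelfSignedCert` call, and consider adding the `<fullname>.<ns>.svc.cluster.local` form too. Separately, `genSelfSignedCert` yields a new key pair on every render, so each `helm upgrade` silently rotates the certificate (and the old key lives on in Helm's release history secrets); a `lookup` of the existing Secret to reuse its `tls.crt`/`tls.key` when present, or a `helm.sh/resource-policy: keep` annotation, would make it stable. Whatever is chosen, the template should say it up front, e.g. `# Chart-managed self-signed cert: regenerated on every upgrade, valid 365 days with no renewal; intended for testing only, use tls.existingSecret (e.g. cert-manager) otherwise.`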