diff --git a/.github/workflows/chart-test.yaml b/.github/workflows/chart-test.yaml
index 30d29329dd7..629789f7cef 100644
--- a/.github/workflows/chart-test.yaml
+++ b/.github/workflows/chart-test.yaml
@@ -15,7 +15,7 @@ jobs:
       - name: Install helm-docs
         working-directory: /tmp
         env:
-          HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.11.0/helm-docs_1.11.0_Linux_x86_64.tar.gz
+          HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.11.3/helm-docs_1.11.3_Linux_x86_64.tar.gz
         run: |
           curl -LSs $HELM_DOCS_URL | tar xz && \
           mv ./helm-docs /usr/local/bin/helm-docs && \
@@ -30,6 +30,7 @@ jobs:
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0
+
       - name: Check if documentation is up-to-date
         run: helm-docs && git diff --exit-code HEAD
diff --git a/charts/hapi-fhir-jpaserver/Chart.yaml b/charts/hapi-fhir-jpaserver/Chart.yaml
index a81e1082a60..ed556611b54 100644
--- a/charts/hapi-fhir-jpaserver/Chart.yaml
+++ b/charts/hapi-fhir-jpaserver/Chart.yaml
@@ -10,18 +10,18 @@ dependencies:
     version: 12.5.6
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
-appVersion: 6.6.0
-version: 0.13.0
+appVersion: 6.8.3
+version: 0.14.0
 annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/changes: |
     # When using the list of objects option the valid supported kinds are
     # added, changed, deprecated, removed, fixed, and security.
     - kind: added
-      description: allow specifying application properties via yaml config
+      description: updated starter image to 6.8.3
+    - kind: fixed
+      description: incorrect handling of existing secret database config
     - kind: added
-      description: allow setting resource limits and requests for the Helm test pods
-    - kind: changed
-      description: updated curl used by helm tests to version to v8.2.0
-    - kind: changed
-      description: allow disabling the liveness-, readiness-, and startup-probes entirely
+      description: support for using a non-admin user for the postgres database
+    - kind: added
+      description: ability to create a dedicated ServiceAccount
diff --git a/charts/hapi-fhir-jpaserver/README.md b/charts/hapi-fhir-jpaserver/README.md
index 7d4d338db4d..af318f14b28 100644
--- a/charts/hapi-fhir-jpaserver/README.md
+++ b/charts/hapi-fhir-jpaserver/README.md
@@ -1,6 +1,6 @@
 # HAPI FHIR JPA Server Starter Helm Chart
-![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.6.0](https://img.shields.io/badge/AppVersion-6.6.0-informational?style=flat-square)
+![Version: 0.14.0](https://img.shields.io/badge/Version-0.14.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.8.3](https://img.shields.io/badge/AppVersion-6.8.3-informational?style=flat-square)
 This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment.
@@ -36,7 +36,7 @@ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver
 | image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy to use |
 | image.registry | string | `"docker.io"` | registry where the HAPI FHIR server image is hosted |
 | image.repository | string | `"hapiproject/hapi"` | the path inside the repository |
-| image.tag | string | `"v6.6.0@sha256:c00367865ae5dad4e171cbb68bfc1c39818854079d1565bee4c86a45e78335d0"` | the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image. |
+| image.tag | string | `"v6.8.3@sha256:6195f1116ebabfb0a608addde043b3e524c456c4d4f35b3d25025afd7dcd2e27"` | the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image. |
 | imagePullSecrets | list | `[]` | image pull secrets to use when pulling the image |
 | ingress.annotations | object | `{}` | provide any additional annotations which may be required. Evaluated as a template. |
 | ingress.enabled | bool | `false` | whether to create an Ingress to expose the FHIR server HTTP endpoint |
@@ -73,6 +73,10 @@ helm install hapi-fhir-jpaserver hapifhir/hapi-fhir-jpaserver
 | securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
 | service.port | int | `8080` | port where the server will be exposed at |
 | service.type | string | `"ClusterIP"` | service type |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |
+| serviceAccount.create | bool | `false` | Specifies whether a service account should be created. |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | tests.resources | object | `{}` | configure the test pods resource requests and limits |
 | tolerations | list | `[]` | pod tolerations |
 | topologySpreadConstraints | list | `[]` | pod topology spread configuration see: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#api |
@@ -139,4 +143,4 @@ kubectl port-forward -n observability service/simplest-query 16686:16686
 and opening in your browser.
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)
diff --git a/charts/hapi-fhir-jpaserver/ci/custom-postgres-user-values.yaml b/charts/hapi-fhir-jpaserver/ci/custom-postgres-user-values.yaml
new file mode 100644
index 00000000000..ca2d9fe5102
--- /dev/null
+++ b/charts/hapi-fhir-jpaserver/ci/custom-postgres-user-values.yaml
@@ -0,0 +1,7 @@
+postgresql:
+  enabled: true
+  auth:
+    username: hapi_fhir_jpaserver_starter_user
+    database: hapi_fhir_jpaserver_starter
+    password: secret_user_password
+    postgresPassword: secret_postgres_password
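Review bot: The new ci/custom-postgres-user-values.yaml commits literal `password` and `postgresPassword` values without saying they are throwaway chart-testing fixtures, so a reader or a secret scanner has no way to tell them from a leaked credential. A header comment such as `# Dummy credentials used only by chart-testing (ct); never reuse these values.` would make the intent explicit. It would also help to state in that comment which code path the file exercises — a non-admin `auth.username` with a chart-managed secret — since that is the behaviour the release notes call out.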
diff --git a/charts/hapi-fhir-jpaserver/templates/_helpers.tpl b/charts/hapi-fhir-jpaserver/templates/_helpers.tpl
index eee1ed59867..954d1e98eb4 100644
--- a/charts/hapi-fhir-jpaserver/templates/_helpers.tpl
+++ b/charts/hapi-fhir-jpaserver/templates/_helpers.tpl
@@ -50,6 +50,17 @@ app.kubernetes.io/name: {{ include "hapi-fhir-jpaserver.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hapi-fhir-jpaserver.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "hapi-fhir-jpaserver.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create a default fully qualified postgresql name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -63,10 +74,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Get the Postgresql credentials secret name.
 */}}
 {{- define "hapi-fhir-jpaserver.postgresql.secretName" -}}
-{{- if and (.Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret) -}}
-  {{- printf "%s" (include "hapi-fhir-jpaserver.postgresql.fullname" .) -}}
-{{- else if and (.Values.postgresql.enabled) (.Values.postgresql.auth.existingSecret) -}}
-  {{- printf "%s" .Values.postgresql.auth.existingSecret -}}
+{{- if .Values.postgresql.enabled -}}
+  {{- if .Values.postgresql.auth.existingSecret -}}
+    {{- printf "%s" .Values.postgresql.auth.existingSecret -}}
+  {{- else -}}
+    {{- printf "%s" (include "hapi-fhir-jpaserver.postgresql.fullname" .) -}}
+  {{- end -}}
 {{- else }}
   {{- if .Values.externalDatabase.existingSecret -}}
     {{- printf "%s" .Values.externalDatabase.existingSecret -}}
@@ -80,10 +93,18 @@ Get the Postgresql credentials secret name.
 Get the Postgresql credentials secret key.
 */}}
 {{- define "hapi-fhir-jpaserver.postgresql.secretKey" -}}
-{{- if (.Values.externalDatabase.existingSecret) -}}
-  {{- printf "%s" .Values.externalDatabase.existingSecretKey -}}
+{{- if .Values.postgresql.enabled -}}
+  {{- if .Values.postgresql.auth.username -}}
+    {{- printf "%s" .Values.postgresql.auth.secretKeys.userPasswordKey -}}
+  {{- else -}}
+    {{- printf "%s" .Values.postgresql.auth.secretKeys.adminPasswordKey -}}
+  {{- end -}}
 {{- else }}
-  {{- printf "postgres-password" -}}
+  {{- if .Values.externalDatabase.existingSecret -}}
+    {{- printf "%s" .Values.externalDatabase.existingSecretKey -}}
+  {{- else -}}
+    {{- printf "postgres-password" -}}
+  {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -98,7 +119,11 @@ Add environment variables to configure database values
 Add environment variables to configure database values
 */}}
 {{- define "hapi-fhir-jpaserver.database.user" -}}
-{{- ternary "postgres" .Values.externalDatabase.user .Values.postgresql.enabled -}}
+{{- if .Values.postgresql.enabled -}}
+  {{- printf "%s" .Values.postgresql.auth.username | default "postgres" -}}
+{{- else -}}
+  {{- printf "%s" .Values.externalDatabase.user -}}
+{{- end -}}
 {{- end -}}
 {{/*
diff --git a/charts/hapi-fhir-jpaserver/templates/deployment.yaml b/charts/hapi-fhir-jpaserver/templates/deployment.yaml
index c15609f443d..febfdedb4dd 100644
--- a/charts/hapi-fhir-jpaserver/templates/deployment.yaml
+++ b/charts/hapi-fhir-jpaserver/templates/deployment.yaml
@@ -26,6 +26,7 @@ spec:
         imagePullSecrets:
           {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "hapi-fhir-jpaserver.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
diff --git a/charts/hapi-fhir-jpaserver/templates/serviceaccount.yaml b/charts/hapi-fhir-jpaserver/templates/serviceaccount.yaml
new file mode 100644
index 00000000000..b60d7a75913
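Review bot: The header comment `Get the Postgresql credentials secret key.` above the `postgresql.secretKey` define no longer explains how the key is chosen, and the new branches read `postgresql.auth.secretKeys.userPasswordKey`/`adminPasswordKey`, which this chart's own values.yaml does not declare; presumably they resolve because Helm coalesces the Bitnami subchart defaults into `.Values.postgresql`, and that dependency is worth stating in the comment. I would extend it to say: with the bundled PostgreSQL enabled, the key is the subchart's user-password key when `auth.username` is set and its admin-password key otherwise; with an external database it is `externalDatabase.existingSecretKey`, falling back to `postgres-password`. The same comment should warn that a user-supplied `postgresql.auth.existingSecret` (secretName hunk above) must contain a key with exactly that name, since the chart no longer has a fixed key it looks up.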
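Review bot: `{{- printf "%s" .Values.postgresql.auth.username | default "postgres" -}}` only falls back to `postgres` because the Bitnami subchart declares `auth.username` as an empty string; if the value were ever nil, `printf "%s"` would render `%!s(<nil>)`, which is non-empty and would be used verbatim as the database user. The direct form `{{- default "postgres" .Values.postgresql.auth.username -}}` avoids the intermediate formatting and states the intent. Note also that the fallback is still the PostgreSQL superuser, so a values.yaml comment recommending that `postgresql.auth.username` be set for least-privilege deployments would help; the release notes advertise non-admin support but the default remains admin.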
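Review bot: `serviceAccountName` is now set on the pod, but `automountServiceAccountToken` is not, so `serviceAccount.automount` only lands on the ServiceAccount object the chart creates and is silently ignored when `serviceAccount.create` is false (the pod then inherits whatever the namespace's `default` account does). Setting the pod-level field alongside it, `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}`, makes the value authoritative in both modes, since the pod field takes precedence over the ServiceAccount's. Nothing in this chart suggests the FHIR server calls the Kubernetes API, so defaulting `automount` to `false` in the values.yaml `serviceAccount` block would keep an API token out of the container; the serviceaccount.yaml template can stay as written.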
--- /dev/null
+++ b/charts/hapi-fhir-jpaserver/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hapi-fhir-jpaserver.serviceAccountName" . }}
+  labels:
+    {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/charts/hapi-fhir-jpaserver/values.yaml b/charts/hapi-fhir-jpaserver/values.yaml
index 9e9c18746b3..56332bc9646 100644
--- a/charts/hapi-fhir-jpaserver/values.yaml
+++ b/charts/hapi-fhir-jpaserver/values.yaml
@@ -7,7 +7,7 @@ image:
   # -- the path inside the repository
   repository: hapiproject/hapi
   # -- the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image.
-  tag: "v6.6.0@sha256:c00367865ae5dad4e171cbb68bfc1c39818854079d1565bee4c86a45e78335d0"
+  tag: "v6.8.3@sha256:6195f1116ebabfb0a608addde043b3e524c456c4d4f35b3d25025afd7dcd2e27"
   # -- image pullPolicy to use
   pullPolicy: IfNotPresent
@@ -198,6 +198,17 @@ podDisruptionBudget:
   # -- maximum unavailable instances
   maxUnavailable: ""
+serviceAccount:
+  # -- Specifies whether a service account should be created.
+  create: false
+  # -- Annotations to add to the service account
+  annotations: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+  # -- Automatically mount a ServiceAccount's API credentials?
+  automount: true
+
 metrics:
   serviceMonitor:
     # -- if enabled, creates a ServiceMonitor instance for Prometheus Operator-based monitoring
@@ -229,7 +240,7 @@ curl:
   image:
     registry: docker.io
     repository: curlimages/curl
-    tag: 8.2.0@sha256:daf3f46a2639c1613b25e85c9ee4193af8a1d538f92483d67f9a3d7f21721827
+    tag: 8.4.0@sha256:4a3396ae573c44932d06ba33f8696db4429c419da87cbdc82965ee96a37dd0af
 tests:
   # -- configure the test pods resource requests and limits
@@ -242,7 +253,8 @@ tests:
   #   memory: 128Mi
 # -- additional Spring Boot application config. Mounted as a file and automatically loaded by the application.
-extraConfig: ""
+extraConfig:
+  ""
 # # For example:
 # |
 # hapi:
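Review bot: Moving the empty string onto its own line, `extraConfig:` followed by `  ""`, yields the same value as `extraConfig: ""` but reads like an accidental edit and departs from the one-line `key: value` style used for every other scalar in this values.yaml. If the intent is to make the commented example below easier to uncomment into a block scalar, a short comment saying so would help the next reader; otherwise the original single-line form is clearer. The `# -- additional Spring Boot application config` helm-docs comment still applies either way.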