updated helm chart to use latest v6.0.1 version of the image (hapifhi…

…r#382)

* updated helm chart to use latest v6.0.1 version of the image

* updated workflow to run against multiple k8s versions

.github/workflows/chart-test.yaml

@@ -15,7 +15,7 @@ jobs:
       - name: Install helm-docs
         working-directory: /tmp
         env:
-          HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
+          HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.9.1/helm-docs_1.9.1_Linux_x86_64.tar.gz
         run: |
           curl -LSs $HELM_DOCS_URL | tar xz && \
           mv ./helm-docs /usr/local/bin/helm-docs && \
@@ -35,16 +35,19 @@ jobs:
 
   test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        k8s-version: [1.22.9, 1.23.6, 1.24.1]
     needs:
       - lint
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.1.0
+        uses: helm/chart-testing-action@v2.2.1
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -57,6 +60,10 @@ jobs:
       - name: Create k8s Kind Cluster
         uses: helm/kind-action@v1.2.0
         if: steps.list-changed.outputs.changed == 'true'
+        with:
+          version: v0.14.0
+          cluster_name: kind-cluster-k8s-${{ matrix.k8s-version }}
+          node_image: kindest/node:v${{ matrix.k8s-version }}
 
       - name: Run chart-testing (install)
         run: ct install --config .github/ct/config.yaml

charts/hapi-fhir-jpaserver/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 11.1.19
-digest: sha256:5bb38230bfa62c63547851e6f46f66a61441a4a4f18e3689827546277e34d192
-generated: "2022-04-08T21:55:34.6868891+02:00"
+  version: 11.6.2
+digest: sha256:1b96efc47b5dbe28bf34bcb694697325f3d2755a39ce2f1c371b2c9de9fac9d3
+generated: "2022-06-03T11:48:19.1684784+02:00"

charts/hapi-fhir-jpaserver/Chart.yaml

@@ -7,23 +7,39 @@ sources:
   - https://github.com/hapifhir/hapi-fhir-jpaserver-starter
 dependencies:
   - name: postgresql
-    version: 11.1.19
+    version: 11.6.2
     repository: https://charts.bitnami.com/bitnami
     condition: postgresql.enabled
+appVersion: v6.0.1
+version: 0.9.0
 annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/changes: |
     # When using the list of objects option the valid supported kinds are
     # added, changed, deprecated, removed, fixed, and security.
     - kind: changed
       description: |
-        updated HAPI FHIR starter image to 5.7.0
+        BREAKING CHANGE: updated HAPI FHIR starter image to v6.0.1.
+        See <https://github.com/hapifhir/hapi-fhir/releases/tag/v6.0.0> for all application changes.
     - kind: changed
       description: |
-        BREAKING CHANGE: updated included PostgreSQL-subchart to v11
+        updated included PostgreSQL-subchart to v11.6.2
+    - kind: fixed
+      description: |
+        use a fixed image for the wait-for-database container (docker.io/bitnami/postgresql:14.3.0-debian-10-r20)
+        instead of relying on the PostgreSQL sub-chart values
+    - kind: changed
+      description: |
+        expose actuator/metrics endpoint on a separate port (8081)
+    - kind: added
+      description: |
+        support for monitoring metrics using ServiceMonitor CRDs
     - kind: changed
       description: |
-        BREAKING CHANGE: removed ability to override the image flavor.
-        The one based on distroless is now the new default.
-appVersion: v5.7.0
-version: 0.8.0
+        switched liveness and readiness probes to Spring Boot actuator endpoints
+    - kind: changed
+      description: |
+        BREAKING CHANGE: removed included `NetworkPolicy`, which is subject to more thorough rework
+    - kind: added
+      description: |
+        allow configuring `topologySpreadConstraints` for the deployment

charts/hapi-fhir-jpaserver/README.md

@@ -1,6 +1,6 @@
 # HAPI FHIR JPA Server Starter Helm Chart
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v5.7.0](https://img.shields.io/badge/AppVersion-v5.7.0-informational?style=flat-square)
+![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v6.0.1](https://img.shields.io/badge/AppVersion-v6.0.1-informational?style=flat-square)
 
 This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment.
 
@@ -40,10 +40,15 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
 | ingress.hosts[0].pathType | string | `"ImplementationSpecific"` |  |
 | ingress.hosts[0].paths[0] | string | `"/"` |  |
 | ingress.tls | list | `[]` | ingress TLS config |
+| livenessProbe.failureThreshold | int | `5` |  |
+| livenessProbe.initialDelaySeconds | int | `30` |  |
+| livenessProbe.periodSeconds | int | `20` |  |
+| livenessProbe.successThreshold | int | `1` |  |
+| livenessProbe.timeoutSeconds | int | `30` |  |
+| metrics.service.port | int | `8081` |  |
+| metrics.serviceMonitor.additionalLabels | object | `{}` | additional labels to apply to the ServiceMonitor object, e.g. `release: prometheus` |
+| metrics.serviceMonitor.enabled | bool | `false` | if enabled, creates a ServiceMonitor instance for Prometheus Operator-based monitoring |
 | nameOverride | string | `""` | override the chart name |
-| networkPolicy.allowedFrom | list | `[]` | Additional allowed NetworkPolicyPeer specs Evaluated as a template so you could do: Example: allowedFrom:   - podSelector:       matchLabels:         app.kubernetes.io/name: {{ $.Release.Name }} |
-| networkPolicy.enabled | bool | `false` | enable NetworkPolicy |
-| networkPolicy.explicitNamespacesSelector | object | `{}` | a Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed |
 | nodeSelector | object | `{}` | node selector for the pod |
 | podAnnotations | object | `{}` | annotations applied to the server pod |
 | podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget for the server pods. uses policy/v1/PodDisruptionBudget thus requiring k8s 1.21+ |
@@ -75,6 +80,7 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
 | startupProbe.successThreshold | int | `1` |  |
 | startupProbe.timeoutSeconds | int | `30` |  |
 | tolerations | list | `[]` | pod tolerations |
+| topologySpreadConstraints | list | `[]` | pod topology spread configuration see: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#api |
 
 ## Development
 
@@ -89,4 +95,4 @@ INFO[2021-11-20T12:38:04Z] Generating README Documentation for chart /usr/src/ap
 ```
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
+Autogenerated from chart metadata using [helm-docs v1.9.1](https://github.com/norwoodj/helm-docs/releases/v1.9.1)

charts/hapi-fhir-jpaserver/templates/deployment.yaml

@@ -30,7 +30,7 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
         - name: wait-for-db-to-be-ready
-          image: "{{ .Values.postgresql.image.registry }}/{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}"
+          image: docker.io/bitnami/postgresql:14.3.0-debian-10-r20
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false
@@ -66,9 +66,23 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
+            - name: metrics
+              containerPort: 8081
+              protocol: TCP
+          startupProbe:
+            httpGet:
+              path: /readyz
+              port: http
+          {{- with .Values.startupProbe }}
+            initialDelaySeconds: {{ .initialDelaySeconds }}
+            periodSeconds: {{ .periodSeconds }}
+            timeoutSeconds: {{ .timeoutSeconds }}
+            successThreshold: {{ .successThreshold }}
+            failureThreshold: {{ .failureThreshold }}
+          {{- end }}
           readinessProbe:
             httpGet:
-              path: /
+              path: /readyz
               port: http
           {{- with .Values.readinessProbe }}
             initialDelaySeconds: {{ .initialDelaySeconds }}
@@ -77,11 +91,11 @@ spec:
             successThreshold: {{ .successThreshold }}
             failureThreshold: {{ .failureThreshold }}
           {{- end }}
-          startupProbe:
+          livenessProbe:
             httpGet:
-              path: /fhir/metadata
+              path: /livez
               port: http
-          {{- with .Values.startupProbe }}
+          {{- with .Values.livenessProbe }}
             initialDelaySeconds: {{ .initialDelaySeconds }}
             periodSeconds: {{ .periodSeconds }}
             timeoutSeconds: {{ .timeoutSeconds }}
@@ -106,6 +120,10 @@ spec:
               value: ca.uhn.fhir.jpa.model.dialect.HapiFhirPostgres94Dialect
             - name: HAPI_FHIR_USE_APACHE_ADDRESS_STRATEGY
               value: "true"
+            - name: MANAGEMENT_ENDPOINT_HEALTH_PROBES_ADD_ADDITIONAL_PATHS
+              value: "true"
+            - name: MANAGEMENT_SERVER_PORT
+              value: "8081"
             {{- if .Values.extraEnv }}
             {{ toYaml .Values.extraEnv | nindent 12 }}
             {{- end }}
@@ -126,6 +144,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         - name: tmp-volume
           emptyDir: {}

charts/hapi-fhir-jpaserver/templates/service.yaml

@@ -11,5 +11,9 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+    - port: {{ .Values.metrics.service.port }}
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
   selector:
     {{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 4 }}

charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "hapi-fhir-jpaserver.fullname" . }}
+  {{- if .Values.metrics.serviceMonitor.namespace }}
+  namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+    {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }}
+    {{- if .Values.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+    - port: metrics
+      path: /actuator/prometheus
+      {{- if .Values.metrics.serviceMonitor.interval }}
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+    {{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 6 }}
+{{- end }}

charts/hapi-fhir-jpaserver/values.yaml

@@ -88,6 +88,18 @@ tolerations: []
 # -- pod affinity
 affinity: {}
 
+# -- pod topology spread configuration
+# see: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#api
+topologySpreadConstraints:
+  []
+  # - maxSkew: 1
+  #   topologyKey: topology.kubernetes.io/zone
+  #   whenUnsatisfiable: ScheduleAnyway
+  #   labelSelector:
+  #     matchLabels:
+  #       app.kubernetes.io/instance: hapi-fhir-jpaserver
+  #       app.kubernetes.io/name: hapi-fhir-jpaserver
+
 postgresql:
   # -- enable an included PostgreSQL DB.
   # see <https://github.com/bitnami/charts/tree/master/bitnami/postgresql> for details
@@ -126,6 +138,13 @@ startupProbe:
   successThreshold: 1
   timeoutSeconds: 30
 
+livenessProbe:
+  failureThreshold: 5
+  initialDelaySeconds: 30
+  periodSeconds: 20
+  successThreshold: 1
+  timeoutSeconds: 30
+
 externalDatabase:
   # -- external database host used with `postgresql.enabled=false`
   host: localhost
@@ -142,26 +161,6 @@ externalDatabase:
   # -- database name
   database: fhir
 
-networkPolicy:
-  # -- enable NetworkPolicy
-  enabled: false
-  # -- a Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed
-  explicitNamespacesSelector:
-    {}
-    # matchLabels:
-    #   team: one
-    #   test: foo
-
-  # -- Additional allowed NetworkPolicyPeer specs
-  # Evaluated as a template so you could do:
-  #
-  # Example:
-  # allowedFrom:
-  #   - podSelector:
-  #       matchLabels:
-  #         app.kubernetes.io/name: {{ $.Release.Name }}
-  allowedFrom: []
-
 # -- extra environment variables to set on the server container
 extraEnv:
   []
@@ -176,3 +175,15 @@ podDisruptionBudget:
   minAvailable: 1
   # -- maximum unavailable instances
   maxUnavailable: ""
+
+metrics:
+  serviceMonitor:
+    # -- if enabled, creates a ServiceMonitor instance for Prometheus Operator-based monitoring
+    enabled: false
+    # -- additional labels to apply to the ServiceMonitor object, e.g. `release: prometheus`
+    additionalLabels: {}
+    # namespace: monitoring
+    # interval: 30s
+    # scrapeTimeout: 10s
+  service:
+    port: 8081