diff --git a/.github/workflows/chart-test.yaml b/.github/workflows/chart-test.yaml index b3eb576bf83..1d32194682f 100644 --- a/.github/workflows/chart-test.yaml +++ b/.github/workflows/chart-test.yaml @@ -15,7 +15,7 @@ jobs: - name: Install helm-docs working-directory: /tmp env: - HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz + HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.9.1/helm-docs_1.9.1_Linux_x86_64.tar.gz run: | curl -LSs $HELM_DOCS_URL | tar xz && \ mv ./helm-docs /usr/local/bin/helm-docs && \ @@ -35,16 +35,19 @@ jobs: test: runs-on: ubuntu-20.04 + strategy: + matrix: + k8s-version: [1.22.9, 1.23.6, 1.24.1] needs: - lint steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.1.0 + uses: helm/chart-testing-action@v2.2.1 - name: Run chart-testing (list-changed) id: list-changed @@ -57,6 +60,10 @@ jobs: - name: Create k8s Kind Cluster uses: helm/kind-action@v1.2.0 if: steps.list-changed.outputs.changed == 'true' + with: + version: v0.14.0 + cluster_name: kind-cluster-k8s-${{ matrix.k8s-version }} + node_image: kindest/node:v${{ matrix.k8s-version }} - name: Run chart-testing (install) run: ct install --config .github/ct/config.yaml diff --git a/charts/hapi-fhir-jpaserver/Chart.lock b/charts/hapi-fhir-jpaserver/Chart.lock index bfb87acb260..e8c97e8edcc 100644 --- a/charts/hapi-fhir-jpaserver/Chart.lock +++ b/charts/hapi-fhir-jpaserver/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 11.1.19 -digest: sha256:5bb38230bfa62c63547851e6f46f66a61441a4a4f18e3689827546277e34d192 -generated: "2022-04-08T21:55:34.6868891+02:00" + version: 11.6.2 +digest: sha256:1b96efc47b5dbe28bf34bcb694697325f3d2755a39ce2f1c371b2c9de9fac9d3 +generated: "2022-06-03T11:48:19.1684784+02:00" 
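Review bot: The bumped helm-docs tarball is still piped straight from `curl` into `tar` and then moved into `/usr/local/bin` with no integrity check, so a replaced or tampered release asset would run inside the workflow unnoticed. helm-docs releases ship a checksums file; download the archive to disk, verify it against a hash pinned in the workflow, and only then extract, along the lines below (the hash is a placeholder to be filled from the release, not a value I can supply here). Quote `$HELM_DOCS_URL` while at it, since `curl -LSs $HELM_DOCS_URL` is unquoted. The `run:` block continues past the `mv` with further commands on the same collapsed line, so this is the only part of the step I can see.
```yaml
env:
  HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.9.1/helm-docs_1.9.1_Linux_x86_64.tar.gz
  # sha256 of the archive above, copied from the release's checksums file -- fill in before merging
  HELM_DOCS_SHA256: "<sha256 of helm-docs_1.9.1_Linux_x86_64.tar.gz>"
run: |
  curl -LSs -o helm-docs.tar.gz "$HELM_DOCS_URL" && \
  echo "${HELM_DOCS_SHA256}  helm-docs.tar.gz" | sha256sum -c - && \
  tar xzf helm-docs.tar.gz && \
  mv ./helm-docs /usr/local/bin/helm-docs && \
  # ... unchanged: remaining commands of the run step ...
```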
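Review bot: `actions/checkout@v3` and `helm/chart-testing-action@v2.2.1` are pinned to movable tags, so a force-pushed or compromised tag changes what the job executes without any diff appearing here; pinning to the full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<commit-sha> # v3`) makes every action update reviewable. The same applies to `helm/kind-action@v1.2.0` in the following hunk. Dependabot or Renovate can keep SHA pins current so this costs little maintenance. The `test` job continues past the end of this hunk.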
diff --git a/charts/hapi-fhir-jpaserver/Chart.yaml b/charts/hapi-fhir-jpaserver/Chart.yaml index 3cb702b205b..9cebc38656e 100644 --- a/charts/hapi-fhir-jpaserver/Chart.yaml +++ b/charts/hapi-fhir-jpaserver/Chart.yaml @@ -7,9 +7,11 @@ sources: - https://github.com/hapifhir/hapi-fhir-jpaserver-starter dependencies: - name: postgresql - version: 11.1.19 + version: 11.6.2 repository: https://charts.bitnami.com/bitnami condition: postgresql.enabled +appVersion: v6.0.1 +version: 0.9.0 annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/changes: | @@ -17,13 +19,27 @@ annotations: # added, changed, deprecated, removed, fixed, and security. - kind: changed description: | - updated HAPI FHIR starter image to 5.7.0 + BREAKING CHANGE: updated HAPI FHIR starter image to v6.0.1. + See for all application changes. - kind: changed description: | - BREAKING CHANGE: updated included PostgreSQL-subchart to v11 + updated included PostgreSQL-subchart to v11.6.2 + - kind: fixed + description: | + use a fixed image for the wait-for-database container (docker.io/bitnami/postgresql:14.3.0-debian-10-r20) + instead of relying on the PostgreSQL sub-chart values + - kind: changed + description: | + expose actuator/metrics endpoint on a separate port (8081) + - kind: added + description: | + support for monitoring metrics using ServiceMonitor CRDs - kind: changed description: | - BREAKING CHANGE: removed ability to override the image flavor. - The one based on distroless is now the new default. -appVersion: v5.7.0 -version: 0.8.0 + switched liveness and readiness probes to Spring Boot actuator endpoints + - kind: changed + description: | + BREAKING CHANGE: removed included `NetworkPolicy`, which is subject to more thorough rework + - kind: added + description: | + allow configuring `topologySpreadConstraints` for the deployment diff --git a/charts/hapi-fhir-jpaserver/README.md b/charts/hapi-fhir-jpaserver/README.md index 288e2ce517c..20d0d6f9410 100644 
--- a/charts/hapi-fhir-jpaserver/README.md +++ b/charts/hapi-fhir-jpaserver/README.md @@ -1,6 +1,6 @@ # HAPI FHIR JPA Server Starter Helm Chart -![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v5.7.0](https://img.shields.io/badge/AppVersion-v5.7.0-informational?style=flat-square) +![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v6.0.1](https://img.shields.io/badge/AppVersion-v6.0.1-informational?style=flat-square) This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment. 
@@ -40,10 +40,15 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas | ingress.hosts[0].pathType | string | `"ImplementationSpecific"` | | | ingress.hosts[0].paths[0] | string | `"/"` | | | ingress.tls | list | `[]` | ingress TLS config | +| livenessProbe.failureThreshold | int | `5` | | +| livenessProbe.initialDelaySeconds | int | `30` | | +| livenessProbe.periodSeconds | int | `20` | | +| livenessProbe.successThreshold | int | `1` | | +| livenessProbe.timeoutSeconds | int | `30` | | +| metrics.service.port | int | `8081` | | +| metrics.serviceMonitor.additionalLabels | object | `{}` | additional labels to apply to the ServiceMonitor object, e.g. `release: prometheus` | +| metrics.serviceMonitor.enabled | bool | `false` | if enabled, creates a ServiceMonitor instance for Prometheus Operator-based monitoring | | nameOverride | string | `""` | override the chart name | -| networkPolicy.allowedFrom | list | `[]` | Additional allowed NetworkPolicyPeer specs Evaluated as a template so you could do: Example: allowedFrom: - podSelector: matchLabels: app.kubernetes.io/name: {{ $.Release.Name }} | -| networkPolicy.enabled | bool | `false` | enable NetworkPolicy | -| networkPolicy.explicitNamespacesSelector | object | `{}` | a Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | | nodeSelector | object | `{}` | node selector for the pod | | podAnnotations | object | `{}` | annotations applied to the server pod | | podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget for the server pods. uses policy/v1/PodDisruptionBudget thus requiring k8s 1.21+ | 
@@ -75,6 +80,7 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas | startupProbe.successThreshold | int | `1` | | | startupProbe.timeoutSeconds | int | `30` | | | tolerations | list | `[]` | pod tolerations | +| topologySpreadConstraints | list | `[]` | pod topology spread configuration see: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#api | ## Development @@ -89,4 +95,4 @@ INFO[2021-11-20T12:38:04Z] Generating README Documentation for chart /usr/src/ap ``` ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.9.1](https://github.com/norwoodj/helm-docs/releases/v1.9.1) diff --git a/charts/hapi-fhir-jpaserver/templates/deployment.yaml b/charts/hapi-fhir-jpaserver/templates/deployment.yaml index 187ee9d2816..741eb71add2 100644 --- a/charts/hapi-fhir-jpaserver/templates/deployment.yaml +++ b/charts/hapi-fhir-jpaserver/templates/deployment.yaml @@ -30,7 +30,7 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 8 }} initContainers: - name: wait-for-db-to-be-ready - image: "{{ .Values.postgresql.image.registry }}/{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}" + image: docker.io/bitnami/postgresql:14.3.0-debian-10-r20 imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false 
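Review bot: `docker.io/bitnami/postgresql:14.3.0-debian-10-r20` on the new `image:` line is a mutable tag with no digest and no values override, so the wait-for-db init container can silently change content and cannot be redirected to a private or mirrored registry the way the rest of the chart presumably allows. Keep the fixed version as the default but route it through values, e.g. `image: "{{ .Values.waitForDatabase.image.registry }}/{{ .Values.waitForDatabase.image.repository }}:{{ .Values.waitForDatabase.image.tag }}"`, and consider appending an `@sha256:` digest to the default tag. The init container's remaining fields and the rest of the pod spec lie outside this hunk.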
@@ -66,9 +66,23 @@ spec: - name: http containerPort: 8080 protocol: TCP + - name: metrics + containerPort: 8081 + protocol: TCP + startupProbe: + httpGet: + path: /readyz + port: http + {{- with .Values.startupProbe }} + initialDelaySeconds: {{ .initialDelaySeconds }} + periodSeconds: {{ .periodSeconds }} + timeoutSeconds: {{ .timeoutSeconds }} + successThreshold: {{ .successThreshold }} + failureThreshold: {{ .failureThreshold }} + {{- end }} readinessProbe: httpGet: - path: / + path: /readyz port: http {{- with .Values.readinessProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} @@ -77,11 +91,11 @@ spec: successThreshold: {{ .successThreshold }} failureThreshold: {{ .failureThreshold }} {{- end }} - startupProbe: + livenessProbe: httpGet: - path: /fhir/metadata + path: /livez port: http - {{- with .Values.startupProbe }} + {{- with .Values.livenessProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} periodSeconds: {{ .periodSeconds }} timeoutSeconds: {{ .timeoutSeconds }} @@ -106,6 +120,10 @@ spec: value: ca.uhn.fhir.jpa.model.dialect.HapiFhirPostgres94Dialect - name: HAPI_FHIR_USE_APACHE_ADDRESS_STRATEGY value: "true" + - name: MANAGEMENT_ENDPOINT_HEALTH_PROBES_ADD_ADDITIONAL_PATHS + value: "true" + - name: MANAGEMENT_SERVER_PORT + value: "8081" {{- if .Values.extraEnv }} {{ toYaml .Values.extraEnv | nindent 12 }} {{- end }} @@ -126,6 +144,10 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: tmp-volume emptyDir: {} diff --git a/charts/hapi-fhir-jpaserver/templates/networkpolicy.yaml b/charts/hapi-fhir-jpaserver/templates/networkpolicy.yaml deleted file mode 100644 index d051950e0e1..00000000000 --- a/charts/hapi-fhir-jpaserver/templates/networkpolicy.yaml +++ /dev/null 
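Review bot: The `/readyz` and `/livez` paths used by the new startup, readiness and liveness probes are only served on the `http` port because `MANAGEMENT_ENDPOINT_HEALTH_PROBES_ADD_ADDITIONAL_PATHS=true` is set further down the container spec, and nothing in the template records that coupling, so a later edit to the env list can break all three probes without touching them. Add a comment above `startupProbe:` such as `# /readyz and /livez exist on the main port only because MANAGEMENT_ENDPOINT_HEALTH_PROBES_ADD_ADDITIONAL_PATHS is set in env below; keep the two in sync.` Whether the image additionally needs the probe groups enabled is not something I can tell from this diff. The container block continues past the end of the hunk.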
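Review bot: Moving the management server to port 8081 puts every enabled actuator endpoint on a port that the Service now publishes, and nothing in this hunk limits which endpoints that is; depending on the starter image's `management.endpoints.web.exposure.include` default (not visible here) that could include `env`, `heapdump` or `threaddump`, which leak configuration and memory contents. Add an explicit allow-list next to the new variables, `- name: MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE` / `value: "health,prometheus"`, so only what the probes and the ServiceMonitor need is served. If the image already restricts exposure this is a harmless no-op, but it makes the chart's contract explicit instead of inherited. The container spec continues past this hunk.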
@@ -1,27 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: {{ include "hapi-fhir-jpaserver.fullname" . }} - labels: - {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 6 }} - ingress: - # Allow inbound connections from pods with the "hapi-fhir-jpaserver-client: true" label - - ports: - - port: http - from: - - podSelector: - matchLabels: - {{ include "hapi-fhir-jpaserver.fullname" . }}-client: "true" - {{- with .Values.networkPolicy.explicitNamespacesSelector }} - namespaceSelector: - {{ toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.networkPolicy.allowedFrom }} - {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/hapi-fhir-jpaserver/templates/service.yaml b/charts/hapi-fhir-jpaserver/templates/service.yaml index 90a05a291e8..d7ecaa5d25e 100644 --- a/charts/hapi-fhir-jpaserver/templates/service.yaml +++ b/charts/hapi-fhir-jpaserver/templates/service.yaml @@ -11,5 +11,9 @@ spec: targetPort: http protocol: TCP name: http + - port: {{ .Values.metrics.service.port }} + targetPort: metrics + protocol: TCP + name: metrics selector: {{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 4 }} diff --git a/charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml b/charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml new file mode 100644 index 00000000000..e161feeb5c9 --- /dev/null +++ b/charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml 
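Review bot: The new `metrics` port is added to the chart's main Service unconditionally, so the actuator port is reachable from any pod in the cluster even when `metrics.serviceMonitor.enabled` is false, and this same commit deletes the chart's only `NetworkPolicy`, leaving no in-chart way to restrict it. Gate the port block on a toggle (`{{- if .Values.metrics.serviceMonitor.enabled }}` around it, or a dedicated `metrics.enabled` value) or publish it from a separate Service so the application Service stays single-purpose. Users who had `networkPolicy.enabled: true` now silently lose that isolation on upgrade; a template `fail` when `.Values.networkPolicy` is still set, or a `values.schema.json` rejecting the key, would turn that into a visible error rather than an open port. The Service `spec` begins before this hunk.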
@@ -0,0 +1,30 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "hapi-fhir-jpaserver.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + {{- include "hapi-fhir-jpaserver.labels" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: metrics + path: /actuator/prometheus + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/hapi-fhir-jpaserver/values.yaml b/charts/hapi-fhir-jpaserver/values.yaml index e89a5c4dd72..55863c89d23 100644 --- a/charts/hapi-fhir-jpaserver/values.yaml +++ b/charts/hapi-fhir-jpaserver/values.yaml @@ -88,6 +88,18 @@ tolerations: [] # -- pod affinity affinity: {} +# -- pod topology spread configuration +# see: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#api +topologySpreadConstraints: + [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: hapi-fhir-jpaserver + # app.kubernetes.io/name: hapi-fhir-jpaserver + postgresql: # -- enable an included PostgreSQL DB. # see for details 
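Review bot: When `metrics.serviceMonitor.namespace` is set the object is created in that namespace while `namespaceSelector.matchNames` still points at `.Release.Namespace`, which is the correct way to let a central Prometheus Operator scrape this release, but the template does not say so and a reader could reasonably "fix" it to the object's own namespace. Add a comment above `namespaceSelector:` such as `# always select the release namespace: the ServiceMonitor may live in the Prometheus namespace, but the Service it targets does not.` The `selector` reuses the chart's selector labels, so any gating added to the Service's metrics port should be mirrored on `metrics.serviceMonitor.enabled` to avoid a ServiceMonitor with no matching endpoint.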
@@ -126,6 +138,13 @@ startupProbe: successThreshold: 1 timeoutSeconds: 30 +livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 20 + successThreshold: 1 + timeoutSeconds: 30 + externalDatabase: # -- external database host used with `postgresql.enabled=false` host: localhost @@ -142,26 +161,6 @@ externalDatabase: # -- database name database: fhir -networkPolicy: - # -- enable NetworkPolicy - enabled: false - # -- a Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed - explicitNamespacesSelector: - {} - # matchLabels: - # team: one - # test: foo - - # -- Additional allowed NetworkPolicyPeer specs - # Evaluated as a template so you could do: - # - # Example: - # allowedFrom: - # - podSelector: - # matchLabels: - # app.kubernetes.io/name: {{ $.Release.Name }} - allowedFrom: [] - # -- extra environment variables to set on the server container extraEnv: [] @@ -176,3 +175,15 @@ podDisruptionBudget: minAvailable: 1 # -- maximum unavailable instances maxUnavailable: "" + +metrics: + serviceMonitor: + # -- if enabled, creates a ServiceMonitor instance for Prometheus Operator-based monitoring + enabled: false + # -- additional labels to apply to the ServiceMonitor object, e.g. `release: prometheus` + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + service: + port: 8081
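Review bot: `metrics.service.port` has no `# --` description, which is why its README row is blank, and `namespace`, `interval` and `scrapeTimeout` exist only as commented-out lines even though `templates/servicemonitor.yaml` reads them, so helm-docs never surfaces them and users have no documented way to find them. Add `# -- port on which the Service publishes the actuator/metrics endpoint` above `port: 8081`, and declare the three optional keys with `# --` comments and empty defaults (`namespace: ""`, `interval: ""`, `scrapeTimeout: ""`) so the `{{- if }}` guards in the template still skip them when unset. A `metrics.enabled` switch independent of the ServiceMonitor would also let users turn the published port off entirely.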