Merge pull request #3 from LinuxForHealth/lee-main

version bumps and related changes

Author: lmsurpre

.github/workflows/chart.yaml

@@ -22,7 +22,7 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v3
         with:
-          version: v3.7.1
+          version: v3.10.3
 
       - name: Install dependency repos
         run: |

.github/workflows/lint-and-test.yaml

@@ -40,9 +40,9 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v3
         with:
-          version: v3.7.1
+          version: v3.10.3
 
       - name: Run chart-testing (lint)
         run: |

charts/fhir-server/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 10.16.2
+  version: 11.9.13
 - name: keycloak
   repository: https://codecentric.github.io/helm-charts
-  version: 18.3.0
-digest: sha256:6608e389e9fecee483c76eb1f61534211e461c7c79140b2aaedcf8be9adc34a6
-generated: "2022-09-27T12:21:15.687118-04:00"
+  version: 18.4.0
+digest: sha256:429523c822843b4d9bd76185bb7c2c87b40bbca7479bb1016aa5015b92d1f58f
+generated: "2023-01-17T16:25:52.14111-05:00"

charts/fhir-server/Chart.yaml

@@ -1,11 +1,11 @@
 apiVersion: v2
 description: Helm chart for the LinuxForHealth FHIR Server
 name: fhir-server
-version: 0.8.3
+version: 0.9.0
 appVersion: 5.1.1
 dependencies:
   - name: postgresql
-    version: 10.16.2
+    version: 11.9.13
     repository: https://charts.bitnami.com/bitnami
     condition: postgresql.enabled
   - name: keycloak
@@ -29,3 +29,11 @@ annotations:
       description: bumped to LinuxForHealth version 5.1.1
     - kind: changed
       description: bumped to codecentric keycloak chart version 18.4.0
+    - kind: changed
+      description: bumped to bitnami postgresql chart version 11.9.13
+    - kind: changed
+      description: split db user creds in two; now uses separate admin user for schematool
+    - kind: removed
+      description: support for Db2 and all Db2-related values
+    - kind: removed
+      description: support for networking.k8s.io/v1/beta (kubernetes <1.19)

charts/fhir-server/README.md

@@ -91,15 +91,16 @@ In addition to providing a default FHIR server configuration named template, thi
 
 The deployer can specify a custom search parameters named template which will be used in the generation of the `extension-search-parameters.json` file by overriding the `extensionSearchParametersTemplate` chart value.
 
-The deployer can specify custom datasource named templates which will be used in the generation of the `datasource.xml` and `bulkdata.xml` files by overriding the `datasourcesTemplate` chart value. The default for this chart value is a datasources template for a Postgres database, but this helm chart also provides named templates for Db2, Db2 on Cloud, and Derby databases in the `_datasourcesXml.tpl` file.
+The deployer can specify custom datasource named templates which will be used in the generation of the `datasource.xml` and `bulkdata.xml` files by overriding the `datasourcesTemplate` chart value.
+The default for this chart value is a template with datasources for a single Postgres database.
 
 ## Using existing Secrets for sensitive data
 
 This helm chart specifies chart values for the following pieces of sensitive data:
 
-- Database password or api key:
+- Database user passwords:
+    - `db.adminPassword`
     - `db.password`
-    - `db.apiKey`
 - FHIR server user and admin passwords:
     - `fhirUserPassword`
     - `fhirAdminPassword`
@@ -113,13 +114,13 @@ These values can be specified directly in the `values.yaml` file, or the deploye
 
 ### Database password or api key
 
-To have the `db.password` and `db.apiKey` values read from an existing Secret, the deployer must override the following chart values:
+To have the `db.adminPassword` and `db.password` values read from an existing Secret, the deployer must override the following chart values:
 
 - `db.dbSecret` - this is set to the name of the Secret from which the database information will be read
-- `db.passwordSecretKey` - this is set to the key of the key/value pair within the Secret that contains the password
-- `db.apiKeySecretKey` - this is set to the key of the key/value pair within the Secret that contains the api key
+- `db.adminPasswordKey` - this is set to the key of the key/value pair within the Secret that contains the admin user password (for schema management)
+- `db.userPasswordKey` - this is set to the key of the key/value pair within the Secret that contains the fhir-server's user password
 
-If the `db.dbSecret` value is set, this helm chart will only look in the specified Secret for the password and api key. The `db.password` and `db.apiKey` chart values will be ignored.
+If the `db.dbSecret` value is set, this helm chart will only look in the specified Secret for the passwords. The `db.adminPassword` and `db.password` chart values will be ignored.
 
 ### FHIR server user and admin passwords
 

charts/fhir-server/README.md.gotmpl

@@ -56,110 +56,6 @@ The datasource.xml file for a Postgres DB.
     </server>
 {{- end }}
 
-{{/*
-The datasource.xml file for a Db2 DB.
-*/}}
-{{- define "defaultDb2Datasources" }}
-    <server>
-        <!-- ============================================================== -->
-        <!-- TENANT: default; DSID: default; TYPE: read-write               -->
-        <!-- ============================================================== -->
-        <dataSource id="fhirDefaultDefault" jndiName="jdbc/fhir_default_default" type="javax.sql.XADataSource" statementCacheSize="200" syncQueryTimeoutWithTransactionTimeout="true" validationTimeout="30s" isolationLevel="TRANSACTION_READ_COMMITTED">
-            <jdbcDriver javax.sql.XADataSource="com.ibm.db2.jcc.DB2XADataSource" libraryRef="sharedLibDb2"/>
-            <properties.db2.jcc
-                sslConnection="${env.FHIR_DB_SSL}"
-                serverName="${env.FHIR_DB_HOSTNAME}"
-                portNumber="${env.FHIR_DB_PORT}"
-                databaseName="${env.FHIR_DB_NAME}"
-                user="${env.FHIR_DB_USER}"
-                password="${env.FHIR_DB_PASSWORD}"
-                currentSchema="${env.FHIR_DB_SCHEMA}"
-                driverType="4"
-            />
-            <connectionManager
-                minPoolSize="${env.DS_MIN_POOL_SIZE}"
-                maxPoolSize="${env.DS_MAX_POOL_SIZE}"
-                agedTimeout="${env.DS_AGED_TIMEOUT}"
-                connectionTimeout="60s"
-                maxIdleTime="2m"
-            />
-        </dataSource>
-
-        {{- if .Values.objectStorage.enabled }}
-        <featureManager>
-            <feature>batch-1.0</feature>
-            <feature>batchManagement-1.0</feature>
-        </featureManager>
-
-        <dataSource id="fhirbatchDS" jndiName="jdbc/fhirbatchDB" type="javax.sql.XADataSource" statementCacheSize="200" syncQueryTimeoutWithTransactionTimeout="true">
-            <jdbcDriver javax.sql.XADataSource="com.ibm.db2.jcc.DB2XADataSource" libraryRef="sharedLibDb2"/>
-            <properties.db2.jcc
-                serverName="${env.BATCH_DB_HOSTNAME}"
-                currentSchema="${env.BATCH_DB_SCHEMA}"
-                databaseName="${env.BATCH_DB_NAME}"
-                driverType="4"
-                portNumber="${env.BATCH_DB_PORT}"
-                sslConnection="${env.BATCH_DB_SSL}"
-                user="${env.BATCH_DB_USER}"
-                password="${env.BATCH_DB_PASS}"/>
-        </dataSource>
-        {{- end }}
-    </server>
-{{- end }}
-
-{{/*
-The datasource.xml file for a Db2 DB on Cloud.
-*/}}
-{{- define "defaultDb2CloudDatasources" }}
-    <server>
-        <!-- ============================================================== -->
-        <!-- TENANT: default; DSID: default; TYPE: read-write               -->
-        <!-- ============================================================== -->
-        <dataSource id="fhirDefaultDefault" jndiName="jdbc/fhir_default_default" type="javax.sql.XADataSource" statementCacheSize="200" syncQueryTimeoutWithTransactionTimeout="true" validationTimeout="30s" isolationLevel="TRANSACTION_READ_COMMITTED">
-            <jdbcDriver javax.sql.XADataSource="com.ibm.db2.jcc.DB2XADataSource" libraryRef="sharedLibDb2"/>
-            <properties.db2.jcc
-                apiKey="${env.FHIR_DB_APIKEY}"
-                serverName="${env.FHIR_DB_HOSTNAME}"
-                currentSchema="${env.FHIR_DB_SCHEMA}"
-                databaseName="${env.FHIR_DB_NAME}"
-                driverType="4"
-                pluginName="${env.FHIR_DB_PLUGIN}"
-                portNumber="${env.FHIR_DB_PORT}"
-                securityMechanism="${env.FHIR_DB_SECURITY}"
-                sslConnection="${env.FHIR_DB_SSL}"
-            />
-            <connectionManager
-                minPoolSize="${env.DS_MIN_POOL_SIZE}"
-                maxPoolSize="${env.DS_MAX_POOL_SIZE}"
-                agedTimeout="${env.DS_AGED_TIMEOUT}"
-                connectionTimeout="60s"
-                maxIdleTime="2m"
-            />
-        </dataSource>
-
-        {{- if .Values.objectStorage.enabled }}
-        <featureManager>
-            <feature>batch-1.0</feature>
-            <feature>batchManagement-1.0</feature>
-        </featureManager>
-
-        <dataSource id="fhirbatchDS" jndiName="jdbc/fhirbatchDB"  type="javax.sql.XADataSource" statementCacheSize="200" syncQueryTimeoutWithTransactionTimeout="true">
-            <jdbcDriver javax.sql.XADataSource="com.ibm.db2.jcc.DB2XADataSource" libraryRef="sharedLibDb2"/>
-            <properties.db2.jcc
-                apiKey="${env.BATCH_DB_APIKEY}"
-                serverName="${env.BATCH_DB_HOSTNAME}"
-                currentSchema="${env.BATCH_DB_SCHEMA}"
-                databaseName="${env.BATCH_DB_NAME}"
-                driverType="4"
-                pluginName="${env.BATCH_DB_PLUGIN}"
-                portNumber="${env.BATCH_DB_PORT}"
-                securityMechanism="${env.BATCH_DB_SECURITY}"
-                sslConnection="${env.BATCH_DB_SSL}"/>
-        </dataSource>
-        {{- end }}
-    </server>
-{{- end }}
-
 {{/*
 The datasource.xml file for a Derby DB.
 */}}

charts/fhir-server/templates/_datasourcesXml.tpl

@@ -136,11 +136,6 @@ The default fhir-server-config.json.
                             "from_collapse_limit": 12,
                             "join_collapse_limit": 12
                         }
-                        {{- else if eq .Values.db.type "db2" }}
-                        "tenantKey": "{{ .Values.db.tenantKey }}",
-                        "hints" : {
-                          "search.reopt": "ONCE"
-                        }
                         {{- end }}
                     }
                 }

charts/fhir-server/templates/_fhirServerConfigJson.tpl

@@ -52,18 +52,6 @@ app.kubernetes.io/name: {{ include "fhir.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
-
-{{/*
-Return the appropriate apiVersion for ingress.
-*/}}
-{{- define "fhir.ingressAPIVersion" -}}
-{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
-{{- print "networking.k8s.io/v1" -}}
-{{- else -}}
-{{- print "networking.k8s.io/v1beta1" -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Create a default fully qualified PostgreSQL name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -75,28 +63,35 @@ NOTE: we should be able to replace this approach once https://github.com/helm/he
 {{- end -}}
 
 {{/*
-Get the database server's hostname
+Get the database server hostname
 */}}
 {{- define "fhir.database.host" -}}
 {{- ternary (include "fhir.postgresql.fullname" .) .Values.db.host .Values.postgresql.enabled -}}
 {{- end -}}
 
+{{/*
+Get the admin user to connect to the database server
+*/}}
+{{- define "fhir.database.adminUser" -}}
+{{- ternary "postgres" .Values.db.adminUser .Values.postgresql.enabled -}}
+{{- end -}}
+
 {{/*
 Get the user to connect to the database server
 */}}
 {{- define "fhir.database.user" -}}
-{{- ternary .Values.postgresql.postgresqlUsername .Values.db.user .Values.postgresql.enabled -}}
+{{- ternary .Values.postgresql.auth.username .Values.db.user .Values.postgresql.enabled -}}
 {{- end -}}
 
 {{/*
 Get the name of the database
 */}}
 {{- define "fhir.database.name" -}}
-{{- ternary .Values.postgresql.postgresqlDatabase .Values.db.name .Values.postgresql.enabled -}}
+{{- ternary .Values.postgresql.auth.database .Values.db.name .Values.postgresql.enabled -}}
 {{- end -}}
 
 {{/*
-Get the database server's port
+Get the database server port
 */}}
 {{- define "fhir.database.port" -}}
 {{- ternary "5432" .Values.db.port .Values.postgresql.enabled -}}
@@ -120,11 +115,24 @@ Get the database credentials secret name.
 {{/*
 Get the database credentials password secret key.
 */}}
-{{- define "fhir.database.passwordSecretKey" -}}
+{{- define "fhir.database.adminPasswordKey" -}}
+{{- if .Values.postgresql.enabled }}
+    {{- include "postgresql.adminPasswordKey" .Subcharts.postgresql }}
+{{- else if (.Values.db.dbSecret) -}}
+    {{- printf "%s" .Values.db.adminPasswordKey -}}
+{{- else }}
+    {{- printf "password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the database credentials password secret key.
+*/}}
+{{- define "fhir.database.userPasswordKey" -}}
 {{- if .Values.postgresql.enabled }}
-    {{- printf "postgresql-password" -}}
+    {{- include "postgresql.userPasswordKey" .Subcharts.postgresql }}
 {{- else if (.Values.db.dbSecret) -}}
-    {{- printf "%s" .Values.db.passwordSecretKey -}}
+    {{- printf "%s" .Values.db.userPasswordKey -}}
 {{- else }}
     {{- printf "password" -}}
 {{- end -}}

charts/fhir-server/templates/_helpers.tpl

@@ -217,7 +217,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: "{{ include "fhir.database.secretName" $ }}"
-                  key: "{{ include "fhir.database.passwordSecretKey" $ }}"
+                  key: "{{ include "fhir.database.userPasswordKey" $ }}"
             {{- if ne .Values.db.type "postgresql" }}
             - name: FHIR_DB_APIKEY
               valueFrom:
@@ -258,7 +258,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: "{{ include "fhir.database.secretName" $ }}"
-                  key: "{{ include "fhir.database.passwordSecretKey" $ }}"
+                  key: "{{ include "fhir.database.userPasswordKey" $ }}"
             {{- if ne .Values.db.type "postgresql" }}
             - name: BATCH_DB_APIKEY
               valueFrom:

charts/fhir-server/templates/deployment.yaml

@@ -8,11 +8,11 @@ metadata:
     {{- include "fhir.labels" . | nindent 4 }}
 type: Opaque
 data:
-  {{- if .Values.db.password }}
-  password: {{ .Values.db.password | b64enc }}
+  {{- if .Values.db.adminPassword }}
+  postgres-password: {{ .Values.db.adminPassword | b64enc | quote }}
   {{- end }}
-  {{- if .Values.db.apiKey }}
-  apiKey: {{ .Values.db.apiKey | b64enc }}
+  {{- if .Values.db.password }}
+  password: {{ .Values.db.password | b64enc | quote }}
   {{- end }}
 {{- end }}
 {{- end }}

charts/fhir-server/templates/fhir-db-secret.yaml

@@ -1,6 +1,6 @@
 {{- $ingress := .Values.ingress -}}
 {{- if $ingress.enabled -}}
-apiVersion: {{ template "fhir.ingressAPIVersion" . }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ template "fhir.fullname" . }}
@@ -23,18 +23,12 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
-            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
             pathType: {{ .pathType }}
             backend:
               service:
                 name: {{ template "fhir.fullname" $ }}
                 port:
                   name: {{ $ingress.servicePort }}
-            {{- else }}
-            backend:
-              serviceName: {{ template "fhir.fullname" $ }}
-              servicePort: {{ $ingress.servicePort }}
-            {{- end }}
           {{- end }}
     {{- end }}
   {{- if $ingress.tls }}