issue #1602 - initial commit of helm chart

Signed-off-by: Lee Surprenant <lmsurpre@us.ibm.com>
LinuxForHealth · Jan 5, 2021 · f5fbf0b · f5fbf0b
1 parent e72c096
commit f5fbf0b
Show file tree

Hide file tree

Showing 13 changed files with 866 additions and 0 deletions.
diff --git a/fhir-install/src/main/chart/Chart.yaml b/fhir-install/src/main/chart/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Helm chart for the IBM FHIR Server
+name: ibm-fhir-server
+version: 0.0.1
diff --git a/fhir-install/src/main/chart/templates/_helpers.tpl b/fhir-install/src/main/chart/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/fhir-install/src/main/chart/templates/config-internal.yaml b/fhir-install/src/main/chart/templates/config-internal.yaml
@@ -0,0 +1,144 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fhir-server-config-internal
+data:
+  extension-search-parameters.json: >
+    {
+      "resourceType": "Bundle",
+      "id": "searchParams",
+      "meta": {
+        "lastUpdated": "2018-12-27T22:37:54.724+11:00"
+      },
+      "type": "collection",
+      "entry": []
+    }
+  fhir-server-config.json: >
+    {
+      "__comment": "config for internal fhir-server deployments",
+      "fhirServer": {
+        "core": {
+          "tenantIdHeaderName": "X-FHIR-TENANT-ID",
+          "datastoreIdHeaderName": "X-FHIR-DSID",
+          "checkReferenceTypes": true,
+          "conditionalDeleteMaxNumber": 1,
+          "defaultPrettyPrint": true,
+          "serverRegistryResourceProviderEnabled": false
+        },
+        "resources": {
+          "open": true
+        },
+        "security": {
+          "cors": true,
+          "basic": {
+            "enabled": true
+          },
+          "certificates": {
+            "enabled": true,
+            "authFilter": {
+              "enabled": false,
+              "authorizedClientCertClientCN": "",
+              "authorizedClientCertIssuerOU": ""
+            }
+          },
+          "oauth": {
+            "enabled": false,
+            "regUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/registration",
+            "authUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/authorize",
+            "tokenUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/token",
+            "smart": {
+              "enabled": false,
+              "scopes": ["openid", "profile", "fhirUser", "launch/patient", "offline_access",
+                "patient/*.read",
+                "patient/AllergyIntolerance.read",
+                "patient/CarePlan.read",
+                "patient/CareTeam.read",
+                "patient/Condition.read",
+                "patient/Device.read",
+                "patient/DiagnosticReport.read",
+                "patient/DocumentReference.read",
+                "patient/Encounter.read",
+                "patient/ExplanationOfBenefit.read",
+                "patient/Goal.read",
+                "patient/Immunization.read",
+                "patient/Location.read",
+                "patient/Medication.read",
+                "patient/MedicationRequest.read",
+                "patient/Observation.read",
+                "patient/Organization.read",
+                "patient/Patient.read",
+                "patient/Practitioner.read",
+                "patient/PractitionerRole.read",
+                "patient/Procedure.read",
+                "patient/Provenance.read",
+                "patient/RelatedPerson.read"],
+              "capabilities": [
+                "sso-openid-connect",
+                "launch-standalone",
+                "client-public",
+                "client-confidential-symmetric",
+                "permission-offline",
+                "context-standalone-patient",
+                "permission-patient"
+              ]
+            }
+          }
+        },
+        "audit": {
+          "serviceClassName": "com.ibm.fhir.audit.logging.impl.DisabledAuditLogService",
+          "serviceProperties": {
+          }
+        },
+        "persistence": {
+          "factoryClassname": "com.ibm.fhir.persistence.jdbc.FHIRPersistenceJDBCFactory",
+          "common": {
+            "__comment": "Configuration properties common to all persistence layer implementations",
+            "updateCreateEnabled": true
+          },
+          "datasources": {
+            "default": {
+                "type": "postgresql",
+                "connectionProperties": {
+                    "serverName": "${FHIR_DB_HOSTNAME}",
+                    "portNumber": ${FHIR_DB_PORT},
+                    "ssl": true,
+                    "sslmode": "verify-full",
+                    "sslrootcert": "/opt/ol/wlp/usr/servers/fhir-server/resources/security/postgres.cert",
+                    "databaseName": "${FHIR_DB_NAME}",
+                    "user": "${FHIR_DB_USERNAME}",
+                    "password": "${FHIR_DB_PASSWORD}",
+                    "currentSchema": "${FHIR_DB_SCHEMA}"
+                }
+            }
+          },
+          "jdbc": {
+            "dataSourceJndiName": "jdbc/fhirProxyDataSource",
+            "enableCodeSystemsCache": true,
+            "enableParameterNamesCache": true,
+            "enableResourceTypesCache": true
+          }
+        },
+        "bulkdata": {
+          "bulkDataBatchJobIdEncryptionKey": "{xor}Lz4sLCgwLTs=",
+          "applicationName": "fhir-bulkimportexport-webapp",
+          "moduleName": "fhir-bulkimportexport.war",
+          "jobParameters": {
+            "cos.bucket.name": "${COS_BUCKET}",
+            "cos.location": "${COS_LOCATION}",
+            "cos.endpointurl": "${COS_ENDPOINT}",
+            "fhir.tenant": "default",
+            "cos.credential.ibm": "Y",
+            "cos.api.key": "${COS_API_KEY}",
+            "cos.srvinst.id": "${COS_INSTANCE_ID}"
+          },
+          "implementation_type": "cos",
+          "batch-uri": "https://localhost:9443/ibm/api/batch/jobinstances",
+          "batch-user": "fhiruser",
+          "batch-user-password": "change-password",
+          "batch-truststore" : "resources/security/fhirTrustStore.p12",
+          "useFhirServerTrustStore": "Y",
+          "batch-truststore-password" : "change-password",
+          "validBaseUrls": []
+        }
+      }
+    }
diff --git a/fhir-install/src/main/chart/templates/config.yaml b/fhir-install/src/main/chart/templates/config.yaml
@@ -0,0 +1,147 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fhir-server-config
+data:
+  extension-search-parameters.json: >
+    {
+      "resourceType": "Bundle",
+      "id": "searchParams",
+      "meta": {
+        "lastUpdated": "2018-12-27T22:37:54.724+11:00"
+      },
+      "type": "collection",
+      "entry": []
+    }
+  fhir-server-config.json: >
+    {
+      "__comment": "config for the externally-visible fhir deployment",
+      "fhirServer": {
+        "core": {
+          "tenantIdHeaderName": "X-FHIR-TENANT-ID",
+          "datastoreIdHeaderName": "X-FHIR-DSID",
+          "checkReferenceTypes": true,
+          "conditionalDeleteMaxNumber": 1,
+          "defaultPrettyPrint": true,
+          "originalRequestUriHeaderName": "X-FHIR-FORWARDED-URL",
+          "serverRegistryResourceProviderEnabled": false
+        },
+        "resources": {
+          "open": true,
+          "Resource": {
+            "interactions": ["read", "vread", "history", "search"]
+          }
+        },
+        "security": {
+          "cors": true,
+          "basic": {
+            "enabled": true
+          },
+          "certificates": {
+            "enabled": true,
+            "authFilter": {
+              "enabled": false
+            }
+          },
+          "oauth": {
+            "enabled": false,
+            "regUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/registration",
+            "authUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/authorize",
+            "tokenUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/token",
+            "smart": {
+              "enabled": false,
+              "scopes": ["openid", "profile", "fhirUser", "launch/patient", "offline_access",
+                "patient/*.read",
+                "patient/AllergyIntolerance.read",
+                "patient/CarePlan.read",
+                "patient/CareTeam.read",
+                "patient/Condition.read",
+                "patient/Device.read",
+                "patient/DiagnosticReport.read",
+                "patient/DocumentReference.read",
+                "patient/Encounter.read",
+                "patient/ExplanationOfBenefit.read",
+                "patient/Goal.read",
+                "patient/Immunization.read",
+                "patient/Location.read",
+                "patient/Medication.read",
+                "patient/MedicationRequest.read",
+                "patient/Observation.read",
+                "patient/Organization.read",
+                "patient/Patient.read",
+                "patient/Practitioner.read",
+                "patient/PractitionerRole.read",
+                "patient/Procedure.read",
+                "patient/Provenance.read",
+                "patient/RelatedPerson.read"
+              ],
+              "capabilities": [
+                "sso-openid-connect",
+                "launch-standalone",
+                "client-public",
+                "client-confidential-symmetric",
+                "permission-offline",
+                "context-standalone-patient",
+                "permission-patient"
+              ]
+            }
+          }
+        },
+        "audit": {
+          "serviceClassName": "com.ibm.fhir.audit.logging.impl.DisabledAuditLogService",
+          "serviceProperties": {
+          }
+        },
+        "persistence": {
+          "factoryClassname": "com.ibm.fhir.persistence.jdbc.FHIRPersistenceJDBCFactory",
+          "common": {
+            "__comment": "Configuration properties common to all persistence layer implementations",
+            "updateCreateEnabled": true
+          },
+          "datasources": {
+            "default": {
+                "type": "postgresql",
+                "connectionProperties": {
+                    "serverName": "${FHIR_DB_HOSTNAME}",
+                    "portNumber": ${FHIR_DB_PORT},
+                    "ssl": true,
+                    "sslmode": "verify-full",
+                    "sslrootcert": "/opt/ol/wlp/usr/servers/fhir-server/resources/security/postgres.cert",
+                    "databaseName": "${FHIR_DB_NAME}",
+                    "user": "${FHIR_DB_USERNAME}",
+                    "password": "${FHIR_DB_PASSWORD}",
+                    "currentSchema": "${FHIR_DB_SCHEMA}"
+                }
+            }
+          },
+          "jdbc": {
+            "dataSourceJndiName": "jdbc/fhirProxyDataSource",
+            "enableCodeSystemsCache": true,
+            "enableParameterNamesCache": true,
+            "enableResourceTypesCache": true
+          }
+        },
+        "bulkdata": {
+          "bulkDataBatchJobIdEncryptionKey": "{xor}Lz4sLCgwLTs=",
+          "applicationName": "fhir-bulkimportexport-webapp",
+          "moduleName": "fhir-bulkimportexport.war",
+          "jobParameters": {
+            "cos.bucket.name": "fhir-export-changeme",
+            "cos.location": "us",
+            "cos.endpointurl": "https://s3.private.us-south.cloud-object-storage.appdomain.cloud",
+            "fhir.tenant": "default",
+            "cos.credential.ibm": "Y",
+            "cos.api.key": "change-password",
+            "cos.srvinst.id": "crn:v1:bluemix:public:cloud-object-storage:global:a/changeme::"
+          },
+          "implementation_type": "cos",
+          "batch-uri": "https://localhost:9443/ibm/api/batch/jobinstances",
+          "batch-user": "fhiruser",
+          "batch-user-password": "change-password",
+          "batch-truststore" : "resources/security/fhirTrustStore.p12",
+          "useFhirServerTrustStore": "Y",
+          "batch-truststore-password" : "change-password",
+          "validBaseUrls": []
+        }
+      }
+    }
diff --git a/fhir-install/src/main/chart/templates/create-schemas.yaml b/fhir-install/src/main/chart/templates/create-schemas.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.schemaMigration.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-create-schemas"
+  labels:
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install,pre-upgrade
+    # Hook weights can be positive or negative numbers but must be represented as strings.
+    # When Helm starts the execution cycle of hooks of a particular Kind it will sort those hooks in ascending order.
+    # So make sure this number is lower than the update-schemas weight.
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}-schematool"
+    spec:
+      restartPolicy: Never
+      imagePullSecrets:
+        - name: {{ .Values.image.pullSecret }}
+      containers:
+      - name: fhir-schematool
+        image: {{ .Values.schemaMigration.image.repository }}:{{ .Values.schemaMigration.image.tag }}
+        args: [
+          "--schema-name", "{{ .Values.db.schema }}",
+          "--create-schemas",
+        ]
+        volumeMounts:
+        - name: binding
+          mountPath: "/iks"
+          readOnly: true
+      volumes:
+      - name: binding
+        secret:
+          secretName: binding-postgres-fhir
+          items:
+          - key: binding
+            path: postgres-binding.json
+  backoffLimit: 4
+{{- end }}