Skip to main content
Version: 1.11.x

Kubernetes deployment

This chart bootstraps an Dossier Organizer on a Kubernetes cluster using the Helm package manager.

Dossier Organizer is a scalable web based solution for viewing and structuring documents, and other media. The structure and relations between elements can be configured freely to match your needs. Fusion provides various features to modify paged documents without altering the original data.

As you can see, the chart provisions four deployments (subchart names in brackets):

  • Dossier Organizer backend ("organizer")
  • jadice web viewer ("viewer")

Sample configuration

Prior to installing the Helm chart, you need to provide some required parameters. A minimal values.yaml with these required parameters looks like this:

my-values.yaml

##
# Global configuration to be used by all sub components
##
global:
imageRegistry: "registry.jadice.com" # Global Docker image registry

# Two external ingress configuration have defined for your organizer application.
urls:
fusion:
externalUrl: https://my-dossier-organizer.com
viewer:
externalUrl: https://my-dossier-organizer-viewer.com

##
# Secrets for sensitive information:
# -> to use encrypted 'sealed-secrets' see: https://github.com/bitnami-labs/sealed-secrets
##
secrets:
useSealedSecrets: true
## Secrets for the DB to store fusion collections in. (this section depends on the configured DB - default is MariaDB)
db:
username: "***"
password: "***"
rootPassword: "***"
replicationPassword: "***"
# Depending on your configuration of secrets.useSealedSecrets this config has to be configured differently.
# If you don't use sealed secrets the registry credentials can be put here in the fields 'server', 'username' and
# 'password'.
# If you use sealed secrets you have to create a docker config JSON string, seal it and put it in the
# 'dockerconfigjson' field.
imageRegistry:
# Option 1:
server: "***"
username: "***"
password: "***"
# Option 2:
dockerconfigjson: "***"

##
# Organizer specific configuration
##
organizer:
ingress:
# insert your ingress config here.
resources:
# insert your resources config here.

# These settings are dependent on the configuration of your OAuth provider. The credentials have to be created beforehand.
oauth:
enabled: true
clientId: "***"
scope: "***"
issuer: "***"
appIdUri: "***"
redirectUrl: "***"

##
# Viewer specific configuration
##
viewer:
ingress:
# insert your ingress config here.
resources:
# insert your resources config here.


Install the helm chart with your values applied:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm upgrade --install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

Prerequisites

Kubernetes

  • Kubernetes 1.14+
  • Helm 3.1.0+
  • (optional but recommended: sealed secrets )

Container Image Access

Because the images used in this chart are from a private container registry, you need to have access to the container registry registry.jadice.com or access to a proxy of the same registry.

For details see image pull secrets.


Installing the Chart

To install the chart with the release name my-release from levigo helm repository:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

The command deploys fusion-dossier-organizer on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.


Configuration

The following tables lists the configurable parameters of the fusion-dossier-organizer chart and their default values.

Universal service settings

Let's start with universal settings for Kubernetes. These can be applied to every service in the values file. The <service>placeholder has to be replaced with a deployed kubernetes service alias like organizer, viewer, etc. these Aliases can be found in the chart.yaml and as prefix in the values file.

ParameterDescription
<service>.resources.requests.cpuCPU units for the service to be allocated initially.
<service>.resources.requests.memoryMemory size for the service to be allocated initially.
<service>.resources.limits.cpuMaximum CPU units that can be used by the service.
<service>.resources.limits.memoryMaximum Memory size that can be used by the service.
<service>.ingress.enabledEnable / Disable the ingress for a service. In order for this service to work, user access is needed, hence some kind of access for an operator has to be provided.
<service>.ingress.annotationsAdditional annotations for configuring the ingress.
<service>.ingress.hostsThe hostname of the service and eventual path rewrites.
<service>.ingress.tlsFor configuring the corresponding TLS secrets of the previously defined hostnames.
<service>.ingress.ingressClassNameThe ingress class name.
<service>.management.endpoints.web.exposure.includeSet which endpoints are exposed.
<service>.management.prometheus.metrics.export.enabledExport prometheus metrics.
<service>.management.jmx.metrics.export.enabledExport JMX metrics.
<service>.startupProbe.initialDelaySecondsInitial delay of the startup probe in seconds.
<service>.startupProbe.periodSecondsTime between requests for the startup probe in seconds.
<service>.startupProbe.timeoutSecondsMaximum response time for the startup probe in seconds.
<service>.startupProbe.successThresholdHow often a startup probe has to succeed for the pod to be considered healthy.
<service>.startupProbe.failureThresholdHow often a startup probe is allowed to fail before the pod is considered unhealthy.
<service>.livenessProbe.initialDelaySecondsInitial delay of the liveness probe in seconds.
<service>.livenessProbe.periodSecondsTime between requests for the liveness probe in seconds.
<service>.livenessProbe.timeoutSecondsMaximum response time for the liveness probe in seconds.
<service>.livenessProbe.successThresholdHow often a liveness probe has to succeed for the pod to be considered healthy.
<service>.livenessProbe.failureThresholdHow often a liveness probe is allowed to fail before the pod is considered unhealthy.
<service>.readinessProbe.initialDelaySecondsInitial delay of the readiness probe in seconds.
<service>.readinessProbe.periodSecondsTime between requests for the readiness probe in seconds.
<service>.readinessProbe.timeoutSecondsMaximum response time for the readiness probe in seconds.
<service>.readinessProbe.successThresholdHow often a readiness probe has to succeed for the pod to be considered healthy.
<service>.readinessProbe.failureThresholdHow often a readiness probe is allowed to fail before the pod is considered unhealthy.
<service>.securityContextContains general security information for an individual pod depending on your environment5
<service>.podSecurityContextContains security information for an individual pod depending on your environment5
<service>.affinityConfiguration for service pod affinity6
<service>.nodeSelectorConfiguration for service pod node selection6
<service>.tolerationsConfiguration for service pod tolerations6

Secrets

The chart also supports the use of Sealed Secrets instead of regular Kubernetes secrets. Sealed Secret values can also be specified directly in the Helm values.yaml. Simply set secrets.useSealedSecrets to true and use the encrypted values for all parameters in the section "secrets". For further information on how to encrypt secrets see table in the Sealed Secrets section.

Image pull secrets

To access the container registry you have the following three options:

  1. Provide the name of an existing Kubernetes registry-secret via global.imagePullSecrets.

    For instructions on how to create a Kubernetes docker-registry secret check out the Documentation or the output of kubectl create secret docker-registry --help

  2. Provide the credentials to the registry via the following parameters:

ParameterDescriptionDefault
secrets.imageRegistry.serverServer of the container registryregistry.jadice.com
secrets.imageRegistry.usernameUsername for the container registrynil
secrets.imageRegistry.passwordPassword for the container registrynil
  1. For sealed secrets, you can encrypt the content of a ~/.docker/config.json file as a String and provide this as the value for the parameter secrets.imageRegistry.dockerconfigjson.

    To create this String you could run the following command

    kubectl create secret docker-registry registry-secret \
    --docker-username=<user> \
    --docker-password=<password> \
    --docker-server=registry.jadice.com \
    --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d | kubeseal --raw --from-file=/dev/stdin --namespace <namespace> --name registry-secret

    Note:

    • Requires jq and kubeseal
    • Replace <user>, <password>, <namespace> with the respective values.

Other secrets

Other secrets containing credentials for the database.

ParameterDescriptionDefault
secrets.db.userMariaDB usernil
secrets.db.passwordMariaDB passwordnil

Global Parameters

These values can be defined globally, overwriting the values defined for each component, including MariaDB.

ParameterDescriptionDefault
global.imageRegistryGlobal Docker image registrynil
global.imagePullSecretsGlobal Docker registry secret names as an array["registry-secret"]
global.storageClassGlobal storage class for dynamic provisioningnil
global.urls.fusion.externalUrlExternal url for the fusion backend configured by ingressnil
global.urls.fusion.serviceUrlKubernetes service url fot accessing the fusion service cluster internallyhttp://fusion-dossier-organizer
global.urls.viewer.externalUrlExternal url for the viewer backend configured by ingressnil
global.config.annotationProfileAnnotation configuration profile used by all Fusion Service in the cluster see<Default Profile ...>

Dossier Organizer ("organizer")

The base configuration of dossier organizer includes all necessary configuration setting to run the fusion backend as is. If you like to customize your deployment the following configuration settings can be used:

ParameterDescriptionDefault
organizer.config.gradationsEnabledEnables the option to change the radation curve of the displayed document in JWT.true
organizer.config.idValidationModeConfiguration for which IDs to validate as a UUID - Options: 'ALL', 'ELEMENT', 'COLLECTION', 'NONE'ALL
organizer.config.zoomAutoFitconfigures the default zoom behaviour. 'true' adjusts zoom automatically depending on the size of the document, 'false' simply sets the zoom level to 100%.true
organizer.loaders.basicAuthenticatedStore.enabledToggle to enable basic authentication for document content loading.false
organizer.loaders.basicAuthenticatedStore.baseUrlBase url for documents to be secured with basic auth.nil
organizer.loaders.bearerAuthenticatedStore.enabledToggle to enable bearer authentication for document content loading.false
organizer.loaders.bearerAuthenticatedStore.baseUrlBase url for documents to be secured with bearerAuth, e.g. https://example.com for document URLs https://example.com/path/to/document/.nil
organizer.loaders.contentHostWhitelistBase urls for hosts that are exclusively allowed for content loading.[]
organizer.loaders.contentHostBlacklistBase urls for hosts that are explicitely disallowed to load content from.[]
organizer.exportNotification.enabledFlag to enable export notificationfalse
organizer.exportNotification.urlThe url of the endpoint
organizer.exportNotification.auth.userAuth.enabledFlag to use user auth for the to be notified servicefalse
organizer.exportNotification.auth.basicAuthenticated.enabledFlag to enable Basic auth for the to be notified servicefalse
organizer.exportNotification.auth.basicAuthenticated.usernameBasic auth username
organizer.exportNotification.auth.basicAuthenticated.passwordBasic auth password
organizer.exportNotification.auth.bearerAuthenticated.enabledBearer auth for the to be notified servicefalse
organizer.exportNotification.auth.bearerAuthenticated.bearerTokenBearer auth token
organizer.saveNotification.enabledFlag to enable save notificationfalse
organizer.saveNotification.urlThe url of the endpoint
organizer.saveNotification.typeIdsWhitelistArray collection type ids to be notified
organizer.saveNotification.auth.basicAuthenticated.enabledFlag to enable Basic auth for the to be notified servicefalse
organizer.saveNotification.auth.basicAuthenticated.usernameBasic auth username
organizer.saveNotification.auth.basicAuthenticated.passwordBasic auth password
organizer.saveNotification.auth.bearerAuthenticated.enabledFlag to enable Bearer authfalse
organizer.saveNotification.auth.bearerAuthenticated.bearerTokenBearer auth token
organizer.db.jdbcURLDatabase JDBC-URL"jdbc:mariadb://fusion-dossier-organizer-mariadb/fusion"
organizer.db.driverClassNameDatabase Driver name"org.mariadb.jdbc.Driver"
organizer.db.databasePlatformDatabase language dialect"org.hibernate.dialect.MariaDBDialect"
organizer.pringBootAdmin.enabledEnable Spring Boot Admin supportfalse
organizer.logging.patternAllows you to define a custom logging pattern (see)
organizer.logging.level.*Allows you to configure logging levels on a package or class basis (see)
organizer.contextPathAllows you to configure the context path of the application (e.g. /foobar.mycompany.de/levigo/organizer)/
organizer.oauth.enabledEnable OAuth 2.0 authenticationtrue
organizer.oauth.clientIdOAuth fusion client id``
organizer.oauth.scopeOAuth access scope(s)``
organizer.oauth.issuerOAuth issuer url``
organizer.oauth.appIdUriYour app ID registered at the auth provider``
organizer.oauth.redirectUrlRedirect URL for OAuth``
organizer.truststore.enabledenable a custom truststore for the container.false
organizer.truststore.cacertsTruststore with custom (root) certificatessee.
organizer.truststore.fileNameConfigurable key name, allowing users to specify a different key name instead of the default cacerts.cacerts
organizer.index.enabledEnables metadata indexing for collections.true
organizer.jobs.deletion.enabledEnable the cron deletion job. (see)false
organizer.jobs.deletion.cronThe cron expression that defines the schedule for the deletion job."0 0 0 * * ?"
organizer.jobs.deletion.gracePeriodInDaysThe number of days to retain documents before they are eligible for deletion.1

Recommendation when using h2 as database: Note that pod replication is automatically set to 1 when H2 is used. Since H2 is an in-memory database, it may not be suitable for high load scenarios. Therefore, consider using MariaDB instead of H2 for better scalability and multiple instances. If scalability is an issue, switch to MariaDB and adjust the configuration accordingly.

Metadata Indexing

Indexing is used to enhance search efficiency by creating indexes on metadata attributes. This allows for rapid retrieval when performing queries based on metadata attributes, which is beneficial for complex search operations across large datasets. However, if indexing is not required for your use case, it can be disabled to reduce the overhead associated with maintaining these indexes. The following key can be used to enable or disable metadata indexing:

keyDescriptionDefault
organizer.index.enabledEnables metadata indexing for collectionstrue

Jadice web viewer ("viewer")

Jadice web viewer provides the document viewer to display most file formats in the browser frontend.

Configuration

here are the configuration settings for the jadice web viewer:

ParameterDescriptionDefault
viewer.contextPathAllows you to configure the context path of the application (e.g. /foobar.mycompany.de/levigo/viewer)/
viewer.serverConnectionConnection type for communication between the viewer client and its backend server. Possible values: WebSocket, LongPoll, ServerSentEventsWebSocket

MariaDB

While MariaDB is a popular choice, it's important to note that it's not mandatory; you can set it to false and use an alternative database solution instead.

For detailed information about each parameter and its usage, you can refer to the official documentation provided by Bitnami.

Sealed Secrets

To encrypt sealed secrets you need to provide the cluster namespace, secret name, secret key and a secret value. The namespace can be chosen freely, the rest can be filled according to the following table. (All placeholders in the value fields have to be replaced with the actual values.)

secret-namesecret-keysecret-value
registry-secret.dockerconfigjson\{'auths':\{'registry.jadice.com':\{'username':'[USER]','password':'[PASSWORD]','email':'[EMAIL]','auth':'[TOKEN]'}}}
database-secretpassword[PASSWORD]
database-secretusername[USERNAME]
mariadb-secretmariadb-password[PASSWORD]
mariadb-secretmariadb-replication-password[PASSWORD]
mariadb-secretmariadb-root-password[PASSWORD]
loader-auth-secretloader-password[PASSWORD]
loader-auth-secretloader-user[USER]
loader-auth-secretloader-token[TOKEN]
s3-secrets3-access-key[KEY]
s3-secrets3-bucket[NAME]
s3-secrets3-endpoint[URL]
s3-secrets3-secret-key[KEY]
sba-secretsba-password[PASSWORD]
sba-secretsba-user[USER]
save-notification-auth-secretsave-notification-username[USERNAME]
save-notification-auth-secretsave-notification-password[PASSWORD]
save-notification-auth-secretsave-notification-bearer-token[TOKEN]