Skip to main content
Version: 1.25

Kubernetes deployment

This chart bootstraps an Dossier Organizer on a Kubernetes cluster using the Helm package manager.

Dossier Organizer is a scalable web based solution for viewing and structuring documents, and other media. The structure and relations between elements can be configured freely to match your needs. Fusion provides various features to modify paged documents without altering the original data.

As you can see, the chart provisions four deployments (subchart names in brackets):

  • Dossier Organizer backend ("organizer")
  • jadice web viewer ("viewer")

Sample configuration

Prior to installing the Helm chart, you need to provide some required parameters. A minimal values.yaml with these required parameters looks like this:

my-values.yaml

##
# Global configuration to be used by all sub components
##
global:
imageRegistry: "registry.jadice.com" # Global Docker image registry

# Two external ingress configuration have defined for your organizer application.
urls:
fusion:
externalUrl: https://my-dossier-organizer.com
viewer:
externalUrl: https://my-dossier-organizer-viewer.com

##
# Secrets for sensitive information:
# -> to use encrypted 'sealed-secrets' see: https://github.com/bitnami-labs/sealed-secrets
##
secrets:
useSealedSecrets: true
## Secrets for the DB to store fusion collections in. (this section depends on the configured DB - default is MariaDB)
db:
username: "***"
password: "***"
rootPassword: "***"
replicationPassword: "***"
# Depending on your configuration of secrets.useSealedSecrets this config has to be configured differently.
# If you don't use sealed secrets the registry credentials can be put here in the fields 'server', 'username' and
# 'password'.
# If you use sealed secrets you have to create a docker config JSON string, seal it and put it in the
# 'dockerconfigjson' field.
imageRegistry:
# Option 1:
server: "***"
username: "***"
password: "***"
# Option 2:
dockerconfigjson: "***"

##
# Organizer specific configuration
##
organizer:
ingress:
# insert your ingress config here.
resources:
# insert your resources config here.

# These settings are dependent on the configuration of your OAuth provider. The credentials have to be created beforehand.
oauth:
enabled: true
clientId: "***"
scope: "***"
issuer: "***"
appIdUri: "***"
redirectUrl: "***"

##
# Viewer specific configuration
##
viewer:
ingress:
# insert your ingress config here.
resources:
# insert your resources config here.


Install the helm chart with your values applied:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm upgrade --install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

Prerequisites

Kubernetes

  • Kubernetes 1.14+
  • Helm 3.1.0+
  • (optional but recommended: sealed secrets )

Container Image Access

Because the images used in this chart are from a private container registry, you need to have access to the container registry registry.jadice.com or access to a proxy of the same registry.

Information on how to provide login credentials as a secret can be found here: image pull secrets.

All the deployments have an individual configurable registry or image name and tag. If the images are not provided directly through the jadice registry you can configure the these settings through:

# Global override for all images
global.imageRegistry: registry.jadice.com

#individual overrides for all images
organizer:
image:
name: fusion-output-organizer
registry: registry.jadice.com
pullPolicy: IfNotPresent
tag: ""
initContainer:
repository: flyway/flyway
registry: docker.io
pullPolicy: IfNotPresent
tag: ""
viewer:
image:
repository: neverpile-fusion-jwt-viewer
registry: registry.jadice.com
pullPolicy: IfNotPresent
tag: ""

Installing the Chart

To install the chart with the release name my-release from levigo helm repository:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

The command deploys fusion-dossier-organizer on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.


Configuration

The following tables lists the configurable parameters of the fusion-dossier-organizer chart and their default values.

Universal service settings

Let's start with universal settings for Kubernetes. These can be applied to every service in the values file. The <service>placeholder has to be replaced with a deployed kubernetes service alias like organizer, viewer, etc. these Aliases can be found in the chart.yaml and as prefix in the values file.

ParameterDescription
<service>.resources.requests.cpuCPU units for the service to be allocated initially.
<service>.resources.requests.memoryMemory size for the service to be allocated initially.
<service>.resources.limits.cpuMaximum CPU units that can be used by the service.
<service>.resources.limits.memoryMaximum Memory size that can be used by the service.
<service>.ingress.enabledEnable / Disable the ingress for a service. In order for this service to work, user access is needed, hence some kind of access for an operator has to be provided.
<service>.ingress.annotationsAdditional annotations for configuring the ingress.
<service>.ingress.hostsThe hostname of the service and eventual path rewrites.
<service>.ingress.tlsFor configuring the corresponding TLS secrets of the previously defined hostnames.
<service>.ingress.ingressClassNameThe ingress class name.
<service>.management.endpoints.web.exposure.includeSet which endpoints are exposed.
<service>.management.prometheus.metrics.export.enabledExport prometheus metrics.
<service>.management.jmx.metrics.export.enabledExport JMX metrics.
<service>.startupProbe.initialDelaySecondsInitial delay of the startup probe in seconds.
<service>.startupProbe.periodSecondsTime between requests for the startup probe in seconds.
<service>.startupProbe.timeoutSecondsMaximum response time for the startup probe in seconds.
<service>.startupProbe.successThresholdHow often a startup probe has to succeed for the pod to be considered healthy.
<service>.startupProbe.failureThresholdHow often a startup probe is allowed to fail before the pod is considered unhealthy.
<service>.livenessProbe.initialDelaySecondsInitial delay of the liveness probe in seconds.
<service>.livenessProbe.periodSecondsTime between requests for the liveness probe in seconds.
<service>.livenessProbe.timeoutSecondsMaximum response time for the liveness probe in seconds.
<service>.livenessProbe.successThresholdHow often a liveness probe has to succeed for the pod to be considered healthy.
<service>.livenessProbe.failureThresholdHow often a liveness probe is allowed to fail before the pod is considered unhealthy.
<service>.readinessProbe.initialDelaySecondsInitial delay of the readiness probe in seconds.
<service>.readinessProbe.periodSecondsTime between requests for the readiness probe in seconds.
<service>.readinessProbe.timeoutSecondsMaximum response time for the readiness probe in seconds.
<service>.readinessProbe.successThresholdHow often a readiness probe has to succeed for the pod to be considered healthy.
<service>.readinessProbe.failureThresholdHow often a readiness probe is allowed to fail before the pod is considered unhealthy.
<service>.securityContextContains general security information for an individual pod depending on your environment5
<service>.podSecurityContextContains security information for an individual pod depending on your environment5
<service>.affinityConfiguration for service pod affinity6
<service>.nodeSelectorConfiguration for service pod node selection6
<service>.tolerationsConfiguration for service pod tolerations6

Secrets

The chart also supports the use of Sealed Secrets instead of regular Kubernetes secrets. Sealed Secret values can also be specified directly in the Helm values.yaml. Simply set secrets.useSealedSecrets to true and use the encrypted values for all parameters in the section "secrets". For further information on how to encrypt secrets see table in the Sealed Secrets section.

Existing Secrets

Instead of automatically creating secrets within the Dossier Organizer deployment Helm chart you can replace these secrets with existing Kubernetes secrets created and maintained manually or by other systems.

Configuring Existing Secrets

To use an existing secret, you need to specify the name of the secret in the values.yaml file under the secrets section. The name of the secret can be chosen freely but the key within the secrets have to follow our definition seen in the Sealed Secrets table Here is an example configuration:

secrets:
imageRegistry:
existingSecret: "registry-secret"
db:
existingSecret: "database-secret"
loader:
existingSecret: "loader-auth-secret"
s3:
existingSecret: "s3-secret"
token:
existingSecret: "token-secret"
saveNotification:
existingSecret: "save-notification-auth-secret"
exportNotification:
existingSecret: "export-notification-auth-secret"

Image pull secrets

To access the container registry you have the following three options:

  1. Provide the name of an existing Kubernetes registry-secret via global.imagePullSecrets.

    For instructions on how to create a Kubernetes docker-registry secret check out the Documentation or the output of kubectl create secret docker-registry --help

  2. Provide the credentials to the registry via the following parameters:

ParameterDescriptionDefault
secrets.imageRegistry.serverServer of the container registryregistry.jadice.com
secrets.imageRegistry.usernameUsername for the container registrynil
secrets.imageRegistry.passwordPassword for the container registrynil
  1. For sealed secrets, you can encrypt the content of a ~/.docker/config.json file as a String and provide this as the value for the parameter secrets.imageRegistry.dockerconfigjson.

    To create this String you could run the following command

    kubectl create secret docker-registry registry-secret \
    --docker-username=<user> \
    --docker-password=<password> \
    --docker-server=registry.jadice.com \
    --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d | kubeseal --raw --from-file=/dev/stdin --namespace <namespace> --name registry-secret

    Note:

    • Requires jq and kubeseal
    • Replace <user>, <password>, <namespace> with the respective values.

Other secrets

Other secrets containing credentials for the database.

ParameterDescriptionDefault
secrets.db.userMariaDB usernil
secrets.db.passwordMariaDB passwordnil

Global Parameters

These values can be defined globally, overwriting the values defined for each component, including MariaDB.

ParameterDescriptionDefault
global.imageRegistryGlobal Docker image registrynil
global.imagePullSecretsGlobal Docker registry secret names as an array["registry-secret"]
global.storageClassGlobal storage class for dynamic provisioningnil
global.urls.fusion.externalUrlExternal url for the fusion backend configured by ingressnil
global.urls.fusion.serviceUrlKubernetes service url fot accessing the fusion service cluster internallyhttp://fusion-dossier-organizer
global.urls.viewer.externalUrlExternal url for the viewer backend configured by ingressnil
global.config.annotationProfileAnnotation configuration profile used by all Fusion Service in the cluster see<Default Profile ...>
global.extraEnvVarsAdditional environment variables to set for all containers. For example, to set the timezone:
- name: TZ
value: "Europe/Berlin"
[]
global.jadiceFlow.extraEnvVarsAdditional environment variables for Jadice Flow components only. For example, to set the timezone:
- name: TZ
value: "Europe/Berlin"
[]

Dossier Organizer ("organizer")

The base configuration of dossier organizer includes all necessary configuration setting to run the fusion backend as is. If you like to customize your deployment the following configuration settings can be used:

ParameterDescriptionDefault
organizer.config.gradationsEnabledEnables the option to change the radation curve of the displayed document in JWT.true
organizer.config.idValidationModeConfiguration for which IDs to validate as a UUID - Options: 'ALL', 'ELEMENT', 'COLLECTION', 'NONE'ALL
organizer.config.zoomAutoFitconfigures the default zoom behaviour. 'true' adjusts zoom automatically depending on the size of the document, 'false' simply sets the zoom level to 100%.true
organizer.loaders.basicAuthenticatedStore.enabledToggle to enable basic authentication for document content loading.false
organizer.loaders.basicAuthenticatedStore.baseUrlBase url for documents to be secured with basic auth.nil
organizer.loaders.bearerAuthenticatedStore.enabledToggle to enable bearer authentication for document content loading.false
organizer.loaders.bearerAuthenticatedStore.baseUrlBase url for documents to be secured with bearerAuth, e.g. https://example.com for document URLs https://example.com/path/to/document/.nil
organizer.loaders.contentHostWhitelistBase urls for hosts that are exclusively allowed for content loading.[]
organizer.loaders.contentHostBlacklistBase urls for hosts that are explicitely disallowed to load content from.[]
organizer.exportNotification.enabledFlag to enable export notificationfalse
organizer.exportNotification.urlThe url of the endpoint
organizer.exportNotification.auth.userAuth.enabledFlag to use user auth for the to be notified servicefalse
organizer.exportNotification.auth.basicAuthenticated.enabledFlag to enable Basic auth for the to be notified servicefalse
organizer.exportNotification.auth.basicAuthenticated.usernameBasic auth username
organizer.exportNotification.auth.basicAuthenticated.passwordBasic auth password
organizer.exportNotification.auth.bearerAuthenticated.enabledBearer auth for the to be notified servicefalse
organizer.exportNotification.auth.bearerAuthenticated.bearerTokenBearer auth token
organizer.saveNotification.enabledFlag to enable save notificationfalse
organizer.saveNotification.urlThe url of the endpoint
organizer.saveNotification.typeIdsWhitelistArray collection type ids to be notified
organizer.saveNotification.auth.basicAuthenticated.enabledFlag to enable Basic auth for the to be notified servicefalse
organizer.saveNotification.auth.basicAuthenticated.usernameBasic auth username
organizer.saveNotification.auth.basicAuthenticated.passwordBasic auth password
organizer.saveNotification.auth.bearerAuthenticated.enabledFlag to enable Bearer authfalse
organizer.saveNotification.auth.bearerAuthenticated.bearerTokenBearer auth token
organizer.db.jdbcURLDatabase JDBC-URL"jdbc:mariadb://fusion-dossier-organizer-mariadb/fusion"
organizer.db.driverClassNameDatabase Driver name"org.mariadb.jdbc.Driver"
organizer.db.databasePlatformDatabase language dialect"org.hibernate.dialect.MariaDBDialect"
organizer.logging.patternAllows you to define a custom logging pattern (see)
organizer.logging.level.*Allows you to configure logging levels on a package or class basis (see)
organizer.contextPathAllows you to configure the context path of the application (e.g. /foobar.mycompany.de/levigo/organizer)/
organizer.oauth.enabledEnable OAuth 2.0 authenticationtrue
organizer.oauth.clientIdOAuth fusion client id``
organizer.oauth.scopeOAuth access scope(s)``
organizer.oauth.issuerOAuth issuer url``
organizer.oauth.appIdUriYour app ID registered at the auth provider``
organizer.oauth.redirectUrlRedirect URL for OAuth``
organizer.oauth.jwkSetUri(Optional) If the authorization server endpoint is different that the issuer URL then the jwk-set-uri can be supplied``
organizer.truststore.enabledenable a custom truststore for the container.false
organizer.truststore.cacertsTruststore with custom (root) certificatessee.
organizer.truststore.fileNameConfigurable key name, allowing users to specify a different key name instead of the default cacerts.cacerts
organizer.index.enabledEnables metadata indexing for collections.true
organizer.jobs.deletion.enabledEnable the cron deletion job. (see)false
organizer.jobs.deletion.cronThe cron expression that defines the schedule for the deletion job."0 0 0 * * ?"
organizer.jobs.deletion.gracePeriodInDaysThe number of days to retain documents before they are eligible for deletion.1
organizer.jobs.compactHistory.enabledEnable the cron compact history job. (see)false
organizer.jobs.compactHistory.cronThe cron expression that defines the schedule for the compact history job."0 0 3 * * ?"
organizer.jobs.compactHistory.keepDaysNumber of recent days for which all versions are retained.30
organizer.jobs.compactHistory.batchSizeThe number of history entries to process in each batch.5000
organizer.jobs.compactHistory.maxDurationInHoursThe maximum duration in hours for the compact history job to run.3
organizer.jobs.compactHistory.transactionTimeoutInSecondsTimeout per deletion transaction (in seconds)300
organizer.locking.enabledToggle to configure if locking should be done while working with collections through the client application.
Enabled = pessimistic locking
Disabled = optimistic locking.
true
organizer.enableJsonLoggingEnable JSON logging for the application.false
organizer.config.frameAncestorsConfigures the Content-Security-Policy header to allow embedding the application in an iframe. Possible values: 'none', 'self', 'https://example.com'.
organizer.config.xframeOptionsConfigures the X-Frame-Options header. Possible values: 'deny', 'sameorigin', 'disable'. Please use in combination with organizer.config.frameAncestors.

Recommendation when using h2 as database: Note that pod replication is automatically set to 1 when H2 is used. Since H2 is an in-memory database, it may not be suitable for high load scenarios. Therefore, consider using MariaDB instead of H2 for better scalability and multiple instances. If scalability is an issue, switch to MariaDB and adjust the configuration accordingly.

Metadata Indexing

Indexing is used to enhance search efficiency by creating indexes on metadata attributes. This allows for rapid retrieval when performing queries based on metadata attributes, which is beneficial for complex search operations across large datasets. However, if indexing is not required for your use case, it can be disabled to reduce the overhead associated with maintaining these indexes. The following key can be used to enable or disable metadata indexing:

keyDescriptionDefault
organizer.index.enabledEnables metadata indexing for collectionstrue

Metadata Indexing Status

The easiest way to check if metadata indexing is enabled is to send a functioning POST request to the following URL:

<Host>/api/v1/index/metadata/query

If the feature is enabled and your request is valid, you should receive a 2xx HTTP status code (such as 200 OK or 201 Created).
If the feature is disabled, you will receive a 404 Not Found error (the endpoint does not exist).

For example, you can use curl to send a POST request with a minimal valid body:

curl -X POST <Host>/api/v1/index/metadata/query \
-H "Content-Type: application/json" \
-d '{}' -i

The HTTP status code will indicate the state:

  • 2xx: Indexing is enabled.
  • 404: Indexing is disabled.

Jadice web viewer ("viewer")

Jadice web viewer provides the document viewer to display most file formats in the browser frontend.

Configuration

here are the configuration settings for the jadice web viewer:

ParameterDescriptionDefault
viewer.contextPathAllows you to configure the context path of the application (e.g. /foobar.mycompany.de/levigo/viewer)/
viewer.serverConnectionConnection type for communication between the viewer client and its backend server. Possible values: WebSocket, LongPoll, ServerSentEventsWebSocket
viewer.jadiceStreamCache.expirationTimeThe time in hours after which the cache entries are removed.PT2H
viewer.enableJsonLoggingEnable JSON logging for the application.false
viewer.annotationConfigMapConfigurable ConfigMap name for the Jadice annotation profile.anno-profile
viewer.tileSecurityFilterEnabledToggle to disable session matching when requesting tiles.true
viewer.fusion.compositePagedCache.entitySizeThresholdThe maximum size of the composite paged. Any entity larger than this size will be stored in a local cache to avoid having long urls.50000
viewer.fusion.documentLoader.threadPoolSizeNumber of threads used to request documents. This is mainly used to troubleshoot performance problems.16
viewer.fusion.documentLoader.timeoutInSecondsTimeout for a single document to load. Should be long enough for even the largest documents (and in combined view for the whole collection).600

MariaDB

While MariaDB is a popular choice, it's important to note that it's not mandatory; you can set it to false and use an alternative database solution instead.

For detailed information about each parameter and its usage, you can refer to the official documentation provided by Bitnami.

Sealed Secrets

To encrypt sealed secrets you need to provide the cluster namespace, secret name, secret key and a secret value. The namespace can be chosen freely, the rest can be filled according to the following table. (All placeholders in the value fields have to be replaced with the actual values.)

secret-namesecret-keysecret-value
registry-secret.dockerconfigjson\{'auths':\{'registry.jadice.com':\{'username':'[USER]','password':'[PASSWORD]','email':'[EMAIL]','auth':'[TOKEN]'}}}
database-secretpassword[PASSWORD]
database-secretusername[USERNAME]
mariadb-secretmariadb-password[PASSWORD]
mariadb-secretmariadb-replication-password[PASSWORD]
mariadb-secretmariadb-root-password[PASSWORD]
loader-auth-secretloader-password[PASSWORD]
loader-auth-secretloader-user[USER]
loader-auth-secretloader-token[TOKEN]
s3-secrets3-access-key[KEY]
s3-secrets3-bucket[NAME]
s3-secrets3-endpoint[URL]
s3-secrets3-secret-key[KEY]
export-notification-auth-secretexport-notification-username[USERNAME]
export-notification-auth-secretexport-notification-password[PASSWORD]
export-notification-auth-secretexport-notification-bearer-token[BEARER_TOKEN]
save-notification-auth-secretsave-notification-username[USERNAME]
save-notification-auth-secretsave-notification-password[PASSWORD]
save-notification-auth-secretsave-notification-bearer-token[TOKEN]