Kubernetes deployment

This chart bootstraps an Dossier Organizer on a Kubernetes cluster using the Helm package manager.

Dossier Organizer is a scalable web based solution for viewing and structuring documents, and other media. The structure and relations between elements can be configured freely to match your needs. Fusion provides various features to modify paged documents without altering the original data.

As you can see, the chart provisions four deployments (subchart names in brackets):

• Dossier Organizer backend ("organizer")
• jadice web viewer ("viewer")

Sample configuration

Prior to installing the Helm chart, you need to provide some required parameters. A minimal values.yaml with these required parameters looks like this:

my-values.yaml

##
# Global configuration to be used by all sub components
##
global:
  imageRegistry: "registry.jadice.com" # Global Docker image registry

  # Two external ingress configuration have defined for your organizer application.
  urls:
    fusion:
      externalUrl: https://my-dossier-organizer.com
    viewer:
      externalUrl: https://my-dossier-organizer-viewer.com

##
# Secrets for sensitive information:
# -> to use encrypted 'sealed-secrets' see: https://github.com/bitnami-labs/sealed-secrets
##  
secrets:
  useSealedSecrets: true
  ## Secrets for the DB to store fusion collections in. (this section depends on the configured DB -  default is MariaDB)
  db:
    username: "***"
    password: "***"
    rootPassword: "***"
    replicationPassword: "***"
  # These settings are dependent on the configuration of your OAuth provider. The credentials have to be created 
  # beforehand.
  oauth:
    clientId: "***"
    scope: "***"
    issuer: "***"
    appIdUri: "***"
  # Depending on your configuration of secrets.useSealedSecrets this config has to be configured differently.
  # If you don't use sealed secrets the registry credentials can be put here in the fields 'server', 'username' and 
  # 'password'.
  # If you use sealed secrets you have to create a docker config JSON string, seal it and put it in the 
  # 'dockerconfigjson' field.
  imageRegistry:
    # Option 1:
    server: "***"
    username: "***"
    password: "***"
    # Option 2:
    dockerconfigjson: "***"

##
# Organizer specific configuration
##
organizer:
  ingress:
  # insert your ingress config here.
  resources:
  # insert your resources config here.

##
# Viewer specific configuration
##
viewer:
  ingress:
  # insert your ingress config here.
  resources:
  # insert your resources config here.

Install the helm chart with your values applied:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm upgrade --install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

---

Prerequisites

Kubernetes

• Kubernetes 1.14+
• Helm 3.1.0+
• (optional but recommended: sealed secrets )

Container Image Access

Because the images used in this chart are from a private container registry, you need to have access to the container registry registry.jadice.com or access to a proxy of the same registry.

For details see image pull secrets.

---

Installing the Chart

To install the chart with the release name my-release from levigo helm repository:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

The command deploys fusion-dossier-organizer on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

---

Configuration

The following tables lists the configurable parameters of the fusion-dossier-organizer chart and their default values.

Universal service settings

Let's start with universal settings for Kubernetes. These can be applied to every service in the values file. The <service>placeholder has to be replaced with a deployed kubernetes service alias like organizer, viewer, etc. these Aliases can be found in the chart.yaml and as prefix in the values file.

Parameter	Description
<service>.resources.requests.cpu	CPU units for the service to be allocated initially.
<service>.resources.requests.memory	Memory size for the service to be allocated initially.
<service>.resources.limits.cpu	Maximum CPU units that can be used by the service.
<service>.resources.limits.memory	Maximum Memory size that can be used by the service.
<service>.ingress.enabled	Enable / Disable the ingress for a service. In order for this service to work, user access is needed, hence some kind of access for an operator has to be provided.
<service>.ingress.annotations	Additional annotations for configuring the ingress.
<service>.ingress.hosts	The hostname of the service and eventual path rewrites.
<service>.ingress.tls	For configuring the corresponding TLS secrets of the previously defined hostnames.
<service>.ingress.ingressClassName	The ingress class name.
<service>.management.endpoints.web.exposure.include	Set which endpoints are exposed.
<service>.management.prometheus.metrics.export.enabled	Export prometheus metrics.
<service>.management.jmx.metrics.export.enabled	Export JMX metrics.
<service>.startupProbe.initialDelaySeconds	Initial delay of the startup probe in seconds.
<service>.startupProbe.periodSeconds	Time between requests for the startup probe in seconds.
<service>.startupProbe.timeoutSeconds	Maximum response time for the startup probe in seconds.
<service>.startupProbe.successThreshold	How often a startup probe has to succeed for the pod to be considered healthy.
<service>.startupProbe.failureThreshold	How often a startup probe is allowed to fail before the pod is considered unhealthy.
<service>.livenessProbe.initialDelaySeconds	Initial delay of the liveness probe in seconds.
<service>.livenessProbe.periodSeconds	Time between requests for the liveness probe in seconds.
<service>.livenessProbe.timeoutSeconds	Maximum response time for the liveness probe in seconds.
<service>.livenessProbe.successThreshold	How often a liveness probe has to succeed for the pod to be considered healthy.
<service>.livenessProbe.failureThreshold	How often a liveness probe is allowed to fail before the pod is considered unhealthy.
<service>.readinessProbe.initialDelaySeconds	Initial delay of the readiness probe in seconds.
<service>.readinessProbe.periodSeconds	Time between requests for the readiness probe in seconds.
<service>.readinessProbe.timeoutSeconds	Maximum response time for the readiness probe in seconds.
<service>.readinessProbe.successThreshold	How often a readiness probe has to succeed for the pod to be considered healthy.
<service>.readinessProbe.failureThreshold	How often a readiness probe is allowed to fail before the pod is considered unhealthy.
<service>.securityContext	Contains general security information for an individual pod depending on your environment5
<service>.podSecurityContext	Contains security information for an individual pod depending on your environment5
<service>.affinity	Configuration for service pod affinity6
<service>.nodeSelector	Configuration for service pod node selection6
<service>.tolerations	Configuration for service pod tolerations6

Secrets

The chart also supports the use of Sealed Secrets instead of regular Kubernetes secrets. Sealed Secret values can also be specified directly in the Helm values.yaml. Simply set secrets.useSealedSecrets to true and use the encrypted values for all parameters in the section "secrets". For further information on how to encrypt secrets see table in the Sealed Secrets section.

Image pull secrets

To access the container registry you have the following three options:

1. Provide the name of an existing Kubernetes registry-secret via global.imagePullSecrets.

   For instructions on how to create a Kubernetes docker-registry secret check out the Documentation or the output of kubectl create secret docker-registry --help

2. Provide the credentials to the registry via the following parameters:

Parameter	Description	Default
secrets.imageRegistry.server	Server of the container registry	registry.jadice.com
secrets.imageRegistry.username	Username for the container registry	nil
secrets.imageRegistry.password	Password for the container registry	nil

3. For sealed secrets, you can encrypt the content of a ~/.docker/config.json file as a String and provide this as the value for the parameter secrets.imageRegistry.dockerconfigjson.

   To create this String you could run the following command

   kubectl create secret docker-registry registry-secret \
     --docker-username=<user> \
     --docker-password=<password> \
     --docker-server=registry.jadice.com \
     --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d | kubeseal --raw --from-file=/dev/stdin --namespace <namespace> --name registry-secret

   Note:

   • Requires jq and kubeseal
   • Replace <user>, <password>, <namespace> with the respective values.

Other secrets

Other secrets containing credentials for the OAuth provider and the database.

Parameter	Description	Default
secrets.db.user	MariaDB user	nil
secrets.db.password	MariaDB password	nil
secrets.oauth.clientId	OAuth fusion client id	nil
secrets.oauth.scope	OAuth access scope(s)	nil
secrets.oauth.issuer	OAuth issuer url	nil
secrets.oauth.appIdUri	Your app ID registered at the auth provider	nil

Global Parameters

These values can be defined globally, overwriting the values defined for each component, including MariaDB.

Parameter	Description	Default
global.imageRegistry	Global Docker image registry	nil
global.imagePullSecrets	Global Docker registry secret names as an array	["registry-secret"]
global.storageClass	Global storage class for dynamic provisioning	nil
global.urls.fusion.externalUrl	External url for the fusion backend configured by ingress	nil
global.urls.fusion.serviceUrl	Kubernetes service url fot accessing the fusion service cluster internally	http://fusion-dossier-organizer-default
global.urls.viewer.externalUrl	External url for the viewer backend configured by ingress	nil
global.config.annotationProfile	Annotation configuration profile used by all Fusion Service in the cluster	<Profile String ...>

Dossier Organizer ("organizer")

The base configuration of dossier organizer includes all necessary configuration setting to run the fusion backend as is. If you like to customize your deployment the following configuration settings can be used:

Parameter	Description	Default
organizer.config.collectionTypeDefinitions	Configuration property contains a list of custom collection type definition files.
organizer.config.collectionTypeNames	Lists the corresponding collection type names to the definitions defined in 'collectionTypeDefinitions'. The name must be the same as the ID defined in the collection definition json. The order of elements has to match its counterpart in 'collectionTypeDefinitions'.
organizer.config.policyDefinitions	Configuration property contains a list of custom access policy definition files.
organizer.config.policyValidityDate	Lists the corresponding validity date of the access policies defined in 'policyDefinitions'. The date has to follow the date schema "yyyyMMdd-HHmmss-SSS". The active policy is always the policy with the newest validity that is not set in the future. The order of elements has to match its counterpart in 'policyDefinitions'.
organizer.config.styles	Configuration property contains a css to modify the frontend appearance.
organizer.config.logos	Configuration property allows the replacement of the default application logo.
organizer.config.favicon	Configuration property allows the replacement of the default application favicon.
organizer.config.gradationsEnabled	Enables the option to change the radation curve of the displayed document in JWT.	true
organizer.loaders.basicAuthenticatedStore.enabled	Toggle to enable basic authentication for document content loading.	false
organizer.loaders.basicAuthenticatedStore.baseUrl	Base url for documents to be secured with basic auth.	nil
organizer.loaders.bearerAuthenticatedStore.enabled	Toggle to enable bearer authentication for document content loading.	false
organizer.loaders.bearerAuthenticatedStore.baseUrl	Base url for documents to be secured with bearerAuth, e.g. https://example.com for document URLs https://example.com/path/to/document/.	nil
organizer.loaders.contentHostWhitelist	Base urls for hosts that are exclusively allowed for content loading.	[]
organizer.loaders.contentHostBlacklist	Base urls for hosts that are explicitely disallowed to load content from.	[]
organizer.exportNotification.enabled	Flag to enable export notification	false
organizer.exportNotification.url	The url of the endpoint
organizer.exportNotification.auth.userAuth.enabled	Flag to use user auth for the to be notified service	false
organizer.exportNotification.auth.basicAuthenticated.enabled	Flag to enable Basic auth for the to be notified service	false
organizer.exportNotification.auth.basicAuthenticated.username	Basic auth username
organizer.exportNotification.auth.basicAuthenticated.password	Basic auth password
organizer.exportNotification.auth.bearerAuthenticated.enabled	Bearer auth for the to be notified service	false
organizer.exportNotification.auth.bearerAuthenticated.bearerToken	Bearer auth token
organizer.saveNotification.enabled	Flag to enable save notification	false
organizer.saveNotification.url	The url of the endpoint
organizer.saveNotification.typeIdsWhitelist	Array collection type ids to be notified
organizer.saveNotification.auth.basicAuthenticated.enabled	Flag to enable Basic auth for the to be notified service	false
organizer.saveNotification.auth.basicAuthenticated.username	Basic auth username
organizer.saveNotification.auth.basicAuthenticated.password	Basic auth password
organizer.saveNotification.auth.bearerAuthenticated.enabled	Flag to enable Bearer auth	false
organizer.saveNotification.auth.bearerAuthenticated.bearerToken	Bearer auth token
organizer.db.jdbcURL	Database JDBC-URL	"jdbc:mariadb://fusion-dossier-organizer-mariadb/fusion"
organizer.db.driverClassName	Database Driver name	"org.mariadb.jdbc.Driver"
organizer.db.databasePlatform	Database language dialect	"org.hibernate.dialect.MariaDBDialect"
organizer.pringBootAdmin.enabled	Enable Spring Boot Admin support	false
organizer.logging.pattern	Allows you to define a custom logging pattern (see)
organizer.logging.level.*	Allows you to configure logging levels on a package or class basis (see)

Recommendation when using h2 as database: Note that pod replication is automatically set to 1 when H2 is used. Since H2 is an in-memory database, it may not be suitable for high load scenarios. Therefore, consider using MariaDB instead of H2 for better scalability and multiple instances. If scalability is an issue, switch to MariaDB and adjust the configuration accordingly.

Jadice web viewer ("viewer")

Jadice web viewer provides the document viewer to display most file formats in the browser frontend.

MariaDB

While MariaDB is a popular choice, it's important to note that it's not mandatory; you can set it to false and use an alternative database solution instead.

For detailed information about each parameter and its usage, you can refer to the official documentation provided by Bitnami.

Sealed Secrets

To encrypt sealed secrets you need to provide the cluster namespace, secret name, secret key and a secret value. The namespace can be chosen freely, the rest can be filled according to the following table. (All placeholders in the value fields have to be replaced with the actual values.)

secret-name	secret-key	secret-value
registry-secret	.dockerconfigjson	\{'auths':\{'registry.jadice.com':\{'username':'[USER]','password':'[PASSWORD]','email':'[EMAIL]','auth':'[TOKEN]'}}}
database-secret	password	[PASSWORD]
database-secret	username	[USERNAME]
mariadb-secret	mariadb-password	[PASSWORD]
mariadb-secret	mariadb-replication-password	[PASSWORD]
mariadb-secret	mariadb-root-password	[PASSWORD]
loader-auth-secret	loader-password	[PASSWORD]
loader-auth-secret	loader-user	[USER]
loader-auth-secret	loader-token	[TOKEN]
oauth-secret	app-id-uri	api://[APP_ID]
oauth-secret	client-id	[APP_ID]
oauth-secret	issuer	[ISSUER_URL]
oauth-secret	scope	[SCOPE]
s3-secret	s3-access-key	[KEY]
s3-secret	s3-bucket	[NAME]
s3-secret	s3-endpoint	[URL]
s3-secret	s3-secret-key	[KEY]
sba-secret	sba-password	[PASSWORD]
sba-secret	sba-user	[USER]