Kubernetes deployment

This chart bootstraps an Dossier Organizer on a Kubernetes cluster using the Helm package manager.

Dossier Organizer is a scalable web based solution for viewing and structuring documents, and other media. The structure and relations between elements can be configured freely to match your needs. Fusion provides various features to modify paged documents without altering the original data.

As you can see, the chart provisions four deployments (subchart names in brackets):

• Dossier Organizer backend ("organizer")
• jadice web viewer ("viewer")

Sample configuration

Prior to installing the Helm chart, you need to provide some required parameters. A minimal values.yaml with these required parameters looks like this:

my-values.yaml

##
# Global configuration to be used by all sub components
##
global:
  imageRegistry: "registry.jadice.com" # Global Docker image registry

  # Two external ingress configuration have defined for your organizer application.
  urls:
    fusion:
      externalUrl: https://my-dossier-organizer.com
    viewer:
      externalUrl: https://my-dossier-organizer-viewer.com

##
# Secrets for sensitive information:
# -> to use encrypted 'sealed-secrets' see: https://github.com/bitnami-labs/sealed-secrets
##  
secrets:
  useSealedSecrets: true
  ## Secrets for the DB to store fusion collections in. (this section depends on the configured DB -  default is MariaDB)
  db:
    username: "***"
    password: "***"
    rootPassword: "***"
    replicationPassword: "***"
  # Depending on your configuration of secrets.useSealedSecrets this config has to be configured differently.
  # If you don't use sealed secrets the registry credentials can be put here in the fields 'server', 'username' and 
  # 'password'.
  # If you use sealed secrets you have to create a docker config JSON string, seal it and put it in the 
  # 'dockerconfigjson' field.
  imageRegistry:
    # Option 1:
    server: "***"
    username: "***"
    password: "***"
    # Option 2:
    dockerconfigjson: "***"

##
# Organizer specific configuration
##
organizer:
  ingress:
  # insert your ingress config here.
  resources:
  # insert your resources config here.

   # These settings are dependent on the configuration of your OAuth provider. The credentials have to be created beforehand.
  oauth:
     enabled: true
     clientId: "***"
     scope: "***"
     issuer: "***"
     appIdUri: "***"
     redirectUrl: "***"

##
# Viewer specific configuration
##
viewer:
  ingress:
  # insert your ingress config here.
  resources:
  # insert your resources config here.

Install the helm chart with your values applied:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm upgrade --install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

---

Prerequisites

Kubernetes

• Kubernetes 1.14+
• Helm 3.1.0+
• (optional but recommended: sealed secrets )

Container Image Access

Because the images used in this chart are from a private container registry, you need to have access to the container registry registry.jadice.com or access to a proxy of the same registry.

Information on how to provide login credentials as a secret can be found here: image pull secrets.

All the deployments have an individual configurable registry or image name and tag. If the images are not provided directly through the jadice registry you can configure the these settings through:

# Global override for all images
global.imageRegistry: registry.jadice.com

#individual overrides for all images
organizer:
  image:
    name: fusion-output-organizer
    registry: registry.jadice.com
    pullPolicy: IfNotPresent
    tag: ""
  initContainer:
    repository: flyway/flyway
    registry: registry.jadice.com
    pullPolicy: IfNotPresent
    tag: ""
viewer:
  image:
    repository: neverpile-fusion-jwt-viewer
    registry: registry.jadice.com
    pullPolicy: IfNotPresent
    tag: ""

---

Installing the Chart

To install the chart with the release name my-release from levigo helm repository:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username> --password <password>
$ helm install --namespace my-namespace --values my-values.yaml my-release levigo/fusion-dossier-organizer

The command deploys fusion-dossier-organizer on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

---

Configuration

The following tables lists the configurable parameters of the fusion-dossier-organizer chart and their default values.

Universal service settings

Let's start with universal settings for Kubernetes. These can be applied to every service in the values file. The <service>placeholder has to be replaced with a deployed kubernetes service alias like organizer, viewer, etc. these Aliases can be found in the chart.yaml and as prefix in the values file.

Parameter	Description
<service>.resources.requests.cpu	CPU units for the service to be allocated initially.
<service>.resources.requests.memory	Memory size for the service to be allocated initially.
<service>.resources.limits.cpu	Maximum CPU units that can be used by the service.
<service>.resources.limits.memory	Maximum Memory size that can be used by the service.
<service>.ingress.enabled	Enable / Disable the ingress for a service. In order for this service to work, user access is needed, hence some kind of access for an operator has to be provided.
<service>.ingress.annotations	Additional annotations for configuring the ingress.
<service>.ingress.hosts	The hostname of the service and eventual path rewrites.
<service>.ingress.tls	For configuring the corresponding TLS secrets of the previously defined hostnames.
<service>.ingress.ingressClassName	The ingress class name.
<service>.management.endpoints.web.exposure.include	Set which endpoints are exposed.
<service>.management.prometheus.metrics.export.enabled	Export prometheus metrics.
<service>.management.jmx.metrics.export.enabled	Export JMX metrics.
<service>.startupProbe.initialDelaySeconds	Initial delay of the startup probe in seconds.
<service>.startupProbe.periodSeconds	Time between requests for the startup probe in seconds.
<service>.startupProbe.timeoutSeconds	Maximum response time for the startup probe in seconds.
<service>.startupProbe.successThreshold	How often a startup probe has to succeed for the pod to be considered healthy.
<service>.startupProbe.failureThreshold	How often a startup probe is allowed to fail before the pod is considered unhealthy.
<service>.livenessProbe.initialDelaySeconds	Initial delay of the liveness probe in seconds.
<service>.livenessProbe.periodSeconds	Time between requests for the liveness probe in seconds.
<service>.livenessProbe.timeoutSeconds	Maximum response time for the liveness probe in seconds.
<service>.livenessProbe.successThreshold	How often a liveness probe has to succeed for the pod to be considered healthy.
<service>.livenessProbe.failureThreshold	How often a liveness probe is allowed to fail before the pod is considered unhealthy.
<service>.readinessProbe.initialDelaySeconds	Initial delay of the readiness probe in seconds.
<service>.readinessProbe.periodSeconds	Time between requests for the readiness probe in seconds.
<service>.readinessProbe.timeoutSeconds	Maximum response time for the readiness probe in seconds.
<service>.readinessProbe.successThreshold	How often a readiness probe has to succeed for the pod to be considered healthy.
<service>.readinessProbe.failureThreshold	How often a readiness probe is allowed to fail before the pod is considered unhealthy.
<service>.securityContext	Contains general security information for an individual pod depending on your environment5
<service>.podSecurityContext	Contains security information for an individual pod depending on your environment5
<service>.affinity	Configuration for service pod affinity6
<service>.nodeSelector	Configuration for service pod node selection6
<service>.tolerations	Configuration for service pod tolerations6

Secrets

The chart also supports the use of Sealed Secrets instead of regular Kubernetes secrets. Sealed Secret values can also be specified directly in the Helm values.yaml. Simply set secrets.useSealedSecrets to true and use the encrypted values for all parameters in the section "secrets". For further information on how to encrypt secrets see table in the Sealed Secrets section.

Existing Secrets

Instead of automatically creating secrets within the Dossier Organizer deployment Helm chart you can replace these secrets with existing Kubernetes secrets created and maintained manually or by other systems.

Configuring Existing Secrets

To use an existing secret, you need to specify the name of the secret in the values.yaml file under the secrets section. The name of the secret can be chosen freely but the key within the secrets have to follow our definition seen in the Sealed Secrets table Here is an example configuration:

secrets:
  imageRegistry:
    existingSecret: "registry-secret"
  db:
    existingSecret: "database-secret"
  sba:
    existingSecret: "sba-secret"
  loader:
    existingSecret: "loader-auth-secret"
  s3:
    existingSecret: "s3-secret"
  token:
    existingSecret: "token-secret"
  saveNotification:
    existingSecret: "save-notification-auth-secret"
  exportNotification:
    existingSecret: "export-notification-auth-secret"

Image pull secrets

To access the container registry you have the following three options:

1. Provide the name of an existing Kubernetes registry-secret via global.imagePullSecrets.

   For instructions on how to create a Kubernetes docker-registry secret check out the Documentation or the output of kubectl create secret docker-registry --help

2. Provide the credentials to the registry via the following parameters:

Parameter	Description	Default
secrets.imageRegistry.server	Server of the container registry	registry.jadice.com
secrets.imageRegistry.username	Username for the container registry	nil
secrets.imageRegistry.password	Password for the container registry	nil

3. For sealed secrets, you can encrypt the content of a ~/.docker/config.json file as a String and provide this as the value for the parameter secrets.imageRegistry.dockerconfigjson.

   To create this String you could run the following command

   kubectl create secret docker-registry registry-secret \
     --docker-username=<user> \
     --docker-password=<password> \
     --docker-server=registry.jadice.com \
     --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d | kubeseal --raw --from-file=/dev/stdin --namespace <namespace> --name registry-secret

   Note:

   • Requires jq and kubeseal
   • Replace <user>, <password>, <namespace> with the respective values.

Other secrets

Other secrets containing credentials for the database.

Parameter	Description	Default
secrets.db.user	MariaDB user	nil
secrets.db.password	MariaDB password	nil

Global Parameters

These values can be defined globally, overwriting the values defined for each component, including MariaDB.

Parameter	Description	Default
global.imageRegistry	Global Docker image registry	nil
global.imagePullSecrets	Global Docker registry secret names as an array	["registry-secret"]
global.storageClass	Global storage class for dynamic provisioning	nil
global.urls.fusion.externalUrl	External url for the fusion backend configured by ingress	nil
global.urls.fusion.serviceUrl	Kubernetes service url fot accessing the fusion service cluster internally	http://fusion-dossier-organizer
global.urls.viewer.externalUrl	External url for the viewer backend configured by ingress	nil
global.config.annotationProfile	Annotation configuration profile used by all Fusion Service in the cluster see	<Default Profile ...>

Dossier Organizer ("organizer")

The base configuration of dossier organizer includes all necessary configuration setting to run the fusion backend as is. If you like to customize your deployment the following configuration settings can be used:

Parameter	Description	Default
organizer.config.gradationsEnabled	Enables the option to change the radation curve of the displayed document in JWT.	true
organizer.config.idValidationMode	Configuration for which IDs to validate as a UUID - Options: 'ALL', 'ELEMENT', 'COLLECTION', 'NONE'	ALL
organizer.config.zoomAutoFit	configures the default zoom behaviour. 'true' adjusts zoom automatically depending on the size of the document, 'false' simply sets the zoom level to 100%.	true
organizer.loaders.basicAuthenticatedStore.enabled	Toggle to enable basic authentication for document content loading.	false
organizer.loaders.basicAuthenticatedStore.baseUrl	Base url for documents to be secured with basic auth.	nil
organizer.loaders.bearerAuthenticatedStore.enabled	Toggle to enable bearer authentication for document content loading.	false
organizer.loaders.bearerAuthenticatedStore.baseUrl	Base url for documents to be secured with bearerAuth, e.g. https://example.com for document URLs https://example.com/path/to/document/.	nil
organizer.loaders.contentHostWhitelist	Base urls for hosts that are exclusively allowed for content loading.	[]
organizer.loaders.contentHostBlacklist	Base urls for hosts that are explicitely disallowed to load content from.	[]
organizer.exportNotification.enabled	Flag to enable export notification	false
organizer.exportNotification.url	The url of the endpoint
organizer.exportNotification.auth.userAuth.enabled	Flag to use user auth for the to be notified service	false
organizer.exportNotification.auth.basicAuthenticated.enabled	Flag to enable Basic auth for the to be notified service	false
organizer.exportNotification.auth.basicAuthenticated.username	Basic auth username
organizer.exportNotification.auth.basicAuthenticated.password	Basic auth password
organizer.exportNotification.auth.bearerAuthenticated.enabled	Bearer auth for the to be notified service	false
organizer.exportNotification.auth.bearerAuthenticated.bearerToken	Bearer auth token
organizer.saveNotification.enabled	Flag to enable save notification	false
organizer.saveNotification.url	The url of the endpoint
organizer.saveNotification.typeIdsWhitelist	Array collection type ids to be notified
organizer.saveNotification.auth.basicAuthenticated.enabled	Flag to enable Basic auth for the to be notified service	false
organizer.saveNotification.auth.basicAuthenticated.username	Basic auth username
organizer.saveNotification.auth.basicAuthenticated.password	Basic auth password
organizer.saveNotification.auth.bearerAuthenticated.enabled	Flag to enable Bearer auth	false
organizer.saveNotification.auth.bearerAuthenticated.bearerToken	Bearer auth token
organizer.db.jdbcURL	Database JDBC-URL	"jdbc:mariadb://fusion-dossier-organizer-mariadb/fusion"
organizer.db.driverClassName	Database Driver name	"org.mariadb.jdbc.Driver"
organizer.db.databasePlatform	Database language dialect	"org.hibernate.dialect.MariaDBDialect"
organizer.pringBootAdmin.enabled	Enable Spring Boot Admin support	false
organizer.logging.pattern	Allows you to define a custom logging pattern (see)
organizer.logging.level.*	Allows you to configure logging levels on a package or class basis (see)
organizer.contextPath	Allows you to configure the context path of the application (e.g. /foobar.mycompany.de/levigo/organizer)	/
organizer.oauth.enabled	Enable OAuth 2.0 authentication	true
organizer.oauth.clientId	OAuth fusion client id	``
organizer.oauth.scope	OAuth access scope(s)	``
organizer.oauth.issuer	OAuth issuer url	``
organizer.oauth.appIdUri	Your app ID registered at the auth provider	``
organizer.oauth.redirectUrl	Redirect URL for OAuth	``
organizer.truststore.enabled	enable a custom truststore for the container.	false
organizer.truststore.cacerts	Truststore with custom (root) certificatessee.
organizer.truststore.fileName	Configurable key name, allowing users to specify a different key name instead of the default cacerts.	cacerts
organizer.index.enabled	Enables metadata indexing for collections.	true
organizer.jobs.deletion.enabled	Enable the cron deletion job. (see)	false
organizer.jobs.deletion.cron	The cron expression that defines the schedule for the deletion job.	"0 0 0 * * ?"
organizer.jobs.deletion.gracePeriodInDays	The number of days to retain documents before they are eligible for deletion.	1
organizer.locking.enabled	Toggle to configure if locking should be done while working with collections through the client application. Enabled = pessimistic locking Disabled = optimistic locking.	true

Recommendation when using h2 as database: Note that pod replication is automatically set to 1 when H2 is used. Since H2 is an in-memory database, it may not be suitable for high load scenarios. Therefore, consider using MariaDB instead of H2 for better scalability and multiple instances. If scalability is an issue, switch to MariaDB and adjust the configuration accordingly.

Metadata Indexing

Indexing is used to enhance search efficiency by creating indexes on metadata attributes. This allows for rapid retrieval when performing queries based on metadata attributes, which is beneficial for complex search operations across large datasets. However, if indexing is not required for your use case, it can be disabled to reduce the overhead associated with maintaining these indexes. The following key can be used to enable or disable metadata indexing:

key	Description	Default
organizer.index.enabled	Enables metadata indexing for collections	true

Jadice web viewer ("viewer")

Jadice web viewer provides the document viewer to display most file formats in the browser frontend.

Configuration

here are the configuration settings for the jadice web viewer:

Parameter	Description	Default
viewer.contextPath	Allows you to configure the context path of the application (e.g. /foobar.mycompany.de/levigo/viewer)	/
viewer.serverConnection	Connection type for communication between the viewer client and its backend server. Possible values: WebSocket, LongPoll, ServerSentEvents	WebSocket

MariaDB

While MariaDB is a popular choice, it's important to note that it's not mandatory; you can set it to false and use an alternative database solution instead.

For detailed information about each parameter and its usage, you can refer to the official documentation provided by Bitnami.

Sealed Secrets

To encrypt sealed secrets you need to provide the cluster namespace, secret name, secret key and a secret value. The namespace can be chosen freely, the rest can be filled according to the following table. (All placeholders in the value fields have to be replaced with the actual values.)

secret-name	secret-key	secret-value
registry-secret	.dockerconfigjson	\{'auths':\{'registry.jadice.com':\{'username':'[USER]','password':'[PASSWORD]','email':'[EMAIL]','auth':'[TOKEN]'}}}
database-secret	password	[PASSWORD]
database-secret	username	[USERNAME]
mariadb-secret	mariadb-password	[PASSWORD]
mariadb-secret	mariadb-replication-password	[PASSWORD]
mariadb-secret	mariadb-root-password	[PASSWORD]
loader-auth-secret	loader-password	[PASSWORD]
loader-auth-secret	loader-user	[USER]
loader-auth-secret	loader-token	[TOKEN]
s3-secret	s3-access-key	[KEY]
s3-secret	s3-bucket	[NAME]
s3-secret	s3-endpoint	[URL]
s3-secret	s3-secret-key	[KEY]
sba-secret	sba-password	[PASSWORD]
sba-secret	sba-user	[USER]
save-notification-auth-secret	save-notification-username	[USERNAME]
save-notification-auth-secret	save-notification-password	[PASSWORD]
save-notification-auth-secret	save-notification-bearer-token	[TOKEN]