charts/hapi-fhir-jpaserver/values.yaml

# -- number of replicas to deploy
replicaCount: 1

image:
  # -- registry where the HAPI FHIR server image is hosted
  registry: docker.io
  # -- the path inside the repository
  repository: hapiproject/hapi
  # -- the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image.
  tag: "v6.1.0@sha256:253f87bb1f5b7627f8e25f76a4b0aa7a83f31968c6e111ad74d3cc4ad9ae812e"
  # -- image pullPolicy to use
  pullPolicy: IfNotPresent

# -- image pull secrets to use when pulling the image
imagePullSecrets: []

# -- override the chart name
nameOverride: ""

# -- override the chart fullname
fullnameOverride: ""

# -- annotations applied to the server deployment
deploymentAnnotations: {}

# -- annotations applied to the server pod
podAnnotations: {}

# -- pod security context
podSecurityContext:
  {}
  # fsGroup: 2000

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  privileged: false
  seccompProfile:
    type: RuntimeDefault

# service to expose the server
service:
  # -- service type
  type: ClusterIP
  # -- port where the server will be exposed at
  port: 8080

ingress:
  # -- whether to create an Ingress to expose the FHIR server HTTP endpoint
  enabled: false
  # -- provide any additional annotations which may be required. Evaluated as a template.
  annotations:
    {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: fhir-server.127.0.0.1.nip.io
      pathType: ImplementationSpecific
      paths: ["/"]
  # -- ingress TLS config
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

# -- configure the FHIR server's resource requests and limits
resources:
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# -- node selector for the pod
nodeSelector: {}

# -- pod tolerations
tolerations: []

# -- pod affinity
affinity: {}

# -- pod topology spread configuration
# see: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#api
topologySpreadConstraints:
  []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: ScheduleAnyway
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/instance: hapi-fhir-jpaserver
  #       app.kubernetes.io/name: hapi-fhir-jpaserver

postgresql:
  # -- enable an included PostgreSQL DB.
  # see <https://github.com/bitnami/charts/tree/master/bitnami/postgresql> for details
  # if set to `false`, the values under `externalDatabase` are used
  enabled: true
  auth:
    # -- name for a custom database to create
    database: "fhir"
    # -- Name of existing secret to use for PostgreSQL credentials
    # `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret
    # The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user),
    # `password` (which is the password for the custom user to create when `auth.username` is set),
    # and `replication-password` (which is the password for replication user).
    # The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and
    # picked from this secret in this case.
    # The value is evaluated as a template.
    existingSecret: ""
  primary:
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

readinessProbe:
  failureThreshold: 5
  initialDelaySeconds: 30
  periodSeconds: 20
  successThreshold: 1
  timeoutSeconds: 20

startupProbe:
  failureThreshold: 10
  initialDelaySeconds: 60
  periodSeconds: 30
  successThreshold: 1
  timeoutSeconds: 30

livenessProbe:
  failureThreshold: 5
  initialDelaySeconds: 30
  periodSeconds: 20
  successThreshold: 1
  timeoutSeconds: 30

externalDatabase:
  # -- external database host used with `postgresql.enabled=false`
  host: localhost
  # -- database port number
  port: 5432
  # -- username for the external database
  user: fhir
  # -- database password
  password: ""
  # -- name of an existing secret resource containing the DB password in the `existingSecretKey` key
  existingSecret: ""
  # -- name of the key inside the `existingSecret`
  existingSecretKey: "postgresql-password"
  # -- database name
  database: fhir

# -- extra environment variables to set on the server container
extraEnv:
  []
  # - name: SPRING_FLYWAY_BASELINE_ON_MIGRATE
  #   value: "true"

podDisruptionBudget:
  # -- Enable PodDisruptionBudget for the server pods.
  # uses policy/v1/PodDisruptionBudget thus requiring k8s 1.21+
  enabled: false
  # -- minimum available instances
  minAvailable: 1
  # -- maximum unavailable instances
  maxUnavailable: ""

metrics:
  serviceMonitor:
    # -- if enabled, creates a ServiceMonitor instance for Prometheus Operator-based monitoring
    enabled: false
    # -- additional labels to apply to the ServiceMonitor object, e.g. `release: prometheus`
    additionalLabels: {}
    # namespace: monitoring
    # interval: 30s
    # scrapeTimeout: 10s
  service:
    port: 8081

# @ignore
restrictedContainerSecurityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  privileged: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534
  seccompProfile:
    type: RuntimeDefault