Feedback on Helm 2.6.0
Following the new version of the guide (2.6.0) and using the Helm chart, I experienced some issues with the chart, and I would like to address them here.
I have tried to structure my feedback around the individual components of the national-connector Helm chart.
Feedback:
In general, the deployments and services defined in the Helm chart are not very configurable via values.yaml. The deployments also lack proper readiness and liveness probe configuration.
Database
- The postgresql database deployment is neither optional nor configurable. Maybe use a subchart instead?
Suggestions for what should be configurable:
- postgresql image version
- PVC size, permissions, etc.
- resource requests and limits for containers and init containers
- securityContext
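As an added example of the subchart approach (this is not the project's own Chart.yaml or values.yaml; the Bitnami chart, its version constraint and its value keys are assumptions, to be checked with `helm show values`), the database becomes a dependency that Helm renders only when `postgresql.enabled` is true:

```yaml
# Chart.yaml (added example, not the national-connector chart's own file)
apiVersion: v2
name: national-connector
version: 2.6.0
dependencies:
  - name: postgresql
    # assumption: the Bitnami chart; pin a tested chart version here
    version: "16.x"
    repository: oci://registry-1.docker.io/bitnamicharts
    # the whole subchart is skipped when this value is false
    condition: postgresql.enabled
---
# values.yaml excerpt: everything under the postgresql key is passed to the
# subchart unchanged, so image tag, PVC size, resources and security context
# become tunable without touching any template. The key names below are
# assumed from the Bitnami chart and must be verified against its values.
postgresql:
  enabled: true
  image:
    tag: "16"
  primary:
    persistence:
      size: 1Gi
    resources:
      requests: { cpu: 100m, memory: 128Mi }
      limits: { cpu: 200m, memory: 256Mi }
```

`helm dependency update` fetches the subchart into `charts/`; installing with `--set postgresql.enabled=false` drops the database entirely, so the connector can point at an external PostgreSQL instead.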
api-gateway
The api-gateway now requires TLS certificates, as the previous .Values.api_gateway.disableTls has been removed. Is this intentional? The code seems to allow not specifying it.
shacl-validator
The shacl-validator deployment is not configurable:
- image version
- resource requests and limits
- securityContext
The container port and service port are hardcoded, and there seems to be a mismatch (8080 -> 7400)?
Configmap
The use of .Files.Get in the configmap is not very flexible, as it requires the files to be in the same directory as the chart. The values should be configurable via values.yaml instead, to make the chart more self-contained.
Secrets
The <release-name>-tls-secret should be optional, as it is not required.
I would suggest structuring the values.yaml file into sections for each component, making each component configurable, and adding an enabled flag for each component:
```yaml
services:
  apiGateway:
    enabled: true
    service:
      port: 7100
      targetPort: 7100
    deployment:
      image: code.europa.eu:4567/healthdataeu-nodes/hdeupoc/api-gateway:v2.6.0
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 200m
          memory: 256Mi
      securityContext:
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
      probes:
        readiness:
          path: /health
          port: 7100
          initialDelaySeconds: 5
          periodSeconds: 10
        liveness:
          path: /health
          port: 7100
          initialDelaySeconds: 5
          periodSeconds: 10
      # plain Kubernetes env syntax, so the list can be passed straight to the container
      env:
        - name: DB_HOST
          value: postgresql
        - name: DB_PORT
          value: "5432"
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: postgres-credentials
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-credentials
              key: password
    config:
      read_timeout: 5s
      write_timeout: 10s
      idle_timeout: 2m
      shutdown_timeout: 20s
      api_host: nac-api-gateway:7100
      disable_tls: true
      tls_cert_file: tmp.ssn.crt
      tls_key_file: tmp.ssn.key
  as4MessageDispatcher:
    enabled: true
    # ...
    config:
      time_interval: 1s
      shutdown_timeout: 20s
  dataDiscovery:
    enabled: true
    # ...
    config:
      read_timeout: 5s
      write_timeout: 10s
      idle_timeout: 2m
      shutdown_timeout: 20s
      api_host: nac-data-discovery:7200
  dataPermit:
    enabled: true
    # ...
    config:
      read_timeout: 5s
      write_timeout: 10s
      idle_timeout: 2m
      shutdown_timeout: 20s
      api_host: nac-data-permit:7300
  shaclValidator:
    enabled: true
    # ...
    config:
      host: nac-shacl-validator:7400
      disable_validation: true
      validation_timeout: 25s
postgresql:
  enabled: true
  image: postgres:16-alpine
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 200m
      memory: 256Mi
  securityContext: ...
  pvc:
    size: 1Gi
    storageClassName: standard
    accessModes:
      - ReadWriteOnce
# common configuration for all services
commonConfig:
  db:
    host: nac-postgres:5432
    max_idle_conns: 2
    max_open_conns: 0
    disable_tls: true
  domibus:
    # {...} are deployment-specific placeholders
    username: "{DOMIBUS_PLUGIN_USER}"
    host: "{DOMIBUS_HOST}:{DOMIBUS_PORT}"
    disable_tls: true
    sender: "{DOMIBUS_ACCESS_POINT}"
    recipient: "{CENTRAL_ACCESS_POINT}"
```
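To make the suggestions concrete, here is an added example template (not code from the national-connector chart or from the author of this feedback) for the api-gateway that reads image, resources, securityContext, probes, env, ports and config from the `services.apiGateway.*` values layout sketched above, is skipped entirely when `enabled` is false, renders the ConfigMap from values instead of `.Files.Get`, and only references `<release-name>-tls-secret` when TLS is in use. Assumptions: the values layout is the one proposed above, the mount paths under `/etc/api-gateway` are placeholders, and TLS is treated as on unless `config.disable_tls: true` is set explicitly.

```yaml
{{- /* Added example, not code from the national-connector chart: an
api-gateway Deployment, Service and ConfigMap driven entirely by the
values layout proposed above (services.apiGateway.*). Mount paths under
/etc/api-gateway are assumptions. */}}
{{- $svc := .Values.services.apiGateway }}
{{- /* TLS stays on unless config.disable_tls: true is set explicitly */}}
{{- $tls := not (dig "config" "disable_tls" false $svc) }}
{{- if $svc.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-api-gateway
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-api-gateway
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-api-gateway
    spec:
      {{- with $svc.deployment.securityContext }}
      securityContext: {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: api-gateway
          image: {{ $svc.deployment.image | quote }}
          ports:
            # the Service targets this named port, so containerPort and
            # targetPort cannot drift apart (cf. the 8080 -> 7400 mismatch)
            - name: http
              containerPort: {{ $svc.service.targetPort }}
          {{- with $svc.deployment.resources }}
          resources: {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with $svc.deployment.env }}
          # copied verbatim, so entries use Kubernetes env syntax
          # (value: or valueFrom: secretKeyRef:)
          env: {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with $svc.deployment.probes }}
          {{- with .readiness }}
          readinessProbe:
            httpGet: { path: {{ .path | quote }}, port: http }
            initialDelaySeconds: {{ .initialDelaySeconds }}
            periodSeconds: {{ .periodSeconds }}
          {{- end }}
          {{- with .liveness }}
          livenessProbe:
            httpGet: { path: {{ .path | quote }}, port: http }
            initialDelaySeconds: {{ .initialDelaySeconds }}
            periodSeconds: {{ .periodSeconds }}
          {{- end }}
          {{- end }}
          volumeMounts:
            - name: config
              mountPath: /etc/api-gateway
              readOnly: true
            {{- if $tls }}
            - name: tls
              mountPath: /etc/api-gateway/tls
              readOnly: true
            {{- end }}
      volumes:
        - name: config
          configMap:
            name: {{ .Release.Name }}-api-gateway-config
        {{- if $tls }}
        # the TLS secret is referenced (and should be created) only when
        # TLS is actually on, so <release-name>-tls-secret becomes optional
        - name: tls
          secret:
            secretName: {{ .Release.Name }}-tls-secret
        {{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}-api-gateway
spec:
  selector:
    app: {{ .Release.Name }}-api-gateway
  ports:
    - name: http
      port: {{ $svc.service.port }}
      targetPort: http
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-api-gateway-config
data:
  # rendered from values rather than .Files.Get, so no file has to sit
  # next to the chart on disk
  config.yaml: |
    {{- toYaml $svc.config | nindent 4 }}
{{- end }}
```

Rendering with `helm template . --set services.apiGateway.enabled=false` should produce nothing for this file, and with `services.apiGateway.config.disable_tls=true` the tls volume and its mount disappear, which is the check that the secret has really become optional. The same pattern applies unchanged to the other components, including shacl-validator.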