Merge pull request #26 from digihunch/version2312

Version update on Dec 23
digihunch · Dec 21, 2023 · d2e4687 · d2e4687
2 parents a40b294 + 8bcc907
commit d2e4687
Show file tree

Hide file tree

Showing 31 changed files with 7,009 additions and 3,446 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 
 # Korthweb - Orthanc on Kubernetes
 
-<a href="https://www.orthanc-server.com/"><img style="float" align="right" src=".asset/orthanc_logo.png"></a>
+<a href="https://www.orthanc-server.com/"><img style="float" align="right" src="docs/assets/images/orthanc_logo.png"></a>
 
 [![Kubernetes](https://img.shields.io/badge/kubernetes-%23326ce5.svg?logo=kubernetes&logoColor=white)](https://www.kubernetes.io)
 [![Helm](https://img.shields.io/badge/helm-%230f1689.svg?logo=helm&logoColor=white)](https://helm.sh/)
@@ -31,4 +31,4 @@ To deploy Orthanc (stateless app + database) on Kubernetes, and to securely host
 * GitOps with FluxCD for Continuous Deployment
 
 ## Documentation
-The [Korthweb documentation](https://digihunch.github.io/korthweb/) includes a step-by-step guide for each deployment approach.
+The [Korthweb documentation](https://digihunch.github.io/korthweb/) includes a step-by-step guide for each deployment approach.
diff --git a/docs/deployment/gitops.md b/docs/deployment/gitops.md
@@ -8,7 +8,7 @@ At the end of deployment two instances are deployed, in the bhs-orthweb and mhr-
 
 ![Diagram](../assets/images/korthweb-gitops.png)
 
-Each tenant has its own namespace, where the application, routing and database are hosted. Other services such as cert-manager are shared.
+Each tenant has its own namespace, where the application, routing and database are hosted. Other services such as cert-manager are shared. Since there are multiple tenants, please ensure that the kubernetes cluster has sufficient capacity. 
 
 ## Preparation
 Ensure that you can connect to your K8s cluster with `kubectl` from your command terminal. Your user in K8s needs sufficient privilege for Flux to perform deployment activities.
@@ -52,7 +52,7 @@ When all Kustomizations show True for READY, deployment is completed.
 
 ## Troubleshooting
 
-In case of errors, below are some steps I took to troubleshoot.
+It is important to ensure that the cluster has sufficient capacity, especially if you are running on a single node test cluster. Some stacks will time out when the node does not have sufficient capacity. In case of deployment errors, below are some steps I took to troubleshoot.
 
 1. Examine status of each Kustomization. The following command is essentially the same as "fluxctl get ks":
 ```sh
@@ -108,4 +108,4 @@ Events:
 4. You can also check the log of Flux:
 ```sh
 flux logs
-```
+```
diff --git a/docs/deployment/manual.md b/docs/deployment/manual.md
@@ -37,12 +37,12 @@ kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/ad
 istioctl dashboard kiali
 kubectl port-forward svc/kiali -n istio-system 8080:20001
 ```
-Kiali may take a few minutes to come up. Here we use a single manifest to deploy Kiali just for demo. For full-blown Kiali deployment, we should use Kiali CRD.
+Kiali may take a few minutes to come up. Here we use a single manifest to deploy Kiali just for demo. For full-blown Kiali deployment, we should use [Kiali CRD](https://kiali.io/docs/configuration/kialis.kiali.io/).
 
 ### Configure Certificates
 In this step, we generate our own X.509 key and certificate for the site. The certificates and key are stored as secrets and the Istio Ingress will reference them. To install cert manager using Helm:
 ```sh
-helm install cert-manager cert-manager --namespace cert-manager --create-namespace --version v1.11.0 --repo https://charts.jetstack.io --set installCRDs=true
+helm install cert-manager cert-manager --namespace cert-manager --create-namespace --version v1.13.3 --repo https://charts.jetstack.io --set installCRDs=true
 ```
 Confrim all Pods in cert-manager namespace come up. Then we use cert-manager CRs to create certificate in istio-system namespace, and verify the certificate by decoding the secret object.
 ```sh
@@ -60,11 +60,11 @@ helm install postgres-ha postgresql-ha \
        --set volumePermissions.enabled=true \
        --set service.portName=tcp-postgresql \
        --repo https://charts.bitnami.com/bitnami \
-       --version 11.0.1 \
+       --version 12.3.3 \
        --namespace orthweb
 kubectl -n orthweb wait deploy/postgres-ha-postgresql-ha-pgpool --for=condition=Available --timeout=10m
 kubectl apply -f orthanc.yaml
 kubectl -n orthweb get po --watch
 ```
 
-As a side note, we store the init script db_create.sql as an entry in orthanc-dbinit config map ahead of time before running the Helm chart, because Helm chart parameter [pgpool.initdbScriptsCM](https://artifacthub.io/packages/helm/bitnami/postgresql-ha#initialize-a-fresh-instance) does not take file with .sql extension. The postgres pods takes a few mintues to come all up. After that, we deploy the Orthanc workload as declared in `orthanc.yaml` file.
+As a side note, we store the init script db_create.sql as an entry in orthanc-dbinit config map ahead of time before running the Helm chart, because Helm chart parameter [pgpool.initdbScriptsCM](https://artifacthub.io/packages/helm/bitnami/postgresql-ha#initialize-a-fresh-instance) does not take file with .sql extension. The postgres pods takes a few mintues to come all up. After that, we deploy the Orthanc workload as declared in `orthanc.yaml` file.
diff --git a/docs/validation/gitops.md b/docs/validation/gitops.md
@@ -10,6 +10,10 @@ The first step is to make sure DNS resolution works. If you're on a Sandbox clus
 192.168.64.17 web.mhr.orthweb.com
 192.168.64.17 dicom.mhr.orthweb.com
 ```
+To find out the IP address, look for the attribute in each ingress service. For exampe:
+```sh
+kubectl -n bhs-orthweb get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+```
 
 ## Generate client certificate
 Take BHS tenant as an example, we first create a client certificate for use later.
@@ -47,4 +51,4 @@ storescu -aet TESTER -aec ORTHANC -d +tls bhs.client.key bhs.client.crt -rc +cf
 To check Pod logs, use Kiali. We can use port-forward to expose kiali service.
 ```sh
 kubectl port-forward svc/kiali -n monitoring 8080:20001
-```
+```
diff --git a/docs/validation/helm.md b/docs/validation/helm.md
@@ -11,7 +11,7 @@ Ensure that the DNS names web.orthweb.com and dicom.orthweb.com resolve to the e
 ## Web Service
 To validate web service, export client CA and run curl command:
 ```sh
-kubectl -n orthweb get secret web.orthweb.com -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
+kubectl -n orthweb get secret https-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
 
 curl -HHost:web.orthweb.com -v -k -X GET https://web.orthweb.com:443/app/explorer.html -u admin:orthanc --cacert ca.crt
 ```
@@ -23,4 +23,4 @@ The steps to validate DICOM traffic is similiar to other deployment option. Howe
 ```sh
 echoscu -aet TESTER -aec ORTHANC -d +tla -ic dicom.orthweb.com 11112
 storescu -aet TESTER -aec ORTHANC -d +tla -ic dicom.orthweb.com 11112 DICOM_CT/123.dcm
-```
+```
diff --git a/gitops/application/base/orthanc/deployment.yaml b/gitops/application/base/orthanc/deployment.yaml
@@ -30,6 +30,8 @@ spec:
           capabilities:
             drop:
               - ALL
+            add:
+              - DAC_OVERRIDE
           allowPrivilegeEscalation: false
         ports:
           - containerPort: 8042

diff --git a/gitops/application/bhs/kustomization.yaml b/gitops/application/bhs/kustomization.yaml
@@ -10,7 +10,7 @@ transformers:
 images:
 - name: orthanc-plugins
   newName: osimis/orthanc 
-  digest: sha256:20413096878fb56bf8d09af08cf4055993dbcf507526f0561b26fc4d0ed7affc
+  digest: 13914140549da7bb10869a75f7a7fd4ecfdc92e146da2af4917d6b85170e1525 
 patchesStrategicMerge:
 - |-
   apiVersion: v1

diff --git a/gitops/application/mhr/kustomization.yaml b/gitops/application/mhr/kustomization.yaml
@@ -10,7 +10,7 @@ transformers:
 images:
 - name: orthanc-plugins
   newName: osimis/orthanc 
-  digest: sha256:20413096878fb56bf8d09af08cf4055993dbcf507526f0561b26fc4d0ed7affc
+  digest: sha256:13914140549da7bb10869a75f7a7fd4ecfdc92e146da2af4917d6b85170e1525
 patchesStrategicMerge:
 - |-
   apiVersion: v1

diff --git a/gitops/dependency/base/istio-service/release.yaml b/gitops/dependency/base/istio-service/release.yaml
@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: istio-egress
@@ -11,7 +11,7 @@ spec:
         kind: HelmRepository
         name: istio
         namespace: flux-system
-      version: "1.16.1"
+      version: "1.20.1"
   interval: 1h0m0s
   install:
     remediation:
@@ -30,7 +30,7 @@ spec:
     nodeSelector:
       beta.kubernetes.io/os: linux
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: istio-ingress
@@ -43,7 +43,7 @@ spec:
         kind: HelmRepository
         name: istio
         namespace: flux-system
-      version: "1.16.1"
+      version: "1.20.1"
   interval: 1h0m0s
   install:
     remediation:

diff --git a/gitops/dependency/base/postgres/release.yaml b/gitops/dependency/base/postgres/release.yaml
@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: postgres-ha 
@@ -11,7 +11,7 @@ spec:
         kind: HelmRepository
         name: bitnami
         namespace: flux-system
-      version: "11.0.1"
+      version: "12.3.3"
   interval: 1h0m0s
   install:
     remediation:

diff --git a/gitops/fluxcd/bhs-application.yaml b/gitops/fluxcd/bhs-application.yaml
@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: bhs-application
@@ -12,7 +12,7 @@ spec:
     name: flux-system
   path: ./gitops/application/bhs
   prune: true
-  validation: client
+  #validation: client
   healthChecks:  
     - apiVersion: networking.istio.io/v1beta1 
       kind: Gateway

diff --git a/gitops/fluxcd/bhs-dependency.yaml b/gitops/fluxcd/bhs-dependency.yaml
@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: bhs-dependency 
@@ -12,7 +12,7 @@ spec:
     name: flux-system
   path: ./gitops/dependency/bhs
   prune: true
-  validation: client
+  #validation: client
   healthChecks:
     - apiVersion: apps/v1
       kind: Deployment
@@ -22,15 +22,15 @@ spec:
       kind: Certificate
       name: orthweb-cert
       namespace: bhs-orthweb
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1 
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta2 
       kind: HelmRelease
       name: istio-egress
       namespace: bhs-orthweb
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1 
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta2 
       kind: HelmRelease
       name: istio-ingress
       namespace: bhs-orthweb
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta2
       kind: HelmRelease
       name: postgres-ha 
       namespace: bhs-orthweb