@rolandgroen

Summary

Introduces production-ready Helm charts for deploying nuts-knooppunt and its dependencies to Kubernetes. The charts provide a flexible, infrastructure-agnostic deployment solution with sensible defaults for development while supporting production customization.

Key additions:

  • Complete Helm chart for nuts-knooppunt application with embedded dependencies
  • Standalone HAPI FHIR server Helm chart with PostgreSQL integration
  • Standard Kubernetes Ingress support (default)
  • Optional Gateway API support for modern deployments
  • Automated PostgreSQL provisioning via CloudNativePG operator
  • Local development configuration overrides

Changes

Helm Charts (1,187 lines added)

  1. nuts-knooppunt Chart (helm/nuts-knooppunt/)

Main application chart with the following features:

  • Deployment Configuration (helm/nuts-knooppunt/templates/deployment.yaml:1)
    • Configurable replicas with optional horizontal pod autoscaling
    • Dual service ports: internal (8081) and public (8080)
    • ConfigMap-based application configuration
    • Health probes for liveness and readiness
  • Dependencies (helm/nuts-knooppunt/Chart.yaml:26-36)
    • fhir chart (v0.1.0) - Local subchart for HAPI FHIR server
    • nuts-node-chart (v0.0.5-pre) - From oci://ghcr.io/brainhivenl/nuts-node
    • Both dependencies conditionally enabled via values
  • Networking Options - Choose your preferred ingress method:
    • Traditional Kubernetes Ingress (helm/nuts-knooppunt/templates/ingress.yaml:1) - Enabled by default
    • Gateway API Gateway resource (helm/nuts-knooppunt/templates/gateway.yaml:1) - Optional
    • Gateway API HTTPRoute (helm/nuts-knooppunt/templates/httproute.yaml:1) - Optional
  • Database Management (helm/nuts-knooppunt/templates/nuts/database.yaml:1, helm/nuts-knooppunt/templates/hapifhir/database.yaml:1)
    • PostgreSQL clusters provisioned via CloudNativePG operator
    • Separate databases for nuts-node and FHIR components
  • Development Support (helm/nuts-knooppunt/values-local.yaml:1)
    • Local overrides for development environments
    • Pre-configured with nuts-knooppunt.localhost hostname
    • FHIR integration enabled by default
  2. FHIR Server Chart (helm/fhir/)

Standalone HAPI FHIR deployment chart:

  • HAPI FHIR Deployment (helm/fhir/templates/deployment.yaml:1)
    • HAPI FHIR v7.2.0 by default (helm/fhir/values.yaml:16)
    • Environment-based configuration via ConfigMap
    • PostgreSQL connection auto-configured when enabled
    • Configurable health probes with sensible defaults
  • PostgreSQL Integration (helm/fhir/templates/postgres.yaml:1)
    • Enabled by default for out-of-the-box functionality (helm/fhir/values.yaml:137)
    • Uses CloudNativePG operator for database management
    • Can be disabled to use external database
  • Networking (helm/fhir/templates/ingress.yaml:1, helm/fhir/templates/httproute.yaml:1)
    • Standard Kubernetes Ingress template
    • Optional Gateway API HTTPRoute support
    • Optional cert-manager integration for TLS (helm/fhir/templates/certificate.yaml:1)
  • Autoscaling (helm/fhir/templates/hpa.yaml:1)
    • Optional HorizontalPodAutoscaler
    • CPU and memory-based scaling

Supporting Changes

.gitignore (.gitignore:5)

  • Updated pattern from nuts-knooppunt to /nuts-knooppunt
  • Allows the helm/nuts-knooppunt/ directory while excluding the root binary

.github/workflows/build-images.yaml (.github/workflows/build-images.yaml:2)

  • Normalized quote style for consistency (double to single quotes)

Key Design Decisions

Infrastructure Agnostic:

  • No hard dependency on specific ingress controllers, Gateway API implementations, or cloud providers
  • Gateway API resources (Gateway, HTTPRoute) are completely optional and disabled by default
  • Works with any standard Kubernetes cluster

Default Configuration:

  • Traditional Kubernetes Ingress enabled by default (broadest compatibility)
  • PostgreSQL enabled for FHIR (immediate functionality)
  • Gateway API disabled by default (opt-in for modern infrastructure)
  • Autoscaling disabled by default (explicit resource planning)

Production Ready:

  • Separate databases for nuts-node and FHIR components
  • Configurable resource limits and requests
  • Health checks and readiness probes
  • Support for custom ServiceAccounts, annotations, and labels
  • TLS/certificate management via cert-manager (optional)

Deployment Examples

Basic installation with default values (Ingress-based)

helm install nuts-knooppunt ./helm/nuts-knooppunt

Local development with overrides

helm install nuts-knooppunt ./helm/nuts-knooppunt \
  -f ./helm/nuts-knooppunt/values-local.yaml

Production deployment with custom namespace

helm install nuts-knooppunt ./helm/nuts-knooppunt \
  -n nuts-knooppunt --create-namespace

Using Gateway API instead of Ingress

helm install nuts-knooppunt ./helm/nuts-knooppunt \
  --set gateway.enabled=true \
  --set httpRoute.enabled=true \
  --set ingress.enabled=false

Prerequisites

Required:

  • Kubernetes 1.24+ cluster
  • CloudNativePG operator (for PostgreSQL management)
  • Helm 3.x

Optional:

  • Ingress controller (nginx, traefik, etc.) for Ingress resources
  • Gateway API implementation (Envoy Gateway, Istio, etc.) if using Gateway API features
  • cert-manager (for automated TLS certificate management)

Testing Checklist

  • Helm chart linting passes (helm lint ./helm/nuts-knooppunt)
  • Default installation works on vanilla Kubernetes
  • PostgreSQL databases provision correctly via CloudNativePG
  • Ingress routes traffic to correct services
  • FHIR server connects to PostgreSQL
  • nuts-node connects to PostgreSQL
  • Health checks function correctly
  • Local values override properly applied

dmeijboom and others added 7 commits September 6, 2025 16:32
* main: (35 commits)
  #133 Show alert in interface when you are unable to delete a resource (#198)
  Deployment documentation (#175)
  #190: Fixed empty content returned by knooppunt when creating DocumentReference and also the fact BSN wasn't properly transformed from the transport token (#191)
  Adds pseudonym support for NVI to HAPI (#154)
  #133 Associate Endpoints Screen (#187)
  #168: Support pseudonyms in NVI gateway (#171)
  Add addressing view to diagram (#42)
  feat(bsn): add proof-of-concept transport token utils (#166)
  #68: Add search to NVI gateway (#162)
  #113 mCSD Update Client: use resource-level history query, instead of system-wide  (#156)
  Refactored the code to use conditional references (#157)
  #68: NVI gateway for registering DocumentReferences (#160)
  #135: fix mCSD Update Client meta.source (#151)
  Decouple HAPI Fhir initalisation from Nuts (#152)
  #144: set correct FHIR resource profiles (#147)
  #58: Support pagination when updating mCSD (#108)
  #103 [MCSD Admin] Refine location screen (#138)
  mCSD Admin: make valuesets compiler-safe with generated constants (#146)
  mCSD Update Client: return empty slice in report when no errors or warnings are there, instead of null (#141)
  #103 [MCSD Admin] Refine Organisation Screen (#137)
  ...
@rolandgroen rolandgroen requested a review from a team as a code owner October 14, 2025 17:26
@rolandgroen rolandgroen changed the title Feat/helm charts feat: add Helm charts for Kubernetes deployment Oct 14, 2025
@JorisHeadease JorisHeadease requested a review from Copilot October 15, 2025 10:12
Copilot AI left a comment

Pull Request Overview

This PR introduces comprehensive Helm charts for deploying nuts-knooppunt and its dependencies to Kubernetes, providing a production-ready, infrastructure-agnostic deployment solution with flexible configuration options.

  • Adds a complete nuts-knooppunt Helm chart with embedded dependencies for nuts-node and FHIR server
  • Introduces a standalone HAPI FHIR server chart with PostgreSQL integration via CloudNativePG operator
  • Provides multiple networking options including traditional Ingress and optional Gateway API support

Reviewed Changes

Copilot reviewed 30 out of 34 changed files in this pull request and generated 3 comments.

File | Description
helm/nuts-knooppunt/ | Main application chart with deployment templates, networking options, and dependency management
helm/fhir/ | Standalone FHIR server chart with PostgreSQL integration and networking templates
.github/workflows/build-images.yaml | Updated quote style for consistency

rolandgroen and others added 10 commits October 21, 2025 09:06
Co-authored-by: JorisHeadease <joris@headease.nl>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* main:
  #192: validate custodian with ura header, if exists (#200)
…e dependency version, and configuration parameters; add README documentation.
* main:
  Rewritten handleConsent check to internal function (#218)
  Mitz component cleanup (unused methods, logging) (#214)
  Readme update (#211)
  ADR: Solution Architecture (#169)
  #180: Adding mitz connector (closed query, subscription, notification) (#194)
  #139 Add practitioner role in mcsd admin (#201)
  Docs: change diagrams to have a set of diagrams per GF (#195)

# Conflicts:
#	.gitignore
rolandgroen and others added 7 commits October 31, 2025 12:37
…rts is in a directory called nuts-knooppunt and this line causes trouble.
This eliminates the manual task of creating database secrets by:

1. Automatic Secret Conversion
   - Helm hook job converts CloudNativePG postgresql:// URIs to postgres://
   - NUTS node requires postgres:// scheme, CloudNativePG uses postgresql://
   - Job creates a new secret with the correct format automatically

2. Intelligent Configuration Validation
   - NOTES.txt validates database connection configuration
   - Checks for NUTS_STORAGE_SQL_CONNECTION environment variable
   - Validates secret name matches expected pattern
   - Provides helpful warnings with correct configuration examples

3. Simplified User Experience
   - Users create custom values files (e.g., my-values.yaml)
   - Clear examples in values.yaml with placeholder values
   - Validation catches common mistakes (wrong secret name, missing config)
   - No complex --set-json commands required

4. Helper Template
   - Added nuts-knooppunt.nuts.dbSecretName helper
   - Ensures consistency between database and secret references
   - Used in validation and secret conversion

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
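
The scheme conversion described in the commit message above, as an added example that is not the chart's own hook job: it rewrites only the leading `postgresql://` scheme, fails on anything else, and redacts the password before a URI is logged. The function names and the sample URI are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the chart's hook job. All names here are hypothetical.

# convert_pg_uri URI: print the URI with a leading postgresql:// replaced by
# postgres://. Any other scheme returns 1, so a malformed secret fails the job
# instead of being copied through unchanged.
convert_pg_uri() {
  local uri=$1
  case "$uri" in
    postgresql://*) printf 'postgres://%s' "${uri#postgresql://}" ;;
    postgres://*)   printf '%s' "$uri" ;;   # already in the target form
    *)              return 1 ;;
  esac
}

# convert_secret_value B64: take a base64 value as stored in a Secret's data
# field and print the base64 of the converted URI. The clear text never
# reaches stdout or the job log.
convert_secret_value() {
  local plain converted
  plain=$(printf '%s' "$1" | base64 -d) || return 1
  converted=$(convert_pg_uri "$plain") || return 1
  printf '%s' "$converted" | base64 | tr -d '\n'
}

# redact_uri URI: replace the password with *** for use in log lines.
redact_uri() {
  printf '%s' "$1" | sed -E 's#^([a-z]+://[^:/@]+):[^@]*@#\1:***@#'
}

# Constructed sample: the password deliberately contains "postgresql", which
# a global search-and-replace would corrupt.
sample='postgresql://nuts:s3cret-postgresql@nuts-db-rw:5432/nuts'
redact_uri "$(convert_pg_uri "$sample")"; echo
```
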
@JorisHeadease JorisHeadease left a comment

Looks good @rolandgroen!

I've added the Helm chart dependency tarballs to the .gitignore.

@rolandgroen rolandgroen merged commit 3489211 into main Oct 31, 2025
1 check passed
@rolandgroen rolandgroen deleted the feat/helm-charts branch October 31, 2025 18:09
rolandgroen added a commit that referenced this pull request Nov 14, 2025
* main: (92 commits)
  feat: Make mCSD directory resource types configurable (#247)
  Make HTTP interface configurable (#253)
  test(pep): add e2e authorization tests (#237)
  Add PractitionerRole to the list of entities to sync using the update client (#236)
  NVI: use actual Fake NVI HAPI interceptor in e2e test (#243)
  feat: Add ExcludeAdminDirectories configuration to prevent self-syncing in mCSD (#230)
  fix: #241  mCSD update client caches admin directories in memory indefinitely (#242)
  Add examples for localisation GF (#189)
  #16: switch to EUPL 1.2 license + DCO (#224)
  #233: fix nil deref on missing entry.Request of mCSD _history response (#235)
  Fix organization name not being dynamic (#234)
  Docs: GF I&A EHR-Knooppunt interaction Sequence Diagram (#232)
  Helm: add HAPI FHIR properties (#227)
  Fix URL in documentation (#229)
  Helm: update Knooppunt to v0.2.0 (#228)
  feat: add Helm charts for Kubernetes deployment (#199)
  Docs: prep integration and deployment docs for hackathon (#222)
  Docs: add IHE ITI codes to TXs in C4 diagrams (#213)
  C4 diagrams for PEP/PDP that use GF Consent (#210)
  #216 Boilerplate PDP endpoint (#219)
  ...

# Conflicts:
#	LICENSE