diff --git a/.github/check_empty_reports.sh b/.github/check_empty_reports.sh
new file mode 100644
index 00000000..b9e9366e
--- /dev/null
+++ b/.github/check_empty_reports.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+function empty_report_check {
+ report_type=$1
+ report_file_check=$(cat reports/${report_type}-vulnerabilities.txt | wc -m)
+ if [ $report_file_check == 0 ];then
+ echo "No Vulnerablity Found!" > reports/${report_type}-vulnerabilities.txt
+ fi
+}
+
+empty_report_check "high"
+empty_report_check "medium"
+empty_report_check "critical"
+empty_report_check "low"
+empty_report_check "unknown"
diff --git a/.github/setupEnvSecrets.sh b/.github/setupEnvSecrets.sh
new file mode 100755
index 00000000..c52c2571
--- /dev/null
+++ b/.github/setupEnvSecrets.sh
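Review bot: A missing report is indistinguishable from an empty one in `empty_report_check`: when `reports/${report_type}-vulnerabilities.txt` does not exist, `cat` fails but the pipe into `wc -m` hides the error (no `pipefail`), `wc` prints 0, and the function writes "No Vulnerablity Found!" over a report that was never produced, so a skipped or failed scan is published as a clean result. Testing the file directly avoids both the masked pipeline and the unquoted `[ $report_file_check == 0 ]` comparison: `file="reports/${report_type}-vulnerabilities.txt"`, `[[ -f "$file" ]] || { echo "missing $file" >&2; exit 1; }`, `[[ -s "$file" ]] || echo "No Vulnerability Found!" > "$file"`. That replacement also corrects the typo in the message ("Vulnerablity"). `report_type` and `report_file_check` are assigned as globals; `local` would keep them inside the function.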
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+
+function exportWithMask {
+ SSM_PARAMETER_NAME=$1
+ ENV_VARIABLE_NAME=$2
+
+ PARAMETER_VALUE=$(aws ssm get-parameter --with-decryption --name "$SSM_PARAMETER_NAME" --query "Parameter.Value" --output text)
+ echo "::add-mask::$PARAMETER_VALUE"
+ echo "$ENV_VARIABLE_NAME=$PARAMETER_VALUE" >> $GITHUB_ENV
+}
+
+ENVIRONMENT=$1
+
+exportWithMask "/$ENVIRONMENT/openmrs/DB_USERNAME" 'OPENMRS_DB_USERNAME'
+exportWithMask "/$ENVIRONMENT/openmrs/DB_PASSWORD" 'OPENMRS_DB_PASSWORD'
+exportWithMask "/$ENVIRONMENT/reports/DB_USERNAME" 'REPORTS_DB_USERNAME'
+exportWithMask "/$ENVIRONMENT/reports/DB_PASSWORD" 'REPORTS_DB_PASSWORD'
+exportWithMask "/$ENVIRONMENT/crater/DB_USERNAME" 'CRATER_DB_USERNAME'
+exportWithMask "/$ENVIRONMENT/crater/DB_PASSWORD" 'CRATER_DB_PASSWORD'
+exportWithMask "/$ENVIRONMENT/crater_atomfeed/DB_USERNAME" 'CRATER_ATOMFEED_DB_USERNAME'
+exportWithMask "/$ENVIRONMENT/crater_atomfeed/DB_PASSWORD" 'CRATER_ATOMFEED_DB_PASSWORD'
+exportWithMask "/$ENVIRONMENT/crater/ADMIN_PASSWORD" 'CRATER_ADMIN_PASSWORD'
+exportWithMask "/nonprod/rds/mysql/host" 'RDS_HOST'
+exportWithMask "/nonprod/rds/mysql/username" 'RDS_USERNAME'
+exportWithMask "/nonprod/rds/mysql/password" 'RDS_PASSWORD'
+exportWithMask "/nonprod/rabbitmq/USERNAME" 'MQ_USERNAME'
+exportWithMask "/nonprod/rabbitmq/PASSWORD" 'MQ_PASSWORD'
+exportWithMask "/nonprod/psql/DB_PASSWORD" 'PSQL_PASSWORD'
+exportWithMask "/$ENVIRONMENT/abdm/GATEWAY_CLIENT_ID" 'GATEWAY_CLIENT_ID'
+exportWithMask "/$ENVIRONMENT/abdm/GATEWAY_CLIENT_SECRET" 'GATEWAY_CLIENT_SECRET'
+exportWithMask "/nonprod/efs/file_system_id" 'EFS_FILESYSTEM_ID'
+exportWithMask "/smtp/access_key" 'MAIL_USER'
+exportWithMask "/smtp/secret" 'MAIL_PASSWORD'
diff --git a/.github/workflows/deploy-monitoring.yaml b/.github/workflows/deploy-monitoring.yaml
new file mode 100644
index 00000000..21e5cc21
--- /dev/null
+++ b/.github/workflows/deploy-monitoring.yaml
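Review bot: The `echo "$ENV_VARIABLE_NAME=$PARAMETER_VALUE" >> $GITHUB_ENV` line in `exportWithMask` assumes every SSM value is a single line; GITHUB_ENV is parsed as `KEY=VALUE` lines, so a value containing a newline (a PEM key, a multi-line token) would be cut at the first line and its remainder read back as further variable assignments. The delimiter form handles arbitrary values and the target should be quoted: `{ echo "$ENV_VARIABLE_NAME<<__EOF__"; echo "$PARAMETER_VALUE"; echo "__EOF__"; } >> "$GITHUB_ENV"`. The three variables assigned in the function are globals and survive each call; `local` keeps them from leaking into the script scope. `ENVIRONMENT=$1` is never validated, so a missing argument silently requests parameters under `//openmrs/...`; `: "${1:?environment name required}"` fails fast instead.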
@@ -0,0 +1,59 @@ +name: Deploy Monitoring and Logging + +on: + push: + branches: + - main + paths: + - values/monitoring.yaml + - aws/route53/monitoring-lite.mybahmni.in.json + - .github/workflows/deploy-monitoring.yaml + + workflow_dispatch: + +jobs: + deploy-monitoring-logging: + name: Deploy Monitoring & Logging + runs-on: ubuntu-latest + env: + CLUSTER_NAME: bahmni-cluster-nonprod + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Add helm repo + run: | + helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + helm repo add grafana https://grafana.github.io/helm-charts + helm repo update + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} + aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} + aws-region: ${{ secrets.BAHMNI_AWS_REGION }} + role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} + role-duration-seconds: 900 # 15 mins + role-session-name: BahmniInfraAdminSession + - name: Authorise Kubectl with EKS + run: aws eks update-kubeconfig --name $CLUSTER_NAME + - name: Upsert Route53 A record with INGRESS_DNS + run: | + INGRESS_DNS=$(kubectl -n ingress-nginx get svc ingress-nginx-controller -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") + jq --arg ingress_dns "$INGRESS_DNS" '.Changes[].ResourceRecordSet.AliasTarget.DNSName = $ingress_dns' aws/route53/monitoring-lite.mybahmni.in.json > recordset + aws route53 change-resource-record-sets --hosted-zone-id ${{ secrets.HOSTED_ZONE_ID }} --change-batch file://recordset + - name: Helm Upgrade Monitoring Stack + run: | + GRAFANA_ADMIN_PASSWORD=$(aws ssm get-parameter --with-decryption --name "/nonprod/grafana/ADMIN_PASSWORD" --query "Parameter.Value" --output text) + GITHUB_OAUTH_CLIENT_ID=$(aws ssm get-parameter --with-decryption --name "/nonprod/grafana/oauth/github/bahmniindia/CLIENT_ID" --query "Parameter.Value" --output text) + 
GITHUB_OAUTH_CLIENT_SECRET=$(aws ssm get-parameter --with-decryption --name "/nonprod/grafana/oauth/github/bahmniindia/CLIENT_SECRET" --query "Parameter.Value" --output text) + helm upgrade monitoring prometheus-community/kube-prometheus-stack -n monitoring --create-namespace \ + --values=values/monitoring.yaml \ + --set grafana.adminPassword=$GRAFANA_ADMIN_PASSWORD \ + --set 'grafana.grafana\.ini.auth\.github.client_id'=$GITHUB_OAUTH_CLIENT_ID \ + --set 'grafana.grafana\.ini.auth\.github.client_secret'=$GITHUB_OAUTH_CLIENT_SECRET \ + --install + + - name: Helm Upgrade Logging Stack + run: | + helm upgrade --install loki --namespace=monitoring grafana/loki-stack \ + --values=values/logging.yaml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml new file mode 100644 index 00000000..da5ad427 --- /dev/null +++ b/.github/workflows/deploy.yaml 
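Review bot: In the "Helm Upgrade Monitoring Stack" step the Grafana admin password and GitHub OAuth client id/secret are read from SSM into shell variables but, unlike the values handled by `.github/setupEnvSecrets.sh` in this same commit, they are never registered with `::add-mask::`, so any output that echoes the command line (helm error text, a later `--debug`, `set -x`) prints them in the job log. Add `echo "::add-mask::$GRAFANA_ADMIN_PASSWORD"` (and the same for `$GITHUB_OAUTH_CLIENT_ID` and `$GITHUB_OAUTH_CLIENT_SECRET`) directly after each `aws ssm get-parameter`. The `--set grafana.adminPassword=$GRAFANA_ADMIN_PASSWORD` argument and the two OAuth `--set` arguments are unquoted, so a value with whitespace splits the argument list, and helm also treats an unescaped `,` in a `--set` value as a separator; quote the expansions (`--set "grafana.adminPassword=$GRAFANA_ADMIN_PASSWORD"`) or feed secrets through a generated values file. Separately, `actions/checkout@v2` and `aws-actions/configure-aws-credentials@v1` are pinned to mutable major tags here and again in `deploy.yaml` and `trivy-scan.yaml`; pinning to a commit SHA makes the workflow's supply chain auditable.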
@@ -0,0 +1,194 @@ +name: Deploy + +on: + push: + branches: + - main + repository_dispatch: + types: ["bahmni-helm-publish-event","bahmniindia-helm-publish-event"] + workflow_dispatch: + inputs: + enable_db_setup: + description: 'Enable this to create databases' + required: true + type: boolean + default: false + environment: + description: 'Environment to deploy' + required: true + type: choice + default: dev + options: + - dev + - qa + - demo + - performance +env: + ENVIRONMENT: ${{ github.event.inputs.environment || 'dev'}} + ENVIRONMENT_DNS: ${{ (github.event.inputs.environment || 'dev') == 'demo' && 'lite.mybahmni.in' || format('{0}.{1}', github.event.inputs.environment || 'dev', 'lite.mybahmni.in') }} + +jobs: + deploy: + name: Deploy to ${{ github.event.inputs.environment || 'dev'}} environment + concurrency: ${{ github.event.inputs.environment || 'dev'}} + environment: + name: ${{ github.event.inputs.environment || 'dev'}} + url: ${{ (github.event.inputs.environment || 'dev') == 'demo' && 'lite.mybahmni.in' || format('{0}.{1}', github.event.inputs.environment || 'dev', 'lite.mybahmni.in') }} + runs-on: ubuntu-latest + env: + CLUSTER_NAME: bahmni-cluster-nonprod + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} + aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} + aws-region: ${{ secrets.BAHMNI_AWS_REGION }} + role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} + role-duration-seconds: 900 # 15 mins + role-session-name: BahmniInfraAdminSession + - name: Authorise Kubectl with EKS + run: aws eks update-kubeconfig --name $CLUSTER_NAME + - name: Install Nginx Ingress + run: | + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + sed -i.bak "s|XXX.XXX.XXX/XX|10.0.0.0/16|" deploy.yaml + sed -i.bak 
"s|arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX|${{ secrets.MYBAHMNI_CERT_ARN }}|" deploy.yaml + kubectl apply -f deploy.yaml + - name: Upsert Route53 A record with INGRESS_DNS + run: | + INGRESS_DNS=$(kubectl -n ingress-nginx get svc ingress-nginx-controller -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") + jq --arg ingress_dns "$INGRESS_DNS" \ + --arg environment_dns "$ENVIRONMENT_DNS" \ + '.Changes[].ResourceRecordSet.AliasTarget.DNSName = $ingress_dns | .Changes[0].ResourceRecordSet.Name = $environment_dns | .Changes[1].ResourceRecordSet.Name = "payments-"+$environment_dns' \ + aws/route53/lite.mybahmni.in.json > recordset + aws route53 change-resource-record-sets --hosted-zone-id ${{ secrets.HOSTED_ZONE_ID }} --change-batch file://recordset + - name: Setup Environment secrets + shell: bash + run: bash .github/setupEnvSecrets.sh ${{ env.ENVIRONMENT }} + - name: Setup databases + if: ${{ github.event.inputs.enable_db_setup == 'true' }} + run: | + helm install db-setup db-setup --repo https://bahmni.github.io/helm-charts --devel --wait --wait-for-jobs --atomic --timeout 1m \ + --namespace ${{ env.ENVIRONMENT }} --create-namespace \ + --set DB_HOST=$RDS_HOST \ + --set DB_ROOT_USERNAME=$RDS_USERNAME \ + --set DB_ROOT_PASSWORD=$RDS_PASSWORD \ + --set databases.openmrs.DB_NAME=openmrs_${{ env.ENVIRONMENT }} \ + --set databases.openmrs.USERNAME=$OPENMRS_DB_USERNAME \ + --set databases.openmrs.PASSWORD=$OPENMRS_DB_PASSWORD \ + --set databases.crater.DB_NAME=crater_${{ env.ENVIRONMENT }} \ + --set databases.crater.USERNAME=$CRATER_DB_USERNAME \ + --set databases.crater.PASSWORD=$CRATER_DB_PASSWORD \ + --set databases.crater_atomfeed.DB_NAME=crater_atomfeed_${{ env.ENVIRONMENT }} \ + --set databases.crater_atomfeed.USERNAME=$CRATER_ATOMFEED_DB_USERNAME \ + --set databases.crater_atomfeed.PASSWORD=$CRATER_ATOMFEED_DB_PASSWORD \ + --set databases.reports.DB_NAME=bahmni_reports_${{ env.ENVIRONMENT }} \ + --set 
databases.reports.USERNAME=$REPORTS_DB_USERNAME \ + --set databases.reports.PASSWORD=$REPORTS_DB_PASSWORD + + - name: Deleting db-setup helm release + if: ${{ github.event.inputs.enable_db_setup == 'true' }} + run: helm uninstall db-setup --namespace ${{ env.ENVIRONMENT }} + - name: Helm Dependency Update + run: helm dependency update + - name: List Helm Dependencies + run: ls charts + - name: Helm Upgrade + run: | + helm upgrade bahmni-${{ env.ENVIRONMENT }} . \ + --set openmrs.secrets.OMRS_DB_USERNAME=$OPENMRS_DB_USERNAME \ + --set openmrs.secrets.OMRS_DB_PASSWORD=$OPENMRS_DB_PASSWORD \ + --set openmrs.config.OMRS_DB_NAME=openmrs_${{ env.ENVIRONMENT }} \ + --set openmrs.secrets.OMRS_DB_HOSTNAME=$RDS_HOST \ + --set openmrs.secrets.MAIL_USER=$MAIL_USER \ + --set openmrs.secrets.MAIL_PASSWORD=$MAIL_PASSWORD \ + --set openmrs.config.SEND_MAIL=true \ + --set openmrs.config.MAIL_FROM=noreply@mybahmni.in \ + --set openmrs.config.MAIL_SMTP_HOST=email-smtp.ap-south-1.amazonaws.com \ + --set openmrs.config.MAIL_SMTP_PORT=587 \ + --set reports.secrets.OPENMRS_DB_HOST=$RDS_HOST \ + --set reports.secrets.OPENMRS_DB_USERNAME=$OPENMRS_DB_USERNAME \ + --set reports.secrets.OPENMRS_DB_PASSWORD=$OPENMRS_DB_PASSWORD \ + --set reports.config.OPENMRS_DB_NAME=openmrs_${{ env.ENVIRONMENT }} \ + --set reports.secrets.REPORTS_DB_SERVER=$RDS_HOST \ + --set reports.secrets.REPORTS_DB_USERNAME=$REPORTS_DB_USERNAME \ + --set reports.secrets.REPORTS_DB_PASSWORD=$REPORTS_DB_PASSWORD \ + --set reports.config.REPORTS_DB_NAME=bahmni_reports_${{ env.ENVIRONMENT }} \ + --set crater.config.APP_URL=https://payments-${{env.ENVIRONMENT_DNS}} \ + --set crater.config.DB_DATABASE=crater_${{ env.ENVIRONMENT }} \ + --set crater.config.DB_HOST=$RDS_HOST \ + --set crater.config.SANCTUM_STATEFUL_DOMAINS=payments-${{env.ENVIRONMENT_DNS}} \ + --set crater.config.SESSION_DOMAIN=payments-${{env.ENVIRONMENT_DNS}} \ + --set crater.secrets.DB_USERNAME=$CRATER_DB_USERNAME \ + --set 
crater.secrets.DB_PASSWORD=$CRATER_DB_PASSWORD \ + --set crater.secrets.ADMIN_PASSWORD=$CRATER_ADMIN_PASSWORD \ + --set hip.secrets.GATEWAY_CLIENT_ID=$GATEWAY_CLIENT_ID \ + --set hip.secrets.GATEWAY_CLIENT_SECRET=$GATEWAY_CLIENT_SECRET \ + --set hip.secrets.OPENMRS_PASSWORD=Admin123 \ + --set hip.config.BAHMNI_URL=https://${{env.ENVIRONMENT_DNS}}/openmrs \ + --set hip.config.RABBITMQ_USERNAME=$MQ_USERNAME \ + --set hip.config.RABBITMQ_PASSWORD=$MQ_PASSWORD \ + --set hiu.secrets.HIU_CLIENT_ID=$GATEWAY_CLIENT_ID \ + --set hiu.secrets.HIU_CLIENT_SECRET=$GATEWAY_CLIENT_SECRET \ + --set hiu.config.DATA_PUSH_URL=https://${{env.ENVIRONMENT_DNS}}/hiu-api/data/notification \ + --set hiu.config.RABBITMQ_USERNAME=$MQ_USERNAME \ + --set hiu.config.RABBITMQ_PASSWORD=$MQ_PASSWORD \ + --set hiu-ui.config.BACKEND_BASE_URL=https://${{env.ENVIRONMENT_DNS}} \ + --set global.postgresql.auth.postgresPassword=$PSQL_PASSWORD \ + --set rabbitmq.auth.username=$MQ_USERNAME \ + --set rabbitmq.auth.password=$MQ_PASSWORD \ + --set ingress.host=${{env.ENVIRONMENT_DNS}} \ + --set efs.fileSystemId=${{env.EFS_FILESYSTEM_ID}} \ + --set crater-atomfeed.config.CRATER_ATOMFEED_DB_HOST=$RDS_HOST \ + --set crater-atomfeed.config.CRATER_ATOMFEED_DB_NAME=crater_atomfeed_${{ env.ENVIRONMENT }} \ + --set crater-atomfeed.config.CRATER_URL=https://payments-${{env.ENVIRONMENT_DNS}} \ + --set crater-atomfeed.secrets.OPENMRS_ATOMFEED_USER=superman \ + --set crater-atomfeed.secrets.OPENMRS_ATOMFEED_PASSWORD=Admin123 \ + --set crater-atomfeed.secrets.CRATER_USERNAME=superman@bahmni.org \ + --set crater-atomfeed.secrets.CRATER_PASSWORD=$CRATER_ADMIN_PASSWORD \ + --set crater-atomfeed.secrets.CRATER_ATOMFEED_DB_USERNAME=$CRATER_ATOMFEED_DB_USERNAME \ + --set crater-atomfeed.secrets.CRATER_ATOMFEED_DB_PASSWORD=$CRATER_ATOMFEED_DB_PASSWORD \ + --values=values/${{ env.ENVIRONMENT }}.yaml \ + --install \ + --namespace ${{ env.ENVIRONMENT }} --create-namespace + + notification: + name: Slack notification + needs: + - 
deploy + runs-on: ubuntu-latest + if: always() + steps: + - name: Success + if: ${{ needs.deploy.result == 'success' }} + run: | + curl -X POST -H 'Content-type: application/json' --data '{"text":">🟢 Bahmni India Distro deployed. \n>*Bahmni* https://${{env.ENVIRONMENT_DNS}} \n>*Payments* https://payments-${{env.ENVIRONMENT_DNS}} \n> "}' ${{ secrets.SLACK_WEBHOOK_URL }} + - name: Failure + if: ${{ needs.deploy.result == 'failure' }} + run: | + curl -X POST -H 'Content-type: application/json' --data '{"text":"🔴 Bahmni India Distro deployment failed!!! This is where you go look what happened → "}' ${{ secrets.SLACK_WEBHOOK_URL }} + trigger-e2e-smoke-test-lite: + name: Trigger E2E Smoke Test in Dev.Lite + needs: + - deploy + runs-on: ubuntu-latest + if: ${{ ((github.event.inputs.environment || 'dev') == 'dev') && (needs.deploy.result == 'success') }} + steps: + - name: Create repository_dispatch + env: + REPOSITORY_NAME: "bahmni-e2e-tests" + ORG_NAME: "Bahmni" + EVENT_TYPE: "Smoke-Test-Dev-Lite" + TEST_CONTEXT: "clinic & smoke" + run: | + trigger_result=$(curl -s -o trigger_response.txt -w "%{http_code}" -X POST -H "Accept: application/vnd.github.v3+json" -H 'authorization: Bearer ${{ secrets.BAHMNI_PAT }}' https://api.github.com/repos/${ORG_NAME}/${REPOSITORY_NAME}/dispatches -d '{"event_type":"'"${EVENT_TYPE}"'","client_payload":{"context":"'"${TEST_CONTEXT}"'"}}') + if [ $trigger_result == 204 ];then + echo "Trigger to $ORG_NAME/$REPOSITORY_NAME Success" + else + echo "Trigger to $ORG_NAME/$REPOSITORY_NAME Failed" + cat trigger_response.txt + exit 1 + fi diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml new file mode 100644 index 00000000..d9a422c5 --- /dev/null +++ b/.github/workflows/trivy-scan.yaml 
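Review bot: The "Helm Upgrade" step hardcodes application credentials in the workflow — `hip.secrets.OPENMRS_PASSWORD=Admin123`, `crater-atomfeed.secrets.OPENMRS_ATOMFEED_USER=superman` and `crater-atomfeed.secrets.OPENMRS_ATOMFEED_PASSWORD=Admin123` — for environments this same file exposes through the ingress at `<env>.lite.mybahmni.in`, while every other password in the step is fetched from SSM through `.github/setupEnvSecrets.sh` and masked. Move these to SSM parameters fetched the same way (constructed example: `exportWithMask "/$ENVIRONMENT/openmrs/ATOMFEED_PASSWORD" 'OPENMRS_ATOMFEED_PASSWORD'`) and reference `$OPENMRS_ATOMFEED_PASSWORD` in the `--set` line; a committed literal also cannot be rotated without a code change. In the "Install Nginx Ingress" step the controller manifest is fetched with `wget` and passed straight to `kubectl apply` with no checksum or signature check; the same pattern installs the Trivy `.deb` with `sudo dpkg -i` in `trivy-scan.yaml`, and both should at least compare a recorded `sha256sum` before use.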
@@ -0,0 +1,182 @@ +name: Trivy Security Scan + +on: + push: + branches: + - main + paths: + - .github/workflows/trivy-scan.yaml + schedule: + # Runs "At 06:00 AM on every day-of-week. Below time is mentioned in UTC time zone" (see https://crontab.guru) + - cron: '30 0 * * *' + workflow_dispatch: + +env: + CLUSTER_NAME: bahmni-cluster-nonprod + +jobs: + trivy-cluster-summary-scan: + name: Trivy Cluster Summary Scan + runs-on: ubuntu-latest + steps: + - name: Setup Trivy + run: | + wget https://github.com/aquasecurity/trivy/releases/download/v0.31.3/trivy_0.31.3_Linux-64bit.deb + sudo dpkg -i trivy_0.31.3_Linux-64bit.deb + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} + aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} + aws-region: ${{ secrets.BAHMNI_AWS_REGION }} + role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} + role-duration-seconds: 900 # 15 mins + role-session-name: BahmniInfraAdminSession + - name: Authorise Kubectl with EKS + run: aws eks update-kubeconfig --name $CLUSTER_NAME + + - name: Create reports directory + run: mkdir reports + + - name: Run Trivy Summary Scan + run: trivy k8s --no-progress --report=summary --timeout=1h cluster -o reports/cluster-summary.txt + + - name: Upload Report Artifact + uses: actions/upload-artifact@v3 + with: + name: cluster-summary + path: reports/ + + get-namespaces: + name: Get Namespaces + runs-on: ubuntu-latest + outputs: + namespaces: ${{ steps.get-namespaces.outputs.namespaces }} + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} + aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} + aws-region: ${{ secrets.BAHMNI_AWS_REGION }} + role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} + role-duration-seconds: 900 # 15 mins + role-session-name: BahmniInfraAdminSession + - name: Authorise Kubectl with EKS + 
run: aws eks update-kubeconfig --name $CLUSTER_NAME + - name: Get namespaces list + id: get-namespaces + run: | + NAMESPACES=$(kubectl get ns -o json | jq -c ".items[] | .metadata.name" | jq -s .) + echo $NAMESPACES + echo ::set-output name=namespaces::${NAMESPACES} + + trivy-namespace-scan: + name: Trivy Namespace Scan + runs-on: ubuntu-latest + needs: [ get-namespaces ] + strategy: + matrix: + namespaces: ${{ fromJson(needs.get-namespaces.outputs.namespaces) }} + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Setup Trivy + run: | + wget https://github.com/aquasecurity/trivy/releases/download/v0.31.3/trivy_0.31.3_Linux-64bit.deb + sudo dpkg -i trivy_0.31.3_Linux-64bit.deb + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} + aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} + aws-region: ${{ secrets.BAHMNI_AWS_REGION }} + role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} + role-duration-seconds: 900 # 15 mins + role-session-name: BahmniInfraAdminSession + - name: Authorise Kubectl with EKS + run: aws eks update-kubeconfig --name $CLUSTER_NAME + + - name: Create reports directory + run: mkdir reports + + - name: Run Trivy Detailed Scan for Critical Vulnerabilities + run: trivy k8s --no-progress --severity CRITICAL --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/critical-vulnerabilities.txt + - name: Run Trivy Detailed Scan for High Vulnerabilities + run: trivy k8s --no-progress --severity HIGH --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/high-vulnerabilities.txt + - name: Run Trivy Detailed Scan for Medium Vulnerabilities + run: trivy k8s --no-progress --severity MEDIUM --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/medium-vulnerabilities.txt + - name: Run Trivy Detailed Scan for Low Vulnerabilities + run: trivy k8s --no-progress --severity LOW 
--report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/low-vulnerabilities.txt + - name: Run Trivy Detailed Scan for Unknown Vulnerabilities + run: trivy k8s --no-progress --severity UNKNOWN --report=all --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/unknown-vulnerabilities.txt + - name: Checking for Empty Vulnerability Reports + shell: bash + run: bash .github/check_empty_reports.sh + - name: Run Trivy Summary Scan + run: trivy k8s --no-progress --report=summary --namespace ${{ matrix.namespaces }} --timeout=1h all -o reports/trivy-summary.txt + + - name: Upload Report Artifact + uses: actions/upload-artifact@v3 + with: + name: ${{ matrix.namespaces }} + path: reports/ + + upload-report: + runs-on: ubuntu-latest + name: Upload Report + needs: [ trivy-namespace-scan, trivy-cluster-summary-scan ] + steps: + - name: Checkout reports branch + uses: actions/checkout@v2 + with: + ref: gh-pages + - name: Download Reports + uses: actions/download-artifact@v3 + with: + path: trivy-reports/ + - name: Update report timestamp + run: | + sed -i.bak "s|Report Generated at:.*

|Report Generated at: $(TZ=Asia/Kolkata date)

|" trivy-reports/index.html && rm trivy-reports/index.html.bak + - name: Publish Report + run: | + git config user.name 'github-actions[bot]' + git config user.email 'github-actions[bot]@users.noreply.github.com' + git add . + git commit -m "Updating trivy-report" + git push + + save-scan-summary: + name: Save Scan Summary + needs: upload-report + runs-on: ubuntu-latest + steps: + - name: Checkout reports branch + uses: actions/checkout@v2 + with: + ref: gh-pages + + - name: Download Cluster Summary + uses: actions/download-artifact@v3 + with: + name: cluster-summary + + - name: Rename Scan Summary with current date + run: mv cluster-summary.txt scan-summary-history/cluster-summary-"$(date +"%m-%d-%y")".txt + + - name: Publish Report + run: | + git config user.name 'github-actions[bot]' + git config user.email 'github-actions[bot]@users.noreply.github.com' + git add . + git commit -m "Saving Cluster Scan Summary for "$(date +"%m-%d-%y")"" + git push + + notification: + name: Slack notification + needs: [upload-report] + runs-on: ubuntu-latest + steps: + - name: Post message + run: | + curl -X POST -H 'Content-type: application/json' --data '{"text":"🔎 Trivy Security Scan completed for ${{ env.CLUSTER_NAME }}. \n> "}' ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/Chart.yaml b/Chart.yaml index cda568c9..a62b731d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,11 +1,11 @@ apiVersion: v2 -name: bahmni -description: Helm Umbrella chart for Bahmni +name: bahmni-india-distro +description: Helm Umbrella chart for Bahmni India Distribution type: application version: 1.0.0 dependencies: - - repository: https://bahmni.github.io/helm-charts + - repository: https://bahmniindiadistro.github.io/helm-charts name: openmrs version: ~1.0.0-0 condition: openmrs.enabled 
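Review bot: The "Get namespaces list" step publishes its result with `echo ::set-output name=namespaces::${NAMESPACES}`; the `set-output` workflow command is deprecated by GitHub in favour of the `$GITHUB_OUTPUT` file, so this should become `echo "namespaces=${NAMESPACES}" >> "$GITHUB_OUTPUT"`, and the preceding `echo $NAMESPACES` should quote its expansion. All three scan jobs assume `secrets.BAHMNI_INFRA_ADMIN_ROLE`, the same role the deploy workflows use to mutate the cluster; a `trivy k8s` scan presumably only needs read access, so a dedicated read-only role would stop a compromised scheduled job from changing infrastructure — worth confirming against what that role actually grants. The "Publish Report" step runs `git add .` on the `gh-pages` checkout after downloading every per-namespace artifact, so the full vulnerability detail for a live cluster lands on that branch; if the pages site is publicly reachable, consider whether that level of detail should be published or only the summary.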
@@ -30,6 +30,41 @@ dependencies: version: ~1.0.0-0 condition: reports.enabled + - repository: https://bahmniindiadistro.github.io/helm-charts + name: hip + version: ~1.0.0-0 + condition: hip.enabled + + - repository: https://bahmniindiadistro.github.io/helm-charts + name: hiu + version: ~1.0.0-0 + condition: hiu.enabled + + - repository: https://bahmniindiadistro.github.io/helm-charts + name: hiu-db + version: ~1.0.0-0 + condition: hiu-db.enabled + + - repository: https://bahmniindiadistro.github.io/helm-charts + name: hiu-ui + version: ~1.0.0-0 + condition: hiu-ui.enabled + + - repository: https://bahmniindiadistro.github.io/helm-charts + name: otp-service + version: ~1.0.0-0 + condition: otp-service.enabled + + - repository: https://charts.bitnami.com/bitnami + name: postgresql + version: 12.1.2 + condition: postgresql.enabled + + - repository: https://charts.bitnami.com/bitnami + name: rabbitmq + version: 11.1.2 + condition: rabbitmq.enabled + - repository: https://bahmni.github.io/helm-charts name: patient-documents version: ~1.0.0-0 @@ -40,6 +75,11 @@ dependencies: version: ~1.0.0-0 condition: crater-atomfeed.enabled + - repository: https://bahmniindiadistro.github.io/helm-charts + name: hip-atomfeed + version: ~1.0.0-0 + condition: hip-atomfeed.enabled + - repository: https://bahmni.github.io/helm-charts name: appointments version: ~1.0.0-0 @@ -53,3 +93,8 @@ dependencies: - repository: https://bahmniindiadistro.github.io/helm-charts name: clinic-config version: ~1.0.0-0 + + - repository: https://bahmniindiadistro.github.io/helm-charts + name: abha-verification + version: ~1.0.0-0 + condition: abha-verification.enabled diff --git a/README.md b/README.md index 5be1585b..a908c130 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,118 @@ # helm-umbrella-chart -Helm Umbrella Chart for Bahmni +Helm Umbrella Chart for Bahmni India Distro ## Setting Bahmni K8s cluster using Minikube for development - [Developers Guide](https://bahmni.atlassian.net/wiki/spaces/BAH/pages/3073245197/Bahmni+K8s+with+Minikube+for+Development) + +## Setup Developer Access to the Cluster on AWS EKS + +> **_NOTE:_** Below details are only relevant for cluster running on AWS EKS + +#### Creating a User Group for EKS Cluster Admin Access + +Create a new IAM group for developers + +``` +aws iam create-group --group-name bahmni_eks_developers +``` + +When IAM users are added to this group then they will get full access to +resources in the EKS cluster. + +#### Create an IAM role + +Create Role with trust policy (first time) + +``` +aws iam create-role --role-name BahmniEKSDeveloperRoleForIAMUsers --assume-role-policy-document file://aws/roles/BahmniEKSDeveloperRoleForIAMUsers.json +``` + +#### Create Policies + +`aws/policies` folder contains all custom policies applied to the AWS account. + +Create a `AssumeRole` policy: + +``` + aws iam create-policy --policy-name BahmniEKSDeveloperAssumeRolePolicy --policy-document file://aws/policies/BahmniEKSDeveloperAssumeRolePolicy.json +``` + +Create a `BahmniEKSDeveloper` policy: + +``` +aws iam create-policy --policy-name BahmniEKSDeveloper --policy-document file://aws/policies/BahmniEKSDeveloper.json +``` + +Note the policy arns + +Next, Attach the `BahmniEKSDeveloperAssumeRolePolicy` to `bahmni_eks_developers` +group. + +``` +aws iam attach-group-policy --group-name bahmni_eks_developers --policy-arn +``` + +Attach the `BahmniEKSDeveloper` to `BahmniEKSDeveloperRoleForIAMUsers` role. 
+ +``` +aws iam attach-role-policy --policy-arn --role-name BahmniEKSDeveloperRoleForIAMUsers +``` + +#### Authorise kubectl with EKS + +``` +aws eks update-kubeconfig --name bahmni-cluster-dev +``` + +#### Apply Kubernetes Developer Cluster Role + +``` +kubectl apply -f k8s-rbac/eks-developer.yaml +``` + +#### Create Identity Mapping + +``` +eksctl create iamidentitymapping \ +--cluster bahmni-cluster-nonprod \ +--arn arn:aws:iam::{YourAccountNumber}:role/BahmniEKSDeveloperRoleForIAMUsers \ +--group eks-developer-group \ +--username assume-role-user \ +--no-duplicate-arns +``` + +## Access RDS databases on AWS + +> **_NOTE:_** Below details are only relevant for cluster using database on AWS +> RDS + +#### Prerequisite: + +This is a one time setup. Configure your AWS CLI by following the steps +[here](https://bahmni.atlassian.net/wiki/spaces/BAH/pages/3023011844/AWS+Access+for+Developers). + +#### Connecting to Database: + +1. Navigate to the project root directory +2. Set your AWS Profile: `export AWS_PROFILE=bahmni-eks-developers` (Change the + profile name if you have configured aws credentials with a different profile) +3. Set your AWS Region: `export AWS_REGION=ap-south-1` +4. Run the script `connectmysqlrds.sh` + +```shell +./connectmysqlrds.sh + +e.g +./connectmysqlrds.sh dev openmrs +``` + +## View JVM metrics in Grafana +The JVM metrics for OpenMRS is fetched and displayed on route `/metrics` in port `8280` +with the help of [jmx-exporter](https://github.com/prometheus/jmx_exporter). Information related to heap space, GC count CPU load are provided in this route, which is visualised in Grafana with the help of [JVM dashboard](https://grafana.com/grafana/dashboards/8563-jvm-dashboard/). +- Sign in to monitoring environment +- Open Dashboards → Import +- Add the following ID (`8563`) to use JVM dashboard +- Click `load` button +- This would bring up the JVM dashboard containing visualised information of the JVM metrices. \ No newline at end of file 
diff --git a/aws/policies/BahmniEKSDeveloper.json b/aws/policies/BahmniEKSDeveloper.json
new file mode 100644
index 00000000..1f48a2be
--- /dev/null
+++ b/aws/policies/BahmniEKSDeveloper.json
@@ -0,0 +1,42 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "eks:DescribeCluster",
+ "Resource": "arn:aws:eks:ap-south-1:{YourAccountNumber}:cluster/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:DescribeParameters"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:GetParameter*"
+ ],
+ "Resource": [
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/demo/crater/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/dev/crater/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/demo/openmrs/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/dev/openmrs/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/demo/reports/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/dev/reports/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/qa/crater/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/qa/openmrs/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/qa/reports/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/performance/crater/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/performance/openmrs/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/performance/reports/*",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/nonprod/efs/file_system_id",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/nonprod/psql/DB_PASSWORD",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/nonprod/rds/mysql/host",
+ "arn:aws:ssm:ap-south-1:{YourAccountNumber}:parameter/nonprod/rabbitmq/*"
+ ]
+
+ }
+ ]
+}
diff --git a/aws/policies/BahmniEKSDeveloperAssumeRolePolicy.json b/aws/policies/BahmniEKSDeveloperAssumeRolePolicy.json
new file mode 100644
index 00000000..3a06f447
--- /dev/null
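Review bot: The third statement grants `ssm:GetParameter*`, which expands beyond `GetParameter`/`GetParameters` to `GetParameterHistory` and `GetParametersByPath`, so group members can read every previous value of the listed credentials rather than only the current one, which undoes much of the benefit of rotating a leaked database password. If developers only need current values, list the actions explicitly — `"ssm:GetParameter"`, `"ssm:GetParameters"` — and add `"ssm:GetParametersByPath"` only if a consumer needs it; `connectmysqlrds.sh` on this page calls only `get-parameter`. The resource list deliberately omits `/nonprod/rds/mysql/username` and `/nonprod/rds/mysql/password` (the root credentials `setupEnvSecrets.sh` reads) while including `/nonprod/rds/mysql/host`; since JSON cannot carry a comment, a sentence in the README stating that developers are not meant to hold the RDS root credentials would stop a later edit from "fixing" it with a wildcard.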
+++ b/aws/policies/BahmniEKSDeveloperAssumeRolePolicy.json
@@ -0,0 +1,11 @@
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": [
+ "sts:AssumeRole",
+ "sts:TagSession"
+ ],
+ "Resource": "arn:aws:iam::{YourAccountNumber}:role/BahmniEKSDeveloperRoleForIAMUsers"
+ }
+}
\ No newline at end of file
diff --git a/aws/roles/BahmniEKSDeveloperRoleForIAMUsers.json b/aws/roles/BahmniEKSDeveloperRoleForIAMUsers.json
new file mode 100644
index 00000000..6fd19258
--- /dev/null
+++ b/aws/roles/BahmniEKSDeveloperRoleForIAMUsers.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::{YourAccountNumber}:root"
+ },
+ "Action": [
+ "sts:AssumeRole",
+ "sts:TagSession"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/aws/route53/lite.mybahmni.in.json b/aws/route53/lite.mybahmni.in.json
new file mode 100644
index 00000000..853c940a
--- /dev/null
+++ b/aws/route53/lite.mybahmni.in.json
@@ -0,0 +1,29 @@
+{
+ "Comment": "Creating Alias resource record set in Route 53",
+ "Changes": [
+ {
+ "Action": "UPSERT",
+ "ResourceRecordSet": {
+ "Name": "{environment domain replaced in the pipeline}.mybahmni.in",
+ "Type": "A",
+ "AliasTarget": {
+ "HostedZoneId": "ZVDDRBQ08TROA",
+ "DNSName": "bogus-DNS-will-be-replaced-in-pipeline.amazonaws.com",
+ "EvaluateTargetHealth": false
+ }
+ }
+ },
+ {
+ "Action": "UPSERT",
+ "ResourceRecordSet": {
+ "Name": "payments-{environment domain replaced in the pipeline}.mybahmni.in",
+ "Type": "A",
+ "AliasTarget": {
+ "HostedZoneId": "ZVDDRBQ08TROA",
+ "DNSName": "bogus-DNS-will-be-replaced-in-pipeline.amazonaws.com",
+ "EvaluateTargetHealth": false
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/aws/route53/monitoring-lite.mybahmni.in.json b/aws/route53/monitoring-lite.mybahmni.in.json
new file mode 100644
index 00000000..c970c07d
--- /dev/null
+++ b/aws/route53/monitoring-lite.mybahmni.in.json
@@ -0,0 +1,17 @@
+{
+ "Comment": "Creating Alias resource record set in Route 53",
+ "Changes": [
+ {
+ "Action": "UPSERT",
+ "ResourceRecordSet": {
+ "Name": "monitoring-lite.mybahmni.in.",
+ "Type": "A",
+ "AliasTarget": {
+ "HostedZoneId": "ZVDDRBQ08TROA",
+ "DNSName": "bogus-DNS-will-be-replaced-in-pipeline.amazonaws.com",
+ "EvaluateTargetHealth": false
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/connectmysqlrds.sh b/connectmysqlrds.sh
new file mode 100755
index 00000000..dfd765dd
--- /dev/null
+++ b/connectmysqlrds.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+ENVIRONMENT=$1
+APPLICATION_NAME=$2
+echo "Getting Secrets from SSM...."
+DB_HOST=$(aws ssm get-parameter --with-decryption --name "/nonprod/rds/mysql/host" --query "Parameter.Value" --output text)
+DB_USERNAME=$(aws ssm get-parameter --with-decryption --name "/$ENVIRONMENT/$APPLICATION_NAME/DB_USERNAME" --query "Parameter.Value" --output text)
+DB_PASSWORD=$(aws ssm get-parameter --with-decryption --name "/$ENVIRONMENT/$APPLICATION_NAME/DB_PASSWORD" --query "Parameter.Value" --output text)
+echo "Creating Bastion Pod...."
+kubectl run "bastion-$RANDOM" --rm -it --image alpine --env="DB_HOST=$DB_HOST" --env="DB_USERNAME=$DB_USERNAME" --env="DB_PASSWORD=$DB_PASSWORD" -- sh -c 'apk add mysql-client && mysql -h$DB_HOST -u$DB_USERNAME -p$DB_PASSWORD'
diff --git a/k8s-rbac/eks-developer.yaml b/k8s-rbac/eks-developer.yaml
new file mode 100644
index 00000000..64b62a7d
--- /dev/null
+++ b/k8s-rbac/eks-developer.yaml
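Review bot: The final `kubectl run` line places the database password in the pod specification (`--env="DB_PASSWORD=$DB_PASSWORD"`) and then on the `mysql` command line inside the container (`-p$DB_PASSWORD`), so it is readable by anyone who can `get pods` in that namespace — which `developer-role` in this commit grants cluster-wide — by any process in the pod via the process list, and it is recorded with the pod-create request in the API-server audit log. The `mysql` client reads `MYSQL_PWD` from its environment, so `MYSQL_PWD="$DB_PASSWORD" mysql -h"$DB_HOST" -u"$DB_USERNAME"` at least removes it from argv inside the pod; keeping it out of the pod spec needs the value delivered another way, for instance a short-lived Secret referenced by the pod instead of an inline `--env`. `bastion-$RANDOM` is created in whatever namespace the current kubeconfig context selects; an explicit `--namespace` makes that deliberate. `$ENVIRONMENT` and `$APPLICATION_NAME` are never checked, so running the script without arguments requests `//DB_USERNAME`; `: "${1:?environment required}"` and `: "${2:?application required}"` fail early with a clear message.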
@@ -0,0 +1,102 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: developer-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - namespaces
+ - pods/log
+ - services
+ - replicationcontrollers
+ - secrets
+ - configmaps
+ - persistentvolumeclaims
+ - persistentvolumes
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/attach
+ - pods/portforward
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - statefulsets
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - deployments/scale
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eks-developer-binding
+subjects:
+- kind: Group
+ name: eks-developer-group
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: developer-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
index 11f645fd..2ff17d50 100644
--- a/templates/ingress.yaml
+++ b/templates/ingress.yaml
@@ -82,6 +82,16 @@ spec:
 number: 80
 {{- end }}
 
+ {{- if index .Values "abha-verification" "enabled" }}
+ - path: /abha-verification
+ pathType: Prefix
+ backend:
+ service:
+ name: abha-verification
+ port:
+ number: 80
+ {{- end }}
+
 - host: payments-{{ .Values.ingress.host }}
 http:
 paths:
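Review bot: `developer-role` is bound through a `ClusterRoleBinding`, so `eks-developer-group` receives every rule here in every namespace, `kube-system` included; together with `secrets` get/list/watch in the first rule and `create` on `pods/exec` and `pods/attach` in later rules, a group member can read any Secret (service-account tokens among them) and exec into any pod, which in practice is equivalent to cluster-admin. If cluster-wide access is not intended, bind the role with a `RoleBinding` per application namespace and keep only a small ClusterRole for the genuinely cluster-scoped resources (`nodes`, `namespaces`, `persistentvolumes`), and drop `secrets` from the read rule or confine it to the namespaced binding. A comment above `rules:` stating the intended audience and blast radius (`# developer access: read-only except pods; review before adding verbs`) would help the next person who extends this file.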
@@ -121,3 +131,67 @@ spec:
 port:
 number: 8080
 {{- end }}
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: abdm-ingress
+ labels:
+ environment: {{ .Values.metadata.labels.environment }}
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.metadata.ingress.ABDM_PROXY_BODY_SIZE }}
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location ^~ /hiprovider {
+ if ($http_X_HIU_ID != '') {
+ rewrite ^/hiprovider(.*) /hiu-api$1 last;
+ }
+ rewrite ^/hiprovider(.*) /hip$1 last;
+ }
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ .Values.ingress.host }}
+ http:
+ paths:
+ {{- if .Values.hiu.enabled }}
+ - path: /hiu-api/(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: hiu
+ port:
+ number: 9053
+ {{- end }}
+
+ {{- if .Values.hip.enabled }}
+ - path: /hip/(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: hip
+ port:
+ number: 8000
+ {{- end }}
+
+ {{- if index .Values "hiu-ui" "enabled" }}
+ - path: /hiuser(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: hiu-ui
+ port:
+ number: 5000
+ {{- end }}
+
+ {{- if index .Values "otp-service" "enabled" }}
+ - path: /otp-service/(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: otp-service
+ port:
+ number: 80
+ {{- end }}
+
diff --git a/templates/postgres-pv-efs.yaml b/templates/postgres-pv-efs.yaml
new file mode 100644
index 00000000..bf6ee9c5
--- /dev/null
+++ b/templates/postgres-pv-efs.yaml
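Review bot: The `server-snippet` routes on the client-supplied `X-HIU-ID` header — any `/hiprovider…` request carrying it is rewritten to `/hiu-api` instead of `/hip` — so the `hiu` backend has to treat that header as untrusted input rather than an authenticated identity, and that expectation belongs in a comment next to the annotation (`# X-HIU-ID only selects the backend; it is not trusted for authz`). Depending on the ingress-nginx version in use, `allow-snippet-annotations` may be disabled, in which case this object is rejected at admission; worth confirming in the target clusters. The `hiu-ui` path `/hiuser(.*)` has no `/` before the capture group, unlike `/hiu-api/(.*)`, `/hip/(.*)` and `/otp-service/(.*)`; with `rewrite-target: /$1` a request to `/hiuser/x` appears to become `//x` and `/hiuserfoo` also matches, so `- path: /hiuser/(.*)` is probably intended unless the UI relies on the prefix form. The hunk contains the whole new `abdm-ingress` object; the preceding Ingress ends outside it.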
@@ -0,0 +1,21 @@
+# This is a temporary PV for postgresql helm chart.
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: postgresql-efs-volume-{{ .Values.metadata.labels.environment }}
+spec:
+ capacity:
+ storage: 10Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteMany
+ mountOptions:
+ - tls
+ persistentVolumeReclaimPolicy: Retain
+ claimRef:
+ namespace: {{ .Values.metadata.labels.environment }}
+ name: data-bahmni-{{ .Values.metadata.labels.environment }}-postgresql-0
+ storageClassName: bahmni-efs-sc
+ csi:
+ driver: efs.csi.aws.com
+ volumeHandle: {{ .Values.efs.fileSystemId }}
diff --git a/values/demo.yaml b/values/demo.yaml
new file mode 100644
index 00000000..7ba3616f
--- /dev/null
+++ b/values/demo.yaml
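Review bot: `volumeHandle: {{ .Values.efs.fileSystemId }}` mounts the root of the EFS file system with no access point, and the `postgresql` sections of the values files in this commit distinguish environments only by `persistence.subPath` (`demo`, `dev`, …) on the same storage class, which suggests several environments' database directories sit side by side on one file system visible to any pod that binds this PV. Consider one EFS access point per environment with an enforced POSIX uid/gid and root directory, referenced in `volumeHandle` in the `<fs-id>::<access-point-id>` form the EFS CSI driver accepts, so a pod cannot reach sibling environments' data. The header comment calls the PV temporary; `persistentVolumeReclaimPolicy: Retain` means it will outlive the release, so add a `# TODO(owner): remove when …` stating the removal condition. None of the `values/*.yaml` files added here define `efs.fileSystemId`, so the template presumably depends on `--set` from the pipeline — a one-line comment saying so would save the next reader a search.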
@@ -0,0 +1,159 @@
+global:
+ storageClass: bahmni-efs-sc
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+
+metadata:
+ labels:
+ environment: demo
+ ingress:
+ PROXY_BODY_SIZE: "7m"
+ ABDM_PROXY_BODY_SIZE: "30m"
+
+openmrs:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+bahmni-web:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+bahmni-lab:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+crater:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+ config:
+ AUTO_INSTALL: "true"
+ ADMIN_NAME: Super Man
+ COMPANY_NAME: Bahmni
+ COMPANY_SLUG: bahmni
+ COUNTRY_ID: 101
+ secrets:
+ ADMIN_EMAIL: "superman@bahmni.org"
+reports:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+ config:
+ OPENMRS_HOST: "openmrs"
+hiu:
+ enabled: true
+ config:
+ POSTGRES_HOST: "bahmni-demo-postgresql"
+ RABBITMQ_HOST: "bahmni-demo-rabbitmq"
+ HIU_ID: "Bahmni-Demo"
+ HIU_NAME: "Bahmni-Demo"
+ metadata:
+ labels:
+ environment: demo
+hiu-db:
+ enabled: true
+ config:
+ JAVA_TOOL_OPTIONS: "-Djdbc.url=jdbc:postgresql://bahmni-demo-postgresql:5432/ -Djdbc.username=postgres -Djdbc.password=welcome -Djdbc.database=health_information_user"
+ metadata:
+ labels:
+ environment: demo
+hiu-ui:
+ enabled: true
+ config:
+ POSTGRES_HOST: bahmni-demo-postgresql
+ RABBITMQ_HOST: bahmni-demo-rabbitmq
+ metadata:
+ labels:
+ environment: demo
+hip:
+ enabled: true
+ config:
+ CONNECTION_STRING: "Host=bahmni-demo-postgresql;Port=5432;Username=postgres;Password=welcome;Database=hipservice"
+ RABBITMQ_HOST: "bahmni-demo-rabbitmq"
+ BAHMNI_ID: "Bahmni-Demo"
+ metadata:
+ labels:
+ environment: demo
+otp-service:
+ enabled: true
+ config:
+ CONNECTION_STRING: "Host=bahmni-demo-postgresql;Port=5432;Username=postgres;Password=welcome;Database=otpservice;"
+ metadata:
+ labels:
+ environment: demo
+hip-atomfeed:
+ enabled: true
+ config:
+ DATABASE_URL: "jdbc:postgresql://bahmni-demo-postgresql:5432/"
+ metadata:
+ labels:
+ environment: demo
+
+postgresql:
+ enabled: true
+ volumePermissions:
+ enabled: true
+ primary:
+ persistence:
+ subPath: demo
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+ image:
+ tag: 14-debian-11
+
+rabbitmq:
+ enabled: true
+ auth:
+ erlangCookie: bahmni
+ persistence:
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+ image:
+ repository: rabbitmq
+ tag: alpine
+
+patient-documents:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+ config:
+ OPENMRS_HOST: "openmrs"
+
+appointments:
+ enabled: true
+
+
+crater-atomfeed:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+
+implementer-interface:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
+
+clinic-config:
+ metadata:
+ labels:
+ environment: demo
+
+abha-verification:
+ enabled: true
+ metadata:
+ labels:
+ environment: demo
diff --git a/values/dev.yaml b/values/dev.yaml
new file mode 100644
index 00000000..1baed3c9
--- /dev/null
+++ b/values/dev.yaml
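Review bot: Database credentials are committed in plaintext in `values/demo.yaml`: `hiu-db.config.JAVA_TOOL_OPTIONS` carries `-Djdbc.username=postgres -Djdbc.password=welcome`, and both `hip.config.CONNECTION_STRING` and `otp-service.config.CONNECTION_STRING` carry `Username=postgres;Password=welcome`; the same values recur in `values/dev.yaml`, `values/performance.yaml`, `values/qa.yaml` and `values/local.yaml` in this commit. `connectmysqlrds.sh` in the same commit already fetches DB credentials from SSM at run time, so these should be supplied the same way (a Kubernetes Secret the charts reference, or `--set` from the pipeline) and the `postgres` superuser replaced by per-service accounts. `rabbitmq.auth.erlangCookie: bahmni` is likewise a static, guessable cluster cookie and should be generated per environment. These appear to be non-production environments, but these files are the template anything promoted further will be copied from.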
@@ -0,0 +1,107 @@
+global:
+ storageClass: bahmni-efs-sc
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+
+metadata:
+ labels:
+ environment: dev
+ ingress:
+ PROXY_BODY_SIZE: "7m"
+ ABDM_PROXY_BODY_SIZE: "30m"
+
+openmrs:
+ enabled: true
+bahmni-web:
+ enabled: true
+bahmni-lab:
+ enabled: true
+crater:
+ enabled: true
+ config:
+ AUTO_INSTALL: "true"
+ ADMIN_NAME: Super Man
+ COMPANY_NAME: Bahmni
+ COMPANY_SLUG: bahmni
+ COUNTRY_ID: 101
+ secrets:
+ ADMIN_EMAIL: "superman@bahmni.org"
+reports:
+ enabled: true
+ config:
+ OPENMRS_HOST: "openmrs"
+hiu:
+ enabled: true
+ config:
+ POSTGRES_HOST: "bahmni-dev-postgresql"
+ RABBITMQ_HOST: "bahmni-dev-rabbitmq"
+ HIU_ID: "Bahmni"
+ HIU_NAME: "Bahmni"
+
+hiu-db:
+ enabled: true
+ config:
+ JAVA_TOOL_OPTIONS: "-Djdbc.url=jdbc:postgresql://bahmni-dev-postgresql:5432/ -Djdbc.username=postgres -Djdbc.password=welcome -Djdbc.database=health_information_user"
+hiu-ui:
+ enabled: true
+ config:
+ POSTGRES_HOST: bahmni-dev-postgresql
+ RABBITMQ_HOST: bahmni-dev-rabbitmq
+hip:
+ enabled: true
+ config:
+ CONNECTION_STRING: "Host=bahmni-dev-postgresql;Port=5432;Username=postgres;Password=welcome;Database=hipservice"
+ RABBITMQ_HOST: "bahmni-dev-rabbitmq"
+ BAHMNI_ID: "Bahmni"
+otp-service:
+ enabled: true
+hip-atomfeed:
+ enabled: true
+
+postgresql:
+ enabled: true
+ volumePermissions:
+ enabled: true
+ primary:
+ persistence:
+ subPath: dev
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+ image:
+ tag: 14-debian-11
+
+rabbitmq:
+ enabled: true
+ auth:
+ erlangCookie: bahmni
+ persistence:
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+ image:
+ repository: rabbitmq
+ tag: alpine
+
+patient-documents:
+ enabled: true
+ config:
+ OPENMRS_HOST: "openmrs"
+
+crater-atomfeed:
+ enabled: true
+ metadata:
+ labels:
+ environment: dev
+appointments:
+ enabled: true
+
+implementer-interface:
+ enabled: true
+
+abha-verification:
+ enabled: true
diff --git a/values/local.yaml b/values/local.yaml
index a20b277c..f60d6440 100644
--- a/values/local.yaml
+++ b/values/local.yaml
@@ -7,8 +7,8 @@ metadata:
 labels:
 environment: local
 ingress:
- PROXY_BODY_SIZE: '7m'
- ABDM_PROXY_BODY_SIZE: '30m'
+ PROXY_BODY_SIZE: "7m"
+ ABDM_PROXY_BODY_SIZE: "30m"
 
 ingress:
 host: bahmni.k8s
@@ -23,30 +23,30 @@ openmrs:
 bahmni-web:
 enabled: true
 bahmni-lab:
- enabled: true
+ enabled: false
 crater:
 enabled: true
 config:
- APP_URL: http://payments-bahmni.k8s
+ APP_URL: http://payments-bahmni.local
 DB_DATABASE: crater
 DB_HOST: mysql
 DB_PORT: 3306
- SANCTUM_STATEFUL_DOMAINS: payments-bahmni.k8s
- SESSION_DOMAIN: payments-bahmni.k8s
- AUTO_INSTALL: 'true'
+ SANCTUM_STATEFUL_DOMAINS: payments-bahmni.local
+ SESSION_DOMAIN: payments-bahmni.local
+ AUTO_INSTALL: "true"
 ADMIN_NAME: Super Man
 COMPANY_NAME: Bahmni
 COMPANY_SLUG: bahmni
 COUNTRY_ID: 101
 secrets:
- DB_USERNAME: 'crater-user'
- DB_PASSWORD: 'password'
- ADMIN_EMAIL: 'superman@bahmni.org'
- ADMIN_PASSWORD: 'crater123'
+ DB_USERNAME: "crater-user"
+ DB_PASSWORD: "password"
+ ADMIN_EMAIL: "superman@bahmni.org"
+ ADMIN_PASSWORD: "crater123"
 reports:
- enabled: true
+ enabled: false
 config:
- OPENMRS_HOST: 'openmrs'
+ OPENMRS_HOST: "openmrs"
 OPENMRS_DB_NAME: openmrs
 REPORTS_DB_NAME: reports
 secrets:
@@ -56,16 +56,51 @@ reports:
 REPORTS_DB_SERVER: mysql
 REPORTS_DB_USERNAME: reports-user
 REPORTS_DB_PASSWORD: password
+hiu:
+ enabled: false
+ config:
+ POSTGRES_HOST: bahmni-local-postgresql
+ RABBITMQ_HOST: bahmni-local-rabbitmq
+hiu-db:
+ enabled: false
+ config:
+ JAVA_TOOL_OPTIONS: "-Djdbc.url=jdbc:postgresql://bahmni-local-postgresql:5432/ -Djdbc.username=postgres -Djdbc.password=welcome -Djdbc.database=health_information_user"
+hiu-ui:
+ enabled: false
+hip:
+ enabled: false
+ config:
+ CONNECTION_STRING: "Host=bahmni-local-postgresql;Port=5432;Username=postgres;Password=welcome;Database=hipservice"
+ RABBITMQ_HOST: "bahmni-local-rabbitmq"
+otp-service:
+ enabled: false
+postgresql:
+ enabled: false
+rabbit-mq:
+ enabled: false
+hip-atomfeed:
+ enabled: false
+
+rabbitmq:
+ auth:
+ username: bahmni
+ password: bahmni
+ erlangCookie: bahmni
+
 patient-documents:
 enabled: true
 config:
- OPENMRS_HOST: 'openmrs'
+ OPENMRS_HOST: "openmrs"
 appointments:
 enabled: true
+
 crater-atomfeed:
 enabled: true
 implementer-interface:
 enabled: true
+
+abha-verification:
+ enabled: false
diff --git a/values/monitoring.yaml b/values/monitoring.yaml
index e83bd877..87e259a9 100644
--- a/values/monitoring.yaml
+++ b/values/monitoring.yaml
@@ -15,7 +15,7 @@ grafana:
 auth_url: https://github.com/login/oauth/authorize
 token_url: https://github.com/login/oauth/access_token
 api_url: https://api.github.com/user
- allowed_organizations: Bahmni
+ allowed_organizations: Bahmni BahmniIndiaDistro IPLit
 users:
 viewers_can_edit: true
 additionalDataSources:
@@ -58,7 +58,7 @@ prometheus:
 nodeSelector:
 eks.amazonaws.com/nodegroup: nonprod
 additionalScrapeConfigs:
- - job_name: 'java'
- metrics_path: '/metrics'
+ - job_name: "java"
+ metrics_path: "/metrics"
 static_configs:
- - targets: ['openmrs.performance.svc.cluster.local:8280']
+ - targets: ["openmrs.performance.svc.cluster.local:8280"]
diff --git a/values/performance.yaml b/values/performance.yaml
new file mode 100644
index 00000000..d1901fb4
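Review bot: The new `rabbit-mq:` key (`rabbit-mq: enabled: false`) does not match the `rabbitmq:` key used a few lines below in this same hunk and in every other values file of this commit, so it appears to be an orphan entry and RabbitMQ is not actually disabled for the `local` profile; fold it into the existing block as `rabbitmq:` / `  enabled: false` above `auth:`. `rabbitmq.auth.username`, `password` and `erlangCookie` are all the literal `bahmni`, and `hiu-db`/`hip` carry `password=welcome`; even for a local profile these are committed credentials and would be better read from a git-ignored local override file. The first two hunks of `values/local.yaml` (quote style and `payments-bahmni.local` host names) and the `values/monitoring.yaml` hunks raise nothing beyond noting that `allowed_organizations` now admits members of three GitHub organizations to Grafana.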
--- /dev/null
+++ b/values/performance.yaml
@@ -0,0 +1,159 @@
+global:
+ storageClass: bahmni-efs-sc
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: performance
+
+metadata:
+ labels:
+ environment: performance
+ ingress:
+ PROXY_BODY_SIZE: "7m"
+ ABDM_PROXY_BODY_SIZE: "30m"
+
+openmrs:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+bahmni-web:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+bahmni-lab:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+crater:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+ config:
+ AUTO_INSTALL: "true"
+ ADMIN_NAME: Super Man
+ COMPANY_NAME: Bahmni
+ COMPANY_SLUG: bahmni
+ COUNTRY_ID: 101
+ secrets:
+ ADMIN_EMAIL: "superman@bahmni.org"
+reports:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+ config:
+ OPENMRS_HOST: "openmrs"
+hiu:
+ enabled: true
+ config:
+ POSTGRES_HOST: "bahmni-performance-postgresql"
+ RABBITMQ_HOST: "bahmni-performance-rabbitmq"
+ HIU_ID: "Bahmni-Perf"
+ HIU_NAME: "Bahmni-Perf"
+ metadata:
+ labels:
+ environment: performance
+hiu-db:
+ enabled: true
+ config:
+ JAVA_TOOL_OPTIONS: "-Djdbc.url=jdbc:postgresql://bahmni-performance-postgresql:5432/ -Djdbc.username=postgres -Djdbc.password=welcome -Djdbc.database=health_information_user"
+ metadata:
+ labels:
+ environment: performance
+hiu-ui:
+ enabled: true
+ config:
+ POSTGRES_HOST: bahmni-performance-postgresql
+ RABBITMQ_HOST: bahmni-performance-rabbitmq
+ metadata:
+ labels:
+ environment: performance
+hip:
+ enabled: true
+ config:
+ CONNECTION_STRING: "Host=bahmni-performance-postgresql;Port=5432;Username=postgres;Password=welcome;Database=hipservice"
+ RABBITMQ_HOST: "bahmni-performance-rabbitmq"
+ BAHMNI_ID: "Bahmni-Perf"
+ metadata:
+ labels:
+ environment: performance
+otp-service:
+ enabled: true
+ config:
+ CONNECTION_STRING: "Host=bahmni-performance-postgresql;Port=5432;Username=postgres;Password=welcome;Database=otpservice;"
+ metadata:
+ labels:
+ environment: performance
+hip-atomfeed:
+ enabled: true
+ config:
+ DATABASE_URL: "jdbc:postgresql://bahmni-performance-postgresql:5432/"
+ metadata:
+ labels:
+ environment: performance
+
+postgresql:
+ enabled: true
+ volumePermissions:
+ enabled: true
+ primary:
+ persistence:
+ subPath: performance
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: performance
+ image:
+ tag: 14-debian-11
+
+rabbitmq:
+ enabled: true
+ auth:
+ erlangCookie: bahmni
+ persistence:
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: performance
+ image:
+ repository: rabbitmq
+ tag: alpine
+
+patient-documents:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+ config:
+ OPENMRS_HOST: "openmrs"
+
+appointments:
+ enabled: true
+
+
+crater-atomfeed:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+
+implementer-interface:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
+
+clinic-config:
+ metadata:
+ labels:
+ environment: performance
+
+abha-verification:
+ enabled: true
+ metadata:
+ labels:
+ environment: performance
diff --git a/values/qa.yaml b/values/qa.yaml
new file mode 100644
index 00000000..ae5c5e3b
--- /dev/null
+++ b/values/qa.yaml
@@ -0,0 +1,159 @@
+global:
+ storageClass: bahmni-efs-sc
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+
+metadata:
+ labels:
+ environment: qa
+ ingress:
+ PROXY_BODY_SIZE: "7m"
+ ABDM_PROXY_BODY_SIZE: "30m"
+
+openmrs:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+bahmni-web:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+bahmni-lab:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+crater:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+ config:
+ AUTO_INSTALL: "true"
+ ADMIN_NAME: Super Man
+ COMPANY_NAME: Bahmni
+ COMPANY_SLUG: bahmni
+ COUNTRY_ID: 101
+ secrets:
+ ADMIN_EMAIL: "superman@bahmni.org"
+reports:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+ config:
+ OPENMRS_HOST: "openmrs"
+hiu:
+ enabled: true
+ config:
+ POSTGRES_HOST: "bahmni-qa-postgresql"
+ RABBITMQ_HOST: "bahmni-qa-rabbitmq"
+ HIU_ID: "Bahmni-QA"
+ HIU_NAME: "Bahmni-QA"
+ metadata:
+ labels:
+ environment: qa
+hiu-db:
+ enabled: true
+ config:
+ JAVA_TOOL_OPTIONS: "-Djdbc.url=jdbc:postgresql://bahmni-qa-postgresql:5432/ -Djdbc.username=postgres -Djdbc.password=welcome -Djdbc.database=health_information_user"
+ metadata:
+ labels:
+ environment: qa
+hiu-ui:
+ enabled: true
+ config:
+ POSTGRES_HOST: bahmni-qa-postgresql
+ RABBITMQ_HOST: bahmni-qa-rabbitmq
+ metadata:
+ labels:
+ environment: qa
+hip:
+ enabled: true
+ config:
+ CONNECTION_STRING: "Host=bahmni-qa-postgresql;Port=5432;Username=postgres;Password=welcome;Database=hipservice"
+ RABBITMQ_HOST: "bahmni-qa-rabbitmq"
+ BAHMNI_ID: "Bahmni-QA"
+ metadata:
+ labels:
+ environment: qa
+otp-service:
+ enabled: true
+ config:
+ CONNECTION_STRING: "Host=bahmni-qa-postgresql;Port=5432;Username=postgres;Password=welcome;Database=otpservice;"
+ metadata:
+ labels:
+ environment: qa
+hip-atomfeed:
+ enabled: true
+ config:
+ DATABASE_URL: "jdbc:postgresql://bahmni-qa-postgresql:5432/"
+ metadata:
+ labels:
+ environment: qa
+
+postgresql:
+ enabled: true
+ volumePermissions:
+ enabled: true
+ primary:
+ persistence:
+ subPath: qa
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+ image:
+ tag: 14-debian-11
+
+rabbitmq:
+ enabled: true
+ auth:
+ erlangCookie: bahmni
+ persistence:
+ storageClass: bahmni-efs-sc
+ accessModes:
+ - ReadWriteMany
+ nodeSelector:
+ eks.amazonaws.com/nodegroup: nonprod
+ image:
+ repository: rabbitmq
+ tag: alpine
+
+patient-documents:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+ config:
+ OPENMRS_HOST: "openmrs"
+
+appointments:
+ enabled: true
+
+
+crater-atomfeed:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+
+implementer-interface:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa
+
+clinic-config:
+ metadata:
+ labels:
+ environment: qa
+
+abha-verification:
+ enabled: true
+ metadata:
+ labels:
+ environment: qa