Full chart contract
Common - configuration shared by all applications
Image access control
If you are pulling images from an image repository with access control restrictions then you will need to set this to the name of a secret created in Kubernetes. Use any appropriate secret name; ghcr-ro-secret is simply our convention.
```yaml
imagePullSecrets:
  - name: ghcr-ro-secret
```
The secret is set up as follows:
```shell
kubectl create secret -n <namespace> docker-registry <secret_name> --docker-server=ghcr.io --docker-username=<username> --docker-password=<password|token> --docker-email=<email>
```
Network Policy control
```yaml
networkPolicy:
  enabled: true
  cidr:
    loadBalancers: []
    #- cidr: 0.0.0.0/0
    #  except:
    #  - 10.1.0.0/8
    oidcProvider:
    #- cidr: # Optional
    #  ports: # Optional
    - ports:
      - 443
    store:
      cases: []
      definitions: []
      attachments: []
```
networkPolicy.enabled
- enable or disable network policies
CIDR control
cidr.loadBalancers
- allow traffic to and from load balancers
cidr.oidcProvider
- allow traffic to and from the OIDC Provider
cidr.store
- allow access to and from databases and blob stores
Within each of these you can use the following:
cidr.<target>.[].cidr.[]
- list of CIDR ranges allowed
cidr.<target>.[].ports.[]
- list of ports that are allowed access (all if not provided)
cidr.<target>.[].except.[]
- list of CIDR blocks that are not allowed, i.e. a range within the allowed cidr.[]
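As an added illustration of the cidr contract above (this is not code from the chart), a Python check that can be run over the networkPolicy.cidr values before deploying: it parses every CIDR strictly, verifies that each except range really sits inside an allowed cidr, and flags an all-addresses range that carries no ports restriction. The sample values are constructed for the example.

```python
import ipaddress

# Constructed sample of the chart's networkPolicy.cidr contract (not the chart's own
# code): loadBalancers opens 0.0.0.0/0 except an internal range; store.cases has an
# `except` that is not inside its allowed range, which the validator must catch.
SAMPLE_CIDR = {
    "loadBalancers": [{"cidr": ["0.0.0.0/0"], "except": ["10.0.0.0/8"]}],
    "oidcProvider": [{"ports": [443]}],
    "store": {
        "cases": [{"cidr": ["10.20.0.0/16"], "ports": [5432], "except": ["192.168.1.0/24"]}],
        "definitions": [],
        "attachments": [],
    },
}


def _net(path, value, problems):
    """Parse a CIDR strictly; host bits set (e.g. 10.1.0.0/8) is reported, not silently masked."""
    try:
        return ipaddress.ip_network(value)
    except ValueError as err:
        problems.append(f"{path}: bad CIDR {value!r} ({err})")
        return None


def _check_entry(path, entry, problems):
    """One cidr.<target>.[] entry: valid ports, every `except` inside some allowed `cidr`."""
    allowed = [n for c in entry.get("cidr", []) if (n := _net(path, c, problems))]
    for port in entry.get("ports", []):
        if not isinstance(port, int) or not 0 < port < 65536:
            problems.append(f"{path}: invalid port {port!r}")
    for exc in entry.get("except", []):
        net = _net(path, exc, problems)
        if net and not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            problems.append(f"{path}: except {exc} is not within any allowed cidr")
    if any(a.prefixlen == 0 for a in allowed) and not entry.get("ports"):
        problems.append(f"{path}: an all-addresses cidr with no port restriction allows all traffic")


def validate_cidr_config(cidr):
    """Walk every target (store nests cases/definitions/attachments) and list problems."""
    problems = []
    for target, value in cidr.items():
        groups = value.items() if isinstance(value, dict) else [(None, value)]
        for sub, entries in groups:
            path = f"cidr.{target}" + (f".{sub}" if sub else "")
            for i, entry in enumerate(entries):
                _check_entry(f"{path}[{i}]", entry, problems)
    return problems
```

Running validate_cidr_config(SAMPLE_CIDR) reports the open loadBalancers entry and the misplaced store.cases exception; an empty list means the values satisfy the contract.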
OIDC Provider
URLs and configuration
URLs for OIDC provider:
```yaml
oidc:
  jwksUrl: https://cognito-idp.eu-west-2.amazonaws.com/eu-west-2_NNNNNNN/.well-known/jwks.json
  loginUrl: https://quickcase-nonprod.auth.eu-west-2.amazoncognito.com/login
  loginUrlParams: {}
  logoutUrl: https://quickcase-nonprod.auth.eu-west-2.amazoncognito.com/logout
  logoutUrlParams: {}
  tokenUrl: https://quickcase-nonprod.auth.eu-west-2.amazoncognito.com/oauth2/token
  userInfoUrl: https://quickcase-nonprod.auth.eu-west-2.amazoncognito.com/oauth2/userInfo
  openidScope: openid
```
loginUrlParams, logoutUrlParams
- map of parameters to add to the login and logout URL; they are converted to ?param1=val1&param2=val2
Claims
Claim names will depend on the OIDC provider and the configuration of that provider. The following shows the default configurations.
```yaml
claims:
  # These are the default claim names, see https://github.com/quickcase/spring-oidc#configuration
  prefix: ''
  sub: sub
  name: name
  email: email
  roles: app.quickcase.claims/roles
  organisations: app.quickcase.claims/organisations
  defaultJurisdiction: app.quickcase.claims/default_jurisdiction
  defaultCaseType: app.quickcase.claims/default_case_type
  defaultState: app.quickcase.claims/default_state
```
prefix
- prefix added to each claim by the provider. Use in cases where custom claim names are prefixed by the OIDC provider.
sub, name, email
- are usually already provided by your OIDC provider.
The remainder are specific to QuickCase:
roles
- roles that the user has been assigned, which allow QuickCase to provide, prevent or limit access to cases.
organisations
- the organisations that the user may access (there may be more than one in a cases database)
defaultJurisdiction
- the default jurisdiction that the user will work on
defaultCaseType
- the default case type this user would normally create or access
defaultState
- the default state of cases the user will access
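An added example, not part of the chart or of spring-oidc, showing how the claims settings above combine into the claim names that are looked up in a token and how the QuickCase-specific values are pulled out of it. It assumes that prefix is prepended to the QuickCase-specific claims only, that a multi-valued claim may arrive either as a list or as a comma-separated string, and it uses a constructed Cognito-style payload with a custom: prefix.

```python
STANDARD_CLAIMS = ("sub", "name", "email")
QUICKCASE_CLAIMS = ("roles", "organisations", "defaultJurisdiction", "defaultCaseType", "defaultState")
# The chart's default claim names with a provider prefix set (constructed for this example).
CLAIMS_CFG = {
    "prefix": "custom:",
    "sub": "sub", "name": "name", "email": "email",
    "roles": "app.quickcase.claims/roles",
    "organisations": "app.quickcase.claims/organisations",
    "defaultJurisdiction": "app.quickcase.claims/default_jurisdiction",
    "defaultCaseType": "app.quickcase.claims/default_case_type",
    "defaultState": "app.quickcase.claims/default_state",
}

# Constructed decoded ID-token payload; signature and expiry are assumed verified upstream.
SAMPLE_PAYLOAD = {
    "sub": "3f1c", "name": "Ada", "email": "ada@example.test",
    "custom:app.quickcase.claims/roles": "caseworker,solicitor",
    "custom:app.quickcase.claims/organisations": ["org-a"],
    "custom:app.quickcase.claims/default_jurisdiction": "PROBATE",
}


def effective_claim_names(cfg):
    """Map each config key to the claim name present in the token (assumption: prefix applies to QuickCase claims only)."""
    names = {k: cfg[k] for k in STANDARD_CLAIMS}
    names.update({k: cfg.get("prefix", "") + cfg[k] for k in QUICKCASE_CLAIMS})
    return names


def _as_list(value):
    # Assumption: multi-valued claims arrive as a list or as a comma-separated string.
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def extract_identity(payload, cfg):
    """Return what QuickCase needs from the token; fail closed if sub or roles are missing."""
    names = effective_claim_names(cfg)
    for required in ("sub", "roles"):
        if names[required] not in payload:
            raise ValueError(f"token lacks required claim {names[required]!r}")
    scalars = ("sub", "name", "email", "defaultJurisdiction", "defaultCaseType", "defaultState")
    identity = {k: payload.get(names[k]) for k in scalars}
    identity["roles"] = _as_list(payload[names["roles"]])
    identity["organisations"] = _as_list(payload.get(names["organisations"]))
    return identity
```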
Stores
Definition and Data Store
This is the configuration for access to the PostgreSQL databases for cases and definitions. Depending on the cloud provider, you may need to allow access to the database from the cluster via networkPolicies.
```yaml
store:
  cases:
    db_name: cases
    #host: somehost.com
    port: 5432
    #password: ''
    username: quickcase
    options: {}
  definitions:
    db_name: definitions
    #host: somehost.com
    port: 5432
    #password: ''
    username: quickcase
```
There are two databases:
store.cases
- QuickCase case data
store.definitions
- QuickCase case definitions
The configuration is identical:
<database>.db_name
- name of the database on the database instance
<database>.host
- the instance host name
<database>.port
- port on which to access the database (default: 5432)
<database>.password
- password for the database
<database>.username
- user with access to the database
<database>.options
- additional options needed for the connection string, as key-value pairs.
Attachment Store (blob store)
Common configuration
```yaml
attachments:
  download:
    expiry: 300
  upload:
    expiry: 300
    prefix: ''
  provider: amazon-s3 # azure-blob, google-storage
```
download.expiry, upload.expiry
- timeout in seconds
upload.prefix
- adds this prefix to every upload
provider
- the blob store provider, one of:
  - amazon-s3 - AWS S3
  - azure-blob - Azure blob store, or
  - google-storage - Google Cloud Storage
Amazon S3
```yaml
provider: amazon-s3
amazon-s3:
  bucket: attachment-store-s3-bucket
  region: eu-west-2
  endpoint: # Optional
```
amazon-s3.bucket
- AWS S3 bucket name (unique across S3)
amazon-s3.region
- AWS S3 region for the bucket
amazon-s3.endpoint
- (Optional) the S3 endpoint; if not provided the standard endpoint will be used.
Azure Blob Store
```yaml
provider: azure-blob
azure-blob:
  storageAccountName:
  storageAccountKey:
  storageAccountUrl: # Optional
  container:
```
azure-blob.storageAccountName
- storage account name
azure-blob.storageAccountKey
- access key for the above storage account
azure-blob.storageAccountUrl
- (Optional) endpoint for Azure storage; the default is used if not provided
azure-blob.container
- the blob container name within the storage account
Google Cloud Storage
```yaml
provider: google-storage
google-storage:
  bucket: qcstoragebucket
```
google-storage.bucket
- Google Cloud Storage bucket name
Applications - app specific configuration
The 5 apps we configure within their own namespaces are:
- admin_ui
- case_ui
- data_store
- definition_store
- attachment_store
Their configuration is broken into three sections:
- Common Helm - configuration provided by a default Helm chart
- Common QuickCase - QuickCase customisations that are shared across all charts
- Application specific - configuration only provided for a single app
Common Helm - Inherited from default Helm charts
```yaml
<app>:
  replicaCount: 1
  image:
    repository: ghcr.io/quickcase/case-management-ui
    tag: latest
    pullPolicy: Always
  fullnameOverride: ""
  containerTargetPort: 4453
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""
  service:
    type: LoadBalancer
    port: 443
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-2:NNNNNNNNNNNN:certificate/deadbeaf-339f-4830-aa57-deadbeafNNNN
      # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # external-dns.alpha.kubernetes.io/hostname: work.XXX.quickcase.app
  ingress:
    enabled: false
    className: ""
    annotations: {}
      # kubernetes.io/ingress.class: alb
      # alb.ingress.kubernetes.io/scheme: internet-facing
      # alb.ingress.kubernetes.io/target-type: ip
      # alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
      # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-2:NNNNNNNNNNNN:certificate/deadbeaf-339f-4830-aa57-deadbeafNNNN
      # alb.ingress.kubernetes.io/group.name: quickcase
    hosts:
      - host: work.local
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls: []
    #  - secretName: work-tls
    #    hosts:
    #      - work.local
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
```
Common QuickCase - common to QuickCase
- Custom settings provided by QuickCase
- Settings provided by Helm and overridden by default
```yaml
<app>:
  sidecarContainers: []
  nameOverride: "<app>"
  helmTestsDebug: false
  autoscaling:
    enabled: true
    minReplicas: 1
    maxReplicas: 5
    cpuAverageUtilizationPercentage: 50
    # memoryAverageUtilizationPercentage: 80
  environment:
    EXAMPLE_URL: 'http://{{ .Release.Name }}-data-store/aggregated'
    PORT: '{{ .Values.<app>.containerTargetPort }}'
```
nameOverride
- we override all our app names to allow us to maintain sub-apps in a single chart
helmTestsDebug
- when running helm test, the containers will not be deleted, to allow inspection and debugging
environment
- set environment variables for the app. These are parsed so that you can use Helm template expressions such as .Values in these settings. The ones shown above are examples. For them to be parsed they must be quoted.
Application specific configuration
Case UI
```yaml
case_ui:
  dmStoreUrl: https://document.XXX.quickcase.app
  oidc:
    loginUrlParams:
      response_type: code
      client_id: "{{client_id}}"
      redirect_uri: "{{redirect_uri}}"
      scope: openid
    logoutUrlParams:
      logout_uri: "{{redirect_uri}}"
      scope: openid
    clientName: ""
    clientSecret: ""
  environment:
    CCD_API_URL: 'http://{{ .Release.Name }}-data-store/aggregated'
    CCD_DATA_URL: 'http://{{ .Release.Name }}-data-store'
    OAUTH2_REDIRECT_URI: 'https://{{ .Values.case_ui.service.hostname }}/oauth2'
    QUICKCASE_STORE_ATTACHMENT_PROVIDER: '{{ .Values.store.attachments.provider }}'
    QUICKCASE_STORE_ATTACHMENT_URL: '{{ .Values.case_ui.dmStoreUrl }}'
    PORT: '{{ .Values.case_ui.containerTargetPort }}'
  service:
    type: LoadBalancer
    port: 443
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-2:NNNNNNNNNNNN:certificate/deadbeaf-339f-4830-aa57-deadbeafNNNN
      # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # external-dns.alpha.kubernetes.io/hostname: work.XXX.quickcase.app
```
Admin UI
```yaml
admin_ui:
  oidc:
    loginUrlParams:
      response_type: code
      client_id: "{{client_id}}"
      redirect_uri: "{{redirect_uri}}"
    logoutUrlParams: {}
    clientName: ''
    clientSecret: ''
  environment:
    ADMINWEB_AUTHORIZATION_URL: http://{{ .Release.Name }}-definition-store/api/idam/adminweb/authorization
    ADMINWEB_CREATE_DEFINITION_URL: http://{{ .Release.Name }}-definition-store/api/draft
    ADMINWEB_DEFINITIONS_URL: http://{{ .Release.Name }}-definition-store/api/drafts
    ADMINWEB_DELETE_DEFINITION_URL: http://{{ .Release.Name }}-definition-store/api/draft
    ADMINWEB_IMPORT_AUDITS_URL: http://{{ .Release.Name }}-definition-store/api/import-audits
    ADMINWEB_IMPORT_URL: http://{{ .Release.Name }}-definition-store/import
    ADMIN_ALL_USER_ROLES_URL: http://{{ .Release.Name }}-definition-store/api/user-roles
    ADMINWEB_WHOAMI_URL: http://{{ .Release.Name }}-definition-store/api/idam/profile
    ADMINWEB_USER_ROLE_URL: http://{{ .Release.Name }}-definition-store/api/user-role
    ADMINWEB_UPDATE_DEFINITION_URL: http://{{ .Release.Name }}-definition-store/api/draft/save
    ADMINWEB_JURISDICTIONS_URL: http://{{ .Release.Name }}-definition-store/api/data/jurisdictions
    SECURE_AUTH_COOKIE_ENABLED: "true"
    NODE_ENV: prod
    PORT: '{{ .Values.admin_ui.containerTargetPort }}'
  service:
    type: LoadBalancer
    port: 443
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...
      # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # external-dns.alpha.kubernetes.io/hostname: admin.example.com
```
Data Store
```yaml
data_store:
  environment:
    #QUICKCASE_STORE_DATA_CALLBACK_PLACEHOLDERS: "{'webhooksBaseUrl':'http://{{ .Release.Name }}-webhooks'}"
    QUICKCASE_STORE_DEFINITION_URI: http://{{ .Release.Name }}-definition-store
  networkPolicy:
    ingressLabelEnabled: false
    egressLabel:
      enabled: false
      #ports: # Optional, if left out or set to [] egress is to any port
      #  - 80
      #  - 443
    ingressIp: []
    # List of additional CIDR values allowed ingress, empty list [] disables
    #- 1.2.3.6/32
    egressIp: []
    # List of additional CIDRs and ports that the app can access, empty list [] disables
    #- cidr:
    #  - 1.2.3.4/32
    #  ports:
    #  - 443
    #  - 80
    ingressRaw: []
    egressRaw: []
  service:
    type: LoadBalancer
    port: 443
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-2:NNNNNNNNNNNN:certificate/deadbeaf-339f-4830-aa57-deadbeafNNNN
      # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # external-dns.alpha.kubernetes.io/hostname: work-api.XXXX.quickcase.app
```
Definition Store
```yaml
definition_store:
  environment: {}
  # See data_store.networkPolicy for examples
  networkPolicy:
    ingressLabelEnabled: false
    egressLabel:
      enabled: false
    ingressIp: []
    egressIp: []
    ingressRaw: []
    egressRaw: []
  service:
    type: ClusterIP
    port: 80
    annotations: {}
```
Attachment Store
```yaml
attachment_store:
  enabled: true
  environment:
    QUICKCASE_STORE_DATA_URI: 'http://{{ .Release.Name }}-data-store'
    PORT: '{{ .Values.attachment_store.containerTargetPort }}'
  # See data_store.networkPolicy for examples
  networkPolicy:
    ingressLabelEnabled: false
    egressLabel:
      enabled: false
    ingressIp: []
    egressIp: []
    ingressRaw: []
    egressRaw: []
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""
    # NOTE: To associate an AWS role with S3 rights do similar to this
    #name: attachment-store
    #annotations:
    #  eks.amazonaws.com/role-arn: arn:aws:iam::NNNNNNNNNNNN:role/QcEKSDocStoreRole_qc_XXXX
  podSecurityContext:
    fsGroup: 1000 # For DocumentStoreS3 to be able to read Kubernetes and AWS token files
  service:
    type: LoadBalancer
    port: 443
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-2:NNNNNNNNNNNN:certificate/deadbeaf-339f-4830-aa57-deadbeafNNNN
      # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # external-dns.alpha.kubernetes.io/hostname: document.XXXX.quickcase.app
```