
oucru-id/opensrp-gke-hapi-fhir


OpenSRP GKE HAPI FHIR Server

  • If using a managed DBMS service such as Google Cloud SQL, create a database with the same name as the one referenced in the server applications' configuration.
  • Create the DB user(s) for the database and grant each user only the least privileges it needs. See the sample SQL script for modifying permissions.
  • The "Central" FHIR Server has hapi.fhir.mdm_enabled set to true, while the other FHIR Servers have it set to false.
  • Upload the wildcard SSL certificate via the OpenHIM Admin Console (later this should be automated from the source that renews the certificate).
  • Alternatively, use a Google-managed SSL certificate combined with a Kubernetes Ingress.
  • In older versions of HAPI FHIR JPA Server (< 6.6.0), change the data type of public.hfj_res_ver.res_text_vc from varchar(4000) to text in the HAPI FHIR database. See the GitHub issue.
  • Restart the FHIR Gateway after all other components are ready to serve, to avoid JWT verification failing with the error: The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA

Helpful Tools

For deploying in Google Cloud Platform

For deploying in local machine

Optional

Useful Commands

Levi preferred to call them "Magic Spells", given his years of experience in technological wizardry.

Create a namespace

NAMESPACE_NAME=trainee01 && \
kubectl create namespace $NAMESPACE_NAME

Apply all manifests in some namespaces

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && PROJECT_NAME=spheregcp-test && \
NAMESPACE_NAME=** && \
EXTRA_DIR_PATH=*/*/* && \

for file in projects/$PROJECT_NAME/namespaces/$NAMESPACE_NAME/KubernetesManifests/$EXTRA_DIR_PATH; do
  kubectl apply -f "$file"
done

Refresh all manifests in some namespaces (or projects)

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && PROJECT_NAME=spheregcp-test && \
NAMESPACE_NAME=team-based-care && \
EXTRA_DIR_PATH=*/*/* && \
DIR_PATH=projects/${PROJECT_NAME}/namespaces/${NAMESPACE_NAME}/KubernetesManifests/${EXTRA_DIR_PATH} && \

for file in $DIR_PATH; do
  MANIFEST_FILE_NAME=$(echo "$file" | awk -F'/' '{print $(NF)}') && \
  # extract MANIFEST_NAME from MANIFEST_FILE_NAME without suffix .yaml or .yml
  MANIFEST_NAME=$(echo "$MANIFEST_FILE_NAME" | sed 's/\.yaml$//' | sed 's/\.yml$//') && \
  KUBE_RESOURCE_TYPE=$(echo "$file" | awk -F'/' '{print $(NF-1)}') && \
  API_PATH=$(echo "$file" | awk -F'/' '{print $(NF-2)}') && \
  FILE_NAMESPACE_NAME=$(echo "$file" | awk -F'/' '{print $(NF-4)}') && \
  MANIFEST_PATH=projects/${PROJECT_NAME}/namespaces/${FILE_NAMESPACE_NAME}/KubernetesManifests/${API_PATH}/${KUBE_RESOURCE_TYPE}/${MANIFEST_FILE_NAME} && \
  kubectl get -n "$FILE_NAMESPACE_NAME" ${KUBE_RESOURCE_TYPE} ${MANIFEST_NAME} -o yaml > ${MANIFEST_PATH}
done

Apply all manifests in a namespace

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && PROJECT_NAME=spheregcp-test && \
NAMESPACE_NAME=team-based-care-dev && \
kubens $NAMESPACE_NAME && \
EXTRA_DIR_PATH= && \
\
kubectl apply -n "$NAMESPACE_NAME" -f projects/$PROJECT_NAME/namespaces/$NAMESPACE_NAME/KubernetesManifests/$EXTRA_DIR_PATH -R

Refresh a k8s manifest yaml

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && PROJECT_NAME=spheregcp-test && \
NAMESPACE_NAME=team-based-care && \
kubens $NAMESPACE_NAME && \
MANIFEST_NAME=fhir-gateway-config-1rt6 && \
KUBE_RESOURCE_TYPE=ConfigMap && \
API_VERSION=$(kubectl get -n "$NAMESPACE_NAME" ${KUBE_RESOURCE_TYPE} ${MANIFEST_NAME} -o jsonpath='{.apiVersion}') && \
API_PATH=${API_VERSION%%/*} && \
DIR_PATH=projects/${PROJECT_NAME}/namespaces/${NAMESPACE_NAME}/KubernetesManifests/${API_PATH}/${KUBE_RESOURCE_TYPE} && \
mkdir -p ${DIR_PATH} && \
\
kubectl get -n "$NAMESPACE_NAME" ${KUBE_RESOURCE_TYPE} ${MANIFEST_NAME} -o yaml > ${DIR_PATH}/${MANIFEST_NAME}.yaml

Apply after refresh & modify

kubectl apply -n "$NAMESPACE_NAME" -f ${DIR_PATH}/${MANIFEST_NAME}.yaml
kubectl set env deployment/my-deployment --env="LAST_RESTART=$(date)"

Apply new manifests in a folder all at once

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && PROJECT_NAME=spheregcp-test && \
NAMESPACE_NAME=team-based-care && \
KUBE_RESOURCE_TYPE=ConfigMap && \
API_PATH=v1 && \
DIR_PATH=projects/${PROJECT_NAME}/namespaces/${NAMESPACE_NAME}/KubernetesManifests/${API_PATH}/${KUBE_RESOURCE_TYPE} && \
\
kubectl apply -n "$NAMESPACE_NAME" -f ${DIR_PATH} -R

Get many manifests and put them into manifests.yaml + secret manifests and put them into secrets.yaml

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && PROJECT_NAME=spheregcp-test && \
NAMESPACE_NAME="team-based-care" && \
DIR_PATH=projects/${PROJECT_NAME}/namespaces/${NAMESPACE_NAME}/KubernetesManifests && \
mkdir -p ${DIR_PATH} && \
kubectl get deployment,sts,cm,hpa,vpa,service,ingress,frontendconfigs,mcrt,all -n ${NAMESPACE_NAME} -o yaml > ${DIR_PATH}/manifests.yaml \
&& \
kubectl get secrets -n ${NAMESPACE_NAME} -o yaml > ${DIR_PATH}/secrets.yaml

Get many manifests and put them into one yaml

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && \
kubectl get deployment,sts,cm,hpa,vpa,service,ingress -o yaml > some-manifests.yaml

Get all manifests (excluding Secret, ConfigMap, Ingress, ManagedCertificate, etc...) and put them into one yaml

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && \
kubectl get all -o yaml > all-manifests.yaml

Get secrets and put them into secrets.yaml

kubectx gke_spheregcp-test_asia-southeast2_spheregcp-test-autopilot-cluster && \
kubectl get secrets -o yaml > secrets.yaml
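
The secrets.yaml exports above contain every Secret value in base64 encoding, not encrypted, and one of them is written under the projects/ tree next to the other manifests. As an added example (not part of this repository), the function below scans an exported YAML file and names each Secret that still carries data or stringData, so it can gate a commit; the function name and the sample manifest are constructed for illustration.

```shell
# Added example: name the Secret objects that still carry values in a kubectl YAML export.
# Prints one name per line; exit status 1 when any is found, so it can gate a commit.
find_secret_payloads() {
  awk '
    function emit() {
      if (is_secret && has_payload) { print (name == "" ? "<unnamed>" : name); found++ }
      is_secret = has_payload = in_meta = 0; name = ""
    }
    /^---[ \t]*$/      { emit(); in_list = 0; next }       # multi-document separator
    /^items:[ \t]*$/   { in_list = 1; next }               # kubectl wraps results in a v1 List
    in_list && /^- /   { emit(); $0 = "  " substr($0, 3) } # next list item begins
    in_list && /^[^ ]/ { emit(); in_list = 0 }             # back at top level: list ended
    in_list            { $0 = substr($0, 3) }              # de-indent the item to column 0
    /^kind: Secret[ \t]*$/       { is_secret = 1 }
    /^(data|stringData):[ \t]*$/ { has_payload = 1 }
    /^[^ ]/                      { in_meta = ($0 ~ /^metadata:/) }
    in_meta && /^  name: /       { name = substr($0, 9) }
    END { emit(); exit (found > 0) }
  ' "$1"
}

# Constructed sample in the shape `kubectl get cm,secrets -o yaml` produces (values are fake).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
apiVersion: v1
items:
- apiVersion: v1
  data:
    application.yaml: placeholder
  kind: ConfigMap
  metadata:
    name: fhir-gateway-config-1rt6
- apiVersion: v1
  data:
    password: cGxhY2Vob2xkZXI=
  kind: Secret
  metadata:
    name: db-credentials
    namespace: team-based-care
  type: Opaque
kind: List
metadata:
  resourceVersion: ""
EOF

if ! FLAGGED=$(find_secret_payloads "$SAMPLE"); then
  echo "refusing to commit, Secret payloads found: $FLAGGED"
fi
```

The ConfigMap in the sample also has a data block but is not reported, because only objects of kind Secret are flagged.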

Kubernetes Best Practices

Kubernetes Secret

Merging kubeconfig files

Since kubeconfig files are structured YAML files, you can’t just append them to get one big kubeconfig file, but kubectl can help you merge these files:

KUBECONFIG=file1:file2:file3 kubectl config view \
 --merge --flatten > out.txt

or

KUBECONFIG=~/.kube/config:~/.kube.minikube/config kubectl config view \
 --merge --flatten > out.txt