openemr · bradymiller · Jan 25, 2023 · Jun 7, 2023 · Jun 7, 2023 · Jun 18, 2023
diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ OpenEMR administration and deployment tooling
 ### Deployment Options
 
 * [Ubuntu Installer](packages/appliance): Launch OpenEMR on any Ubuntu 24.04 instance
-* [Kubernetes](kubernetes): Two-worker OpenEMR Kubernetes orchestration on Minikube
+* [Kubernetes](kubernetes): OpenEMR Kubernetes orchestration with mTLS, Redis Sentinel failover, and multi-node support
 * [Raspberry Pi](raspberrypi): Install OpenEMR Docker on Raspberry Pi (supports ARMv8 infrastructure)
 
 ### Installations for Amazon Web Services

diff --git a/docker/openemr/obsolete/7.0.1/openemr.sh b/docker/openemr/obsolete/7.0.1/openemr.sh
@@ -242,32 +242,6 @@ if [ "$REDIS_SERVER" != "" ] &&
     #  and in swarm mode the docker will be functional after this redis section (ie. if do the below config section first
     #  then the breakage time of the pod will be markedly less).
 
-    # Support phpredis build
-    #   This will allow building phpredis towards either most recent development version "develop",
-    #    or a specific sha1 commit id, such as "e571a81f8d3009aab38cbb88dde865edeb0607ac".
-    #    This allows support for tls (ie. encrypted connections) since not available in production
-    #    version 5.3.7 .
-    if [ "$PHPREDIS_BUILD" != "" ]; then
-      apk update
-      apk del --no-cache php81-redis
-      apk add --no-cache git php81-dev php81-pecl-igbinary gcc make g++
-      mkdir /tmpredis
-      cd /tmpredis
-      git clone https://github.com/phpredis/phpredis.git
-      cd /tmpredis/phpredis
-      if [ "$PHPREDIS_BUILD" != "develop" ]; then
-          git reset --hard "$PHPREDIS_BUILD"
-      fi
-      phpize
-      ./configure --enable-redis-igbinary
-      make
-      make install
-      echo "extension=redis" > /etc/php81/conf.d/20_redis.ini
-      rm -fr /tmpredis/phpredis
-      apk del --no-cache git php81-dev gcc make g++
-      cd /var/www/localhost/htdocs/openemr
-    fi
-
     # Support the following redis auth:
     #   No username and No password set (using redis default user with nopass set)
     #   Both username and password set (using the redis user and pertinent password)

diff --git a/docker/openemr/obsolete/7.0.2/openemr.sh b/docker/openemr/obsolete/7.0.2/openemr.sh
@@ -262,34 +262,6 @@ if [ "$REDIS_SERVER" != "" ] &&
     #  and in swarm mode the docker will be functional after this redis section (ie. if do the below config section first
     #  then the breakage time of the pod will be markedly less).
 
-    # Support phpredis build
-    #   This will allow building phpredis towards either most recent development version "develop",
-    #    or a specific sha1 commit id, such as "e571a81f8d3009aab38cbb88dde865edeb0607ac".
-    #    This allows support for tls (ie. encrypted connections) since not available in production
-    #    version 5.3.7 .
-    if [ "$PHPREDIS_BUILD" != "" ]; then
-      apk update
-      apk del --no-cache php82-redis
-      apk add --no-cache git php82-dev php82-pecl-igbinary gcc make g++
-      mkdir /tmpredis
-      cd /tmpredis
-      git clone https://github.com/phpredis/phpredis.git
-      cd /tmpredis/phpredis
-      if [ "$PHPREDIS_BUILD" != "develop" ]; then
-          git reset --hard "$PHPREDIS_BUILD"
-      fi
-      # note for php 8.2, needed to change from 'phpize' to:
-      phpize82
-      # note for php 8.2, needed to change from './configure --enable-redis-igbinary' to:
-      ./configure --with-php-config=/usr/bin/php-config82 --enable-redis-igbinary
-      make -j $(nproc --all)
-      make install
-      echo "extension=redis" > /etc/php82/conf.d/20_redis.ini
-      rm -fr /tmpredis/phpredis
-      apk del --no-cache git php82-dev gcc make g++
-      cd /var/www/localhost/htdocs/openemr
-    fi
-
     # Support the following redis auth:
     #   No username and No password set (using redis default user with nopass set)
     #   Both username and password set (using the redis user and pertinent password)

diff --git a/kubernetes/README.md b/kubernetes/README.md
diff --git a/kubernetes/certs/redis-openemr-client.yaml b/kubernetes/certs/redis-openemr-client.yaml
@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: redis-openemr-client
+spec:
+  secretName: redis-openemr-client-certs
+  duration: 87660h # 10y
+  renewBefore: 360h # 15d
+  isCA: false
+  privateKey:
+    size: 2048
+    algorithm: RSA
+    encoding: PKCS1
+  usages:
+    - digital signature
+    - key encipherment
+    - client auth
+  subject:
+    organizations:
+      - openemr
+  commonName: openemr
+  issuerRef:
+    name: ca-issuer
+    kind: Issuer
+    group: cert-manager.io
diff --git a/kubernetes/certs/redis.yaml b/kubernetes/certs/redis.yaml
@@ -0,0 +1,33 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: redis
+spec:
+  secretName: redis-certs
+  duration: 87660h # 10y
+  renewBefore: 360h # 15d
+  isCA: false
+  privateKey:
+    size: 2048
+    algorithm: RSA
+    encoding: PKCS1
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  subject:
+    organizations:
+      - redis
+  commonName: redis
+  dnsNames:
+    - redis-0.redis
+    - redis-1.redis
+    - redis-2.redis
+    - redis-0.redis.default.svc.cluster.local
+    - redis-1.redis.default.svc.cluster.local
+    - redis-2.redis.default.svc.cluster.local
+  issuerRef:
+    name: ca-issuer
+    kind: Issuer
+    group: cert-manager.io
diff --git a/kubernetes/certs/sentinel.yaml b/kubernetes/certs/sentinel.yaml
@@ -0,0 +1,33 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sentinel
+spec:
+  secretName: sentinel-certs
+  duration: 87660h # 10y
+  renewBefore: 360h # 15d
+  isCA: false
+  privateKey:
+    size: 2048
+    algorithm: RSA
+    encoding: PKCS1
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+  subject:
+    organizations:
+      - sentinel
+  commonName: sentinel
+  dnsNames:
+    - sentinel-0.sentinel
+    - sentinel-1.sentinel
+    - sentinel-2.sentinel
+    - sentinel-0.sentinel.default.svc.cluster.local
+    - sentinel-1.sentinel.default.svc.cluster.local
+    - sentinel-2.sentinel.default.svc.cluster.local
+  issuerRef:
+    name: ca-issuer
+    kind: Issuer
+    group: cert-manager.io
diff --git a/kubernetes/kind-config-1-node.yaml b/kubernetes/kind-config-1-node.yaml
@@ -0,0 +1,10 @@
+# single node cluster config
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 30080
+    hostPort: 8800
+  - containerPort: 30443
+    hostPort: 9800
diff --git a/kubernetes/kind-config-4-nodes.yaml b/kubernetes/kind-config-4-nodes.yaml
@@ -1,25 +1,13 @@
 # four node (three workers) cluster config
-#   Supports shared volumes over different nodes, however, to support this,
-#   have hard-coded hostpath to use /tmp/hostpath-provisioner in this script
-#   and in the kind-pvc-hostpath.yaml (custom storage class) script.
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
-  extraMounts:
-  - hostPath: ./kind-pvc-hostpath.yaml
-    containerPath: /kind/manifests/default-storage.yaml
-  - hostPath: /tmp/hostpath-provisioner
-    containerPath: /tmp/hostpath-provisioner
-- role:  worker
-  extraMounts:
-  - hostPath: /tmp/hostpath-provisioner
-    containerPath: /tmp/hostpath-provisioner
-- role:  worker
-  extraMounts:
-  - hostPath: /tmp/hostpath-provisioner
-    containerPath: /tmp/hostpath-provisioner
+  extraPortMappings:
+  - containerPort: 30080
+    hostPort: 8800
+  - containerPort: 30443
+    hostPort: 9800
+- role: worker
+- role: worker
 - role: worker
-  extraMounts:
-  - hostPath: /tmp/hostpath-provisioner
-    containerPath: /tmp/hostpath-provisioner
diff --git a/kubernetes/kind-pvc-hostpath.yaml b/kubernetes/kind-pvc-hostpath.yaml
diff --git a/kubernetes/kub-down b/kubernetes/kub-down
@@ -8,24 +8,26 @@ kubectl delete \
     -f certs/mysql-replication.yaml \
     -f certs/mysql-openemr-client.yaml \
     -f certs/phpmyadmin.yaml \
-    -f certs/mysql-phpmyadmin-client.yaml
+    -f certs/mysql-phpmyadmin-client.yaml \
+    -f certs/redis.yaml \
+    -f certs/redis-openemr-client.yaml \
+    -f certs/sentinel.yaml
 
-kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
+kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.20.2/cert-manager.yaml
 
 kubectl delete \
     -f mysql/configmap.yaml \
     -f mysql/secret.yaml \
+    -f mysql/replication-secret.yaml \
     -f mysql/service.yaml \
     -f mysql/statefulset.yaml \
+    -f redis/secret.yaml \
     -f redis/configmap-main.yaml \
     -f redis/configmap-acl.yaml \
-    -f redis/configmap-pipy.yaml \
     -f redis/statefulset-redis.yaml \
     -f redis/statefulset-sentinel.yaml \
-    -f redis/deployment-redisproxy.yaml \
     -f redis/service-redis.yaml \
     -f redis/service-sentinel.yaml \
-    -f redis/service-redisproxy.yaml \
     -f phpmyadmin/configmap.yaml \
     -f phpmyadmin/deployment.yaml \
     -f phpmyadmin/service.yaml \
@@ -34,4 +36,11 @@ kubectl delete \
     -f volumes/website.yaml \
     -f openemr/secret.yaml \
     -f openemr/deployment.yaml \
-    -f openemr/service.yaml
+    -f openemr/service.yaml \
+    -f network/policies.yaml
+
+kubectl delete \
+    -f nfs/rbac.yaml \
+    -f nfs/storageclass.yaml \
+    -f nfs/service.yaml \
+    -f nfs/deployment.yaml