Merge branch 'main' into release/server/v1.0.0

johngrimes · johngrimes · commit e703e9bd6070 · 2026-01-21T12:38:25.000+10:00
# Conflicts:
#	site/docs/server/getting-started.md
diff --git a/.github/workflows/helm-cache-release.yml b/.github/workflows/helm-cache-release.yml
@@ -20,5 +20,8 @@ jobs:
       chart-name: pathling-cache
       tag-prefix: helm-cache-v
       version: ${{ inputs.version }}
+    secrets:
+      GPG_KEY: ${{ secrets.GPG_KEY }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
     permissions:
       contents: write
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
@@ -23,6 +23,13 @@ on:
         description: Chart version to release (for manual dispatch).
         required: false
         type: string
+    secrets:
+      GPG_KEY:
+        description: GPG private key for signing the chart.
+        required: true
+      GPG_PASSPHRASE:
+        description: Passphrase for the GPG private key.
+        required: true
 
 jobs:
   release-helm-chart:
@@ -38,6 +45,26 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v4
 
+      - name: Import GPG key
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          # Import the GPG key.
+          echo "$GPG_KEY" | gpg --batch --import
+
+          # Get the key ID.
+          KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep sec | head -1 | awk '{print $2}' | cut -d'/' -f2)
+          echo "KEY_ID=${KEY_ID}" >> $GITHUB_ENV
+
+          # Get the key name for Helm signing.
+          KEY_NAME=$(gpg --list-secret-keys --keyid-format LONG | grep uid | head -1 | sed 's/.*] //')
+          echo "KEY_NAME=${KEY_NAME}" >> $GITHUB_ENV
+
+          # Create legacy GPG keyring for Helm (which uses the old format).
+          mkdir -p ~/.gnupg
+          echo "$GPG_KEY" | gpg --batch --no-tty --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --export-secret-keys > ~/.gnupg/secring.gpg
+
       - name: Extract and validate version
         working-directory: ${{ inputs.chart-path }}
         env:
@@ -61,20 +88,35 @@ jobs:
 
           echo "Releasing chart version: ${VERSION}"
 
-      - name: Package chart
+      - name: Package and sign chart
         env:
           INPUT_CHART_PATH: ${{ inputs.chart-path }}
           INPUT_CHART_NAME: ${{ inputs.chart-name }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         run: |
-          helm package "$INPUT_CHART_PATH"
+          helm package "$INPUT_CHART_PATH" \
+            --sign \
+            --key "$KEY_NAME" \
+            --keyring ~/.gnupg/secring.gpg \
+            --passphrase-file <(echo "$GPG_PASSPHRASE")
           PACKAGE_NAME="${INPUT_CHART_NAME}-${VERSION}.tgz"
+          PROVENANCE_NAME="${INPUT_CHART_NAME}-${VERSION}.tgz.prov"
           echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_ENV
+          echo "PROVENANCE_NAME=${PROVENANCE_NAME}" >> $GITHUB_ENV
 
           if [ ! -f "$PACKAGE_NAME" ]; then
             echo "Error: Expected package ${PACKAGE_NAME} was not created"
             exit 1
           fi
 
+          if [ ! -f "$PROVENANCE_NAME" ]; then
+            echo "Error: Expected provenance file ${PROVENANCE_NAME} was not created"
+            exit 1
+          fi
+
+          echo "Created signed package: ${PACKAGE_NAME}"
+          echo "Created provenance file: ${PROVENANCE_NAME}"
+
       - name: Checkout gh-pages branch
         uses: actions/checkout@v4
         with:
@@ -91,6 +133,7 @@ jobs:
       - name: Add chart to repository
         run: |
           cp "${PACKAGE_NAME}" gh-pages/helm/
+          cp "${PROVENANCE_NAME}" gh-pages/helm/
           helm repo index gh-pages/helm/ --url https://pathling.csiro.au/helm --merge gh-pages/helm/index.yaml
 
       - name: Commit and push
diff --git a/.github/workflows/helm-server-release.yml b/.github/workflows/helm-server-release.yml
@@ -20,5 +20,8 @@ jobs:
       chart-name: pathling
       tag-prefix: helm-server-v
       version: ${{ inputs.version }}
+    secrets:
+      GPG_KEY: ${{ secrets.GPG_KEY }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
     permissions:
       contents: write
diff --git a/deployment/cache/chart/Chart.yaml b/deployment/cache/chart/Chart.yaml
@@ -7,5 +7,9 @@ apiVersion: v2
 name: pathling-cache
 description: A Varnish-based frontend cache optimised for use with Pathling
 type: application
-version: 0.1.0
+version: 1.0.0
 appVersion: "1.0.0"
+annotations:
+  artifacthub.io/signKey: |
+    fingerprint: F814751C64B5F5E708A8C73FC3C6291FED48678D
+    url: https://pathling.csiro.au/helm/pubkey.asc
diff --git a/deployment/cache/chart/values.schema.json b/deployment/cache/chart/values.schema.json
@@ -0,0 +1,132 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema#",
+  "title": "Pathling Cache Helm Chart Values",
+  "description": "Configuration values for deploying Pathling Cache on Kubernetes",
+  "type": "object",
+  "properties": {
+    "pathlingCache": {
+      "type": "object",
+      "description": "Pathling cache configuration",
+      "properties": {
+        "image": {
+          "type": "string",
+          "description": "Docker image for the Pathling cache",
+          "default": "ghcr.io/aehrc/pathling-cache:latest"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "description": "Image pull policy for the container",
+          "enum": ["Always", "IfNotPresent", "Never"],
+          "default": "IfNotPresent"
+        },
+        "replicas": {
+          "type": "integer",
+          "description": "Number of cache replicas to deploy",
+          "minimum": 1,
+          "default": 1
+        },
+        "pathlingHost": {
+          "type": ["string", "null"],
+          "description": "Hostname of the Pathling server to cache (required)"
+        },
+        "pathlingPort": {
+          "type": ["integer", "null"],
+          "description": "Port of the Pathling server to cache (required)"
+        },
+        "service": {
+          "type": "object",
+          "description": "Kubernetes service configuration",
+          "properties": {
+            "type": {
+              "type": "string",
+              "description": "Service type",
+              "enum": ["ClusterIP", "NodePort", "LoadBalancer"],
+              "default": "ClusterIP"
+            },
+            "port": {
+              "type": "integer",
+              "description": "Service port",
+              "default": 80
+            }
+          }
+        },
+        "resources": {
+          "type": "object",
+          "description": "Resource requirements and limits for the cache pod",
+          "properties": {
+            "requests": {
+              "type": "object",
+              "description": "Resource requests for scheduling",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "integer"],
+                  "description": "CPU request (e.g., '100m' or '1')"
+                },
+                "memory": {
+                  "type": "string",
+                  "description": "Memory request (e.g., '128Mi')"
+                }
+              }
+            },
+            "limits": {
+              "type": "object",
+              "description": "Resource limits for the container",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "integer"],
+                  "description": "CPU limit (e.g., '200m' or '1')"
+                },
+                "memory": {
+                  "type": "string",
+                  "description": "Memory limit (e.g., '256Mi')"
+                }
+              }
+            }
+          },
+          "default": {}
+        },
+        "tolerations": {
+          "type": "array",
+          "description": "Tolerations for pod scheduling",
+          "items": {
+            "type": "object",
+            "properties": {
+              "key": {
+                "type": "string",
+                "description": "Toleration key"
+              },
+              "operator": {
+                "type": "string",
+                "description": "Toleration operator",
+                "enum": ["Exists", "Equal"]
+              },
+              "value": {
+                "type": "string",
+                "description": "Toleration value"
+              },
+              "effect": {
+                "type": "string",
+                "description": "Toleration effect",
+                "enum": ["NoSchedule", "PreferNoSchedule", "NoExecute"]
+              }
+            }
+          },
+          "default": []
+        },
+        "affinity": {
+          "type": "object",
+          "description": "Affinity rules for pod scheduling",
+          "default": {}
+        },
+        "nodeSelector": {
+          "type": "object",
+          "description": "Node selector for pod scheduling",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "default": {}
+        }
+      }
+    }
+  }
+}
diff --git a/deployment/helm/pathling/Chart.yaml b/deployment/helm/pathling/Chart.yaml
@@ -3,7 +3,7 @@ name: pathling
 description: A Helm chart for Pathling Server
 icon: https://raw.githubusercontent.com/aehrc/pathling/main/media/logo-icon-colour-detail.svg
 type: application
-version: 1.0.2
+version: 2.0.0
 maintainers:
   - name: John Grimes
     email: John.Grimes@csiro.au
@@ -15,3 +15,7 @@ keywords:
   - standards
   - fhir
   - terminology
+annotations:
+  artifacthub.io/signKey: |
+    fingerprint: F814751C64B5F5E708A8C73FC3C6291FED48678D
+    url: https://pathling.csiro.au/helm/pubkey.asc
diff --git a/deployment/helm/pathling/values.schema.json b/deployment/helm/pathling/values.schema.json
