zaakbrug

A Helm chart for running ZaakBrug on Kubernetes

2.1.48

🌉 ZaakBrug

An app for Dutch municipalities that supports the transition from "zaak- en documentatieservices" (zds) to "zaakgericht werken" (zgw).

ZaakBrug source on GitHub

Usage

Helm must be installed to use the charts. Please refer to Helm's documentation to get started.

Once Helm has been set up correctly, add the repo as follows:

helm repo add wearefrank https://wearefrank.github.io/charts

If you had already added this repo earlier, run helm repo update to retrieve the latest versions of the packages. You can then run helm search repo wearefrank to see the charts.

To install the ZaakBrug chart:

helm install zaakbrug wearefrank/zaakbrug

To uninstall the chart:

helm delete zaakbrug

Parameters

Common parameters

| Name | Description | Value |
| --- | --- | --- |
| nameOverride | String to partially override ff-common.fullname template (will maintain the release name) | "" |
| fullnameOverride | String to fully override ff-common.fullname template | "" |

Frank!Framework image parameters

| Name | Description | Value |
| --- | --- | --- |
| image.registry | Frank!Framework image registry | wearefrank |
| image.repository | Frank!Framework image repository | zaakbrug |
| image.tag | Frank!Framework image tag (immutable tags are recommended) | "" |
| image.pullPolicy | Frank!Framework image pull policy | IfNotPresent |
| image.pullSecrets | Frank!Framework image pull secrets | [] |

Frank! Configuration parameters

| Name | Description | Value |
| --- | --- | --- |
| frank.memory.percentage | Set if the values for the memory are in percentages | false |
| frank.memory.minimum | Sets the initial size of the heap that will be used by the Frank!Framework | 4G |
| frank.memory.maximum | Sets the maximum size of the heap that will be used by the Frank!Framework | 4G |
| frank.dtap.stage | (Required) Set the DTAP stage. Options: LOC, DEV, TST, ACC, PRD | "" |
| frank.dtap.side | Set the DTAP side of where the instance is running | "" |
| frank.credentials.secret | Set the secret name of the existing secret | "" |
| frank.credentials.key | Set the key inside the secret that contains the data (e.g. credentials.properties) | "" |
| frank.instance.name | Set the name of the Frank! instance (default is the fullname) | "" |
| frank.configurations.names | Set the configurations to load. Leave empty to use the default | [] |
| frank.security.certificateStores | Define certificate (key/trust) stores to mount in the resources folder of the Frank! | [] |
| frank.security.certificateStores.secretName | Name of the secret where the certificate store is located | "" |
| frank.security.certificateStores.key | The key in the secret where the certificate store is located | "" |
| frank.security.certificateStores.resourceUrl | The path to the certificate store in the Resource folder, the key will be used as default value | undefined |
| frank.security.http.authentication | Set http authentication for the Frank! | false |
| frank.security.http.localUsers | Set localUsers who can log in on the Frank! | [] |
| frank.security.http.localUsers.username | Set the username of the user | "" |
| frank.security.http.localUsers.password | Set the password of the user | "" |
| frank.security.http.localUsers.roles | Set the roles of the user. Options: IbisTester, IbisDataAdmin, IbisAdmin, IbisWebService, IbisObserver | [] |
| frank.security.http.activeDirectory.enabled | Enable Active Directory for authentication | false |
| frank.security.http.activeDirectory.url | Set url for Active Directory | "" |
| frank.security.http.activeDirectory.baseDn | Set baseDn for Active Directory users | "" |
| frank.security.http.activeDirectory.roleMapping.tester | Map the role for Tester | "" |
| frank.security.http.activeDirectory.roleMapping.dataAdmin | Map the role for DataAdmin | "" |
| frank.security.http.activeDirectory.roleMapping.admin | Map the role for Admin | "" |
| frank.security.http.activeDirectory.roleMapping.webService | Map the role for WebService | "" |
| frank.security.http.activeDirectory.roleMapping.observer | Map the role for Observer | "" |
| frank.server.transactionManager | Set the transaction manager for Tomcat. Options: NARAYANA, BTM, `` | "" |
| frank.environmentVariables | Set extra environment variables for the Frank! | {} |
| frank.javaOpts | Append custom options to the JAVA_OPTS environment variable for the Frank! | "" |

Frank!Framework Connection parameters

| Name | Description | Value |
| --- | --- | --- |
| connections.create | Create a context.xml and possibly overwrite the existing one, to configure the connections/resources. | true |
| connections.jdbc | Set multiple database connections. One connection should have an empty name, so it'll get picked up by default (unless jdbc.required=false is set) | [] |
| connections.jdbc.name | Name of the connection (leave empty to use default: jdbc/${.Values.instance.name} in lowercase) | "" |
| connections.jdbc.type | DBMS type. Options: oracle, mssql, mysql, mariadb, postgresql, db2, mongodb | "" |
| connections.jdbc.host | Host of where the database can be reached (like in the same cluster e.g. <service>.<namespace>.svc.cluster.local) | "" |
| connections.jdbc.post | Port for the database (leave empty for default) | "" |
| connections.jdbc.database | Name of the database to use (default is .Values.instance.name) | "" |
| connections.jdbc.username | Username to connect to the database (or use string template for use with credentials e.g. ${database/username}) | "" |
| connections.jdbc.password | Password to connect to the database (or use string template for use with credentials e.g. ${database/password}) | "" |
| connections.jdbc.ssl | Set to true if the connection uses SSL, default is false | "" |
| connections.jms | Set multiple message services | [] |
| connections.jms.name | Name of the connection (leave empty to use default: jms/${.Values.instance.name} in lowercase) | "" |
| connections.jms.type | MQ type. Options: artemis, activemq | "" |
| connections.jms.host | Host of where the MQ can be reached (like in the same cluster e.g. <service>.<namespace>.svc.cluster.local) | "" |
| connections.jms.post | Port for the MQ (leave empty for default) | "" |

Frank!Framework deployment parameters

The startup probe enables blue-green deployments, which are great for uptime during upgrades and such. It (and the liveness probe) checks whether the console is accessible, until a better health endpoint is available. The readiness probe checks whether all adapters are running, using the server health endpoint.

| Name | Description | Value |
| --- | --- | --- |
| replicaCount | Number of Frank!Framework replicas to deploy | 1 |
| startupProbe.initialDelaySeconds | Initial delay seconds for startupProbe | 40 |
| startupProbe.periodSeconds | Period seconds for startupProbe | 10 |
| startupProbe.timeoutSeconds | Timeout seconds for startupProbe | 1 |
| startupProbe.failureThreshold | Failure threshold for startupProbe | 12 |
| startupProbe.successThreshold | Success threshold for startupProbe | 1 |
| livenessProbe.initialDelaySeconds | Initial delay seconds for livenessProbe | 0 |
| livenessProbe.periodSeconds | Period seconds for livenessProbe | 10 |
| livenessProbe.timeoutSeconds | Timeout seconds for livenessProbe | 1 |
| livenessProbe.failureThreshold | Failure threshold for livenessProbe | 12 |
| livenessProbe.successThreshold | Success threshold for livenessProbe | 1 |
| readinessProbe.initialDelaySeconds | Initial delay seconds for readinessProbe | 0 |
| readinessProbe.periodSeconds | Period seconds for readinessProbe | 5 |
| readinessProbe.timeoutSeconds | Timeout seconds for readinessProbe | 1 |
| readinessProbe.failureThreshold | Failure threshold for readinessProbe | 3 |
| readinessProbe.successThreshold | Success threshold for readinessProbe | 1 |
| probesEnabled | Toggle probes. This should only be used if a Frank! needs to be kept while in a bad state (for debugging purposes) | {} |
| probesEnabled.startupProbe | Toggle startupProbe | {} |
| probesEnabled.livenessProbe | Toggle livenessProbe | {} |
| probesEnabled.readinessProbe | Toggle readinessProbe | {} |
| resources | Set the resources for the Frank!Framework containers | {} |
| resources.limits | The resources limits for the Frank!Framework containers | "" |
| resources.requests.memory | The requested memory for the Frank!Framework containers | "" |
| resources.requests.cpu | The requested cpu for the Frank!Framework containers | "" |
| terminationGracePeriodSeconds | Number of seconds after which pods are forcefully killed. Note: Lower values may cause running adapters to fail | 60 |
| nodeSelector | Node labels for pod assignment | {} |
| tolerations | Set tolerations for pod assignment | [] |
| affinity | Set affinity for pod assignment | {} |
| timeZone | used for database connection and log timestamps | Etc/UTC |

Traffic Exposure Parameters

| Name | Description | Value |
| --- | --- | --- |
| service.type | Frank!Framework service type | ClusterIP |
| service.port | Frank!Framework service port | 80 |
| ingress.enabled | Enable ingress record generation for Frank! | false |
| ingress.className | IngressClass that will be used to implement the Ingress (Kubernetes 1.18+) | "" |
| ingress.annotations | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
| ingress.hosts | Set hosts for ingress | [] |
| ingress.hosts.host | Set hostname | "" |
| ingress.hosts.paths | Set multiple paths | [] |
| ingress.hosts.paths.path | Set path (context url) | "" |
| ingress.hosts.paths.pathType | Set type of path | "" |
| ingress.tls | Define tls secrets for hosts (implementation not done yet) | [] |

Other Parameters

| Name | Description | Value |
| --- | --- | --- |
| serviceAccount.create | Enable creation of ServiceAccount for Frank!Framework pod | true |
| serviceAccount.annotations | Additional custom annotations for the ServiceAccount | {} |
| serviceAccount.name | The name of the ServiceAccount to use. | "" |
| podAnnotations | Annotations for Frank!Framework pods | {} |
| podLabels | Extra labels for Frank!Framework pods | {} |
| podSecurityContext | Set Frank!Framework pod's Security Context | {} |
| securityContext | Set Frank!Framework container's Security Context | {} |

Persistence

Persistence is used for keeping heap dumps. They can be found at /heap-dumps with persistence enabled. Otherwise, they can be found at /usr/local/tomcat/logs

| Name | Description | Value |
| --- | --- | --- |
| persistence.enabled | Enable persistence using Persistent Volume Claims | false |
| persistence.storageClass | Persistent Volume storage class | "" |
| persistence.accessModes | Persistent Volume access modes | [] |
| persistence.size | Persistent Volume size | 5Gi |
| persistence.dataSource | Custom PVC data source | {} |
| persistence.existingClaim | The name of an existing PVC to use for persistence | "" |
| persistence.selector | Selector to match an existing Persistent Volume for the Frank!Framework's data PVC | {} |
| persistence.annotations | Persistent Volume Claim annotations | {} |

ZaakBrug

The following sections cover the configuration of ZaakBrug.

| Name | Description | Value |
| --- | --- | --- |
| zaakbrug.zds.timezone | The timezone of the receiving zds service | Etc/UTC |
| zaakbrug.soap.beantwoordVraag.endpoint | Set the endpoint the service should be available at | translate/generic/zds/BeantwoordVraag |
| zaakbrug.soap.beantwoordVraag.validationSoftFail | Incoming messages are validated, if set to true the message still gets processed if it fails | false |
| zaakbrug.soap.beantwoordVraag_v2.endpoint | Set the endpoint the service should be available at | translate/generic/zds/v2/BeantwoordVraag |
| zaakbrug.soap.beantwoordVraag_v2.validationSoftFail | Incoming messages are validated, if set to true the message still gets processed if it fails | false |
| zaakbrug.soap.ontvangAsynchroon.endpoint | Set the endpoint the service should be available at | translate/generic/zds/OntvangAsynchroon |
| zaakbrug.soap.ontvangAsynchroon.validationSoftFail | Incoming messages are validated, if set to true the message still gets processed if it fails | false |
| zaakbrug.soap.ontvangAsynchroonMutatie_v2.endpoint | Set the endpoint the service should be available at | translate/generic/zds/v2/OntvangAsynchroonMutatie |
| zaakbrug.soap.ontvangAsynchroonMutatie_v2.validationSoftFail | Incoming messages are validated, if set to true the message still gets processed if it fails | false |
| zaakbrug.soap.ontvangAsynchroonOverdragen_v2.endpoint | Set the endpoint the service should be available at | translate/generic/zds/v2/OntvangAsynchroonOverdragen |
| zaakbrug.soap.ontvangAsynchroonOverdragen_v2.validationSoftFail | Incoming messages are validated, if set to true the message still gets processed if it fails | false |
| zaakbrug.soap.vrijeBerichten.endpoint | Set the endpoint the service should be available at | translate/generic/zds/VrijBericht |
| zaakbrug.soap.vrijeBerichten.validationSoftFail | Incoming messages are validated, if set to true the message still gets processed if it fails | false |
| zaakbrug.soap.vrijeBerichten_v2.endpoint | Set the endpoint the service should be available at | translate/generic/zds/v2/VrijBericht |
| zaakbrug.soap.vrijeBerichten_v2.validationSoftFail | Incoming messages are validated, if set to true the message still gets processed if it fails | false |

Identificatie Templates

Templates used for generating zaak- and documentidentificatie.
The syntax for variable substitution is as follows: {[variable-name]}

Variables:

  • id: Auto-incrementing identifier with 'D' as formatting option, indicating the number of digits. Example: {id:D5} with id=123 will result in '00123'
  • datetime: The current date and time with '[Y' as formatting option, according to https://www.oreilly.com/library/view/xslt-2nd-edition/9780596527211/ch04s05.html. Only 'Y0001' is currently implemented. Example: {datetime:Y001} with datetime=14-03-2023 produces '2023'

| Name | Description | Value |
| --- | --- | --- |
| zaakbrug.zgw.zaakIdentificatieTemplate | Template for zaakidentificatie | ZK{datetime:[Y0001]}-{id:D5} |
| zaakbrug.zgw.documentIdentificatieTemplate | Template for documentidentificatie | DC{datetime:[Y0001]}-{id:D5} |
| zaakbrug.zgw.besluitIdentificatieTemplate | Template for besluitidentificatie | BS{datetime:[Y0001]}-{id:D5} |
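
How the default templates above expand, as an added example (not ZaakBrug's own implementation): a small renderer that follows the {variable:format} syntax of the chart defaults and rejects anything else, so a mistyped template is caught before it is deployed. The names render, next_id and now are assumptions made for this sketch.

```python
import re
from datetime import datetime

# One {variable:format} token, e.g. {id:D5} or {datetime:[Y0001]}
TOKEN = re.compile(r"\{(?P<var>[A-Za-z]+):(?P<fmt>[^{}]+)\}")


def render(template, next_id, now):
    """Expand the id and datetime variables of an identificatie template.

    next_id stands in for the auto-incrementing identifier and now for the
    current date and time (both hypothetical parameter names).
    """
    def expand(match):
        var, fmt = match.group("var"), match.group("fmt")
        if var == "id":
            digits = re.fullmatch(r"D(\d+)", fmt)
            if not digits:
                raise ValueError(f"unsupported id format: {fmt!r}")
            # Zero-pad to the requested width. An id wider than that is kept
            # whole (assumption: the README does not describe overflow).
            return str(next_id).zfill(int(digits.group(1)))
        if var == "datetime":
            # Only the year picture used in the chart defaults is accepted.
            if fmt != "[Y0001]":
                raise ValueError(f"unsupported datetime format: {fmt!r}")
            return f"{now.year:04d}"
        raise ValueError(f"unknown variable: {var!r}")

    return TOKEN.sub(expand, template)


if __name__ == "__main__":
    # Constructed inputs matching the README examples: id=123, 14-03-2023.
    when = datetime(2023, 3, 14)
    for tpl in ("ZK{datetime:[Y0001]}-{id:D5}", "DC{datetime:[Y0001]}-{id:D5}"):
        print(tpl, "->", render(tpl, 123, when))
```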

Api Endpoints

Make sure that all URLs contain two "parts", e.g. openzaak-nginx.zaakbrug. OpenZaak can't use a single-part domain.

| Name | Description | Value |
| --- | --- | --- |
| zaakbrug.zgw.zakenApi.rootUrl | Endpoint for the zaken API | http://open-zaak/zaken/api/v1/ |
| zaakbrug.zgw.zakenApi.authType | Options: 'jwt', 'basic', 'value'. 'value' uses the password field of the given authAlias as Authorization header | jwt |
| zaakbrug.zgw.zakenApi.authAlias | Reference to an auth alias configured in credentials.properties | zaken-api.jwt |
| zaakbrug.zgw.zakenApi.timeout | Set timeout for the zaken API | 20000 |
| zaakbrug.zgw.catalogiApi.rootUrl | Endpoint for the catalogi API | http://open-zaak/catalogi/api/v1/ |
| zaakbrug.zgw.catalogiApi.authType | Options: 'jwt', 'basic', 'value'. 'value' uses the password field of the given authAlias as Authorization header | jwt |
| zaakbrug.zgw.catalogiApi.authAlias | Reference to an auth alias configured in credentials.properties | zaken-api.jwt |
| zaakbrug.zgw.catalogiApi.timeout | Set timeout for the catalogi API | 20000 |
| zaakbrug.zgw.documentenApi.rootUrl | Endpoint for the documenten API | http://open-zaak/documenten/api/v1/ |
| zaakbrug.zgw.documentenApi.authType | Options: 'jwt', 'basic', 'value'. 'value' uses the password field of the given authAlias as Authorization header | jwt |
| zaakbrug.zgw.documentenApi.authAlias | Reference to an auth alias configured in credentials.properties | zaken-api.jwt |
| zaakbrug.zgw.documentenApi.timeout | Set timeout for the documenten API | 20000 |
| zaakbrug.zgw.besluitenApi.rootUrl | Endpoint for the besluiten API | http://open-zaak/besluiten/api/v1/ |
| zaakbrug.zgw.besluitenApi.authType | Options: 'jwt', 'basic', 'value'. 'value' uses the password field of the given authAlias as Authorization header | jwt |
| zaakbrug.zgw.besluitenApi.authAlias | Reference to an auth alias configured in credentials.properties | zaken-api.jwt |
| zaakbrug.zgw.besluitenApi.timeout | Set timeout for the besluiten API | 20000 |

Globals

| Name | Description | Value |
| --- | --- | --- |
| zaakbrug.globals.organizations | Map gemeentecode and RSIN | [] |
| zaakbrug.globals.organizations.gemeenteNaam | Name for organisation | "" |
| zaakbrug.globals.organizations.gemeenteCode | Gemeentecode to map to RSIN | "" |
| zaakbrug.globals.organizations.RSIN | RSIN to be mapped to gemeentecode | "" |

Profiles

| Name | Description | Value |
| --- | --- | --- |
| zaakbrug.profiles.profile | Translation profile, specific per zaakType | [] |
| zaakbrug.profiles.profile.zaakTypeIdentificatie | Zaaktype the profile is for | "" |
| zaakbrug.profiles.profile.endCaseEndDate |  | undefined |
| zaakbrug.profiles.profile.endCaseEndDate.coalesceResultaat | Options: Onbekend, Toegekend | "" |
| zaakbrug.profiles.profile.endDateAndResultLastStatus |  | undefined |
| zaakbrug.profiles.profile.endDateAndResultLastStatus.coalesceResultaat | Options: Onbekend, Toegekend | "" |

Staging

Staging is needed if you want to use zgw-to-zds.

The following sections cover configuring OpenZaak (used as staging zaaksysteem) and the API proxy.
Ref: https://open-zaak.readthedocs.io/en/stable/installation/kubernetes.html

OpenZaak needs a Postgres database with PostGIS.
Ref: https://open-zaak.readthedocs.io/en/stable/installation/prerequisites.html#postgresql-with-postgis

| Name | Description | Value |
| --- | --- | --- |
| staging.enabled | Enable the staging environment | false |
| staging.image.tag | Version of OpenZaak | 1.9.0 |
| staging.zakenApi.rootUrl | Endpoint of the zaken API of the staging zaaksysteem | http://zaakbrug-staging-nginx.zaakbrug/zaken/api/v1/ |
| staging.documentenApi.rootUrl | Endpoint of the documenten API of the staging zaaksysteem | http://zaakbrug-staging-nginx.zaakbrug/documenten/api/v1/ |
| staging.catalogiApi.rootUrl | Endpoint of the catalogi API of the staging zaaksysteem | http://zaakbrug-staging-nginx.zaakbrug/catalogi/api/v1/ |
| staging.besluitenApi.rootUrl | Endpoint of the besluiten API of the staging zaaksysteem | http://zaakbrug-staging-nginx.zaakbrug/besluiten/api/v1/ |
| staging.extraEnvVars | Extra environment variables that should be set on the zaaksysteem. The notifications should be disabled | [] |
| staging.extraEnvVars.name | Name of the variable | "" |
| staging.extraEnvVars.value | Value of the variable | undefined |
| staging.settings.useXForwardedHost | Add X-Forwarded-Host to proxy header. Leave this to false, so absolute URLs make their way through the reverse proxies. | false |
| staging.settings.debug | Set the debug mode of the zaaksysteem | false |
| staging.settings.allowedHosts | Set the (v)hosts that need to be accessible for OpenZaak. Add the ingress route if you have one. Change the service names and include namespace | zaakbrug-staging.zaakbrug,zaakbrug-staging-nginx.zaakbrug,zaakbrug-staging.zaakbrug.svc.cluster.local,zaakbrug-staging-nginx.svc.cluster.local,localhost |
| staging.settings.secretKey | Secret key that's used for certain cryptographic utilities. Use Djecrety to generate one | "" |
| staging.settings.database.host | Host for the database | "" |
| staging.settings.database.port | Port for the database | 5432 |
| staging.settings.database.username | User to log in to the database | "" |
| staging.settings.database.password | Password for the user | "" |
| staging.settings.database.name | Name of the database | "" |
| staging.settings.database.sslmode | Configure SSLMode | prefer |
| staging.persistence.enabled | Toggle persistence for the staging zaaksysteem | true |
| staging.persistence.storageClassName | Configure which storage class should be used | "" |
| staging.apiProxy.nameOverride | String to partially override zaakbrug.apiProxyFullname template (will maintain the release name) | "" |
| staging.apiProxy.fullnameOverride | String to fully override zaakbrug.apiProxyFullname template | "" |
| staging.apiProxy.replicaCount | Number of API proxy replicas to deploy | 1 |
| staging.apiProxy.podAnnotations | Annotations for API proxy pods | {} |
| staging.apiProxy.podLabels | Extra labels for API proxy pods | {} |
| staging.apiProxy.securityContext | Set API proxy container's Security Context | {} |
| staging.apiProxy.image.registry | API proxy image registry | "" |
| staging.apiProxy.image.repository | API proxy image repository | nginxinc/nginx-unprivileged |
| staging.apiProxy.image.tag | API proxy image tag (immutable tags are recommended) | stable |
| staging.apiProxy.image.pullPolicy | API proxy image pull policy | IfNotPresent |
| staging.apiProxy.image.pullSecrets | API proxy image pull secrets | [] |
| staging.apiProxy.resources | Set the resources for the API proxy containers | {} |
| staging.apiProxy.resources.limits | The resources limits for the API proxy containers | "" |
| staging.apiProxy.resources.requests.memory | The requested memory for the API proxy containers | "" |
| staging.apiProxy.resources.requests.cpu | The requested cpu for the API proxy containers | "" |
| staging.apiProxy.existingConfigmap | Set the name of an existing config-map to use as configuration for the API proxy | "" |
| staging.apiProxy.service.type | API proxy service type | ClusterIP |
| staging.apiProxy.service.port | API proxy service port | 80 |
| staging.apiProxy.service.annotations | Annotations for the API proxy service | {} |
| staging.apiProxy.ingress.enabled | Enable ingress record generation for Frank! | false |
| staging.apiProxy.ingress.className | IngressClass that will be used to implement the Ingress (Kubernetes 1.18+) | "" |
| staging.apiProxy.ingress.annotations | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
| staging.apiProxy.ingress.hosts | Set hosts for ingress | [] |
| staging.apiProxy.ingress.hosts.host | Set hostname | "" |
| staging.apiProxy.ingress.hosts.paths | Set multiple paths | [] |
| staging.apiProxy.ingress.hosts.paths.path | Set path (context url) | "" |
| staging.apiProxy.ingress.hosts.paths.pathType | Set type of path | "" |
| staging.apiProxy.ingress.tls | Define tls secrets for hosts (implementation not done yet) | [] |

Configuration and installation details

DTAP Stage

The Frank!Framework will start with different settings enabled, depending on what DTAP stage is configured.

For more information about DTAP stages read: https://frank-manual.readthedocs.io/en/latest/deploying/dtapAndProperties.html
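
A pre-deployment check over the values passed to this chart, as an added example (not part of the chart or the ZaakBrug project): it applies the options and defaults from the parameter tables above and reports the required DTAP stage, disabled HTTP authentication, literal JDBC passwords, soft-fail validation and mutable image tags. The function names, the sample values and the choice of latest/stable as mutable tags are assumptions.

```python
import re

# Options and defaults below are the ones listed in the parameter tables above.
DTAP_STAGES = {"LOC", "DEV", "TST", "ACC", "PRD"}
CREDENTIAL_REF = re.compile(r"^\$\{[^{}]+\}$")   # e.g. ${database/password}
MUTABLE_TAGS = {"latest", "stable"}              # assumption: tags treated as mutable


def get(values, path, default=None):
    """Walk a dotted path through nested dicts; fall back to the chart default."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(values):
    """Return (parameter, finding) tuples for settings worth a second look."""
    out = []
    if get(values, "frank.dtap.stage", "") not in DTAP_STAGES:
        out.append(("frank.dtap.stage", "required: LOC, DEV, TST, ACC or PRD"))
    if not get(values, "frank.security.http.authentication", False):
        out.append(("frank.security.http.authentication", "HTTP authentication disabled"))
    for i, conn in enumerate(get(values, "connections.jdbc", []) or []):
        pw = str(conn.get("password", ""))
        if pw and not CREDENTIAL_REF.match(pw):
            out.append((f"connections.jdbc[{i}].password",
                        "literal password; use a ${...} credential reference"))
    for name, svc in (get(values, "zaakbrug.soap", {}) or {}).items():
        if svc.get("validationSoftFail", False):
            out.append((f"zaakbrug.soap.{name}.validationSoftFail",
                        "messages failing validation are still processed"))
    if get(values, "image.tag", "") in MUTABLE_TAGS:
        out.append(("image.tag", "mutable tag; immutable tags are recommended"))
    if get(values, "staging.enabled", False):
        if get(values, "staging.apiProxy.image.tag", "stable") in MUTABLE_TAGS:
            out.append(("staging.apiProxy.image.tag",
                        "mutable tag; immutable tags are recommended"))
        if get(values, "staging.settings.debug", False):
            out.append(("staging.settings.debug", "debug mode enabled"))
        if not get(values, "staging.settings.secretKey", ""):
            out.append(("staging.settings.secretKey", "no secret key set"))
    return out


# Constructed sample values (not from a real deployment).
SAMPLE = {
    "frank": {"dtap": {"stage": "PROD"}, "security": {"http": {"authentication": True}}},
    "connections": {"jdbc": [
        {"name": "", "type": "postgresql", "password": "${database/password}"},
        {"name": "jdbc/archive", "type": "postgresql", "password": "hunter2"},
    ]},
    "zaakbrug": {"soap": {"beantwoordVraag": {"validationSoftFail": True},
                          "vrijeBerichten": {"validationSoftFail": False}}},
    "staging": {"enabled": True, "settings": {"secretKey": "x" * 50}},
}

if __name__ == "__main__":
    for param, finding in audit(SAMPLE):
        print(f"{param}: {finding}")
```

Load the merged values (for example from a parsed values file) into a dict and pass it to audit; an empty result means none of these checks fired.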

Notable changes

2.0.11

The .Values.frank.memory notation has been changed. It is now possible to define a minimum and a maximum, and to set percentages.

2.0.10

The .Values.frank.dtap.stage and .Values.frank.dtap.side are now empty by default.

  • .Values.frank.dtap.stage is now required and should be set to the right stage. Read more in the Installation details
  • .Values.frank.dtap.side will default to the release namespace deployed in.

Application Version

1.22.0

Chart Versions

2.1.48 - 01/10/2024
2.1.47 - 13/09/2024
2.1.46 - 13/09/2024
2.1.45 - 04/09/2024
2.1.44 - 03/09/2024
2.1.43 - 30/08/2024
2.1.42 - 26/07/2024
2.1.41 - 19/07/2024
2.1.40 - 17/07/2024
2.1.39 - 16/07/2024