| Excerpt |
|---|
This page describes the third-party tools (e.g. Jeager, Docker Repository, Splunk) used for e.g. log analysis and tracing. |
...
| Code Block | ||
|---|---|---|
| ||
{Vendor Short Name}-{Application Short Name}/* |
Deployment specified as code
The deployment and configuration is are defined in a dedicated git repository for each solution.
The git repository is hosted on the eHealth infrastructure , and is named:
| Code Block | ||
|---|---|---|
| ||
{Vendor Short Name}-{Application Short Name}/helmsman |
This repository contains a valuesvalue.yaml file for each environment that the solution can be deployed to, containing the specific values for this environment, if any.
A deployment pipeline is connected to this repository, following the outline described in Development and deployment cycle.
Docker Image hosting
Each solution is given a docker repository hosted on the eHealth Platform. It is only possible and allowed to deploy images to the different environments from this docker repository.
...
All images in the docker repository is are scanned for known security problems. And when any new security problems are found it is the responsibility of the Vendor to build a new image, push it, test it, and make sure it is deployed.
See Docker Base Images for requirements for the image and security risk mitigation.
The Docker repository is named:
| Code Block |
|---|
{Vendor Short Name}-{Application Short Name}/bff |
Helm Chart repository
The vendor is given access to the helm chart repository hosted by the eHealth Platform.
This repository contains the only helm chart that the vendor is allowed to use to deploy their applications on the platform. The chart should be complete enough to run the application, with different configuration configurations for values, health endpoints, resource usage etc.
See Helm Charts for more info about the chart.
Kubernetes namespace
All applications on the platform is are hosted on Kubernetes. To enforce separation between applications and to harden the security on the platform each application will have it’s its own Kubernetes namespace.
From this namespace, only communication to other specified namespaces is allowed.
This is at the moment only the
ehealth-publicnamespace.
Likewise, only communication to whitelisted services outside the eHealth Platform is allowed.
Please contact FUT-S Contact Information if new white - listings are needed
Namespace is named:
| Code Block |
|---|
{Vendor Short Name}-{Application Short Name} |
Splunk Central Logging
The vendor is given access to a central log collection where the vendor can query and access logs, audits and metrics collected from the application.
The vendor do does not have access to logs for the rest of the platform services, or from other applications.
When moving up through the different environments, the access will be less and less to protect against unwanted data disclosure.
Indexes available isare:
| Code Block |
|---|
{environment}_k8s_{Vendor Short Name}-{Application Short Name}_application
{environment}_k8s_{Vendor Short Name}-{Application Short Name}_audit
{environment}_k8s_{Vendor Short Name}-{Application Short Name}_metrics |
See also Logging model for logging requirements.
See also Using Splunk for a short introduction on how to use Splunk.
Jaeger tracing
In the test environment environments, the vendor is given access to a common tracing system where a call and the response times of each involved service can be found. This is possible when all involved services has have implemented the header propagation as described in Call Tracing
In production the , access to tracedata will be trace data is limited.
A GUI presenting the collected data for i.e. EXTTEST car can be accessed here https://jaeger.admin.exttest.ehealth.sundhed.dk/search