Useful third-party tools in the eHealth Infrastructure

Owned by Frederik Mogensen (Unlicensed)
Last updated: 15-11-2023 by John SchneiderVersion comment
3 min read

This page describes the third-party tools (e.g. Jeager, Docker Repository, Splunk) used e.g. log analysis and tracing.

When hosting a Telemedicine Solution including a potential BFF on the eHealth platform, you will be given access to the following tools.

These tools will for most cases follow a naming scheme based on:

{Vendor Short Name}-{Application Short Name}/*

Deployment specified as code

The deployment and configuration are defined in a dedicated git repository for each solution.

The git repository is hosted on the eHealth infrastructure and is named:

{Vendor Short Name}-{Application Short Name}/helmsman

This repository contains a value.yaml file for each environment that the solution can be deployed to, containing the specific values for this environment, if any.

A deployment pipeline is connected to this repository, following the outline described in Development and deployment cycle.

Docker Image hosting

Each solution is given a docker repository hosted on the eHealth Platform. It is only possible and allowed to deploy images to the different environments from this docker repository.

This docker repository is not meant for all development builds, but only for images that the vendor has tested and validated internally, and that the vendor believes are ready for testing and QA.

All images in the docker repository are scanned for known security problems. And when any new security problems are found it is the responsibility of the Vendor to build a new image, push it, test it, and make sure it is deployed.

See Docker Base Images | DockerBaseImages Mitigation for requirements for the image and security risk mitigation.

The Docker repository is named:

{Vendor Short Name}-{Application Short Name}/bff

Helm Chart repository

The vendor is given access to the helm chart repository hosted by the eHealth Platform.

This repository contains the only helm chart that the vendor is allowed to use to deploy their applications on the platform. The chart should be complete enough to run the application, with different configurations for values, health endpoints, resource usage etc.

See Helm Charts for more info about the chart.

Kubernetes namespace

All applications on the platform are hosted on Kubernetes. To enforce separation between applications and to harden the security on the platform each application will have its own Kubernetes namespace.

  • From this namespace, only communication to other specified namespaces is allowed.

    • This is at the moment only the ehealth-public namespace.

  • Likewise, only communication to whitelisted services outside the eHealth Platform is allowed.

Namespace is named:

Splunk Central Logging

The vendor is given access to a central log collection where the vendor can query and access logs, audits and metrics collected from the application.

The vendor does not have access to logs for the rest of the platform services, or from other applications.

When moving up through the different environments, the access will be less and less to protect against unwanted data disclosure.

Indexes available are:

See also Logging model for logging requirements.

See also Using Splunk for a short introduction on how to use Splunk.

Jaeger tracing

In the test environments, the vendor is given access to a common tracing system where a call and the response times of each involved service can be found. This is possible when all involved services have implemented the header propagation as described in Call Tracing

In production, access to trace data is limited.

A GUI presenting the collected data for i.e. EXTTEST can be accessed here https://jaeger.admin.exttest.ehealth.sundhed.dk/search