docs(kubernetes): frame README for starting-point and distributed-deployment audiences #702
Merged
bradymiller merged 1 commit into openemr:master from May 10, 2026
…ibuted-deployment audiences Restructure kubernetes/README.md so it explicitly serves two goals: a working OpenEMR starting point on Kubernetes, and a reference for the security primitives needed when components are deployed across trust boundaries. Move the Use section directly after Overview so readers can try the stack quickly. Add Security Architecture (per-layer threat model, including the NFS in-transit gap), and Production Hardening (storage-layer encryption per cloud, MariaDB TDE recipe, CNI-level WireGuard guidance, production checklist). Drop half-supported minikube references in favor of focused Kind instructions. Update the base README summary line to name both purposes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR restructures the Kubernetes documentation to better serve both “get it running quickly” users and readers deploying components across trust boundaries who need a clearer security model.
Changes:
- Reorders and reframes `kubernetes/README.md` (Overview → Use early), adding new “Security Architecture”, “Connection Security”, and “Production Hardening” sections.
- Removes Minikube-specific instructions in favor of Kind-focused guidance.
- Updates the repo root `README.md` Kubernetes entry to reflect the README’s dual purpose (starting point + distributed-deployment security reference).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| README.md | Expands the Kubernetes entry to describe the Kubernetes docs as both a runnable starting point and a secure distributed-deployment reference. |
| kubernetes/README.md | Major reorganization plus added security/threat-model and production-hardening guidance. |
| ## In-transit: Redis connections | ||
| OpenEMR ↔ Redis and OpenEMR ↔ Sentinel use mTLS via phpredis with Sentinel-based master discovery (`SESSION_STORAGE_MODE=predis-sentinel`). The `tls-auth-clients yes` setting in `redis/configmap-main.yaml` enforces client certificate presentation. Same three properties as MariaDB above. |
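Review bot: this paragraph names phpredis as the client library while the setting it quotes is `SESSION_STORAGE_MODE=predis-sentinel`; Predis and phpredis are different PHP Redis clients, so state which one is actually in use (or note that the mode name is historical) so readers configuring client certificates look at the right library's TLS options. Also, "Same three properties as MariaDB above" is hard to act on when this section is read in isolation; restate the three properties here or link to the MariaDB paragraph that enumerates them.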
Comment on lines +15 to +18
| OpenEMR Kubernetes orchestration. Orchestration includes OpenEMR, MariaDB, Redis, and phpMyAdmin. | ||
| - **OpenEMR** - 3 deployment replications of OpenEMR are created. Replications can be increased/decreased. Ports for both http and https. | ||
| - **MariaDB** - 2 statefulset replications of MariaDB (1 primary/master with 1 replica/slave) are created. Replications can be increased/decreased which will increase/decrease number of replica/slaves. Connections use mTLS (mutual TLS / X509 client certificate verification) by default, including replication traffic. See **Security Architecture → MariaDB connections** for what this protects and **Connection Security → MariaDB Connection Security** for how to downgrade to TLS-only or plain TCP. | ||
| - **Redis** - Configured to support failover. There is 1 master and 2 slaves (no read access on slaves) for a statefulset and 3 sentinels for another statefulset. OpenEMR connects directly to Redis with mTLS (mutual TLS / X509 client certificate verification) by default. The primary/slaves and sentinels would require script changes if wish to increase/decrease replicates for these since these are hard-coded several places in the scripts. There are 3 users/passwords (`default`, `replication`, `admin`) used in this redis scheme. All passwords are stored in the `redis-credentials` Kubernetes Secret (redis/secret.yaml) and should be changed for production use. The `default` is the typical worker/app/client user. See **Security Architecture → Redis connections** for details and **Connection Security → Redis Connection Security** for how to downgrade. |
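Review bot: in the Redis bullet, "would require script changes if wish to increase/decrease replicates for these" is missing its subject and uses "replicates" for replicas; suggest "would require script changes if you wish to increase or decrease the replica count, since these values are hard-coded in several places in the scripts". For consistency with Kubernetes terminology, "replications" in the OpenEMR and MariaDB bullets should also read "replicas". Finally, since the OpenEMR bullet advertises "Ports for both http and https" while the MariaDB and Redis bullets stress mTLS by default, say whether the plain-http port is intended only for in-cluster use so the stated security posture is not undercut at the edge.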
Summary
- Restructure `kubernetes/README.md` so it explicitly serves two related goals: a working OpenEMR starting point on Kubernetes, and a reference for the security primitives needed when components are deployed across trust boundaries (different clusters, VPCs, or over the public internet).
- `file_key_management` plugin, CNI-level WireGuard guidance for the NFS in-transit gap, and a production checklist.
- Update the base `README.md` summary line to name both purposes ("Working starting point with mTLS, Redis Sentinel failover, multi-node support; also serves as a reference for secure distributed deployments").
- No code or manifest changes — documentation only.
Test plan
- `kubernetes/README.md` on GitHub and verify section navigation flows: Overview → Use → Security Architecture → Connection Security → Production Hardening
- `README.md` Kubernetes link still resolves to `kubernetes/`
🤖 Generated with Claude Code