Prerequisites
Before deploying the HealthFlow NDP infrastructure, ensure your environment meets the following requirements.
Kubernetes Cluster
Minimum Requirements
Resource Estimates
These are rough estimates for a development/staging environment. Production sizing should be based on:
- Expected transaction volume
- Number of concurrent users
- Data retention requirements
- High availability needs
- Disaster recovery requirements
Always perform load testing and capacity planning before production deployment.
| Component | Specification |
|---|---|
| Kubernetes Version | 1.28+ |
| Control Plane Nodes | 3 nodes (HA setup) |
| Worker Nodes | 3+ nodes (minimum) |
| Node CPU | 8 cores per worker node |
| Node Memory | 16 GB per worker node |
| Node Storage | 200 GB per worker node |
| Total Cluster | ~28 cores, ~56 GB RAM, ~700 GB storage |
Recommended Specifications
For production workloads handling 100,000+ prescriptions/day:
| Environment | Worker Nodes | CPU per Node | Memory per Node | Storage per Node |
|---|---|---|---|---|
| Development | 3 | 4 cores | 8 GB | 100 GB |
| Staging | 3 | 8 cores | 16 GB | 200 GB |
| Production | 5+ | 16 cores | 32 GB | 500 GB |
Scaling Strategy
Start with minimum specifications and scale horizontally (add nodes) or vertically (increase node resources) based on:
- Prometheus metrics
- Application performance monitoring
- Load test results
- Business growth projections
Container Runtime
- containerd 1.6+ (recommended)
- Docker 20.10+ (alternative)
- CRI-O 1.24+ (alternative)
Network
CNI Plugin
- Calico (recommended for network policies)
- Flannel (simpler alternative)
- Cilium (advanced features)
Network Requirements
- Cluster CIDR: /16 minimum
- Service CIDR: /16 minimum
- Pod Network: Non-overlapping with existing networks
- Egress access to internet (for container images, Let's Encrypt)
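As an added example (not part of the HealthFlow documentation), the following script checks a planned address layout against the requirements above: pod and service ranges of at least /16, no overlap between them, and no overlap with networks already in use. It treats the cluster CIDR and the pod network as the same range, and the sample networks are constructed for illustration.

```python
import ipaddress

MAX_PREFIX = 16  # "/16 minimum": a prefix length of 16 or shorter


def check_network_plan(pod_cidr, service_cidr, existing_networks):
    """Return a list of problems; an empty list means the plan meets the requirements."""
    pod = ipaddress.ip_network(pod_cidr, strict=True)      # strict: reject host bits set
    svc = ipaddress.ip_network(service_cidr, strict=True)
    ranges = [("pod CIDR", pod), ("service CIDR", svc)]
    problems = []
    for label, net in ranges:
        if net.prefixlen > MAX_PREFIX:
            problems.append(f"{label} {net} is smaller than /16")
    if pod.overlaps(svc):
        problems.append(f"pod CIDR {pod} overlaps service CIDR {svc}")
    # Cluster ranges must not collide with networks already routed in the
    # environment, or traffic to those hosts (databases, VPN peers) is captured
    # by the overlay instead of reaching its destination.
    for existing in existing_networks:
        ext = ipaddress.ip_network(existing, strict=True)
        for label, net in ranges:
            if net.overlaps(ext):
                problems.append(f"{label} {net} overlaps existing network {ext}")
    return problems


# Constructed sample of networks already in use (an office LAN and a VPN range).
EXISTING = ["10.0.0.0/16", "192.168.0.0/24"]

if __name__ == "__main__":
    print(check_network_plan("10.244.0.0/16", "10.96.0.0/16", EXISTING) or "plan OK")
    for problem in check_network_plan("10.0.0.0/24", "10.96.0.0/12", EXISTING):
        print("problem:", problem)
```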
Firewall Rules
Inbound (from Internet)
| Port | Protocol | Service | Description |
|---|---|---|---|
| 80 | TCP | HTTP | Traefik HTTP (redirects to HTTPS) |
| 443 | TCP | HTTPS | Traefik HTTPS |
| 6443 | TCP | Kubernetes API | Cluster management (restrict to admin IPs) |
Internal (between nodes)
| Port Range | Protocol | Service | Description |
|---|---|---|---|
| 2379-2380 | TCP | etcd | Cluster state |
| 10250 | TCP | kubelet | Node management |
| 10251 | TCP | kube-scheduler | Scheduler |
| 10252 | TCP | kube-controller | Controller |
| 30000-32767 | TCP/UDP | NodePort | Service exposure |
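As an added example (not HealthFlow's own code), this script reviews a planned set of TCP allow rules against the two tables above: the API port must only be reachable from admin addresses, the node-internal ranges must not be reachable from outside the node network, and anything else exposed externally is reported as not in the inbound table. The node and admin ranges are placeholders and the rule list is constructed.

```python
import ipaddress

NODE_CIDR = ipaddress.ip_network("10.10.0.0/16")     # placeholder: node network
ADMIN_CIDR = ipaddress.ip_network("203.0.113.0/24")  # placeholder: admin source range
INTERNET_PORTS = {80, 443}                            # Inbound (from Internet) table
API_PORT = 6443                                       # inbound, but admin IPs only
INTERNAL_RANGES = [(2379, 2380), (10250, 10250), (10251, 10251), (10252, 10252), (30000, 32767)]


def overlaps(lo, hi, rlo, rhi):
    return lo <= rhi and hi >= rlo


def audit_rules(rules):
    """rules: iterable of (source_cidr, first_port, last_port) TCP allow rules.
    Returns a list of findings; an empty list means the plan matches the tables."""
    findings = []
    for src, lo, hi in rules:
        source = ipaddress.ip_network(src)
        if source.subnet_of(NODE_CIDR):
            continue  # node-to-node rule: the internal table applies, nothing to flag
        if overlaps(lo, hi, API_PORT, API_PORT) and not source.subnet_of(ADMIN_CIDR):
            findings.append(f"{src}: 6443 (Kubernetes API) must be restricted to admin IPs")
        for rlo, rhi in INTERNAL_RANGES:
            if overlaps(lo, hi, rlo, rhi):
                findings.append(f"{src}: {rlo}-{rhi} is node-internal and must not be exposed")
        unexpected = sorted(p for p in range(lo, hi + 1)
                            if p not in INTERNET_PORTS and p != API_PORT
                            and not any(overlaps(p, p, rlo, rhi) for rlo, rhi in INTERNAL_RANGES))
        if unexpected:
            findings.append(f"{src}: {len(unexpected)} port(s) not in the inbound table, e.g. {unexpected[0]}")
    return findings


# Constructed plan: web traffic from anywhere, API from the admin range only,
# plus one mistake (API open to the world) and one stray NodePort exposure.
PLANNED_RULES = [
    ("0.0.0.0/0", 80, 80),
    ("0.0.0.0/0", 443, 443),
    ("203.0.113.0/24", 6443, 6443),
    ("0.0.0.0/0", 6443, 6443),
    ("0.0.0.0/0", 30080, 30080),
    ("10.10.0.0/16", 2379, 2380),
]

if __name__ == "__main__":
    for finding in audit_rules(PLANNED_RULES):
        print(finding)
```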
Storage
Storage Classes Required
Block Storage (RWO - ReadWriteOnce)
- For databases (PostgreSQL, MySQL, MongoDB)
- Minimum: 500 GB available
- IOPS: 3000+ (recommended for databases)
- Providers: Local SSD, Egypt Cloud Block Storage, Ceph RBD
File Storage (RWX - ReadWriteMany)
- For shared volumes (Traefik certificates)
- Minimum: 50 GB available
- Providers: NFS, Egypt Cloud File Storage, GlusterFS, CephFS
Storage Estimate Breakdown
Storage Growth
These estimates assume a 3-month retention policy for logs and metrics. Adjust based on compliance requirements.
| Component | Storage | Growth Rate | Notes |
|---|---|---|---|
| PostgreSQL | 200 GB | ~10 GB/month | Prescription and registry data |
| MySQL | 100 GB | ~5 GB/month | Pharmacy and medicine data |
| MongoDB | 100 GB | ~20 GB/month | Audit logs |
| Prometheus | 100 GB | ~15 GB/month | Metrics (15-day retention) |
| Loki | 200 GB | ~30 GB/month | Logs (30-day retention) |
| Redis | 20 GB | Minimal | In-memory cache |
| Other | 50 GB | Minimal | Configurations, certificates |
| Total | 770 GB | ~80 GB/month | Estimated for first year |
Software Tools
Required on Admin Machine
```bash
# Kubernetes CLI
kubectl version --client
# Should be within one minor version of cluster
# Helm package manager
helm version
# Version 3.10+
# Optional but recommended
kubectx # Switch between clusters easily
kubens # Switch between namespaces easily
k9s # Terminal UI for Kubernetes
```
Installation Commands
```bash
# Install kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
# Verify the binary against the published kubectl.sha256 file before installing it
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
# Install Helm (review the installer script before piping it to a shell)
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# Install k9s (optional)
curl -sS https://webinstall.dev/k9s | bash
```
Access & Permissions
Kubernetes RBAC
You will need a kubeconfig file with sufficient permissions:
```yaml
# Minimum required permissions
# Note: wildcard apiGroups/resources/verbs are equivalent to cluster-admin;
# bind this role only to the deployment identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: healthflow-deployer
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```
Cloud Provider Access
If using managed Kubernetes on Egyptian cloud infrastructure:
- Egypt Cloud K8s: Service account with cluster admin permissions
- Local Data Center: Direct access to Kubernetes API server
- Self-Managed: kubeconfig with appropriate RBAC permissions
DNS Configuration
Required DNS Records
| Record Type | Name | Value | TTL |
|---|---|---|---|
| A | *.healthflow.eg | Load Balancer IP | 300 |
| A | traefik.healthflow.eg | Load Balancer IP | 300 |
| A | portainer.healthflow.eg | Load Balancer IP | 300 |
| A | grafana.healthflow.eg | Load Balancer IP | 300 |
| A | api.healthflow.eg | Load Balancer IP | 300 |
Wildcard DNS
Use a wildcard DNS record (*.healthflow.eg) to simplify service exposure.
SSL/TLS Certificates
Option 1: Let's Encrypt (Recommended)
Traefik will automatically obtain certificates via ACME.
Requirements:
- Valid domain name
- Domain must resolve to your load balancer
- Ports 80 and 443 accessible from internet
Option 2: Custom Certificates
If using internal CA or purchased certificates:
```bash
# Create TLS secret
kubectl create secret tls healthflow-tls \
  --cert=path/to/cert.pem \
  --key=path/to/key.pem \
  --namespace=gateway-stack
```
Security Requirements
Secrets to Generate
Before deployment, generate the following:
```bash
# PostgreSQL password
openssl rand -base64 32
# MySQL root password
openssl rand -base64 32
# Redis password
openssl rand -base64 32
# Grafana admin password
openssl rand -base64 32
# Vault unseal keys (generated during Vault initialization)
# Traefik dashboard password: keep the plaintext in a variable, since htpasswd
# prints only the hash and the generated value would otherwise be lost
TRAEFIK_PASS=$(openssl rand -base64 16)
htpasswd -nb admin "$TRAEFIK_PASS"   # add -B to hash with bcrypt instead of the apr1 (MD5) default
```
Store these securely in a password manager or secrets vault.
Monitoring & Alerting Setup
Email for Alerts
- SMTP server access for AlertManager
- Email addresses for critical alerts
- Slack webhook URL (optional)
External Integrations
- EDA API: Credentials for Egyptian Drug Authority integration
- MOH Systems: API keys if applicable
- Insurance Providers: Integration endpoints
Checklist
Before proceeding to installation:
- [ ] Kubernetes cluster provisioned and accessible
- [ ] kubectl configured with admin access
- [ ] Storage classes configured (RWO and RWX)
- [ ] DNS records configured
- [ ] Domain resolves to load balancer
- [ ] Firewall rules configured
- [ ] Secrets generated and stored securely
- [ ] SMTP configured for alerts (optional)
- [ ] Backup strategy defined
- [ ] Disaster recovery plan documented
Next Steps
Once all prerequisites are met:
- Installation Guide - Deploy the infrastructure
- Configuration Guide - Configure services
- Gateway Stack - Begin with the first stack
Estimation Disclaimer
Production Sizing
All resource specifications in this documentation are rough estimates for planning purposes. Before production deployment:
- Perform load testing with realistic data volumes
- Monitor resource usage during staging deployment
- Plan for 50-100% headroom above peak observed usage
- Review quarterly and adjust based on growth
- Consider data retention policies impact on storage
The actual resource requirements depend heavily on:
- Transaction volume (prescriptions/day)
- Number of concurrent users
- API call patterns
- Data retention requirements
- Monitoring verbosity
- Number of deployed microservices
- Integration with external systems
Always validate with your specific workload before purchasing hardware or cloud resources.