From 92e62671f4f7ab9b01631a4f8470cda5c3540638 Mon Sep 17 00:00:00 2001 From: drono Date: Mon, 5 Aug 2024 14:06:30 +0300 Subject: [PATCH] Add Letsencrypt automatic cert generation for registry layer- 86byxgqbj --- .env.cluster | 2 +- .env.local | 2 +- client-registry-jempi/docker-compose.api.yml | 9 ++++++++- client-registry-jempi/docker-compose.web.yml | 7 ++++++- client-registry-santempi/docker-compose.yml | 15 ++++++++++++--- dashboard-visualiser-jsreport/docker-compose.yml | 2 +- dashboard-visualiser-kibana/docker-compose.yml | 2 +- dashboard-visualiser-superset/docker-compose.yml | 2 +- .../packages/reverse-proxy-traefik/README.md | 2 +- .../docker-compose.yml | 2 +- .../docker-compose.yml | 8 ++++---- monitoring/docker-compose.yml | 16 +++++++++++++--- 12 files changed, 50 insertions(+), 19 deletions(-) diff --git a/.env.cluster b/.env.cluster index 4b05e194..2777fab7 100644 --- a/.env.cluster +++ b/.env.cluster @@ -38,7 +38,7 @@ STAGING=true INSECURE=false # Reverse Proxy - Traefik -DOMAIN_NAME_HOST_TRAEFIK=domain +DOMAIN_NAME=domain # Analytics Datastore - Elastic Search ES_HEAP_SIZE=-Xms8192m -Xmx8192m diff --git a/.env.local b/.env.local index fb726277..98bd9afa 100644 --- a/.env.local +++ b/.env.local @@ -28,4 +28,4 @@ JS_REPORT_PACKAGE_PATH= # Reverse Proxy - Traefik PLACEMENT_ROLE_CONSTRAINTS=manager ENABLE_TRAEFIK_DASHBOARD=true -DOMAIN_NAME_HOST_TRAEFIK=domain +DOMAIN_NAME=domain diff --git a/client-registry-jempi/docker-compose.api.yml b/client-registry-jempi/docker-compose.api.yml index e216624a..7009302a 100644 --- a/client-registry-jempi/docker-compose.api.yml +++ b/client-registry-jempi/docker-compose.api.yml 
@@ -29,7 +29,11 @@ services: - traefik.docker.network=reverse-proxy-traefik_public - traefik.http.routers.jempi-api.service=jempi-api - traefik.http.services.jempi-api.loadbalancer.server.port=50000 - - traefik.http.routers.jempi-api.rule=Host(`${JEMPI_API_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.jempi-api.rule=Host(`${JEMPI_API_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}`) + - traefik.http.routers.jempi-api.entrypoints=websecure + - traefik.http.routers.jempi-api.tls=true + - traefik.http.routers.jempi-api.tls.certresolver=${CERT_RESOLVER} + - traefik.http.services.jempi-api.loadbalancer.server.scheme=http resources: limits: memory: ${JEMPI_API_MEMORY_LIMIT} @@ -43,6 +47,7 @@ services: jempi: postgres: + jempi-api-kc: image: jembi/jempi-api-kc:${JEMPI_API_KC_IMAGE_TAG} environment: @@ -89,9 +94,11 @@ services: jempi: postgres: + volumes: jempi-shared-data: + networks: reverse-proxy: name: reverse-proxy_public diff --git a/client-registry-jempi/docker-compose.web.yml b/client-registry-jempi/docker-compose.web.yml index 130d57ef..b013bc53 100644 --- a/client-registry-jempi/docker-compose.web.yml +++ b/client-registry-jempi/docker-compose.web.yml @@ -20,7 +20,11 @@ services: - traefik.docker.network=reverse-proxy-traefik_public - traefik.http.routers.jempi-web.service=jempi-web - traefik.http.services.jempi-web.loadbalancer.server.port=3000 - - traefik.http.routers.jempi-web.rule=Host(`${JEMPI_WEB_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.jempi-web.rule=Host(`${JEMPI_WEB_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}`) + - traefik.http.routers.jempi-web.entrypoints=websecure + - traefik.http.routers.jempi-web.tls=true + - traefik.http.routers.jempi-web.tls.certresolver=${CERT_RESOLVER} + - traefik.http.services.jempi-web.loadbalancer.server.scheme=http placement: max_replicas_per_node: 1 resources: @@ -34,6 +38,7 @@ services: keycloak: default: + networks: reverse-proxy: name: reverse-proxy_public 
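Review bot: The new `tls.certresolver=${CERT_RESOLVER}` label on the jempi-api router relies on a variable that neither `.env.cluster` nor `.env.local` defines in this patch, and an unset compose variable expands to an empty string, leaving `tls.certresolver=` so Traefik keeps the router on TLS with its built-in self-signed default certificate instead of requesting one from Let's Encrypt; nothing fails loudly until a client rejects the certificate. Either add `CERT_RESOLVER=le` to both env files next to the `DOMAIN_NAME` line, or give the label a fallback, `- traefik.http.routers.jempi-api.tls.certresolver=${CERT_RESOLVER:-le}`, using the resolver name this same patch removes from the OpenHIM labels. The jempi-api service definition starts and ends outside this hunk.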
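Review bot: With `entrypoints=websecure` and `tls=true`, the jempi-web router now handles HTTPS only, and nothing in this patch redirects plain-HTTP requests, so a client still using `http://${JEMPI_WEB_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}` gets a 404 from Traefik rather than an upgrade to TLS. If the Traefik package's static configuration already carries `entrypoints.web.http.redirections.entryPoint.to=websecure` this is fine, but that file is not part of this change set and is worth confirming; otherwise a second router bound to `web` with a `redirectscheme` middleware is needed. The `loadbalancer.server.scheme=http` label also means the Traefik-to-container hop stays in cleartext on the overlay network, which is a reasonable choice but deserves a comment such as `# TLS terminates at Traefik; the hop to the container is plaintext on the overlay network`. The jempi-web service definition continues outside this hunk.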
diff --git a/client-registry-santempi/docker-compose.yml b/client-registry-santempi/docker-compose.yml index f8ef36ea..be71b70e 100644 --- a/client-registry-santempi/docker-compose.yml +++ b/client-registry-santempi/docker-compose.yml @@ -29,7 +29,11 @@ services: - traefik.docker.network=reverse-proxy-traefik_public - traefik.http.routers.santedb-mpi.service=santedb-mpi - traefik.http.services.santedb-mpi.loadbalancer.server.port=8080 - - traefik.http.routers.santedb-mpi.rule=Host(`${SANTEDB_MPI_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.santedb-mpi.rule=Host(`${SANTEDB_MPI_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}`) + - traefik.http.routers.santedb-mpi.entrypoints=websecure + - traefik.http.routers.santedb-mpi.tls=true + - traefik.http.routers.santedb-mpi.tls.certresolver=${CERT_RESOLVER} + - traefik.http.services.santedb-mpi.loadbalancer.server.scheme=https volumes: - santedb-data:/santedb 
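Review bot: `loadbalancer.server.scheme=https` on the santedb-mpi router makes Traefik open a TLS connection to port 8080, which only works if SanteDB actually serves TLS there and, because Traefik's default serversTransport verifies upstream certificates, only if that certificate chains to a CA Traefik trusts or `insecureSkipVerify` is enabled in the Traefik package (not visible in this patch). With a self-signed SanteDB certificate and default settings every request fails with a 500 from Traefik; with `insecureSkipVerify` enabled the backend TLS still encrypts but no longer authenticates the upstream. Please document which case applies next to the label, e.g. `# SanteDB serves TLS on 8080; Traefik must trust its CA (see reverse-proxy-traefik serversTransport)`, or point the router at a named serversTransport with `rootCAs`. The OpenHIM routers later in this patch already use `scheme=https`, so whatever trust setup they rely on should be reused here. The santedb-mpi service definition continues outside this hunk.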
@@ -41,16 +45,21 @@ services: - traefik.docker.network=reverse-proxy-traefik_public - traefik.http.routers.santedb-www.service=santedb-www - traefik.http.services.santedb-www.loadbalancer.server.port=9200 - - traefik.http.routers.santedb-www.rule=Host(`${SANTEDB_WWW_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.santedb-www.rule=Host(`${SANTEDB_WWW_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}`) + - traefik.http.routers.santedb-www.entrypoints=websecure + - traefik.http.routers.santedb-www.tls=true + - traefik.http.routers.santedb-www.tls.certresolver=${CERT_RESOLVER} + - traefik.http.services.santedb-www.loadbalancer.server.scheme=https networks: default: reverse-proxy: traefik: -# Sante's Match configuration is stored in the container. This will prevent the matching rules of the client registry from being lost. A docker config cannot be used for this case as the settings can be changed on Sante's UI. + # Sante's Match configuration is stored in the container. This will prevent the matching rules of the client registry from being lost. A docker config cannot be used for this case as the settings can be changed on Sante's UI. volumes: santedb-data: + networks: mpi: name: mpi_public diff --git a/dashboard-visualiser-jsreport/docker-compose.yml b/dashboard-visualiser-jsreport/docker-compose.yml index 2ce709b8..89099eb7 100644 --- a/dashboard-visualiser-jsreport/docker-compose.yml +++ b/dashboard-visualiser-jsreport/docker-compose.yml 
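Review bot: The santedb-www router forwards to port 9200 with `loadbalancer.server.scheme=https`, which has the same prerequisite as the mpi router above: the container must really listen with TLS on that port and Traefik must be able to verify (or be explicitly told not to verify) its certificate, otherwise the UI is unreachable through the proxy. Since both SanteDB routers are now `tls=true` on `websecure` only, existing plain-HTTP clients of these hosts silently get 404 unless the Traefik static config redirects the `web` entrypoint, which this patch does not show. A short comment above the `scheme=https` label stating that SanteDB terminates its own TLS on 9200 and how Traefik trusts it would save the next maintainer a debugging session. The santedb-www service definition starts outside this hunk.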
@@ -16,7 +16,7 @@ services: labels: - traefik.enable=true - traefik.docker.network=reverse-proxy-traefik_public - - traefik.http.routers.dashboard-visualiser-jsreport.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`${JS_REPORT_PATH_PREFIX}`) + - traefik.http.routers.dashboard-visualiser-jsreport.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`${JS_REPORT_PATH_PREFIX}`) - traefik.http.middlewares.jsreport-stripprefix.stripprefix.prefixes=${JS_REPORT_PATH_PREFIX} - traefik.http.routers.dashboard-visualiser-jsreport.middlewares=jsreport-stripprefix - traefik.http.services.dashboard-visualiser-jsreport.loadbalancer.server.port=5488 diff --git a/dashboard-visualiser-kibana/docker-compose.yml b/dashboard-visualiser-kibana/docker-compose.yml index c4d3691d..e70c8019 100644 --- a/dashboard-visualiser-kibana/docker-compose.yml +++ b/dashboard-visualiser-kibana/docker-compose.yml @@ -17,7 +17,7 @@ services: - traefik.enable=true - traefik.docker.network=reverse-proxy-traefik_public - traefik.http.routers.dashboard-visualiser-kibana.service=dashboard-visualiser-kibana - - traefik.http.routers.dashboard-visualiser-kibana.rule=Host(`${KIBANA_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.dashboard-visualiser-kibana.rule=Host(`${KIBANA_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}`) - traefik.http.services.dashboard-visualiser-kibana.loadbalancer.server.port=5601 resources: limits: diff --git a/dashboard-visualiser-superset/docker-compose.yml b/dashboard-visualiser-superset/docker-compose.yml index 36c35097..4745e48f 100644 --- a/dashboard-visualiser-superset/docker-compose.yml +++ b/dashboard-visualiser-superset/docker-compose.yml 
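Review bot: The kibana router receives only the variable rename and still carries no `entrypoints`, `tls` or `tls.certresolver` labels, so the automatic certificate generation this commit introduces does not reach it; depending on the Traefik entrypoint defaults it remains reachable over plain HTTP and, on 443, would be served with Traefik's default self-signed certificate. Kibana fronts the Elasticsearch analytics datastore referenced in `.env.cluster`, so its session deserves the same treatment as jempi and santempi: `- traefik.http.routers.dashboard-visualiser-kibana.entrypoints=websecure`, `- traefik.http.routers.dashboard-visualiser-kibana.tls=true`, `- traefik.http.routers.dashboard-visualiser-kibana.tls.certresolver=${CERT_RESOLVER}`. The jsreport router in the preceding hunk is in the same situation. Both service definitions continue outside their hunks.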
@@ -7,7 +7,7 @@ services: labels: - traefik.enable=true - traefik.docker.network=reverse-proxy-traefik_public - - traefik.http.routers.dashboard-visualiser-superset.rule=Host(`${SUPERSET_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.dashboard-visualiser-superset.rule=Host(`${SUPERSET_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}`) - traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.port=8088 environment: KC_SUPERSET_SSO_ENABLED: ${KC_SUPERSET_SSO_ENABLED} diff --git a/documentation/packages/reverse-proxy-traefik/README.md b/documentation/packages/reverse-proxy-traefik/README.md index 872651f0..6ad51981 100644 --- a/documentation/packages/reverse-proxy-traefik/README.md +++ b/documentation/packages/reverse-proxy-traefik/README.md @@ -21,7 +21,7 @@ The package is an alternative reverse proxy Nginx, this reverse proxy exposes pa | JSReport | Sub Directory (e.g. /jsreport) | | OpenHim | Sub Domain (Frontend) Sub Directory (Backend) (e.g. openhim. and openhim./openhimcore) | -> Please ensure that the ENV "DOMAIN_NAME_HOST_TRAEFIK" is set, in this documentation we will be using the placeholder "domain" for its value +> Please ensure that the ENV "DOMAIN_NAME" is set, in this documentation we will be using the placeholder "domain" for its value ## Subdomain-Based Reverse Proxy diff --git a/identity-access-manager-keycloak/docker-compose.yml b/identity-access-manager-keycloak/docker-compose.yml index 3c1fbc69..3e3dd3a5 100644 --- a/identity-access-manager-keycloak/docker-compose.yml +++ b/identity-access-manager-keycloak/docker-compose.yml 
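Review bot: The superset router is left without `entrypoints=websecure`, `tls=true` and `tls.certresolver` labels, so unlike the registry routers it is not covered by the Let's Encrypt setup and stays on whatever the Traefik entrypoint defaults provide, presumably plain HTTP. This matters more here because `KC_SUPERSET_SSO_ENABLED` in the context lines suggests an OIDC login against Keycloak, which this patch does put behind TLS, so the redirect back to Superset would land on an http:// URL and expose the authorization code in cleartext if SSO is enabled. Adding `- traefik.http.routers.dashboard-visualiser-superset.entrypoints=websecure`, `- traefik.http.routers.dashboard-visualiser-superset.tls=true` and `- traefik.http.routers.dashboard-visualiser-superset.tls.certresolver=${CERT_RESOLVER}` brings it in line with the other packages. The superset service definition continues outside this hunk.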
@@ -50,7 +50,7 @@ services: - traefik.docker.network=reverse-proxy-traefik_public - traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080 - - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME}`) - traefik.http.routers.identity-access-manager-keycloak.tls=true - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER} networks: diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml index 59a1d95e..5fef322a 100644 --- a/interoperability-layer-openhim/docker-compose.yml +++ b/interoperability-layer-openhim/docker-compose.yml 
@@ -49,19 +49,19 @@ services: - traefik.http.services.openhimcomms.loadbalancer.server.scheme=https - traefik.http.routers.openhimcomms.tls=true - traefik.http.routers.openhimcomms.entrypoints=websecure - - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`) + - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/openhimcomms`) - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix - - traefik.http.routers.openhimcomms.tls.certresolver=le + - traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER} - traefik.http.routers.openhimcore.service=openhimcore - traefik.http.services.openhimcore.loadbalancer.server.port=5000 - traefik.http.services.openhimcore.loadbalancer.server.scheme=https - traefik.http.routers.openhimcore.tls=true - traefik.http.routers.openhimcore.entrypoints=websecure - - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`) + - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/openhimcore`) - traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore - traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix - - traefik.http.routers.openhimcore.tls.certresolver=le + - traefik.http.routers.openhimcore.tls.certresolver=${CERT_RESOLVER} diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml index 2d4de27b..513efaba 100644 --- a/monitoring/docker-compose.yml +++ b/monitoring/docker-compose.yml 
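Review bot: Replacing the hard-coded `le` with `${CERT_RESOLVER}` on the openhimcomms and openhimcore routers removes the only place the resolver name was pinned, and `CERT_RESOLVER` is not added to `.env.cluster` or `.env.local` in this patch; if it is unset the label collapses to `tls.certresolver=` and both OpenHIM routers silently fall back to Traefik's default self-signed certificate, a regression from the previous behavior. A compose-interpolation default keeps the old behavior when the variable is missing: `- traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER:-le}` and `- traefik.http.routers.openhimcore.tls.certresolver=${CERT_RESOLVER:-le}`. The openhim service labels begin before this hunk.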
@@ -11,7 +11,7 @@ services: - traefik.docker.network=reverse-proxy-traefik_public - traefik.http.routers.grafana.service=grafana - traefik.http.services.grafana.loadbalancer.server.port=3000 - - traefik.http.routers.grafana.rule=Host(${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/grafana`) + - traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/grafana`) environment: GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER} GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD} @@ -72,6 +72,7 @@ services: traefik: default: + prometheus: image: prom/prometheus:v2.38.0 user: root @@ -92,6 +93,7 @@ services: public: default: + cadvisor: image: gcr.io/cadvisor/cadvisor:v0.45.0 command: -docker_only @@ -152,7 +154,13 @@ services: MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL} MINIO_SERVER_URL: http://localhost:9000 healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] + test: + [ + "CMD", + "curl", + "-f", + "http://localhost:9000/minio/health/live" + ] interval: 30s timeout: 20s retries: 3 @@ -165,7 +173,7 @@ services: labels: - traefik.enable=true - traefik.docker.network=reverse-proxy-traefik_public - - traefik.http.routers.minio.rule=${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/minio`) + - traefik.http.routers.minio.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/minio`) - traefik.http.services.minio.loadbalancer.server.port=9001 - traefik.http.middlewares.minio-stripprefix.stripprefix.prefixes=/minio - traefik.http.routers.minio.middlewares=minio-stripprefix @@ -174,6 +182,7 @@ services: traefik: default: + configs: grafana.ini: file: ./grafana/grafana.ini @@ -258,6 +267,7 @@ volumes: minio-01-data1: minio-01-data2: + networks: keycloak: name: keycloak_public
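Review bot: The corrected grafana rule `Host(`${DOMAIN_NAME}`) && PathPrefix(`/grafana`)` now actually loads the router, but it has no `entrypoints`, `tls` or `tls.certresolver` labels, so the Grafana login — with `GF_SECURITY_ADMIN_USER` and `GF_SECURITY_ADMIN_PASSWORD` visible right below — is submitted over whatever the Traefik entrypoint defaults allow, presumably plain HTTP, while the registry routers in this same patch are forced to HTTPS. The old rule was syntactically broken and therefore never matched, so this hunk is effectively exposing Grafana for the first time and should do it on TLS: `- traefik.http.routers.grafana.entrypoints=websecure`, `- traefik.http.routers.grafana.tls=true`, `- traefik.http.routers.grafana.tls.certresolver=${CERT_RESOLVER}`. The grafana service definition continues outside this hunk.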
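Review bot: The repaired minio rule `Host(`${DOMAIN_NAME}`) && PathPrefix(`/minio`)` exposes the MinIO console on port 9001 through Traefik without any `entrypoints`, `tls` or `tls.certresolver` labels, so console credentials travel in cleartext unless the Traefik static config forces TLS globally, which is not visible here. Add `- traefik.http.routers.minio.entrypoints=websecure`, `- traefik.http.routers.minio.tls=true` and `- traefik.http.routers.minio.tls.certresolver=${CERT_RESOLVER}` to match the rest of this patch. Once the console is served over HTTPS, the `MINIO_BROWSER_REDIRECT_URL` value set in the earlier hunk presumably has to become the https:// URL with the `/minio` prefix, otherwise the console redirects back to an insecure or unreachable origin — worth verifying against the env files. The minio service definition starts and ends outside this hunk.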