Add Letsencrypt automatic cert generation for platform packages #323

Merged
merged 10 commits into from
Dec 3, 2024
7 changes: 7 additions & 0 deletions .env.traefik.remote
@@ -51,3 +51,10 @@ OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
OPENHIM_API_PORT=443/openhimcomms
OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
CERT_RESOLVER=le
CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
GF_SERVER_ROOT_URL=https://<domain>/grafana
GF_SERVER_DOMAIN=<domain>
MINIO_BROWSER_REDIRECT_URL=https://<domain>/minio
DOMAIN_NAME_HOST_TRAEFIK=<domain>
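Review bot: The two new image references at OPENHIM_CORE_IMAGE and OPENHIM_CONSOLE_IMAGE use floating tags (`prerelease`, `poc-microfrontend-prelease`), so what gets deployed can change underneath a fixed commit of this repo; if this env file is meant for anything beyond a throwaway test, pin them by digest (`jembi/openhim-core:prerelease@sha256:<digest>`) or to an immutable tag. The console tag also reads `prelease`, which looks like a typo for `prerelease` — worth confirming the tag exists before merge. CA_SERVER points at the Let's Encrypt production directory, and repeated test deployments against it hit its rate limits, so a comment above it naming the staging directory (`https://acme-staging-v02.api.letsencrypt.org/directory`) as the value for dry runs would save someone a lockout.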
5 changes: 4 additions & 1 deletion identity-access-manager-keycloak/docker-compose.yml
@@ -8,7 +8,7 @@ services:
"start",
"--proxy=edge",
"--hostname-url=${KC_FRONTEND_URL}",
"--import-realm",
"--import-realm"
]
hostname: identity-access-manager-keycloak
healthcheck:
@@ -49,17 +49,20 @@ services:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.scheme=http
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
- traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.identity-access-manager-keycloak.tls=true
- traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
- traefik.http.routers.identity-access-manager-keycloak.entrypoints=websecure
networks:
reverse-proxy:
public:
traefik:
default:
postgres:


configs:
realm.json:
file: ./config/realm.json
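Review bot: The new `tls.certresolver=${CERT_RESOLVER}` label in the -49,17 hunk has no default and no guard, so a deployment whose env lacks CERT_RESOLVER renders an empty resolver name and Traefik presumably falls back to its self-signed default certificate rather than failing; `- traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER:?CERT_RESOLVER must be set}` makes the omission fail fast at compose time. The monitoring compose in this same PR hard-codes `certresolver=le` for grafana and minio while this file reads the variable, so the two will diverge the first time the resolver name changes; pick one convention for both files. The added `loadbalancer.server.scheme=http` together with the existing `--proxy=edge` start flag means Keycloak accepts forwarded-header values from whatever reaches port 8080, which is safe only while that port is reachable solely over the traefik network, so a comment stating that assumption next to the scheme label would help the next reader. The services block continues outside this hunk.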
32 changes: 26 additions & 6 deletions monitoring/docker-compose.yml
@@ -10,8 +10,13 @@ services:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.grafana.service=grafana
- traefik.http.services.grafana.loadbalancer.server.port=3000
- traefik.http.routers.grafana.rule=Host(${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.tls=true
- traefik.http.services.grafana.loadbalancer.server.scheme=http
- traefik.http.routers.grafana.entrypoints=websecure
- traefik.http.routers.grafana.tls.certresolver=le
- traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
- traefik.http.routers.grafana.middlewares=grafana-stripprefix
environment:
GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
@@ -37,8 +42,8 @@ services:
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token"
GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
GF_SERVER_DOMAIN: ${DOMAIN_NAME_HOST_TRAEFIK}
GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}
GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
configs:
@@ -72,6 +77,7 @@ services:
traefik:
default:


prometheus:
image: prom/prometheus:v2.38.0
user: root
@@ -92,6 +98,7 @@ services:
public:
default:


cadvisor:
image: gcr.io/cadvisor/cadvisor:v0.45.0
command: -docker_only
@@ -152,7 +159,13 @@ services:
MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL}
MINIO_SERVER_URL: http://localhost:9000
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
test:
[
"CMD",
"curl",
"-f",
"http://localhost:9000/minio/health/live"
]
interval: 30s
timeout: 20s
retries: 3
@@ -165,15 +178,21 @@ services:
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.minio.rule=${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/minio`)
- traefik.http.routers.minio.service=minio
- traefik.http.routers.minio.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/minio`)
- traefik.http.services.minio.loadbalancer.server.port=9001
- traefik.http.routers.minio.tls=true
- traefik.http.services.minio.loadbalancer.server.scheme=http
- traefik.http.routers.minio.entrypoints=websecure
- traefik.http.routers.minio.tls.certresolver=le
- traefik.http.middlewares.minio-stripprefix.stripprefix.prefixes=/minio
- traefik.http.routers.minio.middlewares=minio-stripprefix
networks:
reverse-proxy:
traefik:
default:


configs:
grafana.ini:
file: ./grafana/grafana.ini
@@ -258,6 +277,7 @@ volumes:
minio-01-data1:
minio-01-data2:


networks:
keycloak:
name: keycloak_public
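Review bot: GF_SERVER_ROOT_URL is now set to the bare `${DOMAIN_NAME_HOST_TRAEFIK}` in the -37,8 hunk, which is a hostname rather than a URL, while the .env.traefik.remote in this same PR defines GF_SERVER_ROOT_URL as `https://<domain>/grafana` and that variable is no longer referenced here; Grafana derives its OAuth redirect URI and login links from root_url, so the scheme and `/grafana` sub-path need to survive, i.e. `GF_SERVER_ROOT_URL: ${GF_SERVER_ROOT_URL}`. GF_AUTH_SIGNOUT_REDIRECT_URL two lines below still builds its post-logout redirect from `${KC_GRAFANA_ROOT_URL}`, so after this change the login and logout URLs can disagree. The new grafana-stripprefix middleware looks at odds with GF_SERVER_SERVE_FROM_SUB_PATH if that is true, since Grafana then expects the `/grafana` prefix to arrive intact — I can't see the variable's value, so verify the rendered redirect chain end to end. The certresolver is hard-coded as `le` for grafana and minio while the keycloak compose reads `${CERT_RESOLVER}`; using the variable here as well keeps the two files consistent.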