Add Letsencrypt automatic cert generation for platform packages #323

Merged
merged 10 commits into from
Dec 3, 2024
35 changes: 21 additions & 14 deletions .env.traefik.remote
Expand Up @@ -26,28 +26,35 @@ JS_REPORT_PACKAGE_PATH=
# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation

OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
OPENHIM_CORE_MEDIATOR_HOSTNAME=domain
OPENHIM_MEDIATOR_API_PORT=443/openhimcomms

# Reverse Proxy - Nginx
REVERSE_PROXY_INSTANCES=1
DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
SUBDOMAINS=openhimcomms.<domain>,openhimcore.<domain>,openhimconsole.<domain>,kibana.<domain>,reports.<domain>,santewww.<domain>,santempi.<domain>,superset.<domain>,keycloak.<domain>,grafana.<domain>,minio.<domain>,jempi-web.<domain>,jempi-api.<domain>
DOMAIN_NAME=domain
SUBDOMAINS=openhimcomms.domain,openhimcore.domain,openhimconsole.domain,kibana.domain,reports.domain,santewww.domain,santempi.domain,superset.domain,keycloak.domain,grafana.domain,minio.domain,jempi-web.domain,jempi-api.domain
STAGING=false
INSECURE=false

# Identity Access Manager - Keycloak
KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
KC_GRAFANA_ROOT_URL=https://grafana.<domain>
KC_JEMPI_ROOT_URL=https://jempi-web.<domain>
KC_SUPERSET_ROOT_URL=https://superset.<domain>
KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
GF_SERVER_DOMAIN=grafana.<domain>

REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.<domain>
KC_FRONTEND_URL=https://keycloak.domain
KC_GRAFANA_ROOT_URL=https://grafana.domain
KC_JEMPI_ROOT_URL=https://jempi-web.domain
KC_SUPERSET_ROOT_URL=https://superset.domain
KC_OPENHIM_ROOT_URL=https://domain

REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.domain
REACT_APP_JEMPI_BASE_API_PORT=443
OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
OPENHIM_CONSOLE_BASE_URL=https://domain
OPENHIM_API_HOST=https://domain/openhimcomms
OPENHIM_API_PORT=443/openhimcomms
OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
OPENHIM_HOST_NAME=domain
CERT_RESOLVER=le
CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
GF_SERVER_ROOT_URL=https://domain/grafana
GF_SERVER_DOMAIN=domain
MINIO_BROWSER_REDIRECT_URL=https://domain/minio
DOMAIN_NAME_HOST_TRAEFIK=domain
GF_SERVER_SERVE_FROM_SUB_PATH=true
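Review bot: `CA_SERVER` is the Let's Encrypt production directory and `STAGING=false` sits a few lines above it with nothing saying the two must be changed together; a first bring-up that loops on a mis-set resolver or placeholder hostname will exhaust the production issuance rate limits before the problem is noticed. Suggest a comment above `CERT_RESOLVER=le`: `# CERT_RESOLVER must match the resolver name in the Traefik static config; while validating a new domain use the staging CA_SERVER (and STAGING=true, if that is what selects it) to stay inside Let's Encrypt rate limits.` The literal placeholder `domain` also flows into `DOMAIN_NAME_HOST_TRAEFIK`, which every router rule in this PR matches on, so a deployment that forgets to replace it silently registers routers and an ACME order for a host named `domain`; a `# replace every occurrence of "domain" with the public hostname` comment at the top of the block would make that visible.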
10 changes: 10 additions & 0 deletions client-registry-jempi/docker-compose.api.yml
Expand Up @@ -30,6 +30,13 @@ services:
- traefik.http.routers.jempi-api.service=jempi-api
- traefik.http.services.jempi-api.loadbalancer.server.port=50000
- traefik.http.routers.jempi-api.rule=Host(`${JEMPI_API_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.jempi-api.entrypoints=websecure
- traefik.http.routers.jempi-api.tls=true
- traefik.http.routers.jempi-api.tls.certresolver=${CERT_RESOLVER}
- traefik.http.services.jempi-api.loadbalancer.server.scheme=http
- traefik.http.middlewares.jempi-api-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.jempi-api-redirect.redirectscheme.permanent=true

resources:
limits:
memory: ${JEMPI_API_MEMORY_LIMIT}
Expand All @@ -43,6 +50,7 @@ services:
jempi:
postgres:


jempi-api-kc:
image: jembi/jempi-api-kc:${JEMPI_API_KC_IMAGE_TAG}
environment:
Expand Down Expand Up @@ -89,9 +97,11 @@ services:
jempi:
postgres:


volumes:
jempi-shared-data:


networks:
reverse-proxy:
name: reverse-proxy_public
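Review bot: The `jempi-api-redirect` redirectscheme middleware defined by the last two added labels is never attached — there is no `traefik.http.routers.jempi-api.middlewares=jempi-api-redirect` label — so it has no effect; the same unattached pair appears in client-registry-jempi/docker-compose.web.yml, identity-access-manager-keycloak/docker-compose.yml and the grafana labels in monitoring/docker-compose.yml. Even where the middleware is attached (superset, openhim-console), the router is bound only to `websecure`, so every request it sees is already HTTPS and the redirect is a no-op unless a matching router on the `web` entrypoint exists outside these hunks. If plain-HTTP requests are meant to be upgraded, the usual place is an entrypoint-level redirection in the Traefik static config, or the `to-https` middleware that reverse-proxy-traefik/docker-compose.yml already defines attached to a router on `web`; the per-service copies could then be dropped rather than left as dead configuration.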
8 changes: 8 additions & 0 deletions client-registry-jempi/docker-compose.web.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,13 @@ services:
- traefik.http.routers.jempi-web.service=jempi-web
- traefik.http.services.jempi-web.loadbalancer.server.port=3000
- traefik.http.routers.jempi-web.rule=Host(`${JEMPI_WEB_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.jempi-web.entrypoints=websecure
- traefik.http.routers.jempi-web.tls=true
- traefik.http.routers.jempi-web.tls.certresolver=${CERT_RESOLVER}
- traefik.http.services.jempi-web.loadbalancer.server.scheme=http
- traefik.http.middlewares.jempi-web-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.jempi-web-redirect.redirectscheme.permanent=true

placement:
max_replicas_per_node: 1
resources:
Expand All @@ -34,6 +41,7 @@ services:
keycloak:
default:


networks:
reverse-proxy:
name: reverse-proxy_public
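Review bot: `tls.certresolver=${CERT_RESOLVER}` has no default here (nor on jempi-api, superset and keycloak), while interoperability-layer-openhim and the grafana labels use `${CERT_RESOLVER-le}` and the minio router hard-codes `le`; with `CERT_RESOLVER` unset the label renders as `certresolver=`, and Traefik then serves its default self-signed certificate for that router without failing the deploy, which is easy to miss behind a browser warning. Pick one spelling for the whole stack — `${CERT_RESOLVER-le}` to mirror openhim, or `${CERT_RESOLVER:?CERT_RESOLVER not set}` to fail fast — and note that `-` only substitutes when the variable is unset, not when it is empty, so `:-` is the safer form if `.env` may carry `CERT_RESOLVER=`.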
9 changes: 9 additions & 0 deletions dashboard-visualiser-superset/docker-compose.yml
Expand Up @@ -9,6 +9,13 @@ services:
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.dashboard-visualiser-superset.rule=Host(`${SUPERSET_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.port=8088
- traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.scheme=http
- traefik.http.routers.dashboard-visualiser-superset.entrypoints=websecure
- traefik.http.routers.dashboard-visualiser-superset.tls=true
- traefik.http.routers.dashboard-visualiser-superset.tls.certresolver=${CERT_RESOLVER}
- traefik.http.routers.dashboard-visualiser-superset.middlewares=dashboard-visualiser-superset-redirect
- traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.permanent=true
environment:
KC_SUPERSET_SSO_ENABLED: ${KC_SUPERSET_SSO_ENABLED}
KC_SUPERSET_CLIENT_ID: ${KC_SUPERSET_CLIENT_ID}
Expand Down Expand Up @@ -46,6 +53,7 @@ services:
postgres:
default:


configs:
superset_config.py:
file: ./config/superset_config.py
Expand All @@ -71,6 +79,7 @@ configs:
volumes:
superset_home:


networks:
clickhouse:
name: clickhouse_public
16 changes: 16 additions & 0 deletions fhir-ig-importer/docker-compose.yml
Expand Up @@ -19,10 +19,23 @@ services:
hapi-fhir:
openhim:
reverse-proxy:
traefik:
environment:
FHIR_IG_IMPORTER_CORE_URL: ${FHIR_IG_IMPORTER_CORE_URL}
OPENHIM_API_USERNAME: ${OPENHIM_USERNAME}
OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD}
deploy:
replicas: 1
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.fhir-ig-importer.rule=PathPrefix(`/fhir-ig-importer`)
- traefik.http.routers.fhir-ig-importer.entrypoints=websecure
- traefik.http.routers.fhir-ig-importer.tls=true
- traefik.http.services.fhir-ig-importer.loadbalancer.server.port=8080
- traefik.http.services.fhir-ig-importer.loadbalancer.server.scheme=http
- traefik.http.routers.fhir-ig-importer.middlewares=fhir-ig-importer-stripprefix
- traefik.http.middlewares.fhir-ig-importer-stripprefix.stripprefix.prefixes=/fhir-ig-importer

networks:
hapi-fhir:
Expand All @@ -34,4 +47,7 @@ networks:
reverse-proxy:
name: reverse-proxy_public
external: true
traefik:
name: reverse-proxy-traefik_public
external: true
default:
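Review bot: The new `fhir-ig-importer` router matches ``PathPrefix(`/fhir-ig-importer`)`` with no `Host()` term, so it answers on every hostname Traefik serves (including the subdomains routed to other services), and unlike the other routers in this PR it sets `tls=true` without a `tls.certresolver`, so it depends on a certificate some other router happened to obtain for whatever SNI arrives. The service also carries `OPENHIM_API_USERNAME`/`OPENHIM_API_PASSWORD` in its environment and no auth middleware is attached, so whether the importer enforces its own login should be confirmed before it is reachable through the public entrypoint. Suggest ``- traefik.http.routers.fhir-ig-importer.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/fhir-ig-importer`)`` and `- traefik.http.routers.fhir-ig-importer.tls.certresolver=${CERT_RESOLVER-le}`; kafka-mapper-consumer/docker-compose.yml and reprocess-mediator/docker-compose.yml add routers with the same shape and would take the same two changes.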
8 changes: 7 additions & 1 deletion identity-access-manager-keycloak/docker-compose.yml
Expand Up @@ -8,7 +8,7 @@ services:
"start",
"--proxy=edge",
"--hostname-url=${KC_FRONTEND_URL}",
"--import-realm",
"--import-realm"
]
hostname: identity-access-manager-keycloak
healthcheck:
Expand Down Expand Up @@ -49,17 +49,23 @@ services:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.scheme=http
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
- traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.identity-access-manager-keycloak.tls=true
- traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
- traefik.http.routers.identity-access-manager-keycloak.entrypoints=websecure
- traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.permanent=true

networks:
reverse-proxy:
public:
traefik:
default:
postgres:


configs:
realm.json:
file: ./config/realm.json
13 changes: 7 additions & 6 deletions interoperability-layer-openhim/docker-compose.yml
Expand Up @@ -52,7 +52,7 @@ services:
- traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`)
- traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms
- traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix
- traefik.http.routers.openhimcomms.tls.certresolver=le
- traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER-le}
- traefik.http.routers.openhimcore.service=openhimcore
- traefik.http.services.openhimcore.loadbalancer.server.port=5000
- traefik.http.services.openhimcore.loadbalancer.server.scheme=https
Expand All @@ -61,10 +61,7 @@ services:
- traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`)
- traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore
- traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix
- traefik.http.routers.openhimcore.tls.certresolver=le



- traefik.http.routers.openhimcore.tls.certresolver=${CERT_RESOLVER-le}

openhim-console:
image: ${OPENHIM_CONSOLE_IMAGE}
Expand Down Expand Up @@ -95,8 +92,12 @@ services:
- traefik.http.routers.openhim-console.service=openhim-console
- traefik.http.routers.openhim-console.entrypoints=websecure
- traefik.http.routers.openhim-console.tls=true
- traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`)
- traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.services.openhim-console.loadbalancer.server.port=80
- traefik.http.middlewares.openhim-console-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.openhim-console-redirect.redirectscheme.permanent=true
- traefik.http.routers.openhim-console.middlewares=openhim-console-redirect

placement:
max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE}
resources:
16 changes: 16 additions & 0 deletions kafka-mapper-consumer/docker-compose.yml
Expand Up @@ -28,6 +28,19 @@ services:
networks:
kafka:
reverse-proxy:
traefik:
deploy:
replicas: 1
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.kafka-mapper-consumer-ui.rule=PathPrefix(`/kafka-mapper-consumer-ui`)
- traefik.http.services.kafka-mapper-consumer-ui.loadbalancer.server.port=80
- traefik.http.services.kafka-mapper-consumer-ui.loadbalancer.server.url=http://kafka-mapper-consumer-ui:80/jembi-kafka-mapper-consumer-ui.js
- traefik.http.routers.kafka-mapper-consumer-ui.tls=true
- traefik.http.routers.kafka-mapper-consumer-ui.entrypoints=websecure
- traefik.http.routers.kafka-mapper-consumer-ui.middlewares=kafka-mapper-consumer-ui-stripprefix
- traefik.http.middlewares.kafka-mapper-consumer-ui-stripprefix.stripprefix.prefixes=/kafka-mapper-consumer-ui

configs:
fhir-mapping.json:
Expand All @@ -49,4 +62,7 @@ networks:
reverse-proxy:
name: reverse-proxy_public
external: true
traefik:
name: reverse-proxy-traefik_public
external: true
default:
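Review bot: The `kafka-mapper-consumer-ui` service sets both `loadbalancer.server.port=80` and `loadbalancer.server.url=http://kafka-mapper-consumer-ui:80/jembi-kafka-mapper-consumer-ui.js`; I am not certain the Docker provider in the Traefik version pinned under reverse-proxy-traefik honours `server.url` at all, and if it does the path it carries becomes the upstream base for every proxied request, so the two labels either conflict or one is dead — keep one and confirm against the deployed Traefik version. The service name this stanza belongs to is outside the hunk, so whether `kafka-mapper-consumer-ui` resolves on the `reverse-proxy-traefik_public` network cannot be checked from here; reprocess-mediator/docker-compose.yml carries the identical pair of labels. As with fhir-ig-importer, the router has no `Host()` term and no `tls.certresolver`.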
32 changes: 28 additions & 4 deletions monitoring/docker-compose.yml
Expand Up @@ -11,7 +11,16 @@ services:
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.grafana.service=grafana
- traefik.http.services.grafana.loadbalancer.server.port=3000
- traefik.http.routers.grafana.rule=Host(${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.tls=true
- traefik.http.services.grafana.loadbalancer.server.scheme=http
- traefik.http.routers.grafana.entrypoints=websecure
- traefik.http.routers.grafana.tls.certresolver=${CERT_RESOLVER-le}
- traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
- traefik.http.routers.grafana.middlewares=grafana-stripprefix
- traefik.http.middlewares.grafana-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.grafana-redirect.redirectscheme.permanent=true

environment:
GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
Expand All @@ -38,7 +47,7 @@ services:
GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
GF_SERVER_ROOT_URL: ${GF_SERVER_ROOT_URL}
GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
configs:
Expand Down Expand Up @@ -72,6 +81,7 @@ services:
traefik:
default:


prometheus:
image: prom/prometheus:v2.38.0
user: root
Expand All @@ -92,6 +102,7 @@ services:
public:
default:


cadvisor:
image: gcr.io/cadvisor/cadvisor:v0.45.0
command: -docker_only
Expand Down Expand Up @@ -152,7 +163,13 @@ services:
MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL}
MINIO_SERVER_URL: http://localhost:9000
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
test:
[
"CMD",
"curl",
"-f",
"http://localhost:9000/minio/health/live"
]
interval: 30s
timeout: 20s
retries: 3
Expand All @@ -165,15 +182,21 @@ services:
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.minio.rule=${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/minio`)
- traefik.http.routers.minio.service=minio
- traefik.http.routers.minio.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/minio`)
- traefik.http.services.minio.loadbalancer.server.port=9001
- traefik.http.routers.minio.tls=true
- traefik.http.services.minio.loadbalancer.server.scheme=http
- traefik.http.routers.minio.entrypoints=websecure
- traefik.http.routers.minio.tls.certresolver=le
- traefik.http.middlewares.minio-stripprefix.stripprefix.prefixes=/minio
- traefik.http.routers.minio.middlewares=minio-stripprefix
networks:
reverse-proxy:
traefik:
default:


configs:
grafana.ini:
file: ./grafana/grafana.ini
Expand Down Expand Up @@ -258,6 +281,7 @@ volumes:
minio-01-data1:
minio-01-data2:


networks:
keycloak:
name: keycloak_public
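Review bot: `GF_SERVER_ROOT_URL` now comes from `${GF_SERVER_ROOT_URL}` (set to `https://domain/grafana` in .env.traefik.remote), but `GF_AUTH_SIGNOUT_REDIRECT_URL` two lines below still builds `post_logout_redirect_uri` from `${KC_GRAFANA_ROOT_URL}/login`, which the same `.env` leaves at `https://grafana.domain`; Keycloak validates that value against the client's registered post-logout URIs, so logout will either be rejected or land on a hostname no router in this PR serves. Use one variable for both: `GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${GF_SERVER_ROOT_URL}/login"`. The same path-versus-subdomain drift shows in `.env.traefik.remote`, where `SUBDOMAINS` still lists `grafana.domain` and `minio.domain` although both are now routed under `/grafana` and `/minio` on the main host.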
16 changes: 16 additions & 0 deletions reprocess-mediator/docker-compose.yml
Expand Up @@ -22,8 +22,21 @@ services:
openhim:
reprocess:
reverse-proxy:
traefik:
environment:
REPROCESSOR_API_BASE_URL: ${REPROCESSOR_API_BASE_URL}
deploy:
replicas: 1
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.reprocess-mediator-ui.rule=PathPrefix(`/reprocess-mediator-ui`)
- traefik.http.services.reprocess-mediator-ui.loadbalancer.server.port=80
- traefik.http.services.reprocess-mediator-ui.loadbalancer.server.url=http://reprocess-mediator-ui:80/jembi-reprocessor-mediator-microfrontend.js
- traefik.http.routers.reprocess-mediator-ui.tls=true
- traefik.http.routers.reprocess-mediator-ui.entrypoints=websecure
- traefik.http.routers.reprocess-mediator-ui.middlewares=reprocess-mediator-ui-stripprefix
- traefik.http.middlewares.reprocess-mediator-ui-stripprefix.stripprefix.prefixes=/reprocess-mediator-ui

networks:
openhim:
Expand All @@ -38,3 +51,6 @@ networks:
openhim-mongo:
name: openhim_mongo_public
external: true
traefik:
name: reverse-proxy-traefik_public
external: true
1 change: 1 addition & 0 deletions reverse-proxy-traefik/docker-compose.yml
Expand Up @@ -46,6 +46,7 @@ services:
- traefik.http.services.openhim-console.loadbalancer.server.port=8080

- traefik.http.middlewares.to-https.redirectscheme.scheme=https
- traefik.http.middlewares.to-https.redirectscheme.permanent=true
- traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD}

placement: