
Add Letsencrypt automatic cert generation for platform packages #323

Merged
merged 10 commits into from
Dec 3, 2024
42 changes: 28 additions & 14 deletions .env.traefik.remote
Expand Up @@ -26,28 +26,42 @@ JS_REPORT_PACKAGE_PATH=
# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation

OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
OPENHIM_CORE_MEDIATOR_HOSTNAME=domain
OPENHIM_MEDIATOR_API_PORT=443/openhimcomms

# Reverse Proxy - Nginx
REVERSE_PROXY_INSTANCES=1
DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
SUBDOMAINS=openhimcomms.<domain>,openhimcore.<domain>,openhimconsole.<domain>,kibana.<domain>,reports.<domain>,santewww.<domain>,santempi.<domain>,superset.<domain>,keycloak.<domain>,grafana.<domain>,minio.<domain>,jempi-web.<domain>,jempi-api.<domain>
DOMAIN_NAME=domain
SUBDOMAINS=openhimcomms.domain,openhimcore.domain,openhimconsole.domain,kibana.domain,reports.domain,santewww.domain,santempi.domain,superset.domain,keycloak.domain,grafana.domain,minio.domain,jempi-web.domain,jempi-api.domain
STAGING=false
INSECURE=false

# Identity Access Manager - Keycloak
KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
KC_GRAFANA_ROOT_URL=https://grafana.<domain>
KC_JEMPI_ROOT_URL=https://jempi-web.<domain>
KC_SUPERSET_ROOT_URL=https://superset.<domain>
KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
GF_SERVER_DOMAIN=grafana.<domain>

REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.<domain>
KC_FRONTEND_URL=https://keycloak.domain
KC_GRAFANA_ROOT_URL=https://grafana.domain
KC_JEMPI_ROOT_URL=https://jempi-web.domain
KC_SUPERSET_ROOT_URL=https://superset.domain
KC_OPENHIM_ROOT_URL=https://domain

REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.domain
REACT_APP_JEMPI_BASE_API_PORT=443
OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
OPENHIM_CONSOLE_BASE_URL=https://domain
OPENHIM_API_HOST=https://domain/openhimcomms
OPENHIM_API_PORT=443/openhimcomms
OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
OPENHIM_HOST_NAME=domain
OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
GF_SERVER_ROOT_URL=https://domain/grafana
GF_SERVER_DOMAIN=domain
MINIO_BROWSER_REDIRECT_URL=https://domain/minio
DOMAIN_NAME_HOST_TRAEFIK=domain
GF_SERVER_SERVE_FROM_SUB_PATH=true

# Traefik Labels
CERT_RESOLVER=le
# letsencrypt staging url https://acme-staging-v02.api.letsencrypt.org/directory
CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
TLS=false
TLS_CHALLENGE=false
WEB_ENTRY_POINT=web
REDIRECT_TO_HTTPS=false
drizzentic marked this conversation as resolved.
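Review bot: The new Traefik block in this remote profile leaves `TLS=false`, `TLS_CHALLENGE=false` and `REDIRECT_TO_HTTPS=false` while every application root URL in the same file (`KC_FRONTEND_URL`, `KC_OPENHIM_ROOT_URL`, `GF_SERVER_ROOT_URL`, `MINIO_BROWSER_REDIRECT_URL`) is `https://...`, so a deployment built from these defaults answers on plain HTTP and the services advertise HTTPS URLs that Traefik never terminates. The Traefik environment-variable table added elsewhere in this PR documents `TLS`, `TLS_CHALLENGE` and `REDIRECT_TO_HTTPS` as `true`, `http` and `true`, which does not match these defaults either; either set `TLS=true`, `TLS_CHALLENGE=true` and `REDIRECT_TO_HTTPS=true` here, or add a comment such as `# TLS is off in this profile; set TLS=true and REDIRECT_TO_HTTPS=true before exposing it publicly`. `WEB_ENTRY_POINT=web` is the only entry-point variable: in Traefik a router with TLS enabled handles only HTTPS requests, so an operator who flips `TLS=true` without also pointing `WEB_ENTRY_POINT` at the TLS entry point will presumably lose plain-HTTP access on the routers that carry `tls=${TLS}` — the Traefik static configuration is not in this diff, so confirm which entry points exist.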
10 changes: 10 additions & 0 deletions client-registry-jempi/docker-compose.api.yml
Expand Up @@ -30,6 +30,13 @@ services:
- traefik.http.routers.jempi-api.service=jempi-api
- traefik.http.services.jempi-api.loadbalancer.server.port=50000
- traefik.http.routers.jempi-api.rule=Host(`${JEMPI_API_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.jempi-api.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.jempi-api.tls=${TLS}
- traefik.http.routers.jempi-api.tls.certresolver=${CERT_RESOLVER}
- traefik.http.services.jempi-api.loadbalancer.server.scheme=http
- traefik.http.middlewares.jempi-api-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.jempi-api-redirect.redirectscheme.permanent=${REDIRECT_TO_HTTPS}

drizzentic marked this conversation as resolved.
resources:
limits:
memory: ${JEMPI_API_MEMORY_LIMIT}
Expand All @@ -43,6 +50,7 @@ services:
jempi:
postgres:


jempi-api-kc:
image: jembi/jempi-api-kc:${JEMPI_API_KC_IMAGE_TAG}
environment:
Expand Down Expand Up @@ -89,9 +97,11 @@ services:
jempi:
postgres:


volumes:
jempi-shared-data:


networks:
reverse-proxy:
name: reverse-proxy_public
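Review bot: The `jempi-api-redirect` middleware defined at the end of the first hunk is never attached to the router — there is no `- traefik.http.routers.jempi-api.middlewares=jempi-api-redirect` label, unlike the superset and openhim-console services in this PR which do attach theirs — so the HTTP-to-HTTPS redirect is dead configuration and plain-HTTP requests are proxied straight through to the service. The same unattached redirect middleware appears in client-registry-jempi/docker-compose.web.yml (`jempi-web-redirect`), identity-access-manager-keycloak/docker-compose.yml (`identity-access-manager-keycloak-redirect`) and monitoring/docker-compose.yml (`grafana-redirect`). Note also that `redirectscheme.permanent` only selects the permanent status code; once the middleware is attached it redirects regardless of `REDIRECT_TO_HTTPS`, so if that variable is meant to switch the redirect on and off, the attachment itself has to be conditional (or the variable renamed to say what it actually controls). The `jempi-api` service definition starts above the first hunk.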
8 changes: 8 additions & 0 deletions client-registry-jempi/docker-compose.web.yml
Expand Up @@ -21,6 +21,13 @@ services:
- traefik.http.routers.jempi-web.service=jempi-web
- traefik.http.services.jempi-web.loadbalancer.server.port=3000
- traefik.http.routers.jempi-web.rule=Host(`${JEMPI_WEB_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.jempi-web.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.jempi-web.tls=${TLS}
- traefik.http.routers.jempi-web.tls.certresolver=${CERT_RESOLVER}
- traefik.http.services.jempi-web.loadbalancer.server.scheme=http
- traefik.http.middlewares.jempi-web-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.jempi-web-redirect.redirectscheme.permanent=${REDIRECT_TO_HTTPS}

placement:
max_replicas_per_node: 1
resources:
Expand All @@ -34,6 +41,7 @@ services:
keycloak:
default:


networks:
reverse-proxy:
name: reverse-proxy_public
9 changes: 9 additions & 0 deletions dashboard-visualiser-superset/docker-compose.yml
Expand Up @@ -9,6 +9,13 @@ services:
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.dashboard-visualiser-superset.rule=Host(`${SUPERSET_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.port=8088
- traefik.http.services.dashboard-visualiser-superset.loadbalancer.server.scheme=http
- traefik.http.routers.dashboard-visualiser-superset.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.dashboard-visualiser-superset.tls=${TLS}
- traefik.http.routers.dashboard-visualiser-superset.tls.certresolver=${CERT_RESOLVER}
- traefik.http.routers.dashboard-visualiser-superset.middlewares=dashboard-visualiser-superset-redirect
- traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.dashboard-visualiser-superset-redirect.redirectscheme.permanent=${REDIRECT_TO_HTTPS}
environment:
KC_SUPERSET_SSO_ENABLED: ${KC_SUPERSET_SSO_ENABLED}
KC_SUPERSET_CLIENT_ID: ${KC_SUPERSET_CLIENT_ID}
Expand Down Expand Up @@ -46,6 +53,7 @@ services:
postgres:
default:


configs:
superset_config.py:
file: ./config/superset_config.py
Expand All @@ -71,6 +79,7 @@ configs:
volumes:
superset_home:


networks:
clickhouse:
name: clickhouse_public
@@ -0,0 +1,12 @@
# Traefik Environment Variables

The following environment variables can be used to configure Traefik:

| Variable | Value | Description |
| ----------------- | ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- |
| CERT_RESOLVER | le | The certificate resolver to use for obtaining TLS certificates. |
| CA_SERVER | [https://acme-v02.api.letsencrypt.org/directory](https://acme-v02.api.letsencrypt.org/directory) | The URL of the ACME server for certificate generation. |
| TLS | true | Enable or disable TLS encryption. |
| TLS_CHALLENGE | http | The challenge type to use for TLS certificate generation. |
| WEB_ENTRY_POINT | web | The entry point for web traffic. |
| REDIRECT_TO_HTTPS | true | Enable or disable automatic redirection to HTTPS. |
16 changes: 16 additions & 0 deletions fhir-ig-importer/docker-compose.yml
Expand Up @@ -19,10 +19,23 @@ services:
hapi-fhir:
openhim:
reverse-proxy:
traefik:
environment:
FHIR_IG_IMPORTER_CORE_URL: ${FHIR_IG_IMPORTER_CORE_URL}
OPENHIM_API_USERNAME: ${OPENHIM_USERNAME}
OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD}
deploy:
replicas: 1
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.fhir-ig-importer.rule=PathPrefix(`/fhir-ig-importer`)
- traefik.http.routers.fhir-ig-importer.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.fhir-ig-importer.tls=${TLS}
- traefik.http.services.fhir-ig-importer.loadbalancer.server.port=8080
- traefik.http.services.fhir-ig-importer.loadbalancer.server.scheme=http
- traefik.http.routers.fhir-ig-importer.middlewares=fhir-ig-importer-stripprefix
- traefik.http.middlewares.fhir-ig-importer-stripprefix.stripprefix.prefixes=/fhir-ig-importer

networks:
hapi-fhir:
Expand All @@ -34,4 +47,7 @@ networks:
reverse-proxy:
name: reverse-proxy_public
external: true
traefik:
name: reverse-proxy-traefik_public
external: true
default:
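Review bot: The new `fhir-ig-importer` router matches on `PathPrefix` alone, with no `Host()` clause and no `tls.certresolver` label, unlike the other routers in this PR (jempi-api, superset, openhim) which scope to `Host(`${DOMAIN_NAME_HOST_TRAEFIK}`)` and set `tls.certresolver=${CERT_RESOLVER}`; the service therefore answers under any host name Traefik receives and, when `TLS=true`, would presumably be served with Traefik's default certificate rather than a Let's Encrypt one — confirm against the Traefik setup. The importer is configured with `OPENHIM_API_USERNAME`/`OPENHIM_API_PASSWORD`, so it is a credential-holding service now published on the public proxy network with no auth middleware visible in the hunk, which deserves a deliberate decision and a comment. I'd change the rule to `` - traefik.http.routers.fhir-ig-importer.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/fhir-ig-importer`) `` and add `- traefik.http.routers.fhir-ig-importer.tls.certresolver=${CERT_RESOLVER}`. The same two omissions apply to the `kafka-mapper-consumer-ui` router in kafka-mapper-consumer/docker-compose.yml. The `fhir-ig-importer` service definition starts above the first hunk.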
16 changes: 8 additions & 8 deletions identity-access-manager-keycloak/docker-compose.yml
Expand Up @@ -3,13 +3,7 @@ version: "3.9"
services:
identity-access-manager-keycloak:
image: ${KEYCLOAK_IMAGE}
command:
[
"start",
"--proxy=edge",
"--hostname-url=${KC_FRONTEND_URL}",
"--import-realm",
]
command: [ "start", "--proxy=edge", "--hostname-url=${KC_FRONTEND_URL}", "--import-realm" ]
hostname: identity-access-manager-keycloak
healthcheck:
test: curl --fail http://localhost:8080/health/ready || exit 1
Expand Down Expand Up @@ -49,17 +43,23 @@ services:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.scheme=http
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
- traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.identity-access-manager-keycloak.tls=true
- traefik.http.routers.identity-access-manager-keycloak.tls=${TLS}
- traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
- traefik.http.routers.identity-access-manager-keycloak.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.identity-access-manager-keycloak-redirect.redirectscheme.permanent=${REDIRECT_TO_HTTPS}

networks:
reverse-proxy:
public:
traefik:
default:
postgres:


configs:
realm.json:
file: ./config/realm.json
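Review bot: Changing `identity-access-manager-keycloak.tls=true` to `tls=${TLS}` ties the identity provider's transport to a variable that `.env.traefik.remote` in this same PR defaults to `false`, so a deployment built from those defaults serves Keycloak — and every login form and token exchange behind it — over plain HTTP, while `--hostname-url=${KC_FRONTEND_URL}` still advertises an `https://` front-end URL and `--proxy=edge` expects the proxy to terminate TLS. If the non-TLS mode is intended only for local development, a comment on the label would make that explicit, e.g. `# TLS must be true for any non-local deployment: Keycloak handles credentials and runs with --proxy=edge`. The `identity-access-manager-keycloak` service starts above the second hunk.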
25 changes: 13 additions & 12 deletions interoperability-layer-openhim/docker-compose.yml
Expand Up @@ -47,24 +47,21 @@ services:
- traefik.http.routers.openhimcomms.service=openhimcomms
- traefik.http.services.openhimcomms.loadbalancer.server.port=8080
- traefik.http.services.openhimcomms.loadbalancer.server.scheme=https
- traefik.http.routers.openhimcomms.tls=true
- traefik.http.routers.openhimcomms.entrypoints=websecure
- traefik.http.routers.openhimcomms.tls=${TLS}
- traefik.http.routers.openhimcomms.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`)
- traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms
- traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix
- traefik.http.routers.openhimcomms.tls.certresolver=le
- traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER-""}
- traefik.http.routers.openhimcore.service=openhimcore
- traefik.http.services.openhimcore.loadbalancer.server.port=5000
- traefik.http.services.openhimcore.loadbalancer.server.scheme=https
- traefik.http.routers.openhimcore.tls=true
- traefik.http.routers.openhimcore.entrypoints=websecure
- traefik.http.routers.openhimcore.tls=${TLS}
- traefik.http.routers.openhimcore.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`)
- traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore
- traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix
- traefik.http.routers.openhimcore.tls.certresolver=le



- traefik.http.routers.openhimcore.tls.certresolver=${CERT_RESOLVER-""}

openhim-console:
image: ${OPENHIM_CONSOLE_IMAGE}
Expand Down Expand Up @@ -93,10 +90,14 @@ services:
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.services.openhim-console.loadbalancer.server.scheme=http
- traefik.http.routers.openhim-console.service=openhim-console
- traefik.http.routers.openhim-console.entrypoints=websecure
- traefik.http.routers.openhim-console.tls=true
- traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`)
- traefik.http.routers.openhim-console.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.openhim-console.tls=${TLS}
- traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.services.openhim-console.loadbalancer.server.port=80
- traefik.http.middlewares.openhim-console-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.openhim-console-redirect.redirectscheme.permanent=${REDIRECT_TO_HTTPS}
- traefik.http.routers.openhim-console.middlewares=openhim-console-redirect

placement:
max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE}
resources:
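Review bot: `tls.certresolver=${CERT_RESOLVER-""}` on the openhimcomms and openhimcore routers uses a Compose default that, as far as I can tell, is taken verbatim — i.e. the two-character literal `""` — so when `CERT_RESOLVER` is unset the router asks for a resolver literally named `""` rather than for no resolver; the other files in this PR use plain `${CERT_RESOLVER}` (monitoring uses `${CERT_RESOLVER-le}`), so I'd write `- traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER}` and the same for openhimcore. Note also that openhimcomms and openhimcore get no HTTPS redirect middleware while openhim-console does; since both proxy to `scheme=https` upstreams and core handles the mediator credentials, leaving a plain-HTTP path to them should be a deliberate choice recorded in a comment. The two service definitions start above the first hunk.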
16 changes: 16 additions & 0 deletions kafka-mapper-consumer/docker-compose.yml
Expand Up @@ -28,6 +28,19 @@ services:
networks:
kafka:
reverse-proxy:
traefik:
deploy:
replicas: 1
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.kafka-mapper-consumer-ui.rule=PathPrefix(`/kafka-mapper-consumer-ui`)
- traefik.http.services.kafka-mapper-consumer-ui.loadbalancer.server.port=80
- traefik.http.services.kafka-mapper-consumer-ui.loadbalancer.server.url=http://kafka-mapper-consumer-ui:80/jembi-kafka-mapper-consumer-ui.js
- traefik.http.routers.kafka-mapper-consumer-ui.tls=${TLS}
- traefik.http.routers.kafka-mapper-consumer-ui.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.kafka-mapper-consumer-ui.middlewares=kafka-mapper-consumer-ui-stripprefix
- traefik.http.middlewares.kafka-mapper-consumer-ui-stripprefix.stripprefix.prefixes=/kafka-mapper-consumer-ui

configs:
fhir-mapping.json:
Expand All @@ -49,4 +62,7 @@ networks:
reverse-proxy:
name: reverse-proxy_public
external: true
traefik:
name: reverse-proxy-traefik_public
external: true
default:
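Review bot: The `kafka-mapper-consumer-ui` service sets both `loadbalancer.server.port=80` and `loadbalancer.server.url=http://kafka-mapper-consumer-ui:80/jembi-kafka-mapper-consumer-ui.js`; `server.url` is not a label I can confirm for the Traefik version deployed here, and if the Docker provider does not recognise a key it rejects the container's whole label set, so confirm the Traefik image in use and keep only whichever of the two is needed. The `url` value also names a single `.js` asset rather than a base address, which reads like a copied asset path rather than an upstream — verify what the router is meant to serve. The `kafka-mapper-consumer` service definition starts above the first hunk.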
26 changes: 22 additions & 4 deletions monitoring/docker-compose.yml
Expand Up @@ -11,7 +11,16 @@ services:
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.grafana.service=grafana
- traefik.http.services.grafana.loadbalancer.server.port=3000
- traefik.http.routers.grafana.rule=Host(${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.tls=${TLS}
- traefik.http.services.grafana.loadbalancer.server.scheme=http
- traefik.http.routers.grafana.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.grafana.tls.certresolver=${CERT_RESOLVER-le}
- traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
- traefik.http.routers.grafana.middlewares=grafana-stripprefix
- traefik.http.middlewares.grafana-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.grafana-redirect.redirectscheme.permanent=${REDIRECT_TO_HTTPS}

environment:
GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
Expand All @@ -38,7 +47,7 @@ services:
GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
GF_SERVER_ROOT_URL: ${GF_SERVER_ROOT_URL}
GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
configs:
Expand Down Expand Up @@ -72,6 +81,7 @@ services:
traefik:
default:


prometheus:
image: prom/prometheus:v2.38.0
user: root
Expand All @@ -92,6 +102,7 @@ services:
public:
default:


cadvisor:
image: gcr.io/cadvisor/cadvisor:v0.45.0
command: -docker_only
Expand Down Expand Up @@ -152,7 +163,7 @@ services:
MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL}
MINIO_SERVER_URL: http://localhost:9000
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
interval: 30s
timeout: 20s
retries: 3
Expand All @@ -165,15 +176,21 @@ services:
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.minio.rule=${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/minio`)
- traefik.http.routers.minio.service=minio
- traefik.http.routers.minio.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/minio`)
- traefik.http.services.minio.loadbalancer.server.port=9001
- traefik.http.routers.minio.tls=${TLS}
- traefik.http.services.minio.loadbalancer.server.scheme=http
- traefik.http.routers.minio.entrypoints=${WEB_ENTRY_POINT}
- traefik.http.routers.minio.tls.certresolver=le
- traefik.http.middlewares.minio-stripprefix.stripprefix.prefixes=/minio
- traefik.http.routers.minio.middlewares=minio-stripprefix
networks:
reverse-proxy:
traefik:
default:


configs:
grafana.ini:
file: ./grafana/grafana.ini
Expand Down Expand Up @@ -258,6 +275,7 @@ volumes:
minio-01-data1:
minio-01-data2:


networks:
keycloak:
name: keycloak_public
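Review bot: `minio.tls.certresolver=le` is hard-coded while grafana in the same file uses `${CERT_RESOLVER-le}` and the rest of the PR uses `${CERT_RESOLVER}`; use `- traefik.http.routers.minio.tls.certresolver=${CERT_RESOLVER}` so a single variable governs the resolver. Switching `GF_SERVER_ROOT_URL` to `${GF_SERVER_ROOT_URL}` (`https://domain/grafana` in the remote env) while `GF_AUTH_SIGNOUT_REDIRECT_URL` still builds `post_logout_redirect_uri` from `${KC_GRAFANA_ROOT_URL}` (`https://grafana.domain`) leaves the two URLs disagreeing, so the post-logout redirect presumably lands on a host that no longer serves Grafana; the Keycloak client's redirect allow-list will need the same check. Minio also gets no redirect middleware at all, unlike grafana, so plain-HTTP access to the console stays open when `TLS=true`. The grafana and minio service definitions start above their hunks.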