From e5540972a1a8fbdea6f42cd79340384f8ee1a1e1 Mon Sep 17 00:00:00 2001
From: drono
Date: Fri, 12 Jul 2024 13:24:04 +0300
Subject: [PATCH 1/4] Add initial cert generation for traefik and interop layer

---
 .env.traefik.remote | 53 +++++++++++++++++++
 .../docker-compose.yml | 2 +
 .../docker-compose.yml | 18 ++++---
 .../package-metadata.json | 7 ++-
 reverse-proxy-traefik/docker-compose.yml | 39 +++++++++++---
 reverse-proxy-traefik/package-metadata.json | 10 ++--
 6 files changed, 110 insertions(+), 19 deletions(-)
 create mode 100644 .env.traefik.remote

diff --git a/.env.traefik.remote b/.env.traefik.remote
new file mode 100644
index 00000000..ca1131aa
--- /dev/null
+++ b/.env.traefik.remote
@@ -0,0 +1,53 @@
+# General
+
+CLUSTERED_MODE=false
+
+# Log
+
+DEBUG=0
+BASHLOG_FILE=0
+BASHLOG_FILE_PATH=platform.log
+
+# Data Mapper - Logstash
+
+LOGSTASH_DEV_MOUNT=false
+LOGSTASH_PACKAGE_PATH=
+
+# Dashboard Visualiser - JS Report
+
+## !NOTE: MAKE SURE YOU HAVE RUN 'set-permissions.sh' SCRIPT BEFORE AND AFTER RUNNING JS REPORT
+JS_REPORT_DEV_MOUNT=false
+JS_REPORT_PACKAGE_PATH=
+
+# Message Bus - Kafka
+
+# !NOTE: Topics should comma seperated, optional include partion and repliction values
+# e.g. :: -> test:3:2 (defaults to :3:1)
+# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
+KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation
+
+OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_MEDIATOR_API_PORT=443/openhimcomms
+
+# Reverse Proxy - Nginx
+REVERSE_PROXY_INSTANCES=1
+DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
+SUBDOMAINS=openhimcomms.,openhimcore.,openhimconsole.,kibana.,reports.,santewww.,santempi.,superset.,keycloak.,grafana.,minio.,jempi-web.,jempi-api.
+STAGING=false
+INSECURE=false
+
+# Identity Access Manager - Keycloak
+KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
+KC_GRAFANA_ROOT_URL=https://grafana.
+KC_JEMPI_ROOT_URL=https://jempi-web.
+KC_SUPERSET_ROOT_URL=https://superset.
+KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
+GF_SERVER_DOMAIN=grafana.
+
+REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.
+REACT_APP_JEMPI_BASE_API_PORT=443
+OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
+OPENHIM_API_PORT=443/openhimcomms
+OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
+CERT_RESOLVER=le
diff --git a/identity-access-manager-keycloak/docker-compose.yml b/identity-access-manager-keycloak/docker-compose.yml
index ff58f721..3c1fbc69 100644
--- a/identity-access-manager-keycloak/docker-compose.yml
+++ b/identity-access-manager-keycloak/docker-compose.yml
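Review bot: The new env file bakes a developer's throwaway ngrok tunnel host, `c9a4-41-90-68-240.ngrok-free.app`, into DOMAIN_NAME, OPENHIM_CORE_MEDIATOR_HOSTNAME, KC_FRONTEND_URL, KC_OPENHIM_ROOT_URL, OPENHIM_CONSOLE_BASE_URL, OPENHIM_API_HOST and OPENHIM_HOST_NAME, so anyone who uses the file as shipped points the platform at a tunnel that no longer exists. Replace the literal with a clearly marked placeholder such as `DOMAIN_NAME=<your-public-hostname>` and build the other values from it. OPENHIM_API_HOST and OPENHIM_API_PORT also carry a scheme and a `/openhimcomms` path, whereas the defaults for the same variables in interoperability-layer-openhim/package-metadata.json are a bare host (`localhost`) and port (`5001`); if the consumer joins host and port, `443/openhimcomms` is not a port. The section header `# Reverse Proxy - Nginx` still names nginx although the file configures traefik.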
@@ -51,6 +51,8 @@ services: - traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080 - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.identity-access-manager-keycloak.tls=true + - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER} networks: reverse-proxy: public: diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml index 35715913..9df62a1c 100644 --- a/interoperability-layer-openhim/docker-compose.yml +++ b/interoperability-layer-openhim/docker-compose.yml 
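Review bot: The new `tls.certresolver=${CERT_RESOLVER}` label on the keycloak router depends on a variable that this series adds only to reverse-proxy-traefik/package-metadata.json and .env.traefik.remote, not to the keycloak package's own metadata, so whether it resolves at deploy time depends on how the platform scopes variables across packages. If it expands to nothing the label becomes `tls.certresolver=`, and the router would presumably end up on Traefik's default certificate rather than an ACME-issued one. Either add `CERT_RESOLVER` to the keycloak package's environment defaults or give the reference a fallback, `- traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER:-le}`.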
@@ -50,17 +50,22 @@ services: - traefik.http.routers.openhimcomms.tls=true - traefik.http.routers.openhimcomms.entrypoints=websecure - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`) - - traefik.http.routers.openhimcomms.middlewares=openhimcomms - - traefik.http.middlewares.openhimcomms.stripprefix.prefixes=/openhimcomms - + - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms + - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix + - "traefik.http.routers.openhimcomms.tls.certresolver=le" + - traefik.http.routers.openhimcore.service=openhimcore - traefik.http.services.openhimcore.loadbalancer.server.port=5000 - traefik.http.services.openhimcore.loadbalancer.server.scheme=https - traefik.http.routers.openhimcore.tls=true - traefik.http.routers.openhimcore.entrypoints=websecure - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`) - - traefik.http.routers.openhimcore.middlewares=openhimcore - - traefik.http.middlewares.openhimcore.stripprefix.prefixes=/openhimcore + - traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore + - traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix + - "traefik.http.routers.openhimcore.tls.certresolver=le" + + + openhim-console: image: ${OPENHIM_CONSOLE_IMAGE} 
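Review bot: The openhimcomms and openhimcore routers hard-code `tls.certresolver=le` while the keycloak and traefik routers in the same series use `${CERT_RESOLVER}`; renaming the resolver in package-metadata would then silently leave these two routers pointing at a resolver that no longer exists. Use `- traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER}` and the same for openhimcore. PATCH 3/4 (hunks `@@ -52,7 +52,7 @@` and `@@ -62,7 +62,7 @@`) only normalises the quoting of these two lines, so the literal `le` survives into the final state. The three consecutive added blank lines before `openhim-console:` could be collapsed to one.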
@@ -90,7 +95,8 @@ services: - traefik.http.services.openhim-console.loadbalancer.server.scheme=http - traefik.http.routers.openhim-console.service=openhim-console - traefik.http.routers.openhim-console.entrypoints=websecure - - traefik.http.routers.openhim-console.rule=Host(`${OPENHIM_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - 'traefik.http.routers.openhim-console.tls=true' + - traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`) - traefik.http.services.openhim-console.loadbalancer.server.port=80 placement: max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE} diff --git a/interoperability-layer-openhim/package-metadata.json b/interoperability-layer-openhim/package-metadata.json index 1fa38624..ac5ad32f 100644 --- a/interoperability-layer-openhim/package-metadata.json +++ b/interoperability-layer-openhim/package-metadata.json @@ -6,8 +6,8 @@ "type": "infrastructure", "dependencies": [], "environmentVariables": { - "OPENHIM_CORE_IMAGE": "jembi/openhim-core:v8.4.3", - "OPENHIM_CONSOLE_IMAGE": "jembi/openhim-console:poc-microfrontend", + "OPENHIM_CORE_IMAGE": "jembi/openhim-core:prerelease", + "OPENHIM_CONSOLE_IMAGE": "jembi/openhim-console:poc-microfrontend-prelease", "MONGO_IMAGE": "mongo:4.2", "AWAIT_HELPER_IMAGE": "jembi/await-helper:1.0.1", "MONGO_1_PLACEMENT": "node-1", @@ -43,8 +43,7 @@ "KC_OPENHIM_CLIENT_SECRET": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR", "KC_OPENHIM_ROOT_URL": "http://localhost:9000", "KC_API_URL": "http://identity-access-manager-keycloak:8080", - "OPENHIM_SUBDOMAIN": "openhim", - "OPENHIM_CONSOLE_BASE_URL": "localhost:9000", + "OPENHIM_CONSOLE_BASE_URL": "https://localhost:9000", "OPENHIM_API_HOST": "localhost", "OPENHIM_API_PORT": "5001" } diff --git a/reverse-proxy-traefik/docker-compose.yml b/reverse-proxy-traefik/docker-compose.yml index 50426bee..77d2d537 100644 --- a/reverse-proxy-traefik/docker-compose.yml +++ b/reverse-proxy-traefik/docker-compose.yml 
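Review bot: The openhim-console router gains `tls=true` but, unlike openhimcomms and openhimcore earlier in this file, no `tls.certresolver`, so it is presumably served with Traefik's default certificate rather than an ACME-issued one. Add `- traefik.http.routers.openhim-console.tls.certresolver=${CERT_RESOLVER}` next to the new `tls=true` line. The rule also switches the host to `${DOMAIN_NAME}` while the core and comms routers still match `${DOMAIN_NAME_HOST_TRAEFIK}`; unless both variables always carry the same value, the console and the API it calls end up on different hosts.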
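Review bot: `OPENHIM_CORE_IMAGE` moves from the pinned `jembi/openhim-core:v8.4.3` to the floating `prerelease` tag, so each deploy pulls whatever the tag points to at that moment and the running image can change with no diff in this repository to show it. Keep a pinned version (or a digest) as the committed default. `poc-microfrontend-prelease` also reads like a misspelling of `prerelease`; if the registry tag is spelled differently the pull fails at deploy time, so it is worth checking against the registry.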
@@ -19,27 +19,54 @@ services: - --api.insecure=${ENABLE_TRAEFIK_DASHBOARD} - --entrypoints.web.address=:80 - --entryPoints.websecure.address=:443 - - --providers.docker.network=reverse-proxy-traefik_public + #certificate resolver + - --certificatesresolvers.le.acme.email=${ACME_EMAIL?Variable not set} + - --certificatesresolvers.le.acme.storage=/certificates/acme.json + - --certificatesresolvers.le.acme.tlschallenge=true + - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory + - --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0 + volumes: - /var/run/docker.sock:/var/run/docker.sock + - traefik-public-certificates:/certificates deploy: replicas: 1 labels: - #TODO: Are these 2 lines necessary? - - traefik.enable=true - - traefik.http.services.reverse-proxy-traefik.loadbalancer.server.port=80 + - traefik.docker.lbswarm=true + - traefik.http.routers.to-https.rule=HostRegexp(`{host:.+}`) + - traefik.http.routers.to-https.entrypoints=http + - traefik.http.routers.to-https.middlewares=to-https + + - traefik.http.routers.traefik.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/dashboard`) + - traefik.http.routers.traefik.entrypoints=http + - traefik.http.routers.traefik.middlewares=auth + - traefik.http.routers.traefik.service=api@internal + - traefik.http.routers.traefik.tls=true + - traefik.http.routers.traefik.tls.certresolver=${CERT_RESOLVER} + - traefik.http.services.openhim-console.loadbalancer.server.port=8080 + + - traefik.http.middlewares.to-https.redirectscheme.scheme=https + - traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD} + placement: max_replicas_per_node: 1 constraints: - node.role == ${PLACEMENT_ROLE_CONSTRAINTS} resources: limits: - cpus: "0.5" - memory: 256M + cpus: "1" + memory: 1G reservations: cpus: "0.1" memory: 64M +volumes: + # Create a volume to store the certificates, there is a constraint to make sure + # Traefik is always deployed to the same Docker node with the same 
volume containing + # the HTTPS certificates + traefik-public-certificates: + + networks: traefik: name: reverse-proxy-traefik_public diff --git a/reverse-proxy-traefik/package-metadata.json b/reverse-proxy-traefik/package-metadata.json index 1a031245..3ee93c4b 100644 --- a/reverse-proxy-traefik/package-metadata.json +++ b/reverse-proxy-traefik/package-metadata.json @@ -13,8 +13,12 @@ "TK_MEMORY_LIMIT": "3G", "TK_MEMORY_RESERVE": "500M", "INSECURE_SKIP_VERIFY": "true", - "ENABLE_TRAEFIK_DASHBOARD": "false", - "PLACEMENT_ROLE_CONSTRAINTS": "leader", - "ACME_EMAIL": "" + "ENABLE_TRAEFIK_DASHBOARD": "true", + "PLACEMENT_ROLE_CONSTRAINTS": "manager", + "ACME_EMAIL": "", + "USERNAME": "admin", + "PASSWORD": "test", + "DOMAIN": "platform.cloud.jembi", + "CERT_RESOLVER": "le" } } From 4fb85463622ce46e1907b48dcf305481af86cf3a Mon Sep 17 00:00:00 2001 From: drono Date: Fri, 26 Jul 2024 09:40:09 +0300 Subject: [PATCH 2/4] Make CA server url configurable --- reverse-proxy-traefik/docker-compose.yml | 2 +- reverse-proxy-traefik/package-metadata.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/reverse-proxy-traefik/docker-compose.yml b/reverse-proxy-traefik/docker-compose.yml index 77d2d537..6fae1279 100644 --- a/reverse-proxy-traefik/docker-compose.yml +++ b/reverse-proxy-traefik/docker-compose.yml @@ -23,7 +23,7 @@ services: - --certificatesresolvers.le.acme.email=${ACME_EMAIL?Variable not set} - --certificatesresolvers.le.acme.storage=/certificates/acme.json - --certificatesresolvers.le.acme.tlschallenge=true - - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory + - --certificatesresolvers.le.acme.caserver=${CA_SERVER} - --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0 volumes: diff --git a/reverse-proxy-traefik/package-metadata.json b/reverse-proxy-traefik/package-metadata.json index 3ee93c4b..2c62ad9b 100644 --- a/reverse-proxy-traefik/package-metadata.json 
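Review bot: Both new routers on the traefik service use `entrypoints=http`, but the only entrypoints defined in the command block are `web` (:80) and `websecure` (:443), so the to-https redirect and the dashboard router match nothing; the dashboard router also sets `tls=true` on what should be the plain-HTTP entrypoint, and a dashboard rule normally needs `PathPrefix(`/api`)` alongside `/dashboard` because the UI calls the API. `--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0` next to `tlschallenge=true` presumably switches the resolver to a DNS challenge with no provider configured; drop it unless a DNS challenge is intended. `traefik.http.services.openhim-console.loadbalancer.server.port=8080` on the traefik container looks like a copy-paste leftover and presumably clashes with the openhim-console service the openhim compose file declares. Traefik's basicauth `users` expects htpasswd-style hashed entries, so a plaintext `${USERNAME}:${PASSWORD}` will not authenticate, and the `$` characters of a hash need escaping as `$$` in compose. The comment on the new volume says a constraint keeps Traefik on one node, but the only constraint is `node.role == ${PLACEMENT_ROLE_CONSTRAINTS}`, so the node-local volume holding acme.json (and its account key) can be lost when the service is rescheduled.
```yaml
      - --certificatesresolvers.le.acme.email=${ACME_EMAIL?Variable not set}
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      # dnschallenge flag removed: one ACME challenge type is wanted here
    # … unchanged: volumes …
    deploy:
      replicas: 1
      labels:
        - traefik.docker.lbswarm=true
        - traefik.http.routers.to-https.rule=HostRegexp(`{host:.+}`)
        - traefik.http.routers.to-https.entrypoints=web
        - traefik.http.routers.to-https.middlewares=to-https
        - traefik.http.routers.traefik.rule=Host(`${DOMAIN_NAME}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
        - traefik.http.routers.traefik.entrypoints=websecure
        - traefik.http.routers.traefik.middlewares=auth
        - traefik.http.routers.traefik.service=api@internal
        - traefik.http.routers.traefik.tls=true
        - traefik.http.routers.traefik.tls.certresolver=${CERT_RESOLVER}
        # stray openhim-console service label removed
        - traefik.http.middlewares.to-https.redirectscheme.scheme=https
        # PASSWORD must be an htpasswd-style hash with each $ written as $$
        - traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD}
      # … unchanged: placement, resources …
```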
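Review bot: `ENABLE_TRAEFIK_DASHBOARD` now defaults to `"true"`, and reverse-proxy-traefik/docker-compose.yml feeds it straight into `--api.insecure`, so by default the API and dashboard are served unauthenticated on the container's port 8080, bypassing the basicauth middleware the same commit adds; keep the default at `"false"` and let operators opt in. The `USERNAME`/`PASSWORD` defaults of `admin`/`test` are a weak credential for whatever the auth middleware does protect, and `PASSWORD` would need to hold an htpasswd-style hash for Traefik's basicauth to accept it. The new key is `DOMAIN`, but the compose file reads `${DOMAIN_NAME}`, so this default never reaches the dashboard router's Host rule.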
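Review bot: `${CA_SERVER}` has neither a guard nor a default, unlike `${ACME_EMAIL?Variable not set}` two lines above, so an unset variable yields `--certificatesresolvers.le.acme.caserver=` and the resolver is configured with an empty CA URL. Mirror the email guard, `- --certificatesresolvers.le.acme.caserver=${CA_SERVER?Variable not set}`, or supply a fallback with `${CA_SERVER:-https://acme-v02.api.letsencrypt.org/directory}`.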
+++ b/reverse-proxy-traefik/package-metadata.json @@ -19,6 +19,7 @@ "USERNAME": "admin", "PASSWORD": "test", "DOMAIN": "platform.cloud.jembi", - "CERT_RESOLVER": "le" + "CERT_RESOLVER": "le", + "CA_SERVER": "https://acme-staging-v02.api.letsencrypt.org/directory" } } From 9a227620861329f58de68bcc2963c32871fb931d Mon Sep 17 00:00:00 2001 From: drono Date: Fri, 2 Aug 2024 14:44:11 +0300 Subject: [PATCH 3/4] PR feedback --- interoperability-layer-openhim/docker-compose.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml index 9df62a1c..a35ab2e4 100644 --- a/interoperability-layer-openhim/docker-compose.yml +++ b/interoperability-layer-openhim/docker-compose.yml @@ -52,7 +52,7 @@ services: - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`) - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix - - "traefik.http.routers.openhimcomms.tls.certresolver=le" + - traefik.http.routers.openhimcomms.tls.certresolver=le - traefik.http.routers.openhimcore.service=openhimcore - traefik.http.services.openhimcore.loadbalancer.server.port=5000 @@ -62,7 +62,7 @@ services: - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`) - traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore - traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix - - "traefik.http.routers.openhimcore.tls.certresolver=le" + - traefik.http.routers.openhimcore.tls.certresolver=le 
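Review bot: The default `CA_SERVER` is the Let's Encrypt staging directory, whose certificates are not trusted by browsers, so a deployment that does not override it gets a working ACME flow but untrusted TLS with nothing here explaining why. If staging is the intended default to stay clear of production rate limits during testing, document that where operators configure the package (a JSON file cannot carry a comment); otherwise default to the production directory and make staging the opt-in.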
@@ -95,7 +95,7 @@ services: - traefik.http.services.openhim-console.loadbalancer.server.scheme=http - traefik.http.routers.openhim-console.service=openhim-console - traefik.http.routers.openhim-console.entrypoints=websecure - - 'traefik.http.routers.openhim-console.tls=true' + - traefik.http.routers.openhim-console.tls=true - traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`) - traefik.http.services.openhim-console.loadbalancer.server.port=80 placement: From 3bf8736e539d0a18bc89fcace56b77092957f427 Mon Sep 17 00:00:00 2001 From: Drizzentic Date: Fri, 2 Aug 2024 14:46:30 +0300 Subject: [PATCH 4/4] Update interoperability-layer-openhim/docker-compose.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- interoperability-layer-openhim/docker-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml index a35ab2e4..59a1d95e 100644 --- a/interoperability-layer-openhim/docker-compose.yml +++ b/interoperability-layer-openhim/docker-compose.yml @@ -53,7 +53,6 @@ services: - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix - traefik.http.routers.openhimcomms.tls.certresolver=le - - traefik.http.routers.openhimcore.service=openhimcore - traefik.http.services.openhimcore.loadbalancer.server.port=5000 - traefik.http.services.openhimcore.loadbalancer.server.scheme=https