Merge branch 'main' into CU-86byv0cyf_Add-initial-package-and-configu…

…ration-files-for-FHIR-info-Gateway
jembi · Aug 14, 2024 · 138558a · 138558a
2 parents 759e7ee + 0882027
commit 138558a
Show file tree

Hide file tree

Showing 19 changed files with 166 additions and 27 deletions.
diff --git a/.env.traefik.remote b/.env.traefik.remote
@@ -0,0 +1,53 @@
+# General
+
+CLUSTERED_MODE=false
+
+# Log
+
+DEBUG=0
+BASHLOG_FILE=0
+BASHLOG_FILE_PATH=platform.log
+
+# Data Mapper - Logstash
+
+LOGSTASH_DEV_MOUNT=false
+LOGSTASH_PACKAGE_PATH=
+
+# Dashboard Visualiser - JS Report
+
+## !NOTE: MAKE SURE YOU HAVE RUN 'set-permissions.sh' SCRIPT BEFORE AND AFTER RUNNING JS REPORT
+JS_REPORT_DEV_MOUNT=false
+JS_REPORT_PACKAGE_PATH=
+
+# Message Bus - Kafka
+
+#  !NOTE: Topics should comma seperated, optional include partion and repliction values
+#   e.g. <topic>:<partions>:<replicationFactor> -> test:3:2 (defaults to <topics>:3:1)
+# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
+KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation
+
+OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_MEDIATOR_API_PORT=443/openhimcomms
+
+# Reverse Proxy - Nginx
+REVERSE_PROXY_INSTANCES=1
+DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
+SUBDOMAINS=openhimcomms.<domain>,openhimcore.<domain>,openhimconsole.<domain>,kibana.<domain>,reports.<domain>,santewww.<domain>,santempi.<domain>,superset.<domain>,keycloak.<domain>,grafana.<domain>,minio.<domain>,jempi-web.<domain>,jempi-api.<domain>
+STAGING=false
+INSECURE=false
+
+# Identity Access Manager - Keycloak
+KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
+KC_GRAFANA_ROOT_URL=https://grafana.<domain>
+KC_JEMPI_ROOT_URL=https://jempi-web.<domain>
+KC_SUPERSET_ROOT_URL=https://superset.<domain>
+KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
+GF_SERVER_DOMAIN=grafana.<domain>
+
+REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.<domain>
+REACT_APP_JEMPI_BASE_API_PORT=443
+OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
+OPENHIM_API_PORT=443/openhimcomms
+OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
+CERT_RESOLVER=le
diff --git a/fhir-ig-importer/docker-compose.yml b/fhir-ig-importer/docker-compose.yml
@@ -21,6 +21,8 @@ services:
       reverse-proxy:
     environment:
       FHIR_IG_IMPORTER_CORE_URL: ${FHIR_IG_IMPORTER_CORE_URL}
+      OPENHIM_API_USERNAME: ${OPENHIM_USERNAME}
+      OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD}
 
 networks:
   hapi-fhir:

diff --git a/fhir-ig-importer/importer/docker-compose.config.yml b/fhir-ig-importer/importer/docker-compose.config.yml
@@ -12,6 +12,7 @@ services:
       OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD}
       # Reject unauthorised is only needed if the OpenHIM's SSL is not setup
       NODE_TLS_REJECT_UNAUTHORIZED: 0
+      OPENHIM_CONSOLE_BASE_URL: ${OPENHIM_CONSOLE_BASE_URL}
     command: sh -c "node openhimConfig.js"
     configs:
       - source: fhir-ig-importer-config-importer-openhimConfig.js

diff --git a/fhir-ig-importer/importer/volume/ig-importer-app.json b/fhir-ig-importer/importer/volume/ig-importer-app.json
@@ -3,7 +3,7 @@
   "description": "FHIR IG microfrontend app",
   "category": "HIE Configuration",
   "type": "esmodule",
-  "url": "https://openhimconsole.<domain>/fhir-ig-importer",
+  "url": "<openhim-console-url>/fhir-ig-importer",
   "showInPortal": true,
   "showInSideBar": true,
   "access_roles": ["admin"],

diff --git a/fhir-ig-importer/importer/volume/openhimConfig.js b/fhir-ig-importer/importer/volume/openhimConfig.js
@@ -43,6 +43,18 @@ const appJsonData = JSON.parse(
   fs.readFileSync(path.resolve(__dirname, "ig-importer-app.json"))
 );
 
+//Substitute the url with environ variable
+
+let url = appJsonData.url;
+if (!process.env.OPENHIM_CONSOLE_BASE_URL) {
+  throw new Error("Environment variable OPENHIM_CONSOLE_BASE_URL is not set");
+}
+let newUrl = url.replace(
+  "<openhim-console-url>",
+  process.env.OPENHIM_CONSOLE_BASE_URL
+);
+
+appJsonData.url = newUrl;
 const data = JSON.stringify(jsonData);
 const appData = JSON.stringify(appJsonData);
 

diff --git a/fhir-ig-importer/package-metadata.json b/fhir-ig-importer/package-metadata.json
@@ -15,6 +15,9 @@
     "FHIR_IG_IMPORTER_CORE_HOST": "0.0.0.0",
     "FHIR_IG_IMPORTER_CORE_URL": "http://0.0.0.0:3001/fhir/ig/v1.0",
     "FHIR_IG_IMPORTER_UI_VERSION": "latest",
-    "FHIR_IG_IMPORTER_CORE_VERSION": "latest"
+    "FHIR_IG_IMPORTER_CORE_VERSION": "latest",
+    "OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000",
+    "OPENHIM_API_USERNAME": "[email protected]",
+    "OPENHIM_API_PASSWORD": "instant101"
   }
 }
diff --git a/identity-access-manager-keycloak/docker-compose.yml b/identity-access-manager-keycloak/docker-compose.yml
@@ -51,6 +51,8 @@ services:
         - traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
         - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
         - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+        - traefik.http.routers.identity-access-manager-keycloak.tls=true
+        - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
     networks:
       reverse-proxy:
       public:

diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml
@@ -54,17 +54,21 @@ services:
         - traefik.http.routers.openhimcomms.tls=true
         - traefik.http.routers.openhimcomms.entrypoints=websecure
         - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`)
-        - traefik.http.routers.openhimcomms.middlewares=openhimcomms
-        - traefik.http.middlewares.openhimcomms.stripprefix.prefixes=/openhimcomms
-
+        - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms
+        - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix
+        - traefik.http.routers.openhimcomms.tls.certresolver=le
         - traefik.http.routers.openhimcore.service=openhimcore
         - traefik.http.services.openhimcore.loadbalancer.server.port=5000
         - traefik.http.services.openhimcore.loadbalancer.server.scheme=https
         - traefik.http.routers.openhimcore.tls=true
         - traefik.http.routers.openhimcore.entrypoints=websecure
         - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`)
-        - traefik.http.routers.openhimcore.middlewares=openhimcore
-        - traefik.http.middlewares.openhimcore.stripprefix.prefixes=/openhimcore
+        - traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore
+        - traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix
+        - traefik.http.routers.openhimcore.tls.certresolver=le
+
+
+
 
   openhim-console:
     image: ${OPENHIM_CONSOLE_IMAGE}
@@ -94,7 +98,8 @@ services:
         - traefik.http.services.openhim-console.loadbalancer.server.scheme=http
         - traefik.http.routers.openhim-console.service=openhim-console
         - traefik.http.routers.openhim-console.entrypoints=websecure
-        - traefik.http.routers.openhim-console.rule=Host(`${OPENHIM_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+        - traefik.http.routers.openhim-console.tls=true
+        - traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`)
         - traefik.http.services.openhim-console.loadbalancer.server.port=80
       placement:
         max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE}

diff --git a/interoperability-layer-openhim/package-metadata.json b/interoperability-layer-openhim/package-metadata.json
@@ -43,8 +43,7 @@
     "KC_OPENHIM_CLIENT_SECRET": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR",
     "KC_OPENHIM_ROOT_URL": "http://localhost:9000",
     "KC_API_URL": "http://identity-access-manager-keycloak:8080",
-    "OPENHIM_SUBDOMAIN": "openhim",
-    "OPENHIM_CONSOLE_BASE_URL": "localhost:9000",
+    "OPENHIM_CONSOLE_BASE_URL": "https://localhost:9000",
     "OPENHIM_API_HOST": "localhost",
     "OPENHIM_API_PORT": "5001"
   }

diff --git a/kafka-mapper-consumer/consumer-ui-app.json b/kafka-mapper-consumer/consumer-ui-app.json
@@ -3,7 +3,7 @@
   "description": "Kafka mapper consumer microfrontends app",
   "category": "HIE Configuration",
   "type": "esmodule",
-  "url": "http://localhost:8091/jembi-kafka-mapper-consumer-ui.js",
+  "url": "<openhim-console-url>/kafka-mapper-consumer-ui",
   "showInPortal": true,
   "showInSideBar": false,
   "access_roles": ["admin"],

diff --git a/kafka-mapper-consumer/docker-compose.config.yml b/kafka-mapper-consumer/docker-compose.config.yml
@@ -12,6 +12,7 @@ services:
       OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD}
       # Reject unauthorised is only needed if the OpenHIM's SSL is not setup
       NODE_TLS_REJECT_UNAUTHORIZED: 0
+      OPENHIM_CONSOLE_BASE_URL: ${OPENHIM_CONSOLE_BASE_URL}
     command: sh -c "node openhimConfig.js"
     configs:
       - source: kafka-mapper-consumer-openhimConfig.js

diff --git a/kafka-mapper-consumer/openhimConfig.js b/kafka-mapper-consumer/openhimConfig.js
@@ -37,6 +37,20 @@ function makeRequest(options, data) {
 const appJsonData = JSON.parse(
   fs.readFileSync(path.resolve(__dirname, "consumer-ui-app.json"))
 );
+//Substitute the url with environ variable
+
+let url = appJsonData.url;
+
+if (!process.env.OPENHIM_CONSOLE_BASE_URL) {
+  throw new Error("Environment variable OPENHIM_CONSOLE_BASE_URL is not set");
+}
+
+let newUrl = url.replace(
+  "<openhim-console-url>",
+  process.env.OPENHIM_CONSOLE_BASE_URL
+);
+
+appJsonData.url = newUrl;
 const appData = JSON.stringify(appJsonData);
 
 const options = {

diff --git a/kafka-mapper-consumer/package-metadata.json b/kafka-mapper-consumer/package-metadata.json
@@ -17,7 +17,8 @@
     "REGISTER_MEDIATOR": "true",
     "CLICKHOUSE_HOST": "analytics-datastore-clickhouse",
     "CLICKHOUSE_PORT": "8123",
-    "KAFKA_CONSUMER_MAPPER_MEDIATOR_VERSION": "jembi/kafka-mapper-consumer:v0.0.1",
-    "KAFKA_CONSUMER_MAPPER_UI_VERSION": "jembi/kafka-mapper-consumer-ui:v0.0.1"
+    "KAFKA_CONSUMER_MAPPER_MEDIATOR_VERSION": "jembi/kafka-mapper-consumer:latest",
+    "KAFKA_CONSUMER_MAPPER_UI_VERSION": "jembi/kafka-mapper-consumer-ui:latest",
+    "OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000"
   }
 }
diff --git a/reprocess-mediator/docker-compose.config.yml b/reprocess-mediator/docker-compose.config.yml
@@ -12,6 +12,7 @@ services:
       OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD}
       # Reject unauthorised is only needed if the OpenHIM's SSL is not setup
       NODE_TLS_REJECT_UNAUTHORIZED: 0
+      OPENHIM_CONSOLE_BASE_URL: ${OPENHIM_CONSOLE_BASE_URL}
     command: sh -c "node openhimConfig.js"
     configs:
       - source: reprocess-openhimConfig.js

diff --git a/reprocess-mediator/openhimConfig.js b/reprocess-mediator/openhimConfig.js
@@ -37,6 +37,19 @@ function makeRequest(options, data) {
 const appJsonData = JSON.parse(
   fs.readFileSync(path.resolve(__dirname, "reprocess-ui-app.json"))
 );
+//Substitute the url with environ variable
+
+let url = appJsonData.url;
+
+if (!process.env.OPENHIM_CONSOLE_BASE_URL) {
+  throw new Error("Environment variable OPENHIM_CONSOLE_BASE_URL is not set");
+}
+let newUrl = url.replace(
+  "<openhim-console-url>",
+  process.env.OPENHIM_CONSOLE_BASE_URL
+);
+
+appJsonData.url = newUrl;
 const appData = JSON.stringify(appJsonData);
 
 const options = {

diff --git a/reprocess-mediator/package-metadata.json b/reprocess-mediator/package-metadata.json
@@ -12,10 +12,10 @@
     "OPENHIM_PASSWORD": "instant101",
     "REGISTER_MEDIATOR": "true",
     "REPROCESSOR_API_BASE_URL": "http://reprocess-mediator:3000",
-    "REPROCESS_MEDIATOR_VERSION": "jembi/reprocess-mediator:v0.1.0",
-    "REPROCESS_MEDIATOR_UI_VERSION": "jembi/reprocess-mediator-ui:v0.1.0",
+    "REPROCESS_MEDIATOR_VERSION": "jembi/reprocess-mediator:latest",
+    "REPROCESS_MEDIATOR_UI_VERSION": "jembi/reprocess-mediator-ui:latest",
     "MONGODB_CONNECTION_STRING": "mongodb://mongo-1:27017/openhim",
-    "MONGODB_DIRECT_CONNECTION": false
-
+    "MONGODB_DIRECT_CONNECTION": false,
+    "OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000"
   }
 }
diff --git a/reprocess-mediator/reprocess-ui-app.json b/reprocess-mediator/reprocess-ui-app.json
@@ -3,7 +3,7 @@
   "description": "Reprocess microfrontends app",
   "category": "HIE Configuration",
   "type": "esmodule",
-  "url": "http://localhost:3030/jembi-reprocessor-mediator-microfrontend.js",
+  "url": "<openhim-console-url>/reprocess-mediator-ui",
   "showInPortal": true,
   "showInSideBar": false,
   "access_roles": ["admin"],

diff --git a/reverse-proxy-traefik/docker-compose.yml b/reverse-proxy-traefik/docker-compose.yml
@@ -19,27 +19,54 @@ services:
       - --api.insecure=${ENABLE_TRAEFIK_DASHBOARD}
       - --entrypoints.web.address=:80
       - --entryPoints.websecure.address=:443
-      - --providers.docker.network=reverse-proxy-traefik_public
+      #certificate resolver
+      - --certificatesresolvers.le.acme.email=${ACME_EMAIL?Variable not set}
+      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
+      - --certificatesresolvers.le.acme.tlschallenge=true
+      - --certificatesresolvers.le.acme.caserver=${CA_SERVER}
+      - --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0
+
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+      - traefik-public-certificates:/certificates
     deploy:
       replicas: 1
       labels:
-        #TODO: Are these 2 lines necessary?
-        - traefik.enable=true
-        - traefik.http.services.reverse-proxy-traefik.loadbalancer.server.port=80
+        - traefik.docker.lbswarm=true
+        - traefik.http.routers.to-https.rule=HostRegexp(`{host:.+}`)
+        - traefik.http.routers.to-https.entrypoints=http
+        - traefik.http.routers.to-https.middlewares=to-https
+
+        - traefik.http.routers.traefik.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/dashboard`)
+        - traefik.http.routers.traefik.entrypoints=http
+        - traefik.http.routers.traefik.middlewares=auth
+        - traefik.http.routers.traefik.service=api@internal
+        - traefik.http.routers.traefik.tls=true
+        - traefik.http.routers.traefik.tls.certresolver=${CERT_RESOLVER}
+        - traefik.http.services.openhim-console.loadbalancer.server.port=8080
+
+        - traefik.http.middlewares.to-https.redirectscheme.scheme=https
+        - traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD}
+
       placement:
         max_replicas_per_node: 1
         constraints:
           - node.role == ${PLACEMENT_ROLE_CONSTRAINTS}
       resources:
         limits:
-          cpus: "0.5"
-          memory: 256M
+          cpus: "1"
+          memory: 1G
         reservations:
           cpus: "0.1"
           memory: 64M
 
+volumes:
+  # Create a volume to store the certificates, there is a constraint to make sure
+  # Traefik is always deployed to the same Docker node with the same volume containing
+  # the HTTPS certificates
+  traefik-public-certificates:
+
+
 networks:
   traefik:
     name: reverse-proxy-traefik_public

diff --git a/reverse-proxy-traefik/package-metadata.json b/reverse-proxy-traefik/package-metadata.json
@@ -13,8 +13,13 @@
     "TK_MEMORY_LIMIT": "3G",
     "TK_MEMORY_RESERVE": "500M",
     "INSECURE_SKIP_VERIFY": "true",
-    "ENABLE_TRAEFIK_DASHBOARD": "false",
-    "PLACEMENT_ROLE_CONSTRAINTS": "leader",
-    "ACME_EMAIL": ""
+    "ENABLE_TRAEFIK_DASHBOARD": "true",
+    "PLACEMENT_ROLE_CONSTRAINTS": "manager",
+    "ACME_EMAIL": "",
+    "USERNAME": "admin",
+    "PASSWORD": "test",
+    "DOMAIN": "platform.cloud.jembi",
+    "CERT_RESOLVER": "le",
+    "CA_SERVER": "https://acme-staging-v02.api.letsencrypt.org/directory"
   }
 }