diff --git a/.env.traefik.remote b/.env.traefik.remote
new file mode 100644
index 00000000..ca1131aa
--- /dev/null
+++ b/.env.traefik.remote
@@ -0,0 +1,53 @@
+# General
+
+CLUSTERED_MODE=false
+
+# Log
+
+DEBUG=0
+BASHLOG_FILE=0
+BASHLOG_FILE_PATH=platform.log
+
+# Data Mapper - Logstash
+
+LOGSTASH_DEV_MOUNT=false
+LOGSTASH_PACKAGE_PATH=
+
+# Dashboard Visualiser - JS Report
+
+## !NOTE: MAKE SURE YOU HAVE RUN 'set-permissions.sh' SCRIPT BEFORE AND AFTER RUNNING JS REPORT
+JS_REPORT_DEV_MOUNT=false
+JS_REPORT_PACKAGE_PATH=
+
+# Message Bus - Kafka
+
+# !NOTE: Topics should comma seperated, optional include partion and repliction values
+# e.g. :: -> test:3:2 (defaults to :3:1)
+# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
+KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation
+
+OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_MEDIATOR_API_PORT=443/openhimcomms
+
+# Reverse Proxy - Nginx
+REVERSE_PROXY_INSTANCES=1
+DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
+SUBDOMAINS=openhimcomms.,openhimcore.,openhimconsole.,kibana.,reports.,santewww.,santempi.,superset.,keycloak.,grafana.,minio.,jempi-web.,jempi-api.
+STAGING=false
+INSECURE=false
+
+# Identity Access Manager - Keycloak
+KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
+KC_GRAFANA_ROOT_URL=https://grafana.
+KC_JEMPI_ROOT_URL=https://jempi-web.
+KC_SUPERSET_ROOT_URL=https://superset.
+KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
+GF_SERVER_DOMAIN=grafana.
+
+REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.
+REACT_APP_JEMPI_BASE_API_PORT=443
+OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
+OPENHIM_API_PORT=443/openhimcomms
+OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
+CERT_RESOLVER=le
diff --git a/fhir-ig-importer/docker-compose.yml b/fhir-ig-importer/docker-compose.yml
index c1bca48c..7c87cced 100644
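Review bot: The ngrok tunnel hostname `c9a4-41-90-68-240.ngrok-free.app` is written out verbatim in seven variables (DOMAIN_NAME, OPENHIM_CORE_MEDIATOR_HOSTNAME, KC_FRONTEND_URL, KC_OPENHIM_ROOT_URL, OPENHIM_CONSOLE_BASE_URL, OPENHIM_API_HOST, OPENHIM_HOST_NAME); an ephemeral tunnel endpoint committed to a tracked env file goes stale on the next tunnel restart, and every copy then has to be edited separately instead of being derived from DOMAIN_NAME once. Several values end in a bare dot (`KC_GRAFANA_ROOT_URL=https://grafana.`, `GF_SERVER_DOMAIN=grafana.`, `REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.`), which as rendered here is not a usable hostname and looks like a dropped domain suffix; if the suffix is appended elsewhere on purpose, a short comment above that group saying where it is supplied would make that clear. `OPENHIM_API_PORT=443/openhimcomms` and `OPENHIM_MEDIATOR_API_PORT=443/openhimcomms` put a URL path into variables named as ports, so anything that parses them as an integer will fail; if the path is needed it belongs in the host or base-URL variable.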
--- a/fhir-ig-importer/docker-compose.yml +++ b/fhir-ig-importer/docker-compose.yml @@ -21,6 +21,8 @@ services: reverse-proxy: environment: FHIR_IG_IMPORTER_CORE_URL: ${FHIR_IG_IMPORTER_CORE_URL} + OPENHIM_API_USERNAME: ${OPENHIM_USERNAME} + OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD} networks: hapi-fhir: diff --git a/fhir-ig-importer/importer/docker-compose.config.yml b/fhir-ig-importer/importer/docker-compose.config.yml index 0d11921a..3447da3b 100644 --- a/fhir-ig-importer/importer/docker-compose.config.yml +++ b/fhir-ig-importer/importer/docker-compose.config.yml @@ -12,6 +12,7 @@ services: OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD} # Reject unauthorised is only needed if the OpenHIM's SSL is not setup NODE_TLS_REJECT_UNAUTHORIZED: 0 + OPENHIM_CONSOLE_BASE_URL: ${OPENHIM_CONSOLE_BASE_URL} command: sh -c "node openhimConfig.js" configs: - source: fhir-ig-importer-config-importer-openhimConfig.js diff --git a/fhir-ig-importer/importer/volume/ig-importer-app.json b/fhir-ig-importer/importer/volume/ig-importer-app.json index 4517c9b8..b4336fba 100644 --- a/fhir-ig-importer/importer/volume/ig-importer-app.json +++ b/fhir-ig-importer/importer/volume/ig-importer-app.json @@ -3,7 +3,7 @@ "description": "FHIR IG microfrontend app", "category": "HIE Configuration", "type": "esmodule", - "url": "https://openhimconsole./fhir-ig-importer", + "url": "/fhir-ig-importer", "showInPortal": true, "showInSideBar": true, "access_roles": ["admin"], diff --git a/fhir-ig-importer/importer/volume/openhimConfig.js b/fhir-ig-importer/importer/volume/openhimConfig.js index cae7a270..4a9b2ceb 100644 --- a/fhir-ig-importer/importer/volume/openhimConfig.js +++ b/fhir-ig-importer/importer/volume/openhimConfig.js 
@@ -43,6 +43,18 @@ const appJsonData = JSON.parse( fs.readFileSync(path.resolve(__dirname, "ig-importer-app.json")) ); +//Substitute the url with environ variable + +let url = appJsonData.url; +if (!process.env.OPENHIM_CONSOLE_BASE_URL) { + throw new Error("Environment variable OPENHIM_CONSOLE_BASE_URL is not set"); +} +let newUrl = url.replace( + "", + process.env.OPENHIM_CONSOLE_BASE_URL +); + +appJsonData.url = newUrl; const data = JSON.stringify(jsonData); const appData = JSON.stringify(appJsonData); diff --git a/fhir-ig-importer/package-metadata.json b/fhir-ig-importer/package-metadata.json index 1bc5473f..bed49d43 100644 --- a/fhir-ig-importer/package-metadata.json +++ b/fhir-ig-importer/package-metadata.json @@ -15,6 +15,9 @@ "FHIR_IG_IMPORTER_CORE_HOST": "0.0.0.0", "FHIR_IG_IMPORTER_CORE_URL": "http://0.0.0.0:3001/fhir/ig/v1.0", "FHIR_IG_IMPORTER_UI_VERSION": "latest", - "FHIR_IG_IMPORTER_CORE_VERSION": "latest" + "FHIR_IG_IMPORTER_CORE_VERSION": "latest", + "OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000", + "OPENHIM_API_USERNAME": "root@openhim.org", + "OPENHIM_API_PASSWORD": "instant101" } } diff --git a/identity-access-manager-keycloak/docker-compose.yml b/identity-access-manager-keycloak/docker-compose.yml index ff58f721..3c1fbc69 100644 --- a/identity-access-manager-keycloak/docker-compose.yml +++ b/identity-access-manager-keycloak/docker-compose.yml @@ -51,6 +51,8 @@ services: - traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080 - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.identity-access-manager-keycloak.tls=true + - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER} networks: reverse-proxy: public: 
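Review bot: `url.replace("", process.env.OPENHIM_CONSOLE_BASE_URL)` relies on an empty search string matching at index 0, so the call prepends the base URL; that only happens to produce the right result for the new relative `url` values, a base ending in `/` yields `//`, and as rendered here the empty first argument may also be a placeholder lost in rendering, so the intent is not recoverable from the code. State it directly, e.g. `const newUrl = new URL(url, process.env.OPENHIM_CONSOLE_BASE_URL).href;`, which normalises the join and throws on a malformed base (keep the explicit unset check for its clearer message), or use a plain template literal if the base may carry a path prefix that `new URL` would drop. Neither `url` nor `newUrl` is reassigned, so both should be `const`. The same lines are added in kafka-mapper-consumer/openhimConfig.js and reprocess-mediator/openhimConfig.js; the `appJsonData` statement this hunk follows starts in the hunk header context, outside the hunk.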
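Review bot: The new defaults are keyed `OPENHIM_API_USERNAME` / `OPENHIM_API_PASSWORD`, but the variables the compose files interpolate are `${OPENHIM_USERNAME}` and `${OPENHIM_PASSWORD}` (fhir-ig-importer/docker-compose.yml and importer/docker-compose.config.yml in this same change), so unless the platform maps the two spellings these entries are never read and the effective defaults come from the other pair. Either rename them to `"OPENHIM_USERNAME"` / `"OPENHIM_PASSWORD"` or drop them: `root@openhim.org` / `instant101` are already defined as defaults by the packages that own the OpenHIM credentials (reprocess-mediator/package-metadata.json in this diff shows the same value), and duplicating an admin credential default per package means a rotation has to find and touch every copy.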
diff --git a/interoperability-layer-openhim/docker-compose.yml b/interoperability-layer-openhim/docker-compose.yml index 5e692e4d..684bb005 100644 --- a/interoperability-layer-openhim/docker-compose.yml +++ b/interoperability-layer-openhim/docker-compose.yml @@ -54,17 +54,21 @@ services: - traefik.http.routers.openhimcomms.tls=true - traefik.http.routers.openhimcomms.entrypoints=websecure - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`) - - traefik.http.routers.openhimcomms.middlewares=openhimcomms - - traefik.http.middlewares.openhimcomms.stripprefix.prefixes=/openhimcomms - + - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms + - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix + - traefik.http.routers.openhimcomms.tls.certresolver=le - traefik.http.routers.openhimcore.service=openhimcore - traefik.http.services.openhimcore.loadbalancer.server.port=5000 - traefik.http.services.openhimcore.loadbalancer.server.scheme=https - traefik.http.routers.openhimcore.tls=true - traefik.http.routers.openhimcore.entrypoints=websecure - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`) - - traefik.http.routers.openhimcore.middlewares=openhimcore - - traefik.http.middlewares.openhimcore.stripprefix.prefixes=/openhimcore + - traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore + - traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix + - traefik.http.routers.openhimcore.tls.certresolver=le + + + openhim-console: image: ${OPENHIM_CONSOLE_IMAGE} 
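Review bot: `traefik.http.routers.openhimcomms.tls.certresolver=le` and `traefik.http.routers.openhimcore.tls.certresolver=le` hard-code the resolver name, while the keycloak and traefik routers in this same change use `${CERT_RESOLVER}` and the new env file and package-metadata define that variable; renaming the resolver later would silently leave these two routers on Traefik's default certificate. Use `- traefik.http.routers.openhimcomms.tls.certresolver=${CERT_RESOLVER}` and the same for openhimcore. The three blank lines added before `openhim-console:` look accidental.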
@@ -94,7 +98,8 @@ services: - traefik.http.services.openhim-console.loadbalancer.server.scheme=http - traefik.http.routers.openhim-console.service=openhim-console - traefik.http.routers.openhim-console.entrypoints=websecure - - traefik.http.routers.openhim-console.rule=Host(`${OPENHIM_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`) + - traefik.http.routers.openhim-console.tls=true + - traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`) - traefik.http.services.openhim-console.loadbalancer.server.port=80 placement: max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE} diff --git a/interoperability-layer-openhim/package-metadata.json b/interoperability-layer-openhim/package-metadata.json index 1fa38624..fb92768a 100644 --- a/interoperability-layer-openhim/package-metadata.json +++ b/interoperability-layer-openhim/package-metadata.json @@ -43,8 +43,7 @@ "KC_OPENHIM_CLIENT_SECRET": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR", "KC_OPENHIM_ROOT_URL": "http://localhost:9000", "KC_API_URL": "http://identity-access-manager-keycloak:8080", - "OPENHIM_SUBDOMAIN": "openhim", - "OPENHIM_CONSOLE_BASE_URL": "localhost:9000", + "OPENHIM_CONSOLE_BASE_URL": "https://localhost:9000", "OPENHIM_API_HOST": "localhost", "OPENHIM_API_PORT": "5001" } diff --git a/kafka-mapper-consumer/consumer-ui-app.json b/kafka-mapper-consumer/consumer-ui-app.json index b6ac02d7..42d47345 100644 --- a/kafka-mapper-consumer/consumer-ui-app.json +++ b/kafka-mapper-consumer/consumer-ui-app.json @@ -3,7 +3,7 @@ "description": "Kafka mapper consumer microfrontends app", "category": "HIE Configuration", "type": "esmodule", - "url": "http://localhost:8091/jembi-kafka-mapper-consumer-ui.js", + "url": "/kafka-mapper-consumer-ui", "showInPortal": true, "showInSideBar": false, "access_roles": ["admin"], diff --git a/kafka-mapper-consumer/docker-compose.config.yml b/kafka-mapper-consumer/docker-compose.config.yml index 2e1b4db5..dd13d684 100644 --- a/kafka-mapper-consumer/docker-compose.config.yml 
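Review bot: The openhim-console router now matches `Host(\`${DOMAIN_NAME}\`)` while the openhimcomms and openhimcore routers in the same file match `Host(\`${DOMAIN_NAME_HOST_TRAEFIK}\`)`; if those two variables ever differ, the console and the API it calls are served from different hosts. `tls=true` is added without a `tls.certresolver`, unlike the other routers in this change, so unless a default certificate store is configured elsewhere Traefik serves its self-signed default certificate for the console; add `- traefik.http.routers.openhim-console.tls.certresolver=${CERT_RESOLVER}`. The router shares its `Host()` with the path-prefixed API routers and has no `PathPrefix` of its own, so it relies on Traefik's rule-length priority to lose to `/openhimcomms` and `/openhimcore`; a one-line comment saying so would help the next reader.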
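Review bot: `OPENHIM_CONSOLE_BASE_URL` defaults to `https://localhost:9000` here but to `http://localhost:9000` in fhir-ig-importer, kafka-mapper-consumer and reprocess-mediator package-metadata.json in this same change. The openhimConfig.js scripts prepend this value to the microfrontend `url` fields the console loads, so differing schemes across packages give mixed-content module loads once the console is served over HTTPS; pick one scheme for all four defaults. Since the previous value `localhost:9000` had no scheme, a comment noting that the scheme is now part of the value would prevent the old form from coming back.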
+++ b/kafka-mapper-consumer/docker-compose.config.yml @@ -12,6 +12,7 @@ services: OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD} # Reject unauthorised is only needed if the OpenHIM's SSL is not setup NODE_TLS_REJECT_UNAUTHORIZED: 0 + OPENHIM_CONSOLE_BASE_URL: ${OPENHIM_CONSOLE_BASE_URL} command: sh -c "node openhimConfig.js" configs: - source: kafka-mapper-consumer-openhimConfig.js diff --git a/kafka-mapper-consumer/openhimConfig.js b/kafka-mapper-consumer/openhimConfig.js index a7868cde..c56379df 100644 --- a/kafka-mapper-consumer/openhimConfig.js +++ b/kafka-mapper-consumer/openhimConfig.js @@ -37,6 +37,20 @@ function makeRequest(options, data) { const appJsonData = JSON.parse( fs.readFileSync(path.resolve(__dirname, "consumer-ui-app.json")) ); +//Substitute the url with environ variable + +let url = appJsonData.url; + +if (!process.env.OPENHIM_CONSOLE_BASE_URL) { + throw new Error("Environment variable OPENHIM_CONSOLE_BASE_URL is not set"); +} + +let newUrl = url.replace( + "", + process.env.OPENHIM_CONSOLE_BASE_URL +); + +appJsonData.url = newUrl; const appData = JSON.stringify(appJsonData); const options = { diff --git a/kafka-mapper-consumer/package-metadata.json b/kafka-mapper-consumer/package-metadata.json index 0c0b17a9..9fa23ea9 100644 --- a/kafka-mapper-consumer/package-metadata.json +++ b/kafka-mapper-consumer/package-metadata.json @@ -17,7 +17,8 @@ "REGISTER_MEDIATOR": "true", "CLICKHOUSE_HOST": "analytics-datastore-clickhouse", "CLICKHOUSE_PORT": "8123", - "KAFKA_CONSUMER_MAPPER_MEDIATOR_VERSION": "jembi/kafka-mapper-consumer:v0.0.1", - "KAFKA_CONSUMER_MAPPER_UI_VERSION": "jembi/kafka-mapper-consumer-ui:v0.0.1" + "KAFKA_CONSUMER_MAPPER_MEDIATOR_VERSION": "jembi/kafka-mapper-consumer:latest", + "KAFKA_CONSUMER_MAPPER_UI_VERSION": "jembi/kafka-mapper-consumer-ui:latest", + "OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000" } } 
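Review bot: `KAFKA_CONSUMER_MAPPER_MEDIATOR_VERSION` and `KAFKA_CONSUMER_MAPPER_UI_VERSION` move from the pinned `v0.0.1` tags to `:latest`, and reprocess-mediator/package-metadata.json does the same for `REPROCESS_MEDIATOR_VERSION` and `REPROCESS_MEDIATOR_UI_VERSION`. A floating tag makes the deployment non-reproducible: two nodes pulling at different times can run different images, and a new push to the registry changes what runs without any change in this repository. Keep a version tag (or a digest of the form `jembi/kafka-mapper-consumer@sha256:<digest>`) as the committed default and let an environment override select `latest` where that is wanted.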
diff --git a/reprocess-mediator/docker-compose.config.yml b/reprocess-mediator/docker-compose.config.yml index 1135b51e..6ed5fbb8 100644 --- a/reprocess-mediator/docker-compose.config.yml +++ b/reprocess-mediator/docker-compose.config.yml @@ -12,6 +12,7 @@ services: OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD} # Reject unauthorised is only needed if the OpenHIM's SSL is not setup NODE_TLS_REJECT_UNAUTHORIZED: 0 + OPENHIM_CONSOLE_BASE_URL: ${OPENHIM_CONSOLE_BASE_URL} command: sh -c "node openhimConfig.js" configs: - source: reprocess-openhimConfig.js diff --git a/reprocess-mediator/openhimConfig.js b/reprocess-mediator/openhimConfig.js index e5268dd9..d645c501 100644 --- a/reprocess-mediator/openhimConfig.js +++ b/reprocess-mediator/openhimConfig.js @@ -37,6 +37,19 @@ function makeRequest(options, data) { const appJsonData = JSON.parse( fs.readFileSync(path.resolve(__dirname, "reprocess-ui-app.json")) ); +//Substitute the url with environ variable + +let url = appJsonData.url; + +if (!process.env.OPENHIM_CONSOLE_BASE_URL) { + throw new Error("Environment variable OPENHIM_CONSOLE_BASE_URL is not set"); +} +let newUrl = url.replace( + "", + process.env.OPENHIM_CONSOLE_BASE_URL +); + +appJsonData.url = newUrl; const appData = JSON.stringify(appJsonData); const options = { diff --git a/reprocess-mediator/package-metadata.json b/reprocess-mediator/package-metadata.json index fa8c999d..049d2e32 100644 --- a/reprocess-mediator/package-metadata.json +++ b/reprocess-mediator/package-metadata.json 
@@ -12,10 +12,10 @@ "OPENHIM_PASSWORD": "instant101", "REGISTER_MEDIATOR": "true", "REPROCESSOR_API_BASE_URL": "http://reprocess-mediator:3000", - "REPROCESS_MEDIATOR_VERSION": "jembi/reprocess-mediator:v0.1.0", - "REPROCESS_MEDIATOR_UI_VERSION": "jembi/reprocess-mediator-ui:v0.1.0", + "REPROCESS_MEDIATOR_VERSION": "jembi/reprocess-mediator:latest", + "REPROCESS_MEDIATOR_UI_VERSION": "jembi/reprocess-mediator-ui:latest", "MONGODB_CONNECTION_STRING": "mongodb://mongo-1:27017/openhim", - "MONGODB_DIRECT_CONNECTION": false - + "MONGODB_DIRECT_CONNECTION": false, + "OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000" } } diff --git a/reprocess-mediator/reprocess-ui-app.json b/reprocess-mediator/reprocess-ui-app.json index 840b037b..f89da247 100644 --- a/reprocess-mediator/reprocess-ui-app.json +++ b/reprocess-mediator/reprocess-ui-app.json @@ -3,7 +3,7 @@ "description": "Reprocess microfrontends app", "category": "HIE Configuration", "type": "esmodule", - "url": "http://localhost:3030/jembi-reprocessor-mediator-microfrontend.js", + "url": "/reprocess-mediator-ui", "showInPortal": true, "showInSideBar": false, "access_roles": ["admin"], diff --git a/reverse-proxy-traefik/docker-compose.yml b/reverse-proxy-traefik/docker-compose.yml index 50426bee..6fae1279 100644 --- a/reverse-proxy-traefik/docker-compose.yml +++ b/reverse-proxy-traefik/docker-compose.yml 
@@ -19,27 +19,54 @@ services: - --api.insecure=${ENABLE_TRAEFIK_DASHBOARD} - --entrypoints.web.address=:80 - --entryPoints.websecure.address=:443 - - --providers.docker.network=reverse-proxy-traefik_public + #certificate resolver + - --certificatesresolvers.le.acme.email=${ACME_EMAIL?Variable not set} + - --certificatesresolvers.le.acme.storage=/certificates/acme.json + - --certificatesresolvers.le.acme.tlschallenge=true + - --certificatesresolvers.le.acme.caserver=${CA_SERVER} + - --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0 + volumes: - /var/run/docker.sock:/var/run/docker.sock + - traefik-public-certificates:/certificates deploy: replicas: 1 labels: - #TODO: Are these 2 lines necessary? - - traefik.enable=true - - traefik.http.services.reverse-proxy-traefik.loadbalancer.server.port=80 + - traefik.docker.lbswarm=true + - traefik.http.routers.to-https.rule=HostRegexp(`{host:.+}`) + - traefik.http.routers.to-https.entrypoints=http + - traefik.http.routers.to-https.middlewares=to-https + + - traefik.http.routers.traefik.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/dashboard`) + - traefik.http.routers.traefik.entrypoints=http + - traefik.http.routers.traefik.middlewares=auth + - traefik.http.routers.traefik.service=api@internal + - traefik.http.routers.traefik.tls=true + - traefik.http.routers.traefik.tls.certresolver=${CERT_RESOLVER} + - traefik.http.services.openhim-console.loadbalancer.server.port=8080 + + - traefik.http.middlewares.to-https.redirectscheme.scheme=https + - traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD} + placement: max_replicas_per_node: 1 constraints: - node.role == ${PLACEMENT_ROLE_CONSTRAINTS} resources: limits: - cpus: "0.5" - memory: 256M + cpus: "1" + memory: 1G reservations: cpus: "0.1" memory: 64M +volumes: + # Create a volume to store the certificates, there is a constraint to make sure + # Traefik is always deployed to the same Docker node with the same volume containing + # the HTTPS certificates 
+ traefik-public-certificates: + + networks: traefik: name: reverse-proxy-traefik_public diff --git a/reverse-proxy-traefik/package-metadata.json b/reverse-proxy-traefik/package-metadata.json index 1a031245..2c62ad9b 100644 --- a/reverse-proxy-traefik/package-metadata.json +++ b/reverse-proxy-traefik/package-metadata.json @@ -13,8 +13,13 @@ "TK_MEMORY_LIMIT": "3G", "TK_MEMORY_RESERVE": "500M", "INSECURE_SKIP_VERIFY": "true", - "ENABLE_TRAEFIK_DASHBOARD": "false", - "PLACEMENT_ROLE_CONSTRAINTS": "leader", - "ACME_EMAIL": "" + "ENABLE_TRAEFIK_DASHBOARD": "true", + "PLACEMENT_ROLE_CONSTRAINTS": "manager", + "ACME_EMAIL": "", + "USERNAME": "admin", + "PASSWORD": "test", + "DOMAIN": "platform.cloud.jembi", + "CERT_RESOLVER": "le", + "CA_SERVER": "https://acme-staging-v02.api.letsencrypt.org/directory" } }
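Review bot: The `to-https` and `traefik` routers are bound to `entrypoints=http`, but the only entrypoints defined in the command block above are `web` (:80) and `websecure` (:443), so Traefik rejects both routers with an unknown-entrypoint error and neither the HTTPS redirect nor the dashboard route becomes active; use `- traefik.http.routers.to-https.entrypoints=web` and `- traefik.http.routers.traefik.entrypoints=websecure` (the latter also matches its `tls=true`). `traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD}` interpolates a plaintext password, whereas Traefik's basicauth expects htpasswd-style entries with a hashed password (and `$` inside the hash must be doubled to `$$` in compose), so the variable should carry a pre-generated hash rather than a secret in clear. `traefik.http.services.openhim-console.loadbalancer.server.port=8080` declares a Traefik service named `openhim-console` on the proxy container, colliding with the `openhim-console` service (port 80) declared in interoperability-layer-openhim/docker-compose.yml in this same change; it reads as a copy-paste and should be removed or renamed. `certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0` is set alongside `tlschallenge=true`; I believe setting any dnschallenge option enables the DNS challenge too, which Traefik rejects as multiple challenges, so confirm that line is needed.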
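Review bot: The new default `"DOMAIN": "platform.cloud.jembi"` is not referenced anywhere in this change — the traefik compose labels use `${DOMAIN_NAME}`, which is the name the new .env.traefik.remote defines — so either rename the key to `"DOMAIN_NAME"` or drop it. `ENABLE_TRAEFIK_DASHBOARD` now defaults to `"true"`, which feeds `--api.insecure=true` and serves the API and dashboard unauthenticated on the container's port 8080, bypassing the basicauth middleware attached to the `traefik` router; keep the default `"false"` and expose the dashboard only through the authenticated router. `"PASSWORD": "test"` as a committed default (plaintext, while the basicauth label expects a hash) should instead be an empty default the deployment is required to set, as `ACME_EMAIL` already is. `CA_SERVER` defaults to the Let's Encrypt staging directory, whose certificates browsers do not trust; a comment saying it must be overridden for production would help.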