From 90493785c79ae7fda82abb046d40324f76ccb353 Mon Sep 17 00:00:00 2001
From: drono
Date: Mon, 5 Aug 2024 15:31:35 +0300
Subject: [PATCH] Add Letsencrypt automatic cert generation for monitoring packages

---
 .env.traefik.remote | 7 ++++
 .../docker-compose.yml | 5 ++-
 monitoring/docker-compose.yml | 32 +++++++++++++++----
 3 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/.env.traefik.remote b/.env.traefik.remote
index ca1131aa..c5902e65 100644
--- a/.env.traefik.remote
+++ b/.env.traefik.remote
@@ -51,3 +51,10 @@ OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
 OPENHIM_API_PORT=443/openhimcomms
 OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
 CERT_RESOLVER=le
+CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
+OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
+OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
+GF_SERVER_ROOT_URL=https:///grafana
+GF_SERVER_DOMAIN=
+MINIO_BROWSER_REDIRECT_URL=https:///minio
+DOMAIN_NAME_HOST_TRAEFIK=
diff --git a/identity-access-manager-keycloak/docker-compose.yml b/identity-access-manager-keycloak/docker-compose.yml
index 3c1fbc69..b3d99f88 100644
--- a/identity-access-manager-keycloak/docker-compose.yml
+++ b/identity-access-manager-keycloak/docker-compose.yml
@@ -8,7 +8,7 @@ services:
 "start",
 "--proxy=edge",
 "--hostname-url=${KC_FRONTEND_URL}",
- "--import-realm",
+ "--import-realm"
 ]
 hostname: identity-access-manager-keycloak
 healthcheck:
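Review bot: Four of the new entries are host-less placeholders — `GF_SERVER_ROOT_URL=https:///grafana`, `MINIO_BROWSER_REDIRECT_URL=https:///minio`, and the empty `GF_SERVER_DOMAIN=` and `DOMAIN_NAME_HOST_TRAEFIK=` — and nothing in the file says they must be filled in before use. With `DOMAIN_NAME_HOST_TRAEFIK` empty, every `Host(...)` rule in this commit that interpolates `${DOMAIN_NAME_HOST_TRAEFIK}` matches nothing and the `le` resolver has no name to request a certificate for, so a comment such as `# DOMAIN_NAME_HOST_TRAEFIK: public DNS name Traefik routes and obtains the Let's Encrypt certificate for (required)` above that line would help. `CA_SERVER` points at the production ACME directory; noting that the staging directory is the right choice while the routing is still being debugged would avoid exhausting production issuance limits. The tag `poc-microfrontend-prelease` in `OPENHIM_CONSOLE_IMAGE` reads like a typo for `prerelease`, but only the registry can confirm that.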
@@ -49,10 +49,12 @@ services:
 - traefik.enable=true
 - traefik.docker.network=reverse-proxy-traefik_public
 - traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
+ - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.scheme=http
 - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
 - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
 - traefik.http.routers.identity-access-manager-keycloak.tls=true
 - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
+ - traefik.http.routers.identity-access-manager-keycloak.entrypoints=websecure
 networks:
 reverse-proxy:
 public:
@@ -60,6 +62,7 @@ services:
 default:
 postgres:
+
 configs:
 realm.json:
 file: ./config/realm.json
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index 2d4de27b..904e4886 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -10,8 +10,13 @@ services:
 - traefik.enable=true
 - traefik.docker.network=reverse-proxy-traefik_public
 - traefik.http.routers.grafana.service=grafana
- - traefik.http.services.grafana.loadbalancer.server.port=3000
- - traefik.http.routers.grafana.rule=Host(${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/grafana`)
+ - traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
+ - traefik.http.routers.grafana.tls=true
+ - traefik.http.services.grafana.loadbalancer.server.scheme=http
+ - traefik.http.routers.grafana.entrypoints=websecure
+ - traefik.http.routers.grafana.tls.certresolver=le
+ - traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
+ - traefik.http.routers.grafana.middlewares=grafana-stripprefix
 environment:
 GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
 GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
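Review bot: `entrypoints=websecure` pins this router to the TLS entrypoint, so plain-HTTP requests for the Keycloak host no longer match it; unless the Traefik configuration (not in this diff) redirects the `web` entrypoint to `websecure`, clients arriving on port 80 will get a 404 instead of an upgrade to HTTPS. A label-level comment such as `# TLS-only router; HTTP->HTTPS redirect is expected from Traefik's web entrypoint` would record that dependency. `loadbalancer.server.scheme=http` together with `--proxy=edge` (earlier hunk) keeps Traefik-to-Keycloak traffic in plaintext on the `reverse-proxy-traefik_public` network, which is the intended edge-proxy mode but means Keycloak trusts forwarded headers from whatever reaches it on that network, so that network should stay limited to the proxy and its backends.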
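Review bot: The removed `traefik.http.services.grafana.loadbalancer.server.port=3000` has no replacement; the new labels set `scheme=http` but no port, so Traefik has to guess the backend port from the image's exposed ports, which is fragile and inconsistent with the minio router below that keeps `server.port=9001`. Re-add `- traefik.http.services.grafana.loadbalancer.server.port=3000`. `tls.certresolver=le` is hardcoded here and again in the minio labels hunk, while the keycloak router uses `${CERT_RESOLVER}` and `.env.traefik.remote` already defines `CERT_RESOLVER=le`; use `- traefik.http.routers.grafana.tls.certresolver=${CERT_RESOLVER}` (and the minio equivalent) so one setting controls all three routers. If `GF_SERVER_SERVE_FROM_SUB_PATH` (set a few lines below this hunk) is true, Grafana expects to receive the `/grafana` prefix itself, and the new `grafana-stripprefix` middleware would then break its asset and login paths — worth checking against the env value.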
@@ -37,8 +42,8 @@ services:
 GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token"
 GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
 GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
- GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
- GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
+ GF_SERVER_DOMAIN: ${DOMAIN_NAME_HOST_TRAEFIK}
+ GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}
 GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
 GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
 configs:
@@ -72,6 +77,7 @@ services:
 traefik:
 default:
+
 prometheus:
 image: prom/prometheus:v2.38.0
 user: root
@@ -92,6 +98,7 @@ services:
 public:
 default:
+
 cadvisor:
 image: gcr.io/cadvisor/cadvisor:v0.45.0
 command: -docker_only
@@ -152,7 +159,13 @@ services:
 MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL}
 MINIO_SERVER_URL: http://localhost:9000
 healthcheck:
- test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+ test:
+ [
+ "CMD",
+ "curl",
+ "-f",
+ "http://localhost:9000/minio/health/live"
+ ]
 interval: 30s
 timeout: 20s
 retries: 3
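Review bot: `GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}` hands Grafana a bare hostname, but root_url is expected to be the full public URL including scheme and sub-path, and the OAuth redirect URI Grafana sends to Keycloak is derived from it. `GF_SERVER_ROOT_URL: https://${DOMAIN_NAME_HOST_TRAEFIK}/grafana` would match the router rule in the labels hunk. The `GF_AUTH_SIGNOUT_REDIRECT_URL` line two below still builds its `post_logout_redirect_uri` from `${KC_GRAFANA_ROOT_URL}`, so two variables now describe the same public URL and can drift apart; pick one. The `GF_SERVER_ROOT_URL` and `GF_SERVER_DOMAIN` entries added to `.env.traefik.remote` in this commit are no longer read here, unless another compose file consumes them.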
@@ -165,8 +178,13 @@ services:
 labels:
 - traefik.enable=true
 - traefik.docker.network=reverse-proxy-traefik_public
- - traefik.http.routers.minio.rule=${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/minio`)
+ - traefik.http.routers.minio.service=minio
+ - traefik.http.routers.minio.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/minio`)
 - traefik.http.services.minio.loadbalancer.server.port=9001
+ - traefik.http.routers.minio.tls=true
+ - traefik.http.services.minio.loadbalancer.server.scheme=http
+ - traefik.http.routers.minio.entrypoints=websecure
+ - traefik.http.routers.minio.tls.certresolver=le
 - traefik.http.middlewares.minio-stripprefix.stripprefix.prefixes=/minio
 - traefik.http.routers.minio.middlewares=minio-stripprefix
 networks:
@@ -174,6 +192,7 @@ services:
 traefik:
 default:
+
 configs:
 grafana.ini:
 file: ./grafana/grafana.ini
@@ -258,6 +277,7 @@ volumes:
 minio-01-data1:
 minio-01-data2:
+
 networks:
 keycloak:
 name: keycloak_public
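Review bot: The `minio` router now terminates TLS and strips `/minio`, yet the console's own idea of its public base, `MINIO_BROWSER_REDIRECT_URL` (context in the preceding hunk, and `https:///minio` with an empty host in the `.env` file from this commit), must agree with that routing or the console's redirects and asset paths will not resolve; whether the console expects the prefix stripped or preserved depends on the MinIO image version and should be confirmed in a browser once a real domain is set. Only the console port 9001 is routed; the S3 API on 9000 stays reachable only from the Docker network, and `MINIO_SERVER_URL: http://localhost:9000` (context in the preceding hunk) points at localhost, which is fine only if nothing outside the host needs direct S3 access. A comment on the labels such as `# routes the MinIO console (9001) only; the S3 API (9000) is not published through Traefik` would make that choice explicit.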