Add Letsencrypt automatic cert generation for monitoring packages #320

Closed
wants to merge 2 commits into from
Closed
2 changes: 1 addition & 1 deletion .env.local
Expand Up @@ -28,4 +28,4 @@ JS_REPORT_PACKAGE_PATH=
# Reverse Proxy - Traefik
PLACEMENT_ROLE_CONSTRAINTS=manager
ENABLE_TRAEFIK_DASHBOARD=true
DOMAIN_NAME_HOST_TRAEFIK=domain
DOMAIN_NAME_HOST_TRAEFIK=localhost
21 changes: 13 additions & 8 deletions .env.traefik.remote
Expand Up @@ -26,28 +26,33 @@ JS_REPORT_PACKAGE_PATH=
# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation

OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
OPENHIM_CORE_MEDIATOR_HOSTNAME=<domain>
OPENHIM_MEDIATOR_API_PORT=443/openhimcomms

# Reverse Proxy - Nginx
REVERSE_PROXY_INSTANCES=1
DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
SUBDOMAINS=openhimcomms.<domain>,openhimcore.<domain>,openhimconsole.<domain>,kibana.<domain>,reports.<domain>,santewww.<domain>,santempi.<domain>,superset.<domain>,keycloak.<domain>,grafana.<domain>,minio.<domain>,jempi-web.<domain>,jempi-api.<domain>
DOMAIN_NAME_HOST_TRAEFIK=<domain>
STAGING=false
INSECURE=false

# Identity Access Manager - Keycloak
KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
KC_FRONTEND_URL=https://keycloak.<domain>
KC_GRAFANA_ROOT_URL=https://grafana.<domain>
KC_JEMPI_ROOT_URL=https://jempi-web.<domain>
KC_SUPERSET_ROOT_URL=https://superset.<domain>
KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
KC_OPENHIM_ROOT_URL=https://<domain>
GF_SERVER_DOMAIN=grafana.<domain>

REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.<domain>
REACT_APP_JEMPI_BASE_API_PORT=443
OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
OPENHIM_CONSOLE_BASE_URL=https://<domain>
OPENHIM_API_HOST=https://<domain>/openhimcomms
OPENHIM_API_PORT=443/openhimcomms
OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
OPENHIM_HOST_NAME=<domain>
CERT_RESOLVER=le
CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
GF_SERVER_ROOT_URL=https://<domain>/grafana
GF_SERVER_DOMAIN=<domain>
MINIO_BROWSER_REDIRECT_URL=https://<domain>/minio
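Review bot: `GF_SERVER_DOMAIN` is assigned twice in this file, first as `grafana.<domain>` and later as `<domain>`; a dotenv loader keeps the last value, so the first line is dead and should be removed so nobody reads it as the effective setting (assuming both lines are on the new side, which the rendered view does not make certain). `KC_GRAFANA_ROOT_URL=https://grafana.<domain>` still points at a subdomain while `GF_SERVER_ROOT_URL=https://<domain>/grafana` moves Grafana to a path prefix; the Grafana signout redirect in monitoring/docker-compose.yml is built from the former, so the two should agree or the logout redirect will not match what Keycloak has registered. With `STAGING=false` against the production `CA_SERVER`, each failed ACME validation counts toward Let's Encrypt's rate limits, so validate the new routing with `STAGING=true` before pointing at production.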
3 changes: 3 additions & 0 deletions client-registry-jempi/docker-compose.api.yml
Expand Up @@ -43,6 +43,7 @@ services:
jempi:
postgres:


jempi-api-kc:
image: jembi/jempi-api-kc:${JEMPI_API_KC_IMAGE_TAG}
environment:
Expand Down Expand Up @@ -89,9 +90,11 @@ services:
jempi:
postgres:


volumes:
jempi-shared-data:


networks:
reverse-proxy:
name: reverse-proxy_public
1 change: 1 addition & 0 deletions client-registry-jempi/docker-compose.web.yml
Expand Up @@ -34,6 +34,7 @@ services:
keycloak:
default:


networks:
reverse-proxy:
name: reverse-proxy_public
2 changes: 1 addition & 1 deletion client-registry-jempi/package-metadata.json
Expand Up @@ -80,7 +80,7 @@
"POSTGRESQL_PASSWORD": "instant101",
"JEMPI_SESSION_SECURE": false,
"JEMPI_SESSION_DOMAIN_NAME": "localhost",
"DOMAIN_NAME": "",
"DOMAIN_NAME": "localhost",
"KAFKA_APPLICATION_ID_API": "api-app-id",
"DGRAPH_HOSTS": "jempi-alpha-01,jempi-alpha-02,jempi-alpha-03",
"DGRAPH_PORTS": "9080,9081,9082",
3 changes: 2 additions & 1 deletion client-registry-santempi/docker-compose.yml
Expand Up @@ -47,10 +47,11 @@ services:
reverse-proxy:
traefik:

# Sante's Match configuration is stored in the container. This will prevent the matching rules of the client registry from being lost. A docker config cannot be used for this case as the settings can be changed on Sante's UI.
# Sante's Match configuration is stored in the container. This will prevent the matching rules of the client registry from being lost. A docker config cannot be used for this case as the settings can be changed on Sante's UI.
volumes:
santedb-data:


networks:
mpi:
name: mpi_public
2 changes: 2 additions & 0 deletions dashboard-visualiser-jsreport/docker-compose.yml
Expand Up @@ -49,9 +49,11 @@ services:
elastic:
default:


volumes:
jsreport-data:


networks:
reverse-proxy:
name: reverse-proxy_public
1 change: 1 addition & 0 deletions dashboard-visualiser-kibana/docker-compose.yml
Expand Up @@ -33,6 +33,7 @@ services:
elastic:
default:


configs:
kibana-kibana.yml:
file: ./kibana.yml
2 changes: 2 additions & 0 deletions dashboard-visualiser-superset/docker-compose.yml
Expand Up @@ -46,6 +46,7 @@ services:
postgres:
default:


configs:
superset_config.py:
file: ./config/superset_config.py
Expand All @@ -71,6 +72,7 @@ configs:
volumes:
superset_home:


networks:
clickhouse:
name: clickhouse_public
2 changes: 1 addition & 1 deletion fhir-ig-importer/importer/docker-compose.config.yml
Expand Up @@ -9,7 +9,7 @@ services:
default:
environment:
OPENHIM_API_USERNAME: ${OPENHIM_USERNAME}
OPENHIM_API_PASSWORD: ${OPENHIM_PASSWORD}
OPENHIM_IG_PASSWORD: ${OPENHIM_PASSWORD}
# Reject unauthorised is only needed if the OpenHIM's SSL is not setup
NODE_TLS_REJECT_UNAUTHORIZED: 0
OPENHIM_CONSOLE_BASE_URL: ${OPENHIM_CONSOLE_BASE_URL}
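Review bot: Renaming the variable to `OPENHIM_IG_PASSWORD` only takes effect if the importer image reads that name; the script that consumes it is not in this diff, so confirm it was updated, otherwise the password silently falls back to whatever default the script carries (the OpenHIM importer in this same PR falls back to a literal `"openhim-password"`). `NODE_TLS_REJECT_UNAUTHORIZED: 0` stays unconditional and disables certificate verification for every outbound TLS connection the importer makes, not only the one to OpenHIM; now that this PR issues real certificates, consider `NODE_TLS_REJECT_UNAUTHORIZED: ${NODE_TLS_REJECT_UNAUTHORIZED:-0}` so a production deployment can turn verification back on without editing the compose file. The service definition starts before this hunk.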
2 changes: 1 addition & 1 deletion fhir-ig-importer/package-metadata.json
Expand Up @@ -18,6 +18,6 @@
"FHIR_IG_IMPORTER_CORE_VERSION": "latest",
"OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000",
"OPENHIM_API_USERNAME": "[email protected]",
"OPENHIM_API_PASSWORD": "instant101"
"OPENHIM_IG_PASSWORD": "instant101"
}
}
5 changes: 4 additions & 1 deletion identity-access-manager-keycloak/docker-compose.yml
Expand Up @@ -8,7 +8,7 @@ services:
"start",
"--proxy=edge",
"--hostname-url=${KC_FRONTEND_URL}",
"--import-realm",
"--import-realm"
]
hostname: identity-access-manager-keycloak
healthcheck:
Expand Down Expand Up @@ -49,17 +49,20 @@ services:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.scheme=http
- traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
- traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.routers.identity-access-manager-keycloak.tls=true
- traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
- traefik.http.routers.identity-access-manager-keycloak.entrypoints=websecure
networks:
reverse-proxy:
public:
traefik:
default:
postgres:


configs:
realm.json:
file: ./config/realm.json
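Review bot: The router host `${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}` and `--hostname-url=${KC_FRONTEND_URL}` are set from independent variables; if they drift apart Keycloak issues redirects and issuer URLs for a host Traefik does not route, and nothing in the compose file flags the mismatch. Either derive one from the other in the env file, e.g. `KC_FRONTEND_URL=https://${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`, or add a comment above the `rule` label stating that the two must agree. This service uses `${CERT_RESOLVER}` while the Grafana, MinIO and OpenHIM routers in the same PR hardcode `le`; pick one so a staging resolver can be swapped in from a single place. The service block starts before this hunk.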
5 changes: 1 addition & 4 deletions interoperability-layer-openhim/docker-compose.yml
Expand Up @@ -63,9 +63,6 @@ services:
- traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix
- traefik.http.routers.openhimcore.tls.certresolver=le




openhim-console:
image: ${OPENHIM_CONSOLE_IMAGE}
environment:
Expand Down Expand Up @@ -95,7 +92,7 @@ services:
- traefik.http.routers.openhim-console.service=openhim-console
- traefik.http.routers.openhim-console.entrypoints=websecure
- traefik.http.routers.openhim-console.tls=true
- traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`)
- traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`)
- traefik.http.services.openhim-console.loadbalancer.server.port=80
placement:
max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE}
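Review bot: openhim-console's router has `tls=true` on `websecure` but no `tls.certresolver` label is visible for it in this hunk, unlike openhimcore's `tls.certresolver=le` a few lines up; if it is not set outside the hunk, the certificate for `${DOMAIN_NAME_HOST_TRAEFIK}` is only requested because some other router on that host asks for it, so add `traefik.http.routers.openhim-console.tls.certresolver=le` next to the `tls=true` label so the console does not depend on the monitoring package being deployed. Both `le` values here are hardcoded while identity-access-manager-keycloak uses `${CERT_RESOLVER}`; using the variable keeps the resolver switchable in one place. The openhim-console service definition continues past the hunk.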
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ services:
image: node:erbium-alpine
environment:
OPENHIM_API_USERNAME: '[email protected]'
OPENHIM_API_PASSWORD: 'openhim-password'
OPENHIM_DEFAULT_PASSWORD: 'openhim-password'
# Reject unauthorised is only needed if the OpenHIM's SSL is not setup
NODE_TLS_REJECT_UNAUTHORIZED: 0
command: sh -c "node openhimConfig.js"
60 changes: 30 additions & 30 deletions interoperability-layer-openhim/importer/volume/openhimConfig.js
@@ -1,54 +1,54 @@
'use strict'
"use strict";

Remove redundant 'use strict' directive.

The use strict directive is unnecessary in ES6 modules as they are in strict mode by default.

-"use strict";
Tools
Biome

[error] 1-1: Redundant use strict directive.

The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.
Safe fix: Remove the redundant use strict directive.

(lint/suspicious/noRedundantUseStrict)


const fs = require('fs')
const https = require('https')
const path = require('path')
const fs = require("fs");
const https = require("https");
const path = require("path");

const OPENHIM_CORE_SERVICE_NAME = 'openhim-core'
const OPENHIM_MEDIATOR_API_PORT = 8080
const OPENHIM_CORE_SERVICE_NAME = "openhim-core";
const OPENHIM_MEDIATOR_API_PORT = 8080;
const OPENHIM_API_PASSWORD =
process.env.OPENHIM_API_PASSWORD || 'openhim-password'
process.env.OPENHIM_DEFAULT_PASSWORD || "openhim-password";
const OPENHIM_API_USERNAME =
process.env.OPENHIM_API_USERNAME || '[email protected]'
process.env.OPENHIM_API_USERNAME || "[email protected]";

const authHeader = new Buffer.from(
`${OPENHIM_API_USERNAME}:${OPENHIM_API_PASSWORD}`
).toString('base64')
).toString("base64");

const jsonData = JSON.parse(
fs.readFileSync(path.resolve(__dirname, 'openhim-import.json'))
)
fs.readFileSync(path.resolve(__dirname, "openhim-import.json"))
);

const data = JSON.stringify(jsonData)
const data = JSON.stringify(jsonData);

const options = {
protocol: 'https:',
protocol: "https:",
hostname: OPENHIM_CORE_SERVICE_NAME,
port: OPENHIM_MEDIATOR_API_PORT,
path: '/metadata',
method: 'POST',
path: "/metadata",
method: "POST",
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length,
Authorization: `Basic ${authHeader}`
}
}
"Content-Type": "application/json",
"Content-Length": data.length,
Authorization: `Basic ${authHeader}`,
},
};

const req = https.request(options, res => {
const req = https.request(options, (res) => {
if (res.statusCode == 401) {
throw new Error(`Incorrect OpenHIM API credentials`)
throw new Error(`Incorrect OpenHIM API credentials`);
}

if (res.statusCode != 201) {
throw new Error(`Failed to import OpenHIM config: ${res.statusCode}`)
throw new Error(`Failed to import OpenHIM config: ${res.statusCode}`);
}

console.log('Successfully Imported OpenHIM Config')
})
console.log("Successfully Imported OpenHIM Config");
});

req.on('error', error => {
console.error('Failed to import OpenHIM config: ', error)
})
req.on("error", (error) => {
console.error("Failed to import OpenHIM config: ", error);
});

req.write(data)
req.end()
req.write(data);
req.end();
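Review bot: The password still falls back to the well-known literal `"openhim-password"` when `OPENHIM_DEFAULT_PASSWORD` is unset, so a deployment that did not pick up the rename from `OPENHIM_API_PASSWORD` silently authenticates with a default credential instead of failing; prefer `const OPENHIM_API_PASSWORD = process.env.OPENHIM_DEFAULT_PASSWORD;` followed by `if (!OPENHIM_API_PASSWORD) throw new Error("OPENHIM_DEFAULT_PASSWORD is not set");`. `"Content-Length": data.length` counts UTF-16 code units rather than bytes, so any non-ASCII value in openhim-import.json produces a truncated request body; use `Buffer.byteLength(data)`. `new Buffer.from(...)` also applies `new` to a factory function; `Buffer.from(...)` is the intended call.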
2 changes: 1 addition & 1 deletion interoperability-layer-openhim/package-metadata.json
Expand Up @@ -43,7 +43,7 @@
"KC_OPENHIM_CLIENT_SECRET": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR",
"KC_OPENHIM_ROOT_URL": "http://localhost:9000",
"KC_API_URL": "http://identity-access-manager-keycloak:8080",
"OPENHIM_CONSOLE_BASE_URL": "https://localhost:9000",
"OPENHIM_CONSOLE_BASE_URL": "http://localhost:9000",
"OPENHIM_API_HOST": "localhost",
"OPENHIM_API_PORT": "5001"
}
31 changes: 26 additions & 5 deletions monitoring/docker-compose.yml
Expand Up @@ -11,7 +11,13 @@ services:
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.grafana.service=grafana
- traefik.http.services.grafana.loadbalancer.server.port=3000
- traefik.http.routers.grafana.rule=Host(${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
- traefik.http.routers.grafana.tls=true
- traefik.http.services.grafana.loadbalancer.server.scheme=http
- traefik.http.routers.grafana.entrypoints=websecure
- traefik.http.routers.grafana.tls.certresolver=le
- traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
- traefik.http.routers.grafana.middlewares=grafana-stripprefix
environment:
GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
Expand All @@ -37,8 +43,8 @@ services:
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token"
GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
GF_SERVER_DOMAIN: ${DOMAIN_NAME_HOST_TRAEFIK}
GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}
GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
configs:
Expand Down Expand Up @@ -72,6 +78,7 @@ services:
traefik:
default:


prometheus:
image: prom/prometheus:v2.38.0
user: root
Expand All @@ -92,6 +99,7 @@ services:
public:
default:


cadvisor:
image: gcr.io/cadvisor/cadvisor:v0.45.0
command: -docker_only
Expand Down Expand Up @@ -152,7 +160,13 @@ services:
MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL}
MINIO_SERVER_URL: http://localhost:9000
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
test:
[
"CMD",
"curl",
"-f",
"http://localhost:9000/minio/health/live"
]
interval: 30s
timeout: 20s
retries: 3
Expand All @@ -165,15 +179,21 @@ services:
labels:
- traefik.enable=true
- traefik.docker.network=reverse-proxy-traefik_public
- traefik.http.routers.minio.rule=${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/minio`)
- traefik.http.routers.minio.service=minio
- traefik.http.routers.minio.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/minio`)
- traefik.http.services.minio.loadbalancer.server.port=9001
- traefik.http.routers.minio.tls=true
- traefik.http.services.minio.loadbalancer.server.scheme=http
- traefik.http.routers.minio.entrypoints=websecure
- traefik.http.routers.minio.tls.certresolver=le
- traefik.http.middlewares.minio-stripprefix.stripprefix.prefixes=/minio
- traefik.http.routers.minio.middlewares=minio-stripprefix
networks:
reverse-proxy:
traefik:
default:


configs:
grafana.ini:
file: ./grafana/grafana.ini
Expand Down Expand Up @@ -258,6 +278,7 @@ volumes:
minio-01-data1:
minio-01-data2:


networks:
keycloak:
name: keycloak_public
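Review bot: `GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}` sets Grafana's root URL to a bare hostname, but Grafana builds OAuth redirect URIs and absolute links from this value and, behind the `/grafana` router, needs the scheme and sub-path; `.env.traefik.remote` in this PR already defines `GF_SERVER_ROOT_URL=https://<domain>/grafana`, so this line should be `GF_SERVER_ROOT_URL: ${GF_SERVER_ROOT_URL}` (or `https://${DOMAIN_NAME_HOST_TRAEFIK}/grafana`). `GF_AUTH_SIGNOUT_REDIRECT_URL` still derives `post_logout_redirect_uri` from `${KC_GRAFANA_ROOT_URL}`, the old subdomain form, and Keycloak checks that value against the client's registered URIs, so logout will be rejected unless it is updated to match. If `GF_SERVER_SERVE_FROM_SUB_PATH` is true, Grafana's documented Traefik setup passes the `/grafana` prefix through unstripped, which makes `grafana-stripprefix` likely wrong rather than merely redundant — confirm against the Grafana version in use. The `tls.certresolver=le` labels are hardcoded here while the Keycloak service uses `${CERT_RESOLVER}`.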
2 changes: 1 addition & 1 deletion reverse-proxy-traefik/docker-compose.yml
Expand Up @@ -37,7 +37,7 @@ services:
- traefik.http.routers.to-https.entrypoints=http
- traefik.http.routers.to-https.middlewares=to-https

- traefik.http.routers.traefik.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/dashboard`)
- traefik.http.routers.traefik.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/dashboard`)
- traefik.http.routers.traefik.entrypoints=http
- traefik.http.routers.traefik.middlewares=auth
- traefik.http.routers.traefik.service=api@internal
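Review bot: The dashboard router keeps `entrypoints=http` together with the `auth` middleware, so the basic-auth credential for `api@internal` is sent in cleartext on port 80; and because a `Host && PathPrefix` rule is longer than the `to-https` router's rule (presumably a catch-all, its rule is outside the hunk), Traefik gives `/dashboard` higher priority and never redirects it to HTTPS. Now that this PR issues certificates, move it behind TLS like the other routers in the change: `traefik.http.routers.traefik.entrypoints=websecure`, `traefik.http.routers.traefik.tls=true`, `traefik.http.routers.traefik.tls.certresolver=le`. The rest of the traefik service definition is outside the hunk.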