Merge pull request #313 from jembi/add-automatic-cert-generation

Add automatic cert generation for interoperability package

Author: drizzentic

.env.traefik.remote

@@ -0,0 +1,53 @@
+# General
+
+CLUSTERED_MODE=false
+
+# Log
+
+DEBUG=0
+BASHLOG_FILE=0
+BASHLOG_FILE_PATH=platform.log
+
+# Data Mapper - Logstash
+
+LOGSTASH_DEV_MOUNT=false
+LOGSTASH_PACKAGE_PATH=
+
+# Dashboard Visualiser - JS Report
+
+## !NOTE: MAKE SURE YOU HAVE RUN 'set-permissions.sh' SCRIPT BEFORE AND AFTER RUNNING JS REPORT
+JS_REPORT_DEV_MOUNT=false
+JS_REPORT_PACKAGE_PATH=
+
+# Message Bus - Kafka
+
+#  !NOTE: Topics should comma seperated, optional include partion and repliction values
+#   e.g. <topic>:<partions>:<replicationFactor> -> test:3:2 (defaults to <topics>:3:1)
+# KAFKA_TOPICS=2xx,reprocess,3xx,metrics:3:1
+KAFKA_TOPICS=2xx,2xx-async,reprocess,3xx,metrics:3:3,patient,observation
+
+OPENHIM_CORE_MEDIATOR_HOSTNAME=c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_MEDIATOR_API_PORT=443/openhimcomms
+
+# Reverse Proxy - Nginx
+REVERSE_PROXY_INSTANCES=1
+DOMAIN_NAME=c9a4-41-90-68-240.ngrok-free.app
+SUBDOMAINS=openhimcomms.<domain>,openhimcore.<domain>,openhimconsole.<domain>,kibana.<domain>,reports.<domain>,santewww.<domain>,santempi.<domain>,superset.<domain>,keycloak.<domain>,grafana.<domain>,minio.<domain>,jempi-web.<domain>,jempi-api.<domain>
+STAGING=false
+INSECURE=false
+
+# Identity Access Manager - Keycloak
+KC_FRONTEND_URL=https://keycloak.c9a4-41-90-68-240.ngrok-free.app
+KC_GRAFANA_ROOT_URL=https://grafana.<domain>
+KC_JEMPI_ROOT_URL=https://jempi-web.<domain>
+KC_SUPERSET_ROOT_URL=https://superset.<domain>
+KC_OPENHIM_ROOT_URL=https://c9a4-41-90-68-240.ngrok-free.app
+GF_SERVER_DOMAIN=grafana.<domain>
+
+REACT_APP_JEMPI_BASE_API_HOST=https://jempi-api.<domain>
+REACT_APP_JEMPI_BASE_API_PORT=443
+OPENHIM_CONSOLE_BASE_URL=https://c9a4-41-90-68-240.ngrok-free.app
+OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
+OPENHIM_API_PORT=443/openhimcomms
+OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
+CERT_RESOLVER=le

identity-access-manager-keycloak/docker-compose.yml

@@ -51,6 +51,8 @@ services:
         - traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
         - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
         - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+        - traefik.http.routers.identity-access-manager-keycloak.tls=true
+        - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
     networks:
       reverse-proxy:
       public:

interoperability-layer-openhim/docker-compose.yml

@@ -50,17 +50,21 @@ services:
         - traefik.http.routers.openhimcomms.tls=true
         - traefik.http.routers.openhimcomms.entrypoints=websecure
         - traefik.http.routers.openhimcomms.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcomms`)
-        - traefik.http.routers.openhimcomms.middlewares=openhimcomms
-        - traefik.http.middlewares.openhimcomms.stripprefix.prefixes=/openhimcomms
-
+        - traefik.http.middlewares.openhimcomms-stripprefix.stripprefix.prefixes=/openhimcomms
+        - traefik.http.routers.openhimcomms.middlewares=openhimcomms-stripprefix
+        - traefik.http.routers.openhimcomms.tls.certresolver=le
         - traefik.http.routers.openhimcore.service=openhimcore
         - traefik.http.services.openhimcore.loadbalancer.server.port=5000
         - traefik.http.services.openhimcore.loadbalancer.server.scheme=https
         - traefik.http.routers.openhimcore.tls=true
         - traefik.http.routers.openhimcore.entrypoints=websecure
         - traefik.http.routers.openhimcore.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/openhimcore`)
-        - traefik.http.routers.openhimcore.middlewares=openhimcore
-        - traefik.http.middlewares.openhimcore.stripprefix.prefixes=/openhimcore
+        - traefik.http.middlewares.openhimcore-stripprefix.stripprefix.prefixes=/openhimcore
+        - traefik.http.routers.openhimcore.middlewares=openhimcore-stripprefix
+        - traefik.http.routers.openhimcore.tls.certresolver=le
+
+
+
 
   openhim-console:
     image: ${OPENHIM_CONSOLE_IMAGE}
@@ -90,7 +94,8 @@ services:
         - traefik.http.services.openhim-console.loadbalancer.server.scheme=http
         - traefik.http.routers.openhim-console.service=openhim-console
         - traefik.http.routers.openhim-console.entrypoints=websecure
-        - traefik.http.routers.openhim-console.rule=Host(`${OPENHIM_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
+        - traefik.http.routers.openhim-console.tls=true
+        - traefik.http.routers.openhim-console.rule=Host(`${DOMAIN_NAME}`)
         - traefik.http.services.openhim-console.loadbalancer.server.port=80
       placement:
         max_replicas_per_node: ${OPENHIM_CONSOLE_MAX_REPLICAS_PER_NODE}

interoperability-layer-openhim/package-metadata.json

@@ -43,8 +43,7 @@
     "KC_OPENHIM_CLIENT_SECRET": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR",
     "KC_OPENHIM_ROOT_URL": "http://localhost:9000",
     "KC_API_URL": "http://identity-access-manager-keycloak:8080",
-    "OPENHIM_SUBDOMAIN": "openhim",
-    "OPENHIM_CONSOLE_BASE_URL": "localhost:9000",
+    "OPENHIM_CONSOLE_BASE_URL": "https://localhost:9000",
     "OPENHIM_API_HOST": "localhost",
     "OPENHIM_API_PORT": "5001"
   }

reverse-proxy-traefik/docker-compose.yml

@@ -19,27 +19,54 @@ services:
       - --api.insecure=${ENABLE_TRAEFIK_DASHBOARD}
       - --entrypoints.web.address=:80
       - --entryPoints.websecure.address=:443
-      - --providers.docker.network=reverse-proxy-traefik_public
+      #certificate resolver
+      - --certificatesresolvers.le.acme.email=${ACME_EMAIL?Variable not set}
+      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
+      - --certificatesresolvers.le.acme.tlschallenge=true
+      - --certificatesresolvers.le.acme.caserver=${CA_SERVER}
+      - --certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=0
+
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+      - traefik-public-certificates:/certificates
     deploy:
       replicas: 1
       labels:
-        #TODO: Are these 2 lines necessary?
-        - traefik.enable=true
-        - traefik.http.services.reverse-proxy-traefik.loadbalancer.server.port=80
+        - traefik.docker.lbswarm=true
+        - traefik.http.routers.to-https.rule=HostRegexp(`{host:.+}`)
+        - traefik.http.routers.to-https.entrypoints=http
+        - traefik.http.routers.to-https.middlewares=to-https
+
+        - traefik.http.routers.traefik.rule=Host(`${DOMAIN_NAME}`) && PathPrefix(`/dashboard`)
+        - traefik.http.routers.traefik.entrypoints=http
+        - traefik.http.routers.traefik.middlewares=auth
+        - traefik.http.routers.traefik.service=api@internal
+        - traefik.http.routers.traefik.tls=true
+        - traefik.http.routers.traefik.tls.certresolver=${CERT_RESOLVER}
+        - traefik.http.services.openhim-console.loadbalancer.server.port=8080
+
+        - traefik.http.middlewares.to-https.redirectscheme.scheme=https
+        - traefik.http.middlewares.auth.basicauth.users=${USERNAME}:${PASSWORD}
+
       placement:
         max_replicas_per_node: 1
         constraints:
           - node.role == ${PLACEMENT_ROLE_CONSTRAINTS}
       resources:
         limits:
-          cpus: "0.5"
-          memory: 256M
+          cpus: "1"
+          memory: 1G
         reservations:
           cpus: "0.1"
           memory: 64M
 
+volumes:
+  # Create a volume to store the certificates, there is a constraint to make sure
+  # Traefik is always deployed to the same Docker node with the same volume containing
+  # the HTTPS certificates
+  traefik-public-certificates:
+
+
 networks:
   traefik:
     name: reverse-proxy-traefik_public

reverse-proxy-traefik/package-metadata.json

@@ -13,8 +13,13 @@
     "TK_MEMORY_LIMIT": "3G",
     "TK_MEMORY_RESERVE": "500M",
     "INSECURE_SKIP_VERIFY": "true",
-    "ENABLE_TRAEFIK_DASHBOARD": "false",
-    "PLACEMENT_ROLE_CONSTRAINTS": "leader",
-    "ACME_EMAIL": ""
+    "ENABLE_TRAEFIK_DASHBOARD": "true",
+    "PLACEMENT_ROLE_CONSTRAINTS": "manager",
+    "ACME_EMAIL": "",
+    "USERNAME": "admin",
+    "PASSWORD": "test",
+    "DOMAIN": "platform.cloud.jembi",
+    "CERT_RESOLVER": "le",
+    "CA_SERVER": "https://acme-staging-v02.api.letsencrypt.org/directory"
   }
 }