Add Letsencrypt automatic cert generation for monitoring packages

jembi · Aug 14, 2024 · 9049378 · 9049378
1 parent 0882027
commit 9049378
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 7 deletions.
diff --git a/.env.traefik.remote b/.env.traefik.remote
@@ -51,3 +51,10 @@ OPENHIM_API_HOST=https://c9a4-41-90-68-240.ngrok-free.app/openhimcomms
 OPENHIM_API_PORT=443/openhimcomms
 OPENHIM_HOST_NAME=c9a4-41-90-68-240.ngrok-free.app
 CERT_RESOLVER=le
+CA_SERVER=https://acme-v02.api.letsencrypt.org/directory
+OPENHIM_CORE_IMAGE=jembi/openhim-core:prerelease
+OPENHIM_CONSOLE_IMAGE=jembi/openhim-console:poc-microfrontend-prelease
+GF_SERVER_ROOT_URL=https://<domain>/grafana
+GF_SERVER_DOMAIN=<domain>
+MINIO_BROWSER_REDIRECT_URL=https://<domain>/minio
+DOMAIN_NAME_HOST_TRAEFIK=<domain>
diff --git a/identity-access-manager-keycloak/docker-compose.yml b/identity-access-manager-keycloak/docker-compose.yml
@@ -8,7 +8,7 @@ services:
         "start",
         "--proxy=edge",
         "--hostname-url=${KC_FRONTEND_URL}",
-        "--import-realm",
+        "--import-realm"
       ]
     hostname: identity-access-manager-keycloak
     healthcheck:
@@ -49,17 +49,20 @@ services:
         - traefik.enable=true
         - traefik.docker.network=reverse-proxy-traefik_public
         - traefik.http.routers.identity-access-manager-keycloak.service=identity-access-manager-keycloak
+        - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.scheme=http
         - traefik.http.services.identity-access-manager-keycloak.loadbalancer.server.port=8080
         - traefik.http.routers.identity-access-manager-keycloak.rule=Host(`${KC_TRAEFIK_SUBDOMAIN}.${DOMAIN_NAME_HOST_TRAEFIK}`)
         - traefik.http.routers.identity-access-manager-keycloak.tls=true
         - traefik.http.routers.identity-access-manager-keycloak.tls.certresolver=${CERT_RESOLVER}
+        - traefik.http.routers.identity-access-manager-keycloak.entrypoints=websecure
     networks:
       reverse-proxy:
       public:
       traefik:
       default:
       postgres:
 
+
 configs:
   realm.json:
     file: ./config/realm.json

diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
@@ -10,8 +10,13 @@ services:
         - traefik.enable=true
         - traefik.docker.network=reverse-proxy-traefik_public
         - traefik.http.routers.grafana.service=grafana
-        - traefik.http.services.grafana.loadbalancer.server.port=3000
-        - traefik.http.routers.grafana.rule=Host(${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/grafana`)
+        - traefik.http.routers.grafana.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/grafana`)
+        - traefik.http.routers.grafana.tls=true
+        - traefik.http.services.grafana.loadbalancer.server.scheme=http
+        - traefik.http.routers.grafana.entrypoints=websecure
+        - traefik.http.routers.grafana.tls.certresolver=le
+        - traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana
+        - traefik.http.routers.grafana.middlewares=grafana-stripprefix
     environment:
       GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
       GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
@@ -37,8 +42,8 @@ services:
       GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/token"
       GF_AUTH_GENERIC_OAUTH_API_URL: "${KC_API_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/userinfo"
       GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"
-      GF_SERVER_DOMAIN: ${GF_SERVER_DOMAIN}
-      GF_SERVER_ROOT_URL: ${KC_GRAFANA_ROOT_URL}
+      GF_SERVER_DOMAIN: ${DOMAIN_NAME_HOST_TRAEFIK}
+      GF_SERVER_ROOT_URL: ${DOMAIN_NAME_HOST_TRAEFIK}
       GF_SERVER_SERVE_FROM_SUB_PATH: ${GF_SERVER_SERVE_FROM_SUB_PATH}
       GF_AUTH_SIGNOUT_REDIRECT_URL: "${KC_FRONTEND_URL}/realms/${KC_REALM_NAME}/protocol/openid-connect/logout?client_id=${KC_GRAFANA_CLIENT_ID}&post_logout_redirect_uri=${KC_GRAFANA_ROOT_URL}/login"
     configs:
@@ -72,6 +77,7 @@ services:
       traefik:
       default:
 
+
   prometheus:
     image: prom/prometheus:v2.38.0
     user: root
@@ -92,6 +98,7 @@ services:
       public:
       default:
 
+
   cadvisor:
     image: gcr.io/cadvisor/cadvisor:v0.45.0
     command: -docker_only
@@ -152,7 +159,13 @@ services:
       MINIO_BROWSER_REDIRECT_URL: ${MINIO_BROWSER_REDIRECT_URL}
       MINIO_SERVER_URL: http://localhost:9000
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      test:
+        [
+          "CMD",
+          "curl",
+          "-f",
+          "http://localhost:9000/minio/health/live"
+        ]
       interval: 30s
       timeout: 20s
       retries: 3
@@ -165,15 +178,21 @@ services:
       labels:
         - traefik.enable=true
         - traefik.docker.network=reverse-proxy-traefik_public
-        - traefik.http.routers.minio.rule=${DOMAIN_NAME_HOST_TRAEFIK} && PathPrefix(`/minio`)
+        - traefik.http.routers.minio.service=minio
+        - traefik.http.routers.minio.rule=Host(`${DOMAIN_NAME_HOST_TRAEFIK}`) && PathPrefix(`/minio`)
         - traefik.http.services.minio.loadbalancer.server.port=9001
+        - traefik.http.routers.minio.tls=true
+        - traefik.http.services.minio.loadbalancer.server.scheme=http
+        - traefik.http.routers.minio.entrypoints=websecure
+        - traefik.http.routers.minio.tls.certresolver=le
         - traefik.http.middlewares.minio-stripprefix.stripprefix.prefixes=/minio
         - traefik.http.routers.minio.middlewares=minio-stripprefix
     networks:
       reverse-proxy:
       traefik:
       default:
 
+
 configs:
   grafana.ini:
     file: ./grafana/grafana.ini
@@ -258,6 +277,7 @@ volumes:
   minio-01-data1:
   minio-01-data2:
 
+
 networks:
   keycloak:
     name: keycloak_public