add internal network for deps

Author: rikukissa

infrastructure/backups/backup.sh

@@ -155,7 +155,7 @@ elif [ "$REPLICAS" = "0" ]; then
   NETWORK=opencrvs_default
   echo "Working with no replicas"
 else
-  NETWORK=dependencies_overlay_net
+  NETWORK=dependencies_internal_net
   # Construct the HOST string rs0/mongo1,mongo2... based on the number of replicas
   HOST="rs0/"
   for (( i=1; i<=REPLICAS; i++ )); do

infrastructure/backups/restore.sh

@@ -93,7 +93,7 @@ elif [ "$REPLICAS" = "0" ]; then
   NETWORK=opencrvs_default
   echo "Working with no replicas"
 else
-  NETWORK=dependencies_overlay_net
+  NETWORK=dependencies_internal_net
   # Construct the HOST string rs0/mongo1,mongo2... based on the number of replicas
   HOST="rs0/"
   for (( i=1; i<=REPLICAS; i++ )); do

infrastructure/clear-all-data.sh

@@ -44,7 +44,7 @@ if [ "$REPLICAS" = "0" ]; then
   NETWORK=opencrvs_default
   echo "Working with no replicas"
 else
-  NETWORK=dependencies_overlay_net
+  NETWORK=dependencies_internal_net
   # Construct the HOST string rs0/mongo1,mongo2... based on the number of replicas
   HOST="rs0/"
   for (( i=1; i<=REPLICAS; i++ )); do

infrastructure/deployment/add-networks.ts

@@ -32,7 +32,6 @@ function addNetworksToCompose(composeFile: string, networksList: string) {
     .map((network) => network.trim())
     .filter((network) => network.length > 0)
     .map((stack) => `${stack}_dependencies_net`)
-    .concat('traefik_net')
 
   // Add networks to each service
   for (const serviceName in composeObject.services) {

infrastructure/docker-compose.app.yml

@@ -68,7 +68,7 @@ services:
         - 'traefik.http.routers.${STACK}__countryconfig.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__countryconfig.entrypoints=web,websecure'
         - 'traefik.http.routers.${STACK}__countryconfig.middlewares=gzip-compression'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
         - 'traefik.http.middlewares.${STACK}__countryconfig.headers.customresponseheaders.Pragma=no-cache'
         - 'traefik.http.middlewares.${STACK}__countryconfig.headers.customresponseheaders.Cache-control=no-store'
         - 'traefik.http.middlewares.${STACK}__countryconfig.headers.customresponseheaders.X-Robots-Tag=none'
@@ -139,7 +139,7 @@ services:
         - 'traefik.http.routers.${STACK}__login.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__login.entrypoints=web,websecure'
         - 'traefik.http.routers.${STACK}__login.middlewares=gzip-compression'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
         - 'traefik.http.middlewares.${STACK}__login.headers.customresponseheaders.Pragma=no-cache'
         - 'traefik.http.middlewares.${STACK}__login.headers.customresponseheaders.Cache-control=no-store'
         - 'traefik.http.middlewares.${STACK}__login.headers.customresponseheaders.X-Robots-Tag=none'
@@ -174,7 +174,7 @@ services:
         - 'traefik.http.routers.${STACK}__client.tls=true'
         - 'traefik.http.routers.${STACK}__client.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__client.entrypoints=web,websecure'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
 
         - 'traefik.http.middlewares.${STACK}__test-replacepathregex.redirectregex.permanent=true'
         - 'traefik.http.middlewares.${STACK}__test-replacepathregex.redirectregex.regex=^https?://${STACK}.{{hostname}}/(.*)'
@@ -236,7 +236,7 @@ services:
         - 'traefik.http.routers.${STACK}__gateway.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__gateway.entrypoints=web,websecure'
         - 'traefik.http.routers.${STACK}__gateway.middlewares=gzip-compression'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
         - 'traefik.http.middlewares.${STACK}__gateway.headers.customresponseheaders.Pragma=no-cache'
         - 'traefik.http.middlewares.${STACK}__gateway.headers.customresponseheaders.Cache-control=no-store'
         - 'traefik.http.middlewares.${STACK}__gateway.headers.customresponseheaders.X-Robots-Tag=none'
@@ -421,7 +421,7 @@ services:
         - 'traefik.http.routers.${STACK}__auth.tls=true'
         - 'traefik.http.routers.${STACK}__auth.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__auth.entrypoints=web,websecure'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
         - 'traefik.http.middlewares.${STACK}__auth.headers.customresponseheaders.Pragma=no-cache'
         - 'traefik.http.middlewares.${STACK}__auth.headers.customresponseheaders.Cache-control=no-store'
         - 'traefik.http.middlewares.${STACK}__auth.headers.customresponseheaders.X-Robots-Tag=none'
@@ -494,7 +494,7 @@ services:
         - 'traefik.http.routers.${STACK}__webhooks.tls=true'
         - 'traefik.http.routers.${STACK}__webhooks.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__webhooks.entrypoints=web,websecure'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
         - 'traefik.http.middlewares.${STACK}__webhooks.headers.customresponseheaders.Pragma=no-cache'
         - 'traefik.http.middlewares.${STACK}__webhooks.headers.customresponseheaders.Cache-control=no-store'
         - 'traefik.http.middlewares.${STACK}__webhooks.headers.customresponseheaders.X-Robots-Tag=none'
@@ -543,7 +543,7 @@ services:
         - 'traefik.http.routers.${STACK}__config.tls=true'
         - 'traefik.http.routers.${STACK}__config.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__config.entrypoints=web,websecure'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
         - 'traefik.http.middlewares.${STACK}__config.headers.customresponseheaders.Pragma=no-cache'
         - 'traefik.http.middlewares.${STACK}__config.headers.customresponseheaders.Cache-control=no-store'
         - 'traefik.http.middlewares.${STACK}__config.headers.customresponseheaders.X-Robots-Tag=none'
@@ -721,7 +721,7 @@ services:
         - 'traefik.http.routers.${STACK}__metabase.tls=true'
         - 'traefik.http.routers.${STACK}__metabase.tls.certresolver=certResolver'
         - 'traefik.http.routers.${STACK}__metabase.entrypoints=web,websecure'
-        - 'traefik.docker.network={{STACK}}_dependencies_net'
+        - 'traefik.docker.network=dependencies_{{STACK}}_dependencies_net'
         - 'traefik.http.middlewares.${STACK}__metabase.headers.customresponseheaders.Pragma=no-cache'
         - 'traefik.http.middlewares.${STACK}__metabase.headers.customresponseheaders.Cache-control=no-store'
         - 'traefik.http.middlewares.${STACK}__metabase.headers.customresponseheaders.X-Robots-Tag=none'

infrastructure/docker-compose.dependencies.yml

@@ -12,6 +12,9 @@ services:
   # Only publish the exact ports that are required for OpenCRVS to work
   traefik:
     image: 'traefik:v2.10'
+    networks:
+      - traefik_net
+      - internal_net
     ports:
       - target: 80
         published: 80
@@ -59,6 +62,9 @@ services:
 
   filebeat:
     image: docker.elastic.co/beats/filebeat:8.14.3
+    networks:
+      - traefik_net
+      - internal_net
     user: root
 
     configs:
@@ -83,6 +89,9 @@ services:
 
   metricbeat:
     image: docker.elastic.co/beats/metricbeat:8.14.3
+    networks:
+      - traefik_net
+      - internal_net
     user: root
     cap_add:
       - SYS_PTRACE
@@ -120,6 +129,9 @@ services:
         tag: 'metricbeat'
   setup-kibana-config:
     image: curlimages/curl:7.88.1
+    networks:
+      - traefik_net
+      - internal_net
     entrypoint:
       [
         'curl',
@@ -152,6 +164,9 @@ services:
         tag: 'setup-kibana-config'
   kibana:
     image: docker.elastic.co/kibana/kibana:8.14.3
+    networks:
+      - traefik_net
+      - internal_net
     restart: always
     deploy:
       labels:
@@ -180,6 +195,9 @@ services:
   # Configure mongo nodes as a replica set
   mongo1:
     image: mongo:4.4
+    networks:
+      - traefik_net
+      - internal_net
     restart: unless-stopped
     command: mongod --auth --replSet rs0 --keyFile /etc/mongodb-keyfile
     hostname: 'mongo1'
@@ -214,6 +232,9 @@ services:
   # Configure redis
   redis:
     image: redis:5
+    networks:
+      - traefik_net
+      - internal_net
     restart: unless-stopped
 
     deploy:
@@ -227,6 +248,9 @@ services:
   # Configure elasticsearch
   elasticsearch:
     image: docker.elastic.co/elasticsearch/elasticsearch:8.14.3
+    networks:
+      - traefik_net
+      - internal_net
     restart: unless-stopped
     volumes:
       - '/data/elasticsearch:/usr/share/elasticsearch/data'
@@ -262,6 +286,9 @@ services:
   # Configure elasticsearch
   minio:
     image: quay.io/minio/minio:RELEASE.2023-09-16T01-01-47Z.fips
+    networks:
+      - traefik_net
+      - internal_net
     restart: unless-stopped
     environment:
       - MINIO_ROOT_USER=${MINIO_ROOT_USER}
@@ -298,6 +325,9 @@ services:
 
   minio-mc:
     image: minio/mc
+    networks:
+      - traefik_net
+      - internal_net
     entrypoint: >
       /bin/sh -c "
       /usr/bin/mc admin trace --path ocrvs/* minio
@@ -320,6 +350,9 @@ services:
 
   elastalert:
     image: jertel/elastalert2:2.19.0
+    networks:
+      - traefik_net
+      - internal_net
     restart: unless-stopped
     environment:
       - ES_USERNAME=elastic
@@ -343,6 +376,9 @@ services:
 
   logstash:
     image: logstash:8.14.3
+    networks:
+      - traefik_net
+      - internal_net
     command: logstash -f /etc/logstash/logstash.conf --verbose
     ports:
       - '12201:12201'
@@ -365,6 +401,9 @@ services:
       replicas: 1
   apm-server:
     image: docker.elastic.co/apm/apm-server:7.17.22
+    networks:
+      - traefik_net
+      - internal_net
     cap_add: ['CHOWN', 'DAC_OVERRIDE', 'SETGID', 'SETUID']
     cap_drop: ['ALL']
     restart: always
@@ -399,6 +438,9 @@ services:
   # Configure influxdb
   influxdb:
     image: influxdb:1.8.10
+    networks:
+      - traefik_net
+      - internal_net
     restart: unless-stopped
     volumes:
       - '/data/influxdb:/var/lib/influxdb'
@@ -447,3 +489,11 @@ configs:
     file: /opt/opencrvs/infrastructure/elasticsearch/jvm.options
   minio-mc-config.{{ts}}:
     file: /opt/opencrvs/infrastructure/mc-config/config.json
+
+networks:
+  traefik_net:
+    driver: overlay
+    name: traefik_net
+  internal_net:
+    driver: overlay
+    attachable: true

infrastructure/elasticsearch/setup-elastalert-indices.sh

@@ -13,7 +13,7 @@
 
 set -e
 
-docker_command="docker run --rm --network=dependencies_overlay_net curlimages/curl"
+docker_command="docker run --rm --network=dependencies_internal_net curlimages/curl"
 
 echo 'Waiting for availability of Elasticsearch'
 ping_status_code=$($docker_command --connect-timeout 60 -u elastic:$ELASTICSEARCH_SUPERUSER_PASSWORD -o /dev/null -w '%{http_code}' "http://elasticsearch:9200")

infrastructure/monitoring/kibana/setup-config.sh

@@ -26,7 +26,7 @@ response_text_from_curl_output() {
 }
 
 curl_raw() {
-  docker run --rm -v /opt/opencrvs/infrastructure/monitoring/kibana/config.ndjson:/config.ndjson --network=dependencies_overlay_net curlimages/curl -s -w "\n%{http_code}" "$@"
+  docker run --rm -v /opt/opencrvs/infrastructure/monitoring/kibana/config.ndjson:/config.ndjson --network=dependencies_internal_net curlimages/curl -s -w "\n%{http_code}" "$@"
 }
 
 parse_url_from_string() {
@@ -71,7 +71,7 @@ curl() {
 }
 
 jq() {
-  docker run --rm -i --network=dependencies_overlay_net ghcr.io/jqlang/jq "$@"
+  docker run --rm -i --network=dependencies_internal_net ghcr.io/jqlang/jq "$@"
 }
 
 # Initial API status check to ensure Kibana is ready

infrastructure/port-forward.sh

@@ -34,6 +34,6 @@ echo -e "Internal socat Port on Host: ${GREEN}$SOCAT_PORT${NC}"
 echo -e "Socat Container Name: ${GREEN}$CONTAINER_NAME${NC}"
 
 ssh -tL $LOCAL_PORT:localhost:$SOCAT_PORT $SSH_USER@$TARGET_SERVER \
-'docker run --rm --name '$CONTAINER_NAME' --network=dependencies_overlay_net --publish '$SOCAT_PORT:$SOCAT_PORT' alpine/socat tcp-listen:'$SOCAT_PORT',fork,reuseaddr tcp-connect:'$TARGET_CONTAINER_NAME:$PORT''
+'docker run --rm --name '$CONTAINER_NAME' --network=dependencies_internal_net --publish '$SOCAT_PORT:$SOCAT_PORT' alpine/socat tcp-listen:'$SOCAT_PORT',fork,reuseaddr tcp-connect:'$TARGET_CONTAINER_NAME:$PORT''
 
 echo -e "${GREEN}Port forwarding established and tunnel is online! Press Ctrl+C to close.${NC}"