bridgehead/ccp/modules/datashield-compose.yml

172 lines
6.2 KiB
YAML
Raw Normal View History

version: "3.7"
2023-04-12 09:46:35 +02:00
services:
2023-04-12 15:51:30 +02:00
rstudio:
container_name: bridgehead-rstudio
2023-04-12 09:46:35 +02:00
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
environment:
2023-09-15 10:14:12 +02:00
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
2023-04-12 15:51:30 +02:00
HTTP_RELATIVE_PATH: "/rstudio"
ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
2023-04-12 09:46:35 +02:00
labels:
- "traefik.enable=true"
- "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
2023-11-29 09:29:18 +01:00
- "traefik.http.routers.rstudio_ccp.tls=true"
- "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
2023-12-08 12:50:06 +01:00
networks:
- rstudio
2023-04-12 09:46:35 +02:00
2023-04-12 15:51:30 +02:00
opal:
container_name: bridgehead-opal
2023-05-16 16:40:22 +02:00
image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
2023-04-12 09:46:35 +02:00
labels:
- "traefik.enable=true"
- "traefik.http.routers.opal_ccp.rule=PathPrefix(`/opal`)"
2023-04-12 15:51:30 +02:00
- "traefik.http.services.opal_ccp.loadbalancer.server.port=8080"
2023-04-12 09:46:35 +02:00
- "traefik.http.routers.opal_ccp.tls=true"
links:
2023-04-12 15:51:30 +02:00
- opal-rserver
- opal-db
2023-04-12 09:46:35 +02:00
environment:
2023-10-24 10:33:15 +02:00
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
2023-09-15 10:14:12 +02:00
# OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
2023-11-17 10:27:12 +01:00
OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}"
2023-04-12 15:51:30 +02:00
POSTGRESDATA_HOST: "opal-db"
2023-04-12 09:46:35 +02:00
POSTGRESDATA_DATABASE: "opal"
POSTGRESDATA_USER: "opal"
POSTGRESDATA_PASSWORD: "${OPAL_DB_PASSWORD}"
2023-04-12 15:51:30 +02:00
ROCK_HOSTS: "opal-rserver:8085"
2023-04-26 16:34:15 +02:00
APP_URL: "https://${HOST}/opal"
APP_CONTEXT_PATH: "/opal"
2023-05-16 16:40:22 +02:00
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
2024-02-13 18:54:26 +01:00
OIDC_URL: "${OIDC_URL}"
OIDC_REALM: "${OIDC_REALM}"
OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
2023-11-17 10:27:12 +01:00
TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
2023-12-12 10:53:14 +01:00
BEAM_APP_ID: token-manager.${PROXY_ID}
BEAM_SECRET: ${TOKEN_MANAGER_SECRET}
2023-12-21 09:28:47 +01:00
BEAM_DATASHIELD_PROXY: request-manager
2023-12-21 09:35:38 +01:00
volumes:
- "/var/cache/bridgehead/ccp/opal-metadata-db:/srv" # Opal metadata
2023-05-16 16:40:22 +02:00
secrets:
- opal-cert.pem
- opal-key.pem
2023-04-12 15:51:30 +02:00
2023-09-15 10:14:12 +02:00
opal-db:
2023-04-12 15:51:30 +02:00
container_name: bridgehead-opal-db
2024-02-09 17:14:45 +01:00
image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
2023-04-12 09:46:35 +02:00
environment:
POSTGRES_PASSWORD: "${OPAL_DB_PASSWORD}" # Set in datashield-setup.sh
2023-04-12 09:46:35 +02:00
POSTGRES_USER: "opal"
POSTGRES_DB: "opal"
2023-09-15 10:11:40 +02:00
volumes:
2023-12-21 09:35:38 +01:00
- "/var/cache/bridgehead/ccp/opal-db:/var/lib/postgresql/data" # Opal project data (imported from exporter)
2023-04-12 09:46:35 +02:00
2023-04-12 15:51:30 +02:00
opal-rserver:
container_name: bridgehead-opal-rserver
2024-01-22 14:47:25 +01:00
image: docker.verbis.dkfz.de/ccp/dktk-rserver # datashield/rock-base + dsCCPhos
2023-10-25 12:33:56 +02:00
tmpfs:
- /srv
2023-04-12 09:46:35 +02:00
beam-connect:
2023-10-23 14:33:56 +02:00
image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
container_name: bridgehead-datashield-connect
environment:
PROXY_URL: "http://beam-proxy:8081"
TLS_CA_CERTIFICATES_DIR: /run/secrets
2023-04-25 14:12:58 +02:00
APP_ID: datashield-connect.${SITE_ID}.${BROKER_ID}
PROXY_APIKEY: ${DATASHIELD_CONNECT_SECRET}
DISCOVERY_URL: "./map/central.json"
LOCAL_TARGETS_FILE: "./map/local.json"
2023-10-23 14:33:56 +02:00
NO_AUTH: "true"
secrets:
- opal-cert.pem
depends_on:
2023-04-27 10:52:25 +02:00
- beam-proxy
volumes:
- /tmp/bridgehead/opal-map/:/map/:ro
2023-12-08 12:50:06 +01:00
networks:
- default
- rstudio
2023-11-17 10:27:12 +01:00
2023-12-08 12:50:06 +01:00
traefik:
labels:
- "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
- "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
- "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
2023-12-08 12:50:06 +01:00
networks:
- default
- rstudio
forward_proxy:
networks:
- default
- rstudio
beam-proxy:
environment:
2023-07-17 13:59:19 +02:00
APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
2023-12-12 10:53:14 +01:00
APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
2024-02-13 18:54:26 +01:00
# TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
2024-02-06 17:18:10 +01:00
# Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
2024-02-13 18:54:26 +01:00
# --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
oauth2-proxy:
2024-02-07 15:08:00 +01:00
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
container_name: bridgehead-oauth2proxy
command: >-
2024-02-13 15:58:24 +01:00
--allowed-group=DataSHIELD
2024-02-13 18:54:26 +01:00
--oidc-groups-claim=${OIDC_GROUP_CLAIM}
--auth-logging=true
--whitelist-domain=${HOST}
--http-address="0.0.0.0:4180"
--reverse-proxy=true
--upstream="static://202"
--email-domain="*"
--cookie-name="_BRIDGEHEAD_oauth2"
--cookie-secret="${OAUTH2_PROXY_SECRET}"
--cookie-expire="12h"
--cookie-secure="true"
--cookie-httponly="true"
#OIDC settings
--provider="keycloak-oidc"
--provider-display-name="VerbIS Login"
2024-02-13 18:54:26 +01:00
--client-id="${OIDC_PRIVATE_CLIENT_ID}"
--client-secret="${OIDC_CLIENT_SECRET}"
--redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
2024-02-13 18:54:26 +01:00
--oidc-issuer-url="${OIDC_ISSUER_URL}"
--scope="openid email profile"
--code-challenge-method="S256"
--skip-provider-button=true
#X-Forwarded-Header settings - true/false depending on your needs
--pass-basic-auth=true
--pass-user-headers=false
--pass-access-token=false
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
- "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
- "traefik.http.routers.oauth2_proxy.tls=true"
2024-02-06 17:18:10 +01:00
environment:
http_proxy: "http://forward_proxy:3128"
https_proxy: "http://forward_proxy:3128"
2024-02-08 14:39:17 +01:00
depends_on:
forward_proxy:
condition: service_healthy
2023-05-16 16:40:22 +02:00
secrets:
opal-cert.pem:
file: /tmp/bridgehead/opal-cert.pem
2023-05-16 16:40:22 +02:00
opal-key.pem:
file: /tmp/bridgehead/opal-key.pem
2023-12-08 12:50:06 +01:00
networks:
rstudio: