Integrate central Keycloak in Teiler

This commit is contained in:
juarez 2023-11-17 10:27:12 +01:00
parent b0f6e5e3b7
commit 01bda82bca
7 changed files with 34 additions and 13 deletions

View File

@ -6,7 +6,8 @@ services:
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
environment:
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
PASSWORD: "${LDM_AUTH}"
#PASSWORD: "${LDM_AUTH}"
DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication.
HTTP_RELATIVE_PATH: "/rstudio"
labels:
- "traefik.enable=true"
@ -14,7 +15,7 @@ services:
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- "traefik.http.routers.rstudio_ccp.tls=true"
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip"
- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth"
opal:
container_name: bridgehead-opal
@ -30,7 +31,7 @@ services:
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
# OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}"
POSTGRESDATA_HOST: "opal-db"
POSTGRESDATA_DATABASE: "opal"
POSTGRESDATA_USER: "opal"
@ -40,6 +41,13 @@ services:
APP_CONTEXT_PATH: "/opal"
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
KEYCLOAK_URL: "https://login.verbis.dkfz.de"
KEYCLOAK_REALM: "test-realm-01"
KEYCLOAK_CLIENT_ID: "${SITE_ID}-private"
KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
secrets:
- opal-cert.pem
- opal-key.pem

View File

@ -3,7 +3,10 @@
if [ "$ENABLE_DATASHIELD" == true ]; then
log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
mkdir -p /tmp/bridgehead/
@ -20,4 +23,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
}]' > /tmp/bridgehead/opal-map/local.json
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
chown -R bridgehead:docker /tmp/bridgehead/
generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*"
fi

View File

@ -15,7 +15,7 @@ services:
HTTP_RELATIVE_PATH: "/ccp-exporter"
SITE: "${SITE_ID}"
HTTP_SERVLET_REQUEST_SCHEME: "https"
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"

View File

@ -31,9 +31,10 @@ services:
environment:
DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
KEYCLOAK_URL: "https://${HOST}/login"
KEYCLOAK_REALM: "teiler"
KEYCLOAK_CLIENT_ID: "teiler"
KEYCLOAK_URL: "https://login.verbis.dkfz.de"
KEYCLOAK_REALM: "test-realm-01"
KEYCLOAK_CLIENT_ID: "${SITE_ID}-public"
KEYCLOAK_TOKEN_GROUP: "groups"
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@ -42,8 +43,8 @@ services:
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
TEILER_USER: "TEILER_USER"
TEILER_ADMIN: "TEILER_ADMIN"
TEILER_USER: "${KEYCLOAK_USER_GROUP}"
TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
teiler-backend:
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest

View File

@ -3,4 +3,5 @@
if [ "$ENABLE_TEILER" == true ];then
log INFO "Teiler setup detected -- will start Teiler services."
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
generate_public_oidc_client "OIDC_PUBLIC" "https://${HOST}/ccp-teiler/*"
fi

View File

@ -10,10 +10,11 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
DEFAULT_LANGUAGE=DE
DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
ENABLE_EXPORTER=true
ENABLE_LOGIN=true
ENABLE_TEILER=true
#ENABLE_DATASHIELD=true
KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
POSTGRES_TAG=15.6-alpine
for module in $PROJECT/modules/*.sh

View File

@ -275,14 +275,20 @@ function sync_secrets() {
docker run --rm \
-v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \
-e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \
-e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID \
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
source /var/cache/bridgehead/secrets/*
}
capitalize_first_letter() {
input="$1"
capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
echo "$capitalized"
}