samply
/
bridgehead
mirror of https://github.com/samply/bridgehead.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Integrate central Keycloak in Teiler

This commit is contained in:
juarez 2023-11-17 10:27:12 +01:00
parent b0f6e5e3b7
commit 01bda82bca
7 changed files with 34 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ccp/modules/datashield-compose.yml
View File

@ -6,7 +6,8 @@ services:
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
environment: environment:
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes #DEFAULT_USER: "rstudio" # This line is kept for informational purposes
PASSWORD: "${LDM_AUTH}" #PASSWORD: "${LDM_AUTH}"
DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication.
HTTP_RELATIVE_PATH: "/rstudio" HTTP_RELATIVE_PATH: "/rstudio"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
@ -14,7 +15,7 @@ services:
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.routers.rstudio_ccp.tls=true"
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip" - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth"
opal: opal:
container_name: bridgehead-opal container_name: bridgehead-opal
@ -30,7 +31,7 @@ services:
environment: environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128" JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
# OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes # OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}" OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}"
POSTGRESDATA_HOST: "opal-db" POSTGRESDATA_HOST: "opal-db"
POSTGRESDATA_DATABASE: "opal" POSTGRESDATA_DATABASE: "opal"
POSTGRESDATA_USER: "opal" POSTGRESDATA_USER: "opal"
@ -40,6 +41,13 @@ services:
APP_CONTEXT_PATH: "/opal" APP_CONTEXT_PATH: "/opal"
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem" OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem" OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
KEYCLOAK_URL: "https://login.verbis.dkfz.de"
KEYCLOAK_REALM: "test-realm-01"
KEYCLOAK_CLIENT_ID: "${SITE_ID}-private"
KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
secrets: secrets:
- opal-cert.pem - opal-cert.pem
- opal-key.pem - opal-key.pem

6
ccp/modules/datashield-setup.sh
View File

@ -3,7 +3,10 @@
if [ "$ENABLE_DATASHIELD" == true ]; then if [ "$ENABLE_DATASHIELD" == true ]; then
log INFO "DataSHIELD setup detected -- will start DataSHIELD services." log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
mkdir -p /tmp/bridgehead/ mkdir -p /tmp/bridgehead/
@ -20,4 +23,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
}]' > /tmp/bridgehead/opal-map/local.json }]' > /tmp/bridgehead/opal-map/local.json
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
chown -R bridgehead:docker /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/
generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*"
fi fi

2
ccp/modules/exporter-compose.yml
View File

@ -15,7 +15,7 @@ services:
HTTP_RELATIVE_PATH: "/ccp-exporter" HTTP_RELATIVE_PATH: "/ccp-exporter"
SITE: "${SITE_ID}" SITE: "${SITE_ID}"
HTTP_SERVLET_REQUEST_SCHEME: "https" HTTP_SERVLET_REQUEST_SCHEME: "https"
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}" OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)" - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"

11
ccp/modules/teiler-compose.yml
View File

@ -31,9 +31,10 @@ services:
environment: environment:
DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}" DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
KEYCLOAK_URL: "https://${HOST}/login" KEYCLOAK_URL: "https://login.verbis.dkfz.de"
KEYCLOAK_REALM: "teiler" KEYCLOAK_REALM: "test-realm-01"
KEYCLOAK_CLIENT_ID: "teiler" KEYCLOAK_CLIENT_ID: "${SITE_ID}-public"
KEYCLOAK_TOKEN_GROUP: "groups"
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@ -42,8 +43,8 @@ services:
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler" TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard" TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler" TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
TEILER_USER: "TEILER_USER" TEILER_USER: "${KEYCLOAK_USER_GROUP}"
TEILER_ADMIN: "TEILER_ADMIN" TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
teiler-backend: teiler-backend:
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest

1
ccp/modules/teiler-setup.sh
View File

@ -3,4 +3,5 @@
if [ "$ENABLE_TEILER" == true ];then if [ "$ENABLE_TEILER" == true ];then
log INFO "Teiler setup detected -- will start Teiler services." log INFO "Teiler setup detected -- will start Teiler services."
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
generate_public_oidc_client "OIDC_PUBLIC" "https://${HOST}/ccp-teiler/*"
fi fi

3
ccp/vars
View File

@ -10,10 +10,11 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
DEFAULT_LANGUAGE=DE DEFAULT_LANGUAGE=DE
DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,} DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
ENABLE_EXPORTER=true ENABLE_EXPORTER=true
ENABLE_LOGIN=true
ENABLE_TEILER=true ENABLE_TEILER=true
#ENABLE_DATASHIELD=true #ENABLE_DATASHIELD=true
KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
POSTGRES_TAG=15.6-alpine POSTGRES_TAG=15.6-alpine
for module in $PROJECT/modules/*.sh for module in $PROJECT/modules/*.sh

10
lib/functions.sh
View File

@ -275,14 +275,20 @@ function sync_secrets() {
docker run --rm \ docker run --rm \
-v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \ -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$PROXY_ID \ -e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \ -e BROKER_URL=$BROKER_URL \
-e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \ -e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID \
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \ -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
source /var/cache/bridgehead/secrets/* source /var/cache/bridgehead/secrets/*
} }
capitalize_first_letter() {
input="$1"
capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
echo "$capitalized"
}