mirror of https://github.com/samply/bridgehead.git
Integrate central Keycloak in Teiler
This commit is contained in:
parent
faf46f9fea
commit
0545189cec
|
@ -6,7 +6,8 @@ services:
|
||||||
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
|
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
|
||||||
environment:
|
environment:
|
||||||
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
|
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
|
||||||
PASSWORD: "${LDM_AUTH}"
|
#PASSWORD: "${LDM_AUTH}"
|
||||||
|
DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication.
|
||||||
HTTP_RELATIVE_PATH: "/rstudio"
|
HTTP_RELATIVE_PATH: "/rstudio"
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
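Review bot: `DISABLE_AUTH: "true"` switches off RStudio's own login, so from this hunk on the only thing standing between the network and the rstudio container is the Traefik `auth` middleware that the next hunk (`@ -14,7 +15,7`) appends to `rstudio_ccp`'s middleware chain. Neither the definition of the `auth` middleware nor the router's `rule=` line is inside the diff, so I cannot confirm from here that the middleware exists in the base compose file or that no other router forwards to port 8787 without it; please verify both before relying on this. The TODO says the same thing only implicitly; I would make the dependency explicit next to the flag, e.g. `DISABLE_AUTH: "true"  # RStudio login is off: access control relies entirely on the Traefik "auth" middleware on router rstudio_ccp`. The `services:` block this hunk belongs to starts outside the hunk.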
|
@ -14,7 +15,7 @@ services:
|
||||||
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
|
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
|
||||||
- "traefik.http.routers.rstudio_ccp.tls=true"
|
- "traefik.http.routers.rstudio_ccp.tls=true"
|
||||||
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
|
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
|
||||||
- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip"
|
- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth"
|
||||||
|
|
||||||
opal:
|
opal:
|
||||||
container_name: bridgehead-opal
|
container_name: bridgehead-opal
|
||||||
|
@ -30,7 +31,7 @@ services:
|
||||||
environment:
|
environment:
|
||||||
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
|
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
|
||||||
# OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
|
# OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
|
||||||
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
|
OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}"
|
||||||
POSTGRESDATA_HOST: "opal-db"
|
POSTGRESDATA_HOST: "opal-db"
|
||||||
POSTGRESDATA_DATABASE: "opal"
|
POSTGRESDATA_DATABASE: "opal"
|
||||||
POSTGRESDATA_USER: "opal"
|
POSTGRESDATA_USER: "opal"
|
||||||
|
@ -40,6 +41,13 @@ services:
|
||||||
APP_CONTEXT_PATH: "/opal"
|
APP_CONTEXT_PATH: "/opal"
|
||||||
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
|
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
|
||||||
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
|
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
|
||||||
|
KEYCLOAK_URL: "https://login.verbis.dkfz.de"
|
||||||
|
KEYCLOAK_REALM: "test-realm-01"
|
||||||
|
KEYCLOAK_CLIENT_ID: "${SITE_ID}-private"
|
||||||
|
KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
|
||||||
|
KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
|
||||||
|
TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
|
||||||
|
EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
|
||||||
secrets:
|
secrets:
|
||||||
- opal-cert.pem
|
- opal-cert.pem
|
||||||
- opal-key.pem
|
- opal-key.pem
|
||||||
|
|
|
@ -3,7 +3,10 @@
|
||||||
if [ "$ENABLE_DATASHIELD" == true ]; then
|
if [ "$ENABLE_DATASHIELD" == true ]; then
|
||||||
log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
|
log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
|
||||||
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
|
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
|
||||||
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||||
|
TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||||
|
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||||
|
OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||||
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||||
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
|
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
|
||||||
mkdir -p /tmp/bridgehead/
|
mkdir -p /tmp/bridgehead/
|
||||||
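Review bot: The new `EXPORTER_OPAL_PASSWORD` line and the rewritten `OPAL_DB_PASSWORD` line sign the byte-identical salt text ("… one consistent password for Opal DB. It is not required to be secret.") with the same key, so the exporter's Opal application password and the Postgres password of `opal-db` come out equal — two different trust boundaries now share one credential, and the exporter-compose hunk (`@ -15,7 +15,7`) injects that value into the exporter. Keep the original salt on the DB line, `\"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\"`, which also avoids silently rotating the DB password on sites whose `opal-db` volume was already initialised with the old value (I infer that from the old line, the DB side is not in the diff). Each of these derived values is a deterministic PKCS#1 signature of a public string, which is fine as long as the site key stays private, but the salt strings must stay pairwise distinct; a short comment saying so above the block would prevent the next copy-paste collision. The `if [ "$ENABLE_DATASHIELD" == true ]` block continues past the end of this hunk.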
|
@ -20,4 +23,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
|
||||||
}]' > /tmp/bridgehead/opal-map/local.json
|
}]' > /tmp/bridgehead/opal-map/local.json
|
||||||
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
|
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
|
||||||
chown -R bridgehead:docker /tmp/bridgehead/
|
chown -R bridgehead:docker /tmp/bridgehead/
|
||||||
|
generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -15,7 +15,7 @@ services:
|
||||||
HTTP_RELATIVE_PATH: "/ccp-exporter"
|
HTTP_RELATIVE_PATH: "/ccp-exporter"
|
||||||
SITE: "${SITE_ID}"
|
SITE: "${SITE_ID}"
|
||||||
HTTP_SERVLET_REQUEST_SCHEME: "https"
|
HTTP_SERVLET_REQUEST_SCHEME: "https"
|
||||||
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
|
OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
|
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
|
||||||
|
|
|
@ -31,9 +31,10 @@ services:
|
||||||
environment:
|
environment:
|
||||||
DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
|
DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
|
||||||
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
|
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
|
||||||
KEYCLOAK_URL: "https://${HOST}/login"
|
KEYCLOAK_URL: "https://login.verbis.dkfz.de"
|
||||||
KEYCLOAK_REALM: "teiler"
|
KEYCLOAK_REALM: "test-realm-01"
|
||||||
KEYCLOAK_CLIENT_ID: "teiler"
|
KEYCLOAK_CLIENT_ID: "${SITE_ID}-public"
|
||||||
|
KEYCLOAK_TOKEN_GROUP: "groups"
|
||||||
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
|
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
|
||||||
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
|
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
|
||||||
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
|
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
|
||||||
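Review bot: `KEYCLOAK_URL: "https://login.verbis.dkfz.de"` and `KEYCLOAK_REALM: "test-realm-01"` are hard-coded here and repeated verbatim in the datashield-compose hunk (`@ -40,6 +41,13`); "test-realm-01" reads like a non-production realm, and the previous value `https://${HOST}/login` was site-derived, so every site now authenticates against one literal test realm unless someone edits both files. I would define the two once in `ccp/vars` and reference them from both compose files, e.g. `KEYCLOAK_URL: "${KEYCLOAK_URL}"` and `KEYCLOAK_REALM: "${KEYCLOAK_REALM}"` (variable names constructed from the existing env keys), so a realm change or a move to production happens in one place. Whether a test realm is intended for this commit is not visible from the diff, so treat this as a question as much as a defect. The `services:` block begins outside the hunk.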
|
@ -42,8 +43,8 @@ services:
|
||||||
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
|
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
|
||||||
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
|
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
|
||||||
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
|
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
|
||||||
TEILER_USER: "TEILER_USER"
|
TEILER_USER: "${KEYCLOAK_USER_GROUP}"
|
||||||
TEILER_ADMIN: "TEILER_ADMIN"
|
TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
|
||||||
|
|
||||||
teiler-backend:
|
teiler-backend:
|
||||||
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
|
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
|
||||||
|
|
|
@ -3,4 +3,5 @@
|
||||||
if [ "$ENABLE_TEILER" == true ];then
|
if [ "$ENABLE_TEILER" == true ];then
|
||||||
log INFO "Teiler setup detected -- will start Teiler services."
|
log INFO "Teiler setup detected -- will start Teiler services."
|
||||||
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
|
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
|
||||||
|
generate_public_oidc_client "OIDC_PUBLIC" "https://${HOST}/ccp-teiler/*"
|
||||||
fi
|
fi
|
||||||
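Review bot: The redirect URI passed to `generate_public_oidc_client`, `"https://${HOST}/ccp-teiler/*"`, is a wildcard, and this is a public client (no client secret to fall back on), so any path under `/ccp-teiler/` on the host can receive the authorization code if the helper registers the pattern verbatim; the same pattern is used in datashield-setup.sh (`generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*"`). The OAuth 2.0 Security BCP recommends exact redirect-URI matching, so I would register the concrete callback path(s) the Teiler frontend actually uses instead of the `/*` suffix; the helper's implementation is outside this diff, so please check what it does with the pattern. A one-line comment above the call naming the expected callback endpoint would also make later audits easier. The `if [ "$ENABLE_TEILER" == true ]` block closes inside this hunk but opens in context that precedes it.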
|
|
3
ccp/vars
3
ccp/vars
|
@ -10,10 +10,11 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
|
||||||
DEFAULT_LANGUAGE=DE
|
DEFAULT_LANGUAGE=DE
|
||||||
DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
|
DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
|
||||||
ENABLE_EXPORTER=true
|
ENABLE_EXPORTER=true
|
||||||
ENABLE_LOGIN=true
|
|
||||||
ENABLE_TEILER=true
|
ENABLE_TEILER=true
|
||||||
#ENABLE_DATASHIELD=true
|
#ENABLE_DATASHIELD=true
|
||||||
|
|
||||||
|
KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
|
||||||
|
KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
|
||||||
|
|
||||||
for module in $PROJECT/modules/*.sh
|
for module in $PROJECT/modules/*.sh
|
||||||
do
|
do
|
||||||
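Review bot: `$(capitalize_first_letter ${SITE_ID})` passes `SITE_ID` unquoted, so a value containing whitespace would be split into several arguments and the helper would capitalise only the first; use `KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter "${SITE_ID}")"` and `KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter "${SITE_ID}")_Verwalter"`. These two values end up as the Opal admin group and the Teiler user/admin group names, so an empty or unset `SITE_ID` would silently yield `DKTK_CCP__Verwalter`; a guard such as `[ -n "$SITE_ID" ]` before the assignments, or a comment stating that `SITE_ID` must already be set, would be worth adding. The helper is defined in the lib hunk (`@ -275,14 +275,20`), and this file only works if that lib is sourced before `ccp/vars` — I cannot see the load order from the diff, please confirm. `ENABLE_LOGIN=true` is dropped here; if the local login module still tests that variable elsewhere it is now disabled by omission, which may be intended but is not stated in the commit message.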
|
|
|
@ -275,14 +275,20 @@ function sync_secrets() {
|
||||||
docker run --rm \
|
docker run --rm \
|
||||||
-v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
|
-v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
|
||||||
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
|
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
|
||||||
-v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
|
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
|
||||||
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
|
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
|
||||||
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
|
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
|
||||||
-e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
|
-e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
|
||||||
-e PROXY_ID=$PROXY_ID \
|
-e PROXY_ID=$PROXY_ID \
|
||||||
-e BROKER_URL=$BROKER_URL \
|
-e BROKER_URL=$BROKER_URL \
|
||||||
-e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \
|
-e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID \
|
||||||
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
|
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
|
||||||
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
|
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
|
||||||
source /var/cache/bridgehead/secrets/*
|
source /var/cache/bridgehead/secrets/*
|
||||||
}
|
}
|
||||||
|
|
||||||
|
capitalize_first_letter() {
|
||||||
|
input="$1"
|
||||||
|
capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
|
||||||
|
echo "$capitalized"
|
||||||
|
}
|
||||||
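Review bot: `-e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID` replaces the `oidc` application id with what looks like a developer-specific one, so every site's OIDC client secrets would now be synchronised through that `dev-jan` app; unless that rename is deliberate for all deployments, the line should go back to `-e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \` or the app id should come from a variable rather than a literal. The root certificate mount also changed from the relative `./$PROJECT/root.crt.pem` to the absolute `/srv/docker/bridgehead/$PROJECT/root.crt.pem`; I believe a missing bind-mount source makes Docker create an empty directory at that path, so an installation that lives elsewhere would get a directory instead of the CA file inside the container with no error from this script. The `sync_secrets` function this hunk edits starts before the hunk; the new `capitalize_first_letter` is self-contained but would read better with a one-line comment such as `# Upper-cases the first character of $1 and echoes the result`, and its `<<< ${input:0:1}` should be quoted for consistency with the rest of the function.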
|
|