Set SELinux labels for bind mounts, replace secrets with bind mounts

2025-11-04 10:40:18 +01:00 · 2025-07-03 14:09:01 +00:00
parent 98e0512a61
commit 078c16e8dd
22 changed files with 62 additions and 86 deletions
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -26,7 +26,3 @@ services:
 volumes:
  blaze-data:

-# used in modules *-locator.yml
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/bbmri/modules/eric-compose.yml
+++ b/bbmri/modules/eric-compose.yml
@@ -26,11 +26,11 @@ services:
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro,Z
+      # secrets don't seem to allow us to specify Z
+      - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro

--- a/bbmri/modules/exporter-compose.yml
+++ b/bbmri/modules/exporter-compose.yml
@@ -36,7 +36,7 @@ services:
      - "traefik.http.middlewares.exporter_auth.basicauth.users=${EXPORTER_USER}"

    volumes:
-      - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output"
+      - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output:z"

  exporter-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
@@ -47,7 +47,7 @@ services:
      POSTGRES_DB: "exporter"
    volumes:
      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
-      - "/var/cache/bridgehead/bbmri/exporter-db:/var/lib/postgresql/data"
+      - "/var/cache/bridgehead/bbmri/exporter-db:/var/lib/postgresql/data:Z"

  reporter:
    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
@@ -69,7 +69,7 @@ services:
    # There is a risk that the bridgehead restarts, losing the already created export.

    volumes:
-      - "/var/cache/bridgehead/bbmri/reporter-files:/app/reports"
+      - "/var/cache/bridgehead/bbmri/reporter-files:/app/reports:z"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reporter_bbmri.rule=PathPrefix(`/bbmri-reporter`)"
--- a/bbmri/modules/gbn-compose.yml
+++ b/bbmri/modules/gbn-compose.yml
@@ -26,11 +26,11 @@ services:
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/bbmri/modules/${GBN_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/bbmri/modules/${GBN_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro,Z
+      # secrets don't seem to allow us to specify Z
+      - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro