Set SELinux labels for bind mounts, replace secrets with bind mounts

2025-07-12 13:00:21 +02:00 · 2025-07-03 14:09:01 +00:00
parent 98e0512a61
commit 078c16e8dd
22 changed files with 62 additions and 86 deletions
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@ -56,12 +56,10 @@ services:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/kr/root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/kr/root.crt.pem:/conf/root.crt.pem:ro,Z
+      # secrets don't seem to allow us to specify Z
+      - /etc/bridgehead/pki/${SITE_ID}.priv.pem:/run/secrets/proxy.pem:ro


 volumes:
  blaze-data:
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/kr/modules/exporter-compose.yml
+++ b/kr/modules/exporter-compose.yml
@ -24,7 +24,7 @@ services:
      - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
      - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
    volumes:
-      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
+      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output:z"

  exporter-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
@ -35,7 +35,7 @@ services:
      POSTGRES_DB: "exporter"
    volumes:
      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
-      - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
+      - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data:Z"

  reporter:
    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
@ -57,7 +57,7 @@ services:
    # There is a risk that the bridgehead restarts, losing the already created export.

    volumes:
-      - "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
+      - "/var/cache/bridgehead/ccp/reporter-files:/app/reports:z"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
--- a/kr/modules/teiler-compose.yml
+++ b/kr/modules/teiler-compose.yml
@ -71,9 +71,6 @@ services:
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-    secrets:
-      - ccp.conf
-
-secrets:
-  ccp.conf:
-    file: /etc/bridgehead/ccp.conf
+    volumes:
+      # secrets don't seem to allow us to specify Z
+      - /etc/bridgehead/ccp.conf:/run/secrets/ccp.conf:ro