samply
/
bridgehead
mirror of https://github.com/samply/bridgehead.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feature/samplyBeam' into fix/proxyFix

This commit is contained in:
Martin Lablans 2022-10-24 15:23:27 +02:00 committed by GitHub
parent 0f1cb966ba 2b78835872
commit 428f7293e6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 53 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.gitignore vendored
View File

@ -3,10 +3,4 @@
site-config/* site-config/*
## Ignore site configuration ## Ignore site configuration
config/**/* */docker-compose.override.yml
!config/**/*.default
landing/*
docker-compose.override.yml
site.conf
auth/*
certs/*

8
bridgehead
View File

@ -77,6 +77,14 @@ case "$ACTION" in
uninstall) uninstall)
exec ./lib/remove-bridgehead-units.sh $PROJECT exec ./lib/remove-bridgehead-units.sh $PROJECT
;; ;;
enroll)
if [ -e $PRIVATEKEYFILENAME ]; then
echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
exit 1
fi
docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
chmod 600 $PRIVATEKEYFILENAME
;;
preRun | preUpdate) preRun | preUpdate)
fixPermissions fixPermissions
;; ;;

2
ccp/docker-compose.yml
View File

@ -25,7 +25,7 @@ services:
- 80:80 - 80:80
- 443:443 - 443:443
volumes: volumes:
- ../certs:/tools/certs:ro - /etc/bridgehead/traefik-tls:/certs:ro
- ../lib/traefik-configuration/:/configuration:ro - ../lib/traefik-configuration/:/configuration:ro
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro

2
ccp/vars
View File

@ -5,3 +5,5 @@ SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | he
SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}" SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}" REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

2
lib/functions.sh
View File

@ -19,7 +19,7 @@ checkOwner(){
} }
printUsage() { printUsage() {
echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME" echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
echo "PROJECTNAME should be one of ccp|nngm|gbn" echo "PROJECTNAME should be one of ccp|nngm|gbn"
} }

116
lib/generate.sh
View File

@ -1,116 +0,0 @@
#!/bin/bash
if [ ! -d ./landing ]
then
mkdir landing
fi
if [ ! -f ./landing/index.html ]
then
touch index.html
fi
CENTRAL_SERVICES=" <tr>
<td>CCP-IT</td>
<td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
</tr>"
LOCAL_SERVICES=" <tr>
<td>Bridgehead</td>
<td>Reverse Proxy <a href=\"http://${HOST}:8080/\">Traefik</a></td>
</tr>"
if [ "$project" = "dktk" ] || [ "$project" = "c4" ] || [ "$project" = "dktk-fed" ]
then
CENTRAL_SERVICES+=" <tr>
<td>CCP-IT</td>
<td><a href=\"https://patientlist.ccp-it.dktk.dkfz.de\">Zentrale Patientenliste</td>
</tr>
<tr>
<td>CCP-IT</td>
<td><a href=\"https://decentralsearch.ccp-it.dktk.dkfz.de\">Dezentrale Suche</td>
</tr>
<tr>
<td>CCP-IT</td>
<td><a href=\"https://centralsearch.ccp-it.dktk.dkfz.de\">Zentrale Suche</td>
</tr>
<tr>
<td>CCP-IT</td>
<td><a href=\"https://deployment.ccp-it.dktk.dkfz.de\">Deployment-Server</td>
</tr>
<tr>
<td>CCP-IT</td>
<td><a href=\"https://dktk-kne.kgu.de\">Zentraler Kontrollnummernerzeuger</td>
</tr>
"
fi
if [ "$project" = "dktk-fed" ]
then
LOCAL_SERVICES+=" <tr>
<td>DKTK</td>
<td><a href=\"https://${HOST}/dktk-localdatamanagement/fhir/\">Blaze</a></td>
</tr>
"
fi
cat > ./landing/index.html <<EOL
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<title>Bridgehead Overview</title>
<!-- Bootstrap core CSS -->
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet"
integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
crossorigin="anonymous"></script>
</head>
<body class="d-flex flex-column min-vh-100">
<nav class="navbar navbar-light" style="background-color: #aad7f6;">
<h2 class="pb-2 border-bottom">Bridgehead ${site_name}</h2>
</nav>
<div class="container px-4 py-5" id="featured-3">
<div>
<h2>Components</h2>
<h3>Central</h3>
<table class="table">
<thead class="thead-dark">
<tr>
<th style="width: 50%">Group</th>
<th style="width: 50%">Service</th>
</tr>
</thead>
<tbody>
${CENTRAL_SERVICES}
</tbody>
</table>
</div>
<div>
<h3>Local</h3>
<table class="table">
<thead class="thead-dark">
<tr>
<th style="width: 50%">Project</th>
<th style="width: 50%">Services</th>
</tr>
</thead>
<tbody>
${LOCAL_SERVICES}
</tbody>
</table>
</div>
<footer class="footer mt-auto py-3">
<a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
</footer>
</body>
</html>
EOL

0
lib/log.sh Normal file → Executable file
View File

25
lib/prerequisites.sh
View File

@ -43,21 +43,30 @@ fi
# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory. # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
log INFO "Checking ssl cert" log INFO "Checking ssl cert for accessing bridgehead via https"
if [ ! -d "certs" ]; then if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)" log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
mkdir -p certs mkdir -p /etc/bridgehead/traefik-tls
fi fi
if [ ! -e "certs/traefik.crt" ]; then if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST" openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
fi fi
if [ -e /etc/bridgehead/vault.conf ]; then if [ -e /etc/bridgehead/vault.conf ]; then
if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf." fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
fi fi
fi
log INFO "Checking your beam proxy private key"
if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
log INFO "Success - private key found."
else
log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
exit 1
fi fi
log INFO "Success - all prerequisites are met!" log INFO "Success - all prerequisites are met!"

4
lib/traefik-configuration/certificates.yaml
View File

@ -1,4 +1,4 @@
tls: tls:
certificates: certificates:
- certFile: /certs/traefik.crt - certFile: /certs/fullchain.pem
keyFile: /certs/traefik.key keyFile: /certs/privkey.pem

25
lib/update-bridgehead.sh
View File

@ -1,6 +1,17 @@
#!/bin/bash #!/bin/bash
source lib/functions.sh source lib/functions.sh
AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
A="Performing automatic maintenance: Cleaning docker images."
hc_send log "$A"
log INFO "$A"
docker system prune -a -f
else
log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
fi
hc_send log "Checking for bridgehead updates ..." hc_send log "Checking for bridgehead updates ..."
CONFFILE=/etc/bridgehead/$1.conf CONFFILE=/etc/bridgehead/$1.conf
@ -19,7 +30,10 @@ checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong
CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh" CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
CHANGES=""
# Check git updates # Check git updates
git_updated="false"
for DIR in /etc/bridgehead $(pwd); do for DIR in /etc/bridgehead $(pwd); do
log "INFO" "Checking for updates to git repo $DIR ..." log "INFO" "Checking for updates to git repo $DIR ..."
if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
@ -37,9 +51,10 @@ for DIR in /etc/bridgehead $(pwd); do
git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1 git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
fi fi
new_git_hash="$(git -C $DIR rev-parse --verify HEAD)" new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
git_updated="false"
if [ "$old_git_hash" != "$new_git_hash" ]; then if [ "$old_git_hash" != "$new_git_hash" ]; then
log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash" CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
CHANGES+="- $CHANGE\n"
log "INFO" "$CHANGE"
# NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket. # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
# See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974 # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
git_repository_url="$(git -C $DIR remote get-url origin)" git_repository_url="$(git -C $DIR remote get-url origin)"
@ -63,14 +78,16 @@ docker_updated="false"
for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
log "INFO" "Checking for Updates of Image: $IMAGE" log "INFO" "Checking for Updates of Image: $IMAGE"
if docker pull $IMAGE | grep "Downloaded newer image"; then if docker pull $IMAGE | grep "Downloaded newer image"; then
log "INFO" "$IMAGE updated." CHANGE="Image $IMAGE updated."
CHANGES+="- $CHANGE\n"
log "INFO" "$CHANGE"
docker_updated="true" docker_updated="true"
fi fi
done done
# If anything is updated, restart service # If anything is updated, restart service
if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
RES="Update detected, now restarting bridgehead" RES="Updates detected, now restarting bridgehead:\n$CHANGES"
log "INFO" "$RES" log "INFO" "$RES"
hc_send log "$RES" hc_send log "$RES"
sudo /bin/systemctl restart bridgehead@*.service sudo /bin/systemctl restart bridgehead@*.service

11
site.dev.conf
View File

@ -1,11 +0,0 @@
#!/bin/bash
### This is the configuration file for secrets, only your site should know
##Setting Network properties
export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
export HOST=
export site_name=
### Write the Project you want to start with the brigdehead
##Exmaple project=dktk-fed
export project=