mirror of https://github.com/samply/bridgehead.git
Merge branch 'feature/samplyBeam' into fix/proxyFix
commit
428f7293e6
|
@ -3,10 +3,4 @@
|
||||||
site-config/*
|
site-config/*
|
||||||
|
|
||||||
## Ignore site configuration
|
## Ignore site configuration
|
||||||
config/**/*
|
*/docker-compose.override.yml
|
||||||
!config/**/*.default
|
|
||||||
landing/*
|
|
||||||
docker-compose.override.yml
|
|
||||||
site.conf
|
|
||||||
auth/*
|
|
||||||
certs/*
|
|
||||||
|
|
|
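Review bot: Dropping `certs/*`, `auth/*`, `site.conf` and `landing/*` from the ignore list (presumably `.gitignore`; the file header is not shown) means a checkout that still holds files from the previous layout — notably `certs/traefik.key`, which the old prerequisites step generated inside the repository directory — becomes untracked-but-visible and can be committed with a plain `git add .`. If these directories are meant to disappear, a one-off cleanup in the update path, or keeping `certs/*` ignored until that cleanup exists, avoids a private key ending up in a site's git history. The old `docker-compose.override.yml` pattern matched at any depth, while the new `*/docker-compose.override.yml` matches only one level below the root, so a root-level override file is no longer ignored; whether that narrowing is intended is not clear from the diff.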
@ -77,6 +77,14 @@ case "$ACTION" in
|
||||||
uninstall)
|
uninstall)
|
||||||
exec ./lib/remove-bridgehead-units.sh $PROJECT
|
exec ./lib/remove-bridgehead-units.sh $PROJECT
|
||||||
;;
|
;;
|
||||||
|
enroll)
|
||||||
|
if [ -e $PRIVATEKEYFILENAME ]; then
|
||||||
|
echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
|
||||||
|
chmod 600 $PRIVATEKEYFILENAME
|
||||||
|
;;
|
||||||
preRun | preUpdate)
|
preRun | preUpdate)
|
||||||
fixPermissions
|
fixPermissions
|
||||||
;;
|
;;
|
||||||
|
|
|
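Review bot: The `docker run` that writes the private key in the new `enroll)` branch is not checked for success, so a failed or interrupted enrollment still falls through to `chmod 600 $PRIVATEKEYFILENAME` and the action ends with a missing or partial key file; append `|| exit 1` to the `docker run ... --admin-email "$SUPPORT_EMAIL"` line so the failure is surfaced. `$PRIVATEKEYFILENAME`, `$PROXY_ID` and `$SUPPORT_EMAIL` are unquoted both in the `[ -e ... ]` test and on the command line and should be double-quoted. `samply/beam-enroll:latest` is an unpinned tag for the tool that generates the site's private key; pinning a version (or digest) makes the enrollment reproducible and reviewable. The enclosing `case "$ACTION" in` starts outside the hunk.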
@ -25,7 +25,7 @@ services:
|
||||||
- 80:80
|
- 80:80
|
||||||
- 443:443
|
- 443:443
|
||||||
volumes:
|
volumes:
|
||||||
- ../certs:/tools/certs:ro
|
- /etc/bridgehead/traefik-tls:/certs:ro
|
||||||
- ../lib/traefik-configuration/:/configuration:ro
|
- ../lib/traefik-configuration/:/configuration:ro
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
|
||||||
|
|
2
ccp/vars
2
ccp/vars
|
@ -5,3 +5,5 @@ SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | he
|
||||||
SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
|
SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
|
||||||
REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
|
REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
|
||||||
REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
|
REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
|
||||||
|
SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
|
||||||
|
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
|
||||||
|
|
|
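Review bot: `PRIVATEKEYFILENAME` and `SUPPORT_EMAIL` are added only to `ccp/vars`, yet the new `enroll` action in the main script and the beam-key check in the later prerequisites hunk depend on them (that hunk even re-spells the path as `/etc/bridgehead/pki/${SITE_ID}.priv.pem` instead of reading the variable); for a project whose vars file lacks them, `enroll` would run the container with an empty `--output-file` and `--admin-email` unless they are also defined there or guarded with `: "${PRIVATEKEYFILENAME:?}"`. Whether the nngm/gbn vars files carry matching definitions is not visible here. A comment such as `# Beam proxy private key written by 'bridgehead enroll'; the prerequisites check expects the same path` on the `PRIVATEKEYFILENAME` line would tie the two users together.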
@ -19,7 +19,7 @@ checkOwner(){
|
||||||
}
|
}
|
||||||
|
|
||||||
printUsage() {
|
printUsage() {
|
||||||
echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
|
echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
|
||||||
echo "PROJECTNAME should be one of ccp|nngm|gbn"
|
echo "PROJECTNAME should be one of ccp|nngm|gbn"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
116
lib/generate.sh
116
lib/generate.sh
|
@ -1,116 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
if [ ! -d ./landing ]
|
|
||||||
then
|
|
||||||
mkdir landing
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -f ./landing/index.html ]
|
|
||||||
then
|
|
||||||
touch index.html
|
|
||||||
fi
|
|
||||||
|
|
||||||
CENTRAL_SERVICES=" <tr>
|
|
||||||
<td>CCP-IT</td>
|
|
||||||
<td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
|
|
||||||
</tr>"
|
|
||||||
|
|
||||||
LOCAL_SERVICES=" <tr>
|
|
||||||
<td>Bridgehead</td>
|
|
||||||
<td>Reverse Proxy <a href=\"http://${HOST}:8080/\">Traefik</a></td>
|
|
||||||
</tr>"
|
|
||||||
|
|
||||||
if [ "$project" = "dktk" ] || [ "$project" = "c4" ] || [ "$project" = "dktk-fed" ]
|
|
||||||
then
|
|
||||||
CENTRAL_SERVICES+=" <tr>
|
|
||||||
<td>CCP-IT</td>
|
|
||||||
<td><a href=\"https://patientlist.ccp-it.dktk.dkfz.de\">Zentrale Patientenliste</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>CCP-IT</td>
|
|
||||||
<td><a href=\"https://decentralsearch.ccp-it.dktk.dkfz.de\">Dezentrale Suche</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>CCP-IT</td>
|
|
||||||
<td><a href=\"https://centralsearch.ccp-it.dktk.dkfz.de\">Zentrale Suche</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>CCP-IT</td>
|
|
||||||
<td><a href=\"https://deployment.ccp-it.dktk.dkfz.de\">Deployment-Server</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>CCP-IT</td>
|
|
||||||
<td><a href=\"https://dktk-kne.kgu.de\">Zentraler Kontrollnummernerzeuger</td>
|
|
||||||
</tr>
|
|
||||||
"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$project" = "dktk-fed" ]
|
|
||||||
then
|
|
||||||
LOCAL_SERVICES+=" <tr>
|
|
||||||
<td>DKTK</td>
|
|
||||||
<td><a href=\"https://${HOST}/dktk-localdatamanagement/fhir/\">Blaze</a></td>
|
|
||||||
</tr>
|
|
||||||
"
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat > ./landing/index.html <<EOL
|
|
||||||
<html lang="en">
|
|
||||||
|
|
||||||
<head>
|
|
||||||
<meta charset="utf-8">
|
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
||||||
<meta name="description" content="">
|
|
||||||
<title>Bridgehead Overview</title>
|
|
||||||
<!-- Bootstrap core CSS -->
|
|
||||||
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet"
|
|
||||||
integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
|
|
||||||
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
|
|
||||||
integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
|
|
||||||
crossorigin="anonymous"></script>
|
|
||||||
|
|
||||||
</head>
|
|
||||||
|
|
||||||
<body class="d-flex flex-column min-vh-100">
|
|
||||||
|
|
||||||
<nav class="navbar navbar-light" style="background-color: #aad7f6;">
|
|
||||||
<h2 class="pb-2 border-bottom">Bridgehead ${site_name}</h2>
|
|
||||||
</nav>
|
|
||||||
<div class="container px-4 py-5" id="featured-3">
|
|
||||||
<div>
|
|
||||||
<h2>Components</h2>
|
|
||||||
<h3>Central</h3>
|
|
||||||
<table class="table">
|
|
||||||
<thead class="thead-dark">
|
|
||||||
<tr>
|
|
||||||
<th style="width: 50%">Group</th>
|
|
||||||
<th style="width: 50%">Service</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
${CENTRAL_SERVICES}
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
</div>
|
|
||||||
|
|
||||||
<div>
|
|
||||||
<h3>Local</h3>
|
|
||||||
<table class="table">
|
|
||||||
<thead class="thead-dark">
|
|
||||||
<tr>
|
|
||||||
<th style="width: 50%">Project</th>
|
|
||||||
<th style="width: 50%">Services</th>
|
|
||||||
</tr>
|
|
||||||
</thead>
|
|
||||||
<tbody>
|
|
||||||
${LOCAL_SERVICES}
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
</div>
|
|
||||||
<footer class="footer mt-auto py-3">
|
|
||||||
<a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
|
|
||||||
</footer>
|
|
||||||
</body>
|
|
||||||
|
|
||||||
</html>
|
|
||||||
EOL
|
|
|
@ -43,21 +43,30 @@ fi
|
||||||
|
|
||||||
# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
|
# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
|
||||||
|
|
||||||
log INFO "Checking ssl cert"
|
log INFO "Checking ssl cert for accessing bridgehead via https"
|
||||||
|
|
||||||
if [ ! -d "certs" ]; then
|
if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
|
||||||
log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
|
log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
|
||||||
mkdir -p certs
|
mkdir -p /etc/bridgehead/traefik-tls
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -e "certs/traefik.crt" ]; then
|
if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
|
||||||
openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
|
openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -e /etc/bridgehead/vault.conf ]; then
|
if [ -e /etc/bridgehead/vault.conf ]; then
|
||||||
if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
|
if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
|
||||||
fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
|
fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
log INFO "Checking your beam proxy private key"
|
||||||
|
|
||||||
|
if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
|
||||||
|
log INFO "Success - private key found."
|
||||||
|
else
|
||||||
|
log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
log INFO "Success - all prerequisites are met!"
|
log INFO "Success - all prerequisites are met!"
|
||||||
|
|
|
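Review bot: The missing-key branch uses `log ERROR` followed by a bare `exit 1`, while the vault.conf check just above it uses `fail_and_report 1 "..."`; the new check should use the same helper so the failure is reported the same way, e.g. `fail_and_report 1 "Unable to find private key at $PRIVATEKEYFILENAME. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions."` — this also pulls the stray `.` after the closing quote on the `log ERROR` line into the message and, provided the project vars file is sourced before this point, reads the path from the `PRIVATEKEYFILENAME` variable this commit defines in `ccp/vars` instead of spelling it out twice. The TLS check tests only `fullchain.pem`; if `privkey.pem` is absent the self-signed generation is skipped and traefik is left without a usable key pair, so testing both files (`[ ! -e /etc/bridgehead/traefik-tls/fullchain.pem ] || [ ! -e /etc/bridgehead/traefik-tls/privkey.pem ]`) is safer. The key written by `openssl ... -keyout /etc/bridgehead/traefik-tls/privkey.pem` gets no explicit permission restriction in this script; whether openssl's defaults or a later step handle that is not visible here.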
@ -1,4 +1,4 @@
|
||||||
tls:
|
tls:
|
||||||
certificates:
|
certificates:
|
||||||
- certFile: /certs/traefik.crt
|
- certFile: /certs/fullchain.pem
|
||||||
keyFile: /certs/traefik.key
|
keyFile: /certs/privkey.pem
|
||||||
|
|
|
@ -1,6 +1,17 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
source lib/functions.sh
|
source lib/functions.sh
|
||||||
|
|
||||||
|
AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
|
||||||
|
|
||||||
|
if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
|
||||||
|
A="Performing automatic maintenance: Cleaning docker images."
|
||||||
|
hc_send log "$A"
|
||||||
|
log INFO "$A"
|
||||||
|
docker system prune -a -f
|
||||||
|
else
|
||||||
|
log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
|
||||||
|
fi
|
||||||
|
|
||||||
hc_send log "Checking for bridgehead updates ..."
|
hc_send log "Checking for bridgehead updates ..."
|
||||||
|
|
||||||
CONFFILE=/etc/bridgehead/$1.conf
|
CONFFILE=/etc/bridgehead/$1.conf
|
||||||
|
@ -19,7 +30,10 @@ checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong
|
||||||
|
|
||||||
CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
|
CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
|
||||||
|
|
||||||
|
CHANGES=""
|
||||||
|
|
||||||
# Check git updates
|
# Check git updates
|
||||||
|
git_updated="false"
|
||||||
for DIR in /etc/bridgehead $(pwd); do
|
for DIR in /etc/bridgehead $(pwd); do
|
||||||
log "INFO" "Checking for updates to git repo $DIR ..."
|
log "INFO" "Checking for updates to git repo $DIR ..."
|
||||||
if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
|
if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
|
||||||
|
@ -37,9 +51,10 @@ for DIR in /etc/bridgehead $(pwd); do
|
||||||
git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
|
git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
|
||||||
fi
|
fi
|
||||||
new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
|
new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
|
||||||
git_updated="false"
|
|
||||||
if [ "$old_git_hash" != "$new_git_hash" ]; then
|
if [ "$old_git_hash" != "$new_git_hash" ]; then
|
||||||
log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
|
CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
|
||||||
|
CHANGES+="- $CHANGE\n"
|
||||||
|
log "INFO" "$CHANGE"
|
||||||
# NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
|
# NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
|
||||||
# See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
|
# See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
|
||||||
git_repository_url="$(git -C $DIR remote get-url origin)"
|
git_repository_url="$(git -C $DIR remote get-url origin)"
|
||||||
|
@ -63,14 +78,16 @@ docker_updated="false"
|
||||||
for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
|
for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
|
||||||
log "INFO" "Checking for Updates of Image: $IMAGE"
|
log "INFO" "Checking for Updates of Image: $IMAGE"
|
||||||
if docker pull $IMAGE | grep "Downloaded newer image"; then
|
if docker pull $IMAGE | grep "Downloaded newer image"; then
|
||||||
log "INFO" "$IMAGE updated."
|
CHANGE="Image $IMAGE updated."
|
||||||
|
CHANGES+="- $CHANGE\n"
|
||||||
|
log "INFO" "$CHANGE"
|
||||||
docker_updated="true"
|
docker_updated="true"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
# If anything is updated, restart service
|
# If anything is updated, restart service
|
||||||
if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
|
if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
|
||||||
RES="Update detected, now restarting bridgehead"
|
RES="Updates detected, now restarting bridgehead:\n$CHANGES"
|
||||||
log "INFO" "$RES"
|
log "INFO" "$RES"
|
||||||
hc_send log "$RES"
|
hc_send log "$RES"
|
||||||
sudo /bin/systemctl restart bridgehead@*.service
|
sudo /bin/systemctl restart bridgehead@*.service
|
||||||
|
|
|
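Review bot: `docker system prune -a -f` now runs on every update by default (`AUTO_HOUSEKEEPING` defaults to `true`), and with `-a` it removes every image not referenced by a running container, not just dangling ones; if this script runs while the bridgehead services are stopped, all of the project's images are deleted and must be re-pulled, and unrelated images on a shared host are lost as well. Consider defaulting to `false`, dropping `-a` (`docker image prune -f`), or at least documenting the behaviour on the `AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}` line with `# WARNING: 'true' removes ALL unused images, networks and build cache on this host`. Separately, `CHANGES+="- $CHANGE\n"` and the `\n` in `RES="Updates detected, now restarting bridgehead:\n$CHANGES"` store a literal backslash-n, so unless `log`/`hc_send` interpret escapes the summary arrives on one line; `CHANGES+="- $CHANGE"$'\n'` produces a real newline. `log` and `hc_send` are defined in `lib/functions.sh`, outside this diff.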
@ -1,11 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
### This is the configuration file for secrets, only your site should know
|
|
||||||
|
|
||||||
##Setting Network properties
|
|
||||||
export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
|
|
||||||
export HOST=
|
|
||||||
|
|
||||||
export site_name=
|
|
||||||
### Write the Project you want to start with the brigdehead
|
|
||||||
##Exmaple project=dktk-fed
|
|
||||||
export project=
|
|