diff --git a/ccp/modules/ovis-compose.yml b/ccp/modules/ovis-compose.yml
index 2048da81..c3e73343 100644
--- a/ccp/modules/ovis-compose.yml
+++ b/ccp/modules/ovis-compose.yml
@@ -1,6 +1,43 @@ version: "3.7" services: + ovis-traefik-forward-auth: + image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest + environment: + - http_proxy=http://forward_proxy:3128 + - https_proxy=http://forward_proxy:3128 + - OAUTH2_PROXY_PROVIDER=oidc + - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true + - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL} + - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID} + - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET} + - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET} + - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_ovis + - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST} + - OAUTH2_PROXY_COOKIE_REFRESH=4m + - OAUTH2_PROXY_COOKIE_EXPIRE=24h + - OAUTH2_PROXY_HTTP_ADDRESS=:4180 + - OAUTH2_PROXY_REVERSE_PROXY=true + - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST} + - OAUTH2_PROXY_UPSTREAMS=static://202 + - OAUTH2_PROXY_EMAIL_DOMAINS=* + - OAUTH2_PROXY_SCOPE=openid profile email + - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true + - OAUTH2_PROXY_SET_XAUTHREQUEST=true + - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP} + - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM} + - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-ovis + labels: + - "traefik.enable=true" + - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180" + - "traefik.http.routers.ovis-traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-ovis`)" + - "traefik.http.routers.ovis-traefik-forward-auth.tls=true" + - "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.address=http://ovis-traefik-forward-auth:4180" + - "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.authResponseHeaders=Authorization" + depends_on: + forward_proxy: + condition: service_healthy + ovis-backend-database-mongodb: image: docker.verbis.dkfz.de/ovis/ovis-backend-mongodb:latest container_name: bridgehead-ccp-ovis-mongo 
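Review bot: The only authorization decision on the whole OVIS surface is `OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP}`, because `OAUTH2_PROXY_EMAIL_DOMAINS=*` admits every account the issuer knows; if `OIDC_PSP_GROUP` is unset or empty in the environment, Compose substitutes an empty string (with only a warning), oauth2-proxy treats an empty group list as no restriction, and the gate fails open to any IdP user. Fail hard instead: `- OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP:?OIDC_PSP_GROUP must be set}`, and give `OIDC_CLIENT_SECRET` and `IDMANAGER_AUTH_COOKIE_SECRET` the same `:?` treatment so an empty secret cannot silently ship. The enforcement point is pulled as `oauth2-proxy:latest`; pin a version tag or digest so a routine pull cannot change auth behaviour or flag semantics underneath this configuration. `OAUTH2_PROXY_SET_XAUTHREQUEST=true` has no effect as wired, since the forwardauth middleware only copies `Authorization` via `authResponseHeaders`; either drop it or add the `X-Auth-Request-*` headers to that list. Reusing the idmanager cookie secret keys both proxies' session cookies identically, distinguished only by cookie name; presumably intentional, but a dedicated secret would keep the two trust boundaries independent.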
@@ -47,11 +84,12 @@ services: - "traefik.enable=true" - "traefik.http.routers.ovis-backend.rule=PathPrefix(`/graphql`)" - "traefik.http.routers.ovis-backend.tls=true" + - "traefik.http.routers.ovis-backend.middlewares=traefik-forward-auth-ovis" - "traefik.http.routers.ovis-backend.service=ovis-backend" - "traefik.http.routers.ovis-backend-ccp.rule=PathPrefix(`/ccp-ovis/graphql`)" - "traefik.http.routers.ovis-backend-ccp.tls=true" - "traefik.http.middlewares.ovis-backend-ccp-strip.stripprefix.prefixes=/ccp-ovis" - - "traefik.http.routers.ovis-backend-ccp.middlewares=ovis-backend-ccp-strip" + - "traefik.http.routers.ovis-backend-ccp.middlewares=ovis-backend-ccp-strip,traefik-forward-auth-ovis" - "traefik.http.routers.ovis-backend-ccp.service=ovis-backend" - "traefik.http.services.ovis-backend.loadbalancer.server.port=4001" @@ -68,6 +106,5 @@ services: - "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.permanent=true" - "traefik.http.routers.ovis-frontend-ccp.tls=true" - "traefik.http.routers.ovis-frontend-ccp.rule=PathPrefix(`/ccp-ovis`)" - - "traefik.http.middlewares.ovis-frontend-ccp-strip.stripprefix.prefixes=/ccp-ovis" - - "traefik.http.routers.ovis-frontend-ccp.middlewares=ovis-frontend-ccp-slash-redirect,ovis-frontend-ccp-strip" + - "traefik.http.routers.ovis-frontend-ccp.middlewares=ovis-frontend-ccp-slash-redirect,traefik-forward-auth-ovis" - "traefik.http.services.ovis-frontend.loadbalancer.server.port=5173" diff --git a/ccp/modules/ovis-setup.sh b/ccp/modules/ovis-setup.sh index 41d59b1e..2ae23a7f 100644 --- a/ccp/modules/ovis-setup.sh +++ b/ccp/modules/ovis-setup.sh @@ -1,6 +1,6 @@ #!/bin/bash -e if [ -n "$ENABLE_OVIS" ]; then - log INFO "OVIS setup detected -- will start OVIS services." + log INFO "OVIS setup detected -- will start OVIS services with local oauth2-proxy middleware." OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml" fi
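Review bot: With `authResponseHeaders=Authorization` the backend on port 4001 now receives the user's OIDC token as a bearer header on every `/graphql` request, so the backend must still validate it (signature, issuer, audience, expiry) rather than treat its presence as proof of authentication; any path to the service that bypasses this middleware — a future router without it, or a request originating inside the compose network — could carry an attacker-chosen header. The two backend router rules also still lack a `Host()` constraint, unlike the new `/oauth2-ovis` callback router, so the middleware and cookie logic run for `/graphql` under any Host header; pre-existing, but worth aligning now, e.g. ``traefik.http.routers.ovis-backend.rule=Host(`${HOST}`) && PathPrefix(`/graphql`)``. Because these are API endpoints, unauthenticated callers will now get a 302 to the IdP instead of a 401; recent oauth2-proxy releases accept `OAUTH2_PROXY_API_ROUTES=^/graphql` to return 401 on such paths, which is kinder to fetch/XHR clients and keeps API traffic out of the browser login flow. The session is cookie-based and scoped to `.${HOST}`, so sibling subdomains are same-site for this cookie; confirm the backend's CSRF posture (SameSite default, content-type checks) holds for cookie-authenticated GraphQL mutations.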
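Review bot: Dropping `ovis-frontend-ccp-strip` from the `ovis-frontend-ccp` middleware chain is a routing change, not just an auth addition: the frontend service on port 5173 now receives every request with the `/ccp-ovis` prefix intact, while the `/ccp-ovis/graphql` router in the previous hunk keeps its strip middleware, so the two routers now look inconsistent to a reader. If the frontend's base path was not updated in lockstep (outside this diff), authenticated users will land on a 404 behind the login prompt; please confirm. A one-line comment above the router label would record the intent, e.g. `# frontend serves under /ccp-ovis itself, so the prefix is no longer stripped`. Note also that `ovis-frontend-ccp-slash-redirect` runs before `traefik-forward-auth-ovis`, so the redirect is answered for unauthenticated clients too — harmless as written, but keep the auth middleware first if anything request-dependent is ever added ahead of it.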