feat: Move to central rstudio

2024-04-17 14:25:59 +02:00 · 2024-04-17 14:25:59 +02:00 · 8b33912fee
parent 7d5f771181
commit 8b33912fee
5 changed files with 5 additions and 121 deletions
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@ -1,25 +1,6 @@
 version: "3.7"

 services:
-  rstudio:
-    container_name: bridgehead-rstudio
-    image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
-    environment:
-      #DEFAULT_USER: "rstudio" # This line is kept for informational purposes
-      PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
-      DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
-      HTTP_RELATIVE_PATH: "/rstudio"
-      ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
-      - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
-      - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
-      - "traefik.http.routers.rstudio_ccp.tls=true"
-      - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
-    networks:
-      - rstudio
-
  opal:
    container_name: bridgehead-opal
    image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
@ -93,79 +74,14 @@ services:
      - beam-proxy
    volumes:
      - /tmp/bridgehead/opal-map/:/map/:ro
-    networks:
-      - default
-      - rstudio
-
-  traefik:
-    labels:
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
-    networks:
-      - default
-      - rstudio
-  forward_proxy:
-    networks:
-      - default
-      - rstudio

  beam-proxy:
    environment:
      APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
      APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}

-  # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
-  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
-  # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
-  oauth2-proxy:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
-    container_name: bridgehead-oauth2proxy
-    command: >-
-      --allowed-group=DataSHIELD
-      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
-      --auth-logging=true
-      --whitelist-domain=${HOST}
-      --http-address="0.0.0.0:4180"
-      --reverse-proxy=true
-      --upstream="static://202"
-      --email-domain="*"
-      --cookie-name="_BRIDGEHEAD_oauth2"
-      --cookie-secret="${OAUTH2_PROXY_SECRET}"
-      --cookie-expire="12h"
-      --cookie-secure="true"
-      --cookie-httponly="true"
-      #OIDC settings
-      --provider="keycloak-oidc"
-      --provider-display-name="VerbIS Login"
-      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
-      --client-secret="${OIDC_CLIENT_SECRET}"
-      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${OIDC_ISSUER_URL}"
-      --scope="openid email profile"
-      --code-challenge-method="S256"
-      --skip-provider-button=true
-      #X-Forwarded-Header settings - true/false depending on your needs
-      --pass-basic-auth=true
-      --pass-user-headers=false
-      --pass-access-token=false
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
-      - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
-      - "traefik.http.routers.oauth2_proxy.tls=true"
-    environment:
-      http_proxy: "http://forward_proxy:3128"
-      https_proxy: "http://forward_proxy:3128"
-    depends_on:
-      forward_proxy:
-        condition: service_healthy
-
 secrets:
  opal-cert.pem:
    file: /tmp/bridgehead/opal-cert.pem
  opal-key.pem:
    file: /tmp/bridgehead/opal-key.pem
-
-networks:
-  rstudio:
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@ -5,17 +5,12 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
  if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
    log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
  fi
-  OAUTH2_CALLBACK=/oauth2/callback
-  OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
-  add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
-
  log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
  OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
  EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
  TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")"
  OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)"
  OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
-  RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
  DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)"
  TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
  if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
@ -23,17 +18,11 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
    openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
  fi
  mkdir -p /tmp/bridgehead/opal-map
-  sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
-  echo "$sites" | docker_jq -n --args '{"sites": input | map({
-    "name": .,
-    "id": .,
-    "virtualhost": "\(.):443",
-    "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
-  })}' $sites >/tmp/bridgehead/opal-map/central.json
-  echo "$sites" | docker_jq -n --args '[{
-    "external": "'"$SITE_ID"':443",
+  echo '{"sites": []}' >/tmp/bridgehead/opal-map/central.json
+  echo '[{
+    "external": "'$SITE_ID':443",
    "internal": "opal:8443",
-    "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
+    "allowed": ["datashield-connect.request-manager.'$BROKER_ID'"]
  }]' > /tmp/bridgehead/opal-map/local.json
  if [ "$USER" == "root" ]; then
    chown -R bridgehead:docker /tmp/bridgehead
--- a/ccp/modules/datashield-sites.json
+++ b/ccp/modules/datashield-sites.json
@ -1,14 +0,0 @@
-[
-    "berlin",
-    "muenchen-lmu",
-    "dresden",
-    "freiburg",
-    "muenchen-tum",
-    "tuebingen",
-    "mainz",
-    "frankfurt",
-    "essen",
-    "dktk-datashield-test",
-    "dktk-test",
-    "mannheim"
-]
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -367,7 +367,3 @@ generate_simple_password(){
  local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
  echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
 }
-
-docker_jq() {
-    docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@"
-}
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@ -42,9 +42,6 @@ services:
      - /var/spool/squid
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
-    healthcheck:
-      # Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
-      test: ["CMD", "sleep", "1"]

  landing:
    container_name: bridgehead-landingpage