new refactor and encription key generation

itcc/modules/itcc-omics-ingest.sh

@@ -4,4 +4,24 @@ if [ -n "$ENABLE_OMICS" ];then
   OVERRIDE+=" -f ./$PROJECT/modules/itcc-omics-ingest.yaml"
   GENERATE_API_KEY="$(generate_simple_password 'omics')"
   PATIENTLIST_POSTGRES_PASSWORD=="$(generate_simple_password 'mainzelliste')"
+  KEYSET=/etc/bridgehead/mainzelliste/keyset_siv.json
+  if [ ! -f "$KEYSET" ]; then
+    mkdir -p "$(dirname "$KEYSET")"
+    KEY_ID=$(($(openssl rand -hex 4 | sed 's/^/0x/') & 0x7FFFFFFF))
+    VALUE=$({ printf '\x12\x40'; openssl rand 64; } | base64 | tr -d '\n')
+    jq -n --argjson id "$KEY_ID" --arg value "$VALUE" '{
+      primaryKeyId: $id,
+      key: [{
+        keyData: {
+          typeUrl: "type.googleapis.com/google.crypto.tink.AesSivKey",
+          value: $value,
+          keyMaterialType: "SYMMETRIC"
+        },
+        status: "ENABLED",
+        keyId: $id,
+        outputPrefixType: "TINK"
+      }]
+    }' > "$KEYSET"
+    chmod 600 "$KEYSET"
+  fi
 fi

itcc/modules/itcc-omics-ingest.yaml

@@ -1,21 +1,14 @@
 services:
   omics-endpoint:
-    image: ghcr.io/samply/itcc-omics-ingest:main
+    image: samply/itcc-omics-ingest:main
     environment:
       API_KEY: ${GENERATE_API_KEY}
-      BEAM_ID: "omics-endpoint.${PROXY_ID}"
+      BEAM_APP_ID_LONG: omics-endpoint.${PROXY_ID}
-      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
+      BEAM_SECRET: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_URL: http://beam-proxy:8081
+      DWH_SOCKET_ID: ${DWH_SOCKET_ID}
-      ML_URL: http://mainzelliste:8080
+      DWH_TASK_ID: ${DWH_TASK_ID}
-      BLAZE_URL: http://bridgehead-itcc-blaze:8080/fhir/
+      PARTNER_ID: ${SITE_ID}
-      DWH_SOCKET_ID: "${DWH_SOCKET_ID}"
-      DWH_TASK_ID: "${DWH_TASK_ID}"
-      ENABLE_SOCKETS: false
-      PARTNER_ID: "${SITE_ID}"
       ML_API_KEY: ${GENERATE_API_KEY}
-
-    volumes:
-      - /var/cache/bridgehead/omics/data:/data/uploads
     labels:
       - "traefik.http.routers.omics.rule=Host(`${HOST}`) &&
         PathPrefix(`/api/upload`)"
@@ -25,38 +18,33 @@ services:
       - "traefik.http.middlewares.omics-stripprefix.stripprefix.prefixes=/api"
       - "traefik.http.routers.omics.middlewares=omics-stripprefix"
 
-  db:
+  patientlist-db:
-    image: postgres:15
+    image: postgres:${POSTGRES_TAG}
-    container_name: db
+    container_name: bridgehead-patientlist-db
     restart: unless-stopped
     environment:
       POSTGRES_DB: mainzelliste
       POSTGRES_USER: ${ML_DB_USER}
       POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
-    ports:
-      - "5432:5432"
     volumes:
-      - db_data:/var/lib/postgresql/data
+      - "patientlist-db-data:/var/lib/postgresql/data"
     healthcheck:
-      test: [ "CMD-SHELL", "pg_isready -U ${ML_DB_USER} -d mainzelliste" ]
+      test: ["CMD-SHELL", "pg_isready -U ${ML_DB_USER} -d mainzelliste"]
       interval: 5s
       timeout: 5s
       retries: 10
       start_period: 10s
 
-  mainzelliste:
+  patientlist:
     image: medicalinformatics/mainzelliste:latest
-    container_name: mainzelliste
+    container_name: bridgehead-patientlist
     restart: unless-stopped
     depends_on:
       db:
         condition: service_healthy
-    ports:
-      - 7887:8080
-
     environment:
       ML_API_KEY: ${GENERATE_API_KEY}
-      ML_DB_HOST: db
+      ML_DB_HOST: patientlist-db
       ML_DB_PORT: "5432"
       ML_DB_NAME: mainzelliste
       ML_DB_USER: ${ML_DB_USER}
@@ -72,7 +60,7 @@ services:
         target: /etc/resources/keys/symmetric_key.der
 
 volumes:
-  db_data:
+  patientlist-db-data:
 secrets:
   mainzelliste.docker.conf:
     file: /etc/bridgehead/mainzelliste/mainzelliste.docker.conf